public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Peter Todd <pete@petertodd.org>
To: Johnson Lau <jl2012@xbt.hk>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Disallow insecure use of SIGHASH_SINGLE
Date: Tue, 5 Jun 2018 20:49:01 -0400	[thread overview]
Message-ID: <20180606004901.zqkpro2by7xj4jpc@petertodd.org> (raw)
In-Reply-To: <9FC9FA73-9572-48AF-9590-68F0D298D6A0@xbt.hk>

[-- Attachment #1: Type: text/plain, Size: 1290 bytes --]

On Fri, Jun 01, 2018 at 02:53:01AM +0800, Johnson Lau via bitcoin-dev wrote:
> I’ve made a PR to add a new policy to disallow using SIGHASH_SINGLE without matched output:
> 
> https://github.com/bitcoin/bitcoin/pull/13360
> 
> Signature of this form is insecure, as it commits to no output while users might think it commits to one. It is even worse in non-segwit scripts, which is effectively SIGHASH_NOINPUT|SIGHASH_NONE, so any UTXO of the same key could be stolen. (It’s restricted to only one UTXO in segwit, but it’s still like a SIGHASH_NONE.)
> 
> This is one of the earliest unintended consensus behavior. Since these signatures are inherently unsafe, I think it does no harm to disable this unintended “feature” with a softfork. But since these signatures are currently allowed, the first step is to make them non-standard.

I don't see why we should bother to soft fork this out on the basis of
security, given that there are many other ways to insecurely use private keys
(e.g. reused nonces). Maybe soft-fork it out on the basis of code complexity,
but this sounds like a lot of work.

Also, I have to wonder if it's just as likely the devs might think the
non-standardness means it is secure.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

      parent reply	other threads:[~2018-06-06  0:49 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-31 18:53 [bitcoin-dev] Disallow insecure use of SIGHASH_SINGLE Johnson Lau
2018-06-06  0:17 ` Chris Stewart
2018-06-06  0:43   ` Peter Todd
2018-06-06  0:49 ` Peter Todd [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180606004901.zqkpro2by7xj4jpc@petertodd.org \
    --to=pete@petertodd.org \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=jl2012@xbt.hk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox