From: Anthony Towns
To: Russell O'Connor
Cc: jonasd.nick@gmail.com, Bitcoin Protocol Discussion, Pieter Wuille
Date: Sun, 3 May 2020 00:26:02 +1000
Message-ID: <20200502142602.rj7q2m32ew6trh6u@erisian.com.au>
Subject: Re: [bitcoin-dev] BIP-341: Committing to all scriptPubKeys in the signature message

On Fri, May 01, 2020 at 08:23:07AM -0400, Russell O'Connor wrote:
> Regarding specifics, I personally think it would be better to keep the
> hashes of the ScriptPubKeys separate from the hashes of the input values.

I think Andrew's original suggestion achieves this:

>> The obvious way to implement this is to add another hash to the
>> signature message:
>>
>>   sha_scriptPubKeys (32): the SHA256 of the serialization of all
>>   scriptPubKeys of the previous outputs spent by this transaction.

presumably with sha_scriptPubKeys' inclusion being conditional on hash_type
not matching ANYONECANPAY.

We could possibly also make the "scriptPubKey" field dependent on hash_type
matching ANYONECANPAY, making this not cost any more in serialised bytes
per signature.

This would basically mean we're committing to each component of the UTXOs
being spent:

without ANYONECANPAY:
  sha_prevouts      commits to the txid hashes and vout indexes (COutPoint)
  sha_amounts       commits to the nValues (Coin.CTxOut.nValue)
  sha_scriptpubkeys commits to the scriptPubKey (Coin.CTxOut.scriptPubKey)

with ANYONECANPAY it's the same but just for this input's prevout:
  outpoint
  amount
  scriptPubKey

except that we'd arguably still be missing:
  is this a coinbase output? (Coin.fCoinBase)
  what was the height of the coin? (Coin.nHeight)

Maybe committing to the coinbase flag would have some use, but committing
to the height would make it hard to chain unconfirmed spends, so at least
that part doesn't seem worth adding.

> I would also (and independently) propose separating the hashing of the
> output values from the output ScriptPubKeys in `sha_outputs` so again,
> applications interested only in summing the values of the outputs (for
> instance to compute fees) do not have to wade through those arbitrarily
> long ScriptPubKeys in the outputs.

If you didn't verify the output scriptPubKeys, you would *only* be able to
care about fees since you couldn't verify where any of the funds went? And
you'd only be able to say fees are "at least x", since they could be more
if one of the scriptPubKeys turned out to be OP_TRUE e.g.

That might almost make sense for a transaction accelerator that's trying to
increase the fees; but only if you were doing it for someone else's
transaction (since otherwise you'd care about the output addresses) and
only if you were happy to not receive any change? Seems like a pretty weird
use case?

There's some prior discussion on this topic at:

  http://www.erisian.com.au/taproot-bip-review/log-2020-03-04.html
  http://www.erisian.com.au/taproot-bip-review/log-2020-03-05.html

Cheers,
aj
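The per-component commitments described in the message (sha_prevouts, sha_amounts, sha_scriptpubkeys without ANYONECANPAY; the single input's outpoint, amount and scriptPubKey with it), as an added illustration that is not part of the thread and not BIP-341's actual signature-message encoding. The field names, the `Coin` record, the serialisation helpers and the sample coins are assumptions constructed here; the point shown is that a signer whose view of a spent scriptPubKey differs from the chain's produces a different sha_scriptpubkeys while the prevout and amount commitments are unchanged, so the scriptPubKey mismatch is detected by the commitment rather than by inspecting the scripts.

```python
import hashlib
import struct
from dataclasses import dataclass

# Hash-type bit as used in Bitcoin; the other constant is for readability.
SIGHASH_ALL = 0x01
SIGHASH_ANYONECANPAY = 0x80


@dataclass(frozen=True)
class Coin:
    """Hypothetical record of a spent UTXO (assumed shape, not Core's Coin)."""
    txid: bytes          # 32-byte transaction id of the previous output
    vout: int            # output index in that transaction
    amount: int          # value in satoshis
    script_pubkey: bytes # raw scriptPubKey of the previous output


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def compact_size(n: int) -> bytes:
    """Bitcoin CompactSize length prefix (enough for the ranges used here)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    return b"\xfe" + struct.pack("<I", n)


def ser_outpoint(c: Coin) -> bytes:
    return c.txid + struct.pack("<I", c.vout)          # COutPoint: 36 bytes


def ser_amount(c: Coin) -> bytes:
    return struct.pack("<q", c.amount)                 # nValue: 8 bytes LE


def ser_script(c: Coin) -> bytes:
    return compact_size(len(c.script_pubkey)) + c.script_pubkey


def utxo_commitments(coins: list, input_index: int, hash_type: int) -> dict:
    """Return the UTXO-side fields a signature message would commit to.

    Without ANYONECANPAY: one 32-byte hash per component over all inputs.
    With ANYONECANPAY: the raw fields of this input's prevout only.
    """
    if hash_type & SIGHASH_ANYONECANPAY:
        c = coins[input_index]
        return {
            "outpoint": ser_outpoint(c),
            "amount": ser_amount(c),
            "scriptPubKey": ser_script(c),
        }
    return {
        "sha_prevouts": sha256(b"".join(ser_outpoint(c) for c in coins)),
        "sha_amounts": sha256(b"".join(ser_amount(c) for c in coins)),
        "sha_scriptpubkeys": sha256(b"".join(ser_script(c) for c in coins)),
    }


def commitment_size(fields: dict) -> int:
    """Bytes these fields contribute to the signature message."""
    return sum(len(v) for v in fields.values())


def make_sample_coins() -> list:
    # Constructed sample data, not real chain data.
    return [
        Coin(bytes.fromhex("11" * 32), 0, 50_000, bytes.fromhex("0014" + "aa" * 20)),
        Coin(bytes.fromhex("22" * 32), 1, 75_000, bytes.fromhex("5120" + "bb" * 32)),
    ]


def mismatched_components(view_a: list, view_b: list, input_index: int, hash_type: int) -> list:
    """Names of commitment fields that differ between two views of the spent coins."""
    a = utxo_commitments(view_a, input_index, hash_type)
    b = utxo_commitments(view_b, input_index, hash_type)
    return sorted(k for k in a if a[k] != b[k])


if __name__ == "__main__":
    chain_view = make_sample_coins()
    # A signer fed a wrong scriptPubKey for input 0 (same outpoint, same amount).
    wrong_view = [Coin(chain_view[0].txid, chain_view[0].vout, chain_view[0].amount, b"\x51"),
                  chain_view[1]]
    print(mismatched_components(chain_view, wrong_view, 0, SIGHASH_ALL))
    print(commitment_size(utxo_commitments(chain_view, 1, SIGHASH_ALL)),
          commitment_size(utxo_commitments(chain_view, 1, SIGHASH_ALL | SIGHASH_ANYONECANPAY)))
```

With the sample coins the full-transaction form costs 96 bytes of hashes per signature regardless of how many inputs there are, while the ANYONECANPAY form for input 1 carries the 36-byte outpoint, 8-byte amount and 35-byte length-prefixed script, which is the "no extra serialised bytes" trade-off the message alludes to.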