From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <jl2012@xbt.hk>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id EF93399A
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 17 Aug 2016 10:00:42 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from erelay3.ox.registrar-servers.com
	(erelay3.ox.registrar-servers.com [192.64.117.2])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 53ACC1E6
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 17 Aug 2016 10:00:40 +0000 (UTC)
Received: from localhost (unknown [127.0.0.1])
	by erelay1.ox.registrar-servers.com (Postfix) with ESMTP id
	64A172200771; Wed, 17 Aug 2016 10:00:39 +0000 (UTC)
Received: from erelay1.ox.registrar-servers.com ([127.0.0.1])
	by localhost (erelay.ox.registrar-servers.com [127.0.0.1]) (amavisd-new,
	port 10024)
	with LMTP id njAlNolnmskr; Wed, 17 Aug 2016 06:00:38 -0400 (EDT)
Received: from MTA-06.privateemail.com (unknown [10.20.150.160])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by erelay1.ox.registrar-servers.com (Postfix) with ESMTPS id
	2DA222206BE5; Wed, 17 Aug 2016 06:00:38 -0400 (EDT)
Received: from APP-06 (unknown [10.20.147.156])
	(using TLSv1 with cipher AES256-SHA (256/256 bits))
	(No client certificate requested)
	by MTA-06.privateemail.com (Postfix) with ESMTPSA id B54C76003D;
	Wed, 17 Aug 2016 10:00:37 +0000 (UTC)
Date: Wed, 17 Aug 2016 06:00:37 -0400 (EDT)
From: Johnson Lau <jl2012@xbt.hk>
Reply-To: Johnson Lau <jl2012@xbt.hk>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>, 
	Peter Todd <pete@petertodd.org>, Luke Dashjr <luke@dashjr.org>
Message-ID: <253352817.96000.1471428037734@privateemail.com>
In-Reply-To: <201607200617.40917.luke@dashjr.org>
References: <CAKazn3mKUMMz0wyqTsgbkd4mBLgvG2PXziXhgRTi4hX_ApbPhg@mail.gmail.com>
	<20160720054654.GA1420@fedora-21-dvm>
	<201607200617.40917.luke@dashjr.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Priority: 3
Importance: Medium
X-Mailer: Open-Xchange Mailer v7.8.1-Rev18
X-Originating-Client: open-xchange-appsuite
X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] BIP draft: HTLC transactions
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Aug 2016 10:00:43 -0000


> On July 20, 2016 at 2:17 AM Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
> 
> > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> > 
> > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > > in Bitcoin.
> > > 
> > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > > can be used to recover your funds if the other party is not cooperative.
> > > These
> > > 
> > > scripts take the following general form:
> > >  [HASHOP]  OP_EQUAL
> > >  OP_IF
> > > 
> > > 
> > > 
> > > OP_ELSE
> > > 
> > >  [TIMEOUTOP] OP_DROP 
> > > 
> > > OP_ENDIF
> > >  OP_CHECKSIG
> > 
> > Note that because you're hashing the top item on the stack regardless
> > scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> > changed anything in the digest-not-provided case and the script still
> > passes.
> 
> OP_SIZE
> OP_IF
>  [HASHOP] <digest> OP_EQUALVERIFY
>  <seller pubkey>
> OP_ELSE
>  <num> [TIMEOUTOP]
>  <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG
> 

This is incompatible with my proposal for fixing the OP_IF/NOTIF malleability in segwit ("MINIMALIF"). In this case only the timeout branch may be executed.

To make it compatible, you may use one of the following 2 scripts:

OP_SIZE OP_0NOTEQUAL
OP_IF
 [HASHOP] <digest> OP_EQUALVERIFY
 <seller pubkey>
OP_ELSE
 <num> [TIMEOUTOP] OP_DROP
 <buyer pubkey>
OP_ENDIF
OP_CHECKSIG

or

OP_IF
 [HASHOP] <digest> OP_EQUALVERIFY
 <seller pubkey>
OP_ELSE
 <num> [TIMEOUTOP] OP_DROP
 <buyer pubkey>
OP_ENDIF
OP_CHECKSIG

The overall witness size are the same for these scripts. They are 1 byte larger than Luke's script, in case MINIMALIF is not enforced.

(btw, the OP_DROP after TIMEOUTOP is missing in Luke's script)