public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Andrew Kozlik <andrew.kozlik@satoshilabs.com>
To: "Russell O'Connor" <roconnor@blockstream.com>
Cc: jonasd.nick@gmail.com,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>,
	Pieter Wuille <pieter.wuille@gmail.com>
Subject: Re: [bitcoin-dev] BIP-341: Committing to all scriptPubKeys in the signature message
Date: Mon, 4 May 2020 17:48:00 +0200	[thread overview]
Message-ID: <CACvH2e=sxeJ22v6zFEftiNAyJfd5vEaqew4rTVQdhaSnnM0gSw@mail.gmail.com> (raw)
In-Reply-To: <CAMZUoKmrD78naPBcfGsfr_OxyYiWM+G47sWtpNGP+u-9r4MjXA@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4461 bytes --]

>
> A side effect of this proposal is it would seem to make it not possible to
> produce a signature for a transaction without having access to the inputs.
> This is limiting for a number of cases where you don't care about that
> data. There are a litany of use cases where you don't want to have
> SIGHASH_ALL behavior, and having to sign the scriptpubkeys breaks that. So
> at the very least it should respect other flags.
>

I agree, sha_scriptPubKeys should be included only if hash_type does not
match SIGHASH_ANYONECANPAY. I am also sympathetic to aj's idea of making
the scriptPubKey field dependent on hash_type matching SIGHASH_ANYONECANPAY.

I also don't really understand the exact attack. So you submit a
> transaction to the wallet asking them to sign input 10. They sign. They've
> committed to the signature being bound to the specific COutpoint and input
> index, so I don't see how they wouldn't be required to sign a second
> signature with the other output too? Is there an attack you can describe
> end-to-end relying on this behavior?
>

For example, in a CoinJoin transaction the attacker can construct a
transaction with two inputs (in1, in2) of identical value and two outputs
of identical value, one belonging to the user (user_out) and another
belonging to the attacker (attacker_out). If such a transaction is sent to
the hardware wallet twice with in1 marked as external the first time and
in2 marked as external the second time, then the hardware wallet will
display two signing requests to the user with spending amounts of in2 -
user_out and in1 - user_out respectively. The user will think that they are
signing two different CoinJoin transactions, while in reality they are
signing two different inputs to a single transaction and sending half of
the amount to the attacker.

As an alternative proposal, I think you can just make a separate BIP for
> some new sigash flags that can be reviewed separately from taproot. There's
> a lot of value in investing in figuring out more granular controls over
> what the signature hash is you sign, which may have some exciting
> contracting implications!
>

The proposal of adding sha_scriptPubKeys is just an optimization which is
not intended to change what the signature message is committing to. Thus I
don't see it as warranting a new sigash flag.

Alternatively, there's the scheme described in the email you linked by Greg
> Saunders (with the scheme co-attributed to Andrew Poelstra), which seems
> reasonable to me.[1]  It's only downside (AFAICT) is that it requires an
> extra one-way communication from a signing device to a coordinator.  For a
> true offline signer, that can be annoying, but for an automated hardware
> wallet participating in coinjoins or LN, that doesn't seem too burdensome
> to me.
>

Yes, I see this as the correct direction forward. Whatever the exact format
of the ownership proof will be, the proof will need to be signed by the
owner of the UTXO using BIP-0322 or something along those lines. So the
scriptPubKey is needed to verify that signature.

Cheers,
Andrew Kozlik

On Sat, May 2, 2020 at 11:16 PM Russell O'Connor <roconnor@blockstream.com>
wrote:

> On Sat, May 2, 2020 at 10:26 AM Anthony Towns <aj@erisian.com.au> wrote:
>
>>
>> except that we'd arguably still be missing:
>>
>>     is this a coinbase output? (Coin.fCoinBase)
>>     what was the height of the coin? (Coin.nHeight)
>>
>> Maybe committing to the coinbase flag would have some use, but committing
>> to the height would make it hard to chain unconfirmed spends, so at
>> least that part doesn't seem worth adding.
>>
>
> To add to this point, the height of the coin is something that is *not*
> currently covered by any signature mode and including it would constitute a
> change of an entirely different  caliber; a change that I would strongly
> caution against for your above reason and more.
>
> The coinbase output flag is currently covered by the signature as the
> outpoint hash has the required information (its prevout index of 0xFFFFFFFF
> is only legal in a coinbase transaction).  While I'm not particularly
> enthusiastic about making it easier to distinguish coinbase outputs from
> other outputs, and I worry a little about alternative designs for
> implementing the Bitcoin protocol where this information is not so readily
> available, I suppose I won't really oppose adding it.  However, I don't
> think anyone is seriously proposing it.
>
>    -
>
>

[-- Attachment #2: Type: text/html, Size: 5736 bytes --]

  reply	other threads:[~2020-05-04 15:48 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-29 14:57 [bitcoin-dev] BIP-341: Committing to all scriptPubKeys in the signature message Andrew Kozlik
2020-05-01  6:57 ` Jeremy
2020-05-01  8:48   ` Andrew Kozlik
2020-05-01 12:23 ` Russell O'Connor
2020-05-01 12:25   ` Greg Sanders
2020-05-02  4:35     ` Jeremy
2020-05-02 14:26   ` Anthony Towns
2020-05-02 14:43     ` Russell O'Connor
2020-05-02 21:15     ` Russell O'Connor
2020-05-04 15:48       ` Andrew Kozlik [this message]
2020-05-02 12:53 ` David A. Harding
2020-05-05 10:20 ` Jonas Nick
2020-05-11 22:12   ` Pieter Wuille

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CACvH2e=sxeJ22v6zFEftiNAyJfd5vEaqew4rTVQdhaSnnM0gSw@mail.gmail.com' \
    --to=andrew.kozlik@satoshilabs.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=jonasd.nick@gmail.com \
    --cc=pieter.wuille@gmail.com \
    --cc=roconnor@blockstream.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox