On Wed, Dec 12, 2018 at 7:06 PM Anthony Towns <aj@erisian.com.au> wrote:
On Tue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-dev wrote:
> On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau <jl2012@xbt.hk> wrote:
>     The current proposal is that a 64-byte signature will be used for the
>     default “signing all” sighash, and 65-byte for other sighash types. The
>     space saved will allow a few more txs in a block, so I think it worths
>     doing. However, this also makes witness weight estimation more difficult in
>     multisig cases.

This seems strange to me -- why wouldn't you just assume every signature
is 65 witness bytes, and just be grateful for the prioritisation benefit
if someone chooses a shorter signature? Your error margin is just 0.25
vbytes per signature.

The issue is that the proposal is to sign the actual weight, rather than sign an upper bound on the weight.
The problem with signing an upper bound, is that you need to specify that upper bound someplace in the transaction, and we are out of sneaky places to stash that data.
Signing the actual weight is easy because the total weight is implicit, but now you need to know the total weight before signing.
 
> I tend to think in opposite terms. Is there a proof that any script can be
> transformed into an equivalent one that avoids witness weight malleability?

An alternative generalisation: is there a proof that all valid witnesses
will have a weight within some small range?

> Moreover, even if witness weight malleability is entirely avoidable, it always
> seems to come at a cost.  Taking as an example libwally's proposed "
> csv_2of3_then_2" Script, it begins with "OP_DEPTH OP_1SUB OP_1SUB"

(DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)

I think the 1SUB idea was derived from the csv_2of2_then_1 Script where DEPTH 1SUB is shorter than DEPTH 1 NUMNOTEQUAL.
 
Cheers,
aj