On Wed, Dec 12, 2018 at 5:15 PM Russell O'Connor via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> I tend to think in opposite terms. Is there a proof that any script can be transformed into an equivalent one that avoids witness weight malleability? But I admit there is a trade off: If we don't allow for signature covers weight, and we do need it, it will be too late to add. On the other hand if we add signature covers weight, but it turns out that no Script ever needs to use it, then we've added that software complexity for no gain. However, I think the software complexity is relatively low, making it worthwhile.
>
> Moreover, even if witness weight malleability is entirely avoidable, it always seems to come at a cost. Taking as an example libwally's proposed "csv_2of3_then_2"
I'm largely in agreement with you-- but my difficulty in arguing for
signing the weight is that it seemed to me that it was only easy to
sign an upper bound because some witnesses are variable size... and
signing an upper bound means more signalling overhead... offsetting
the space gains for demalleating.
In multi-party protocols, the last person to sign knows what the total weight is going to be (now that we have fixed sized signatures) and at least they have the ability to sign it. They are probably motivated to sign the weight as long as they are interested in the success of the transaction. I suppose there could be asynchronous protocols where there isn't a last person to sign, but that seems a bit weird. Greg, you are probably more familiar with examples of multi-party protocols than I am.
OTOH maybe the last person to sign isn't interested in the success of the transaction and wants to cause grief by bloating the transaction and signing the bloated weight. I guess in such protocols, you'll have to keep the anti-malleablity Script Code.
I totally get the idea that signing weight has a lot of issues in many scenarios. But I still feel than on the whole it is better to make the option available than to be forced to rely on anti-malleability Script Code or non-consensus relay policy.