From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 96DDB3EE for ; Mon, 7 May 2018 23:47:36 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm0-f53.google.com (mail-wm0-f53.google.com [74.125.82.53]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 6B874F4 for ; Mon, 7 May 2018 23:47:35 +0000 (UTC) Received: by mail-wm0-f53.google.com with SMTP id t11so15993524wmt.0 for ; Mon, 07 May 2018 16:47:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=gXgh5yMwGPGhB/J0dzYQeaPSgk+yoORS5AHYVP79u7s=; b=JkDYD8gTBHUvz84fEFXZ61ZUuNJK9SJ1i/mn7ZgnLMBrWoVYYZHH23gqyBRnxjzC5y aGG1QQTqIBhCn0uxFmgsg2YjIGGQijiT2jAhz7ajqwOZh0ePXG7uTi+Os/XBy0d5msiK JsScxEH4nvmYP0YAI4QLuSKp+tPoMHBUTk/ueda0orbZKVJedoMyn7oOEuw0pnV7khsx E1xNi7NWIS7SvG1vxMaP7TYtfsrZrKDv49cP+FNmcoLp/dhiVcqUU9ExTtu/eZhNiyLG W/elHho7PlFEq7rQnNfZGfdStefz5M7fyGgvx+5V9l1ZMBcBjkkCsHWz/8GOg7c8lc0F IXGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=gXgh5yMwGPGhB/J0dzYQeaPSgk+yoORS5AHYVP79u7s=; b=cJom6Js56iRHswnRLOoozvh0S1Qr6HSOh46ZJGi4ZN98M7cP063y7M0Hy4PBqHCbFR uNGMOaDyv/r48pBjL3dEGVTKZV5UOnZXzHx593ki4eZ9jzgVmS9hRY1IR1ZChNV1zfUw LK9F2sleho4yLg0FkoNp1ERifHNRZcgTugPYQt5tfCaJCoP5qTUQU29zxCWAMiU9MXet gEaWQhmEui/UfuKUJsCIf6FjowhLpVqXZjzKQDLXjAL+ZMGKx9JpOJL2hMy4oYG0AE6I J+Qfpqkye7ni/+uhXsSY77OtThTqH459GUZbeiWpcnM4pGTD5bL/CR2A8zOcRJv2vyKP fADA== X-Gm-Message-State: ALQs6tBpv21b5vxBL+IYY8VgbZqNnBK7WOnY7IS/WD1yZFIqys01SVjT KO1ukb94+Hj6DUwsznq8U68eRyHZ9FKud/ZmJjY= X-Google-Smtp-Source: AB8JxZpVjHU7MOfR45earP7nJaU9dZ4hO6D6fXAGUxFaiQgLlYHqwqD7n4N7vgcTupjp1z9b7yB718NimwBcNaiuYaM= X-Received: by 2002:aa7:c2d0:: with SMTP id m16-v6mr52608945edp.171.1525736853938; Mon, 07 May 2018 16:47:33 -0700 (PDT) MIME-Version: 1.0 References: <871sewirni.fsf@gmail.com> In-Reply-To: <871sewirni.fsf@gmail.com> From: Olaoluwa Osuntokun Date: Mon, 07 May 2018 23:47:23 +0000 Message-ID: To: Christian Decker , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000003325da056ba64b0c" X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, HTML_MESSAGE,RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] BIP sighash_noinput X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 07 May 2018 23:47:36 -0000 --0000000000003325da056ba64b0c Content-Type: text/plain; charset="UTF-8" Super stoked to see that no_input has been resurrected!!! I actually implemented a variant back in 2015 when Tadge first described the approach to me for both btcd [1], and bitcoind [2]. The version being proposed is _slightly_ differ though, as the initial version I implemented still committed to the script being sent, while this new version just relies on witness validity instead. This approach is even more flexible as the script attached to the output being spent can change, without rendering the spending transaction invalid as long as the witness still ratifies a branch in the output's predicate. Given that this would introduce a _new_ sighash flag, perhaps we should also attempt to bundle additional more flexible sighash flags concurrently as well? This would require a larger overhaul w.r.t to how sighash flags are interpreted, so in this case, we may need to introduce a new CHECKSIG operator (lets call it CHECKSIG_X for now), which would consume an available noop opcode. As a template for more fine grained sighashing control, I'll refer to jl2012's BIP-0YYY [3] (particularly the "New nHashType definitions" section). This was originally proposed in the context of his merklized script work as it more or less opened up a new opportunity to further modify script within the context of merklized script executions. The approach reads in the sighash flags as a bit vector, and allows developers to express things like: "don't sign the input value, nor the sequence, but sign the output of this input, and ONLY the script of this output". This approach is _extremely_ powerful, and one would be able to express the equivalent of no_input by setting the appropriate bits in the sighash. Looking forward in hearing y'alls thoughts on this approach, thanks. [1]: https://github.com/Roasbeef/btcd/commits/SIGHASH_NOINPUT [2]: https://github.com/Roasbeef/bitcoin/commits/SIGHASH_NOINPUT [3]: https://github.com/jl2012/bips/blob/vault/bip-0YYY.mediawiki#new-nhashtype-definitions -- Laolu On Mon, Apr 30, 2018 at 10:30 AM Christian Decker via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Hi all, > > I'd like to pick up the discussion from a few months ago, and propose a new > sighash flag, `SIGHASH_NOINPUT`, that removes the commitment to the > previous > output. This was previously mentioned on the list by Joseph Poon [1], but > was > never formally proposed, so I wrote a proposal [2]. > > We have long known that `SIGHASH_NOINPUT` would be a great fit for > Lightning. > They enable simple watch-towers, i.e., outsource the need to watch the > blockchain for channel closures, and react appropriately if our > counterparty > misbehaves. In addition to this we just released the eltoo [3,4] paper > which > describes a simplified update mechanism that can be used in Lightning, and > other > off-chain contracts, with any number of participants. > > By not committing to the previous output being spent by the transaction, > we can > rebind an input to point to any outpoint with a matching output script and > value. The binding therefore is no longer explicit through a reference, but > through script compatibility, and the transaction ID reference in the > input is a > hint to validators. The sighash flag is meant to enable some off-chain > use-cases > and should not be used unless the tradeoffs are well-known. In particular > we > suggest using contract specific key-pairs, in order to avoid having any > unwanted > rebinding opportunities. > > The proposal is very minimalistic, and simple. However, there are a few > things > where we'd like to hear the input of the wider community with regards to > the > implementation details though. We had some discussions internally on > whether to > use a separate opcode or a sighash flag, some feeling that the sighash flag > could lead to some confusion with existing wallets, but given that we have > `SIGHASH_NONE`, and that existing wallets will not sign things with unknown > flags, we decided to go the sighash way. Another thing is that we still > commit > to the amount of the outpoint being spent. The rationale behind this is > that, > while rebinding to outpoints with the same value maintains the value > relationship between input and output, we will probably not want to bind to > something with a different value and suddenly pay a gigantic fee. > > The deployment part of the proposal is left vague on purpose in order not > to > collide with any other proposals. It should be possible to introduce it by > bumping the segwit script version and adding the new behavior. > > I hope the proposal is well received, and I'm looking forward to discussing > variants and tradeoffs here. I think the applications we proposed so far > are > quite interesting, and I'm sure there are many more we can enable with this > change. > > Cheers, > Christian > > [1] > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html > [2] https://github.com/cdecker/bips/blob/noinput/bip-xyz.mediawiki > [3] https://blockstream.com/2018/04/30/eltoo-next-lightning.html > [4] https://blockstream.com/eltoo.pdf > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000003325da056ba64b0c Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Super stoked to see that no_input has been resur= rected!!! I actually
implemented a variant back in 2015 when Tadg= e first described the approach to
me for both btcd [1], and bitco= ind [2]. The version being proposed is
_slightly_ differ though, = as the initial version I implemented still committed
to the scrip= t being sent, while this new version just relies on
witness valid= ity instead. This approach is even more flexible as the script
at= tached to the output being spent can change, without rendering the spending=
transaction invalid as long as the witness still ratifies a bran= ch in the
output's predicate.

Given = that this would introduce a _new_ sighash flag, perhaps we should also
attempt to bundle additional more flexible sighash flags concurrently= as well?
This would require a larger overhaul w.r.t to how sigha= sh flags are
interpreted, so in this case, we may need to introdu= ce a new CHECKSIG operator
(lets call it CHECKSIG_X for now), whi= ch would consume an available noop
opcode. As a template for more= fine grained sighashing control, I'll refer to
jl2012's = BIP-0YYY [3] (particularly the "New nHashType definitions" sectio= n).
This was originally proposed in the context of his merklized = script work as it
more or less opened up a new opportunity to fur= ther modify script within the
context of merklized script executi= ons.=C2=A0 The approach reads in the
sighash flags as a bit vecto= r, and allows developers to express things like:
"don't = sign the input value, nor the sequence, but sign the output of this
input, and ONLY the script of this output". This approach is _extre= mely_
powerful, and one would be able to express the equivalent o= f no_input by
setting the appropriate bits in the sighash.
<= div>
Looking forward in hearing y'alls thoughts on this a= pproach, thanks.


-- Laolu

On Mon, Apr 30, 2018 at 10:30 AM Chris= tian Decker via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Hi all,

I'd like to pick up the discussion from a few months ago, and propose a= new
sighash flag, `SIGHASH_NOINPUT`, that removes the commitment to the previou= s
output. This was previously mentioned on the list by Joseph Poon [1], but w= as
never formally proposed, so I wrote a proposal [2].

We have long known that `SIGHASH_NOINPUT` would be a great fit for Lightnin= g.
They enable simple watch-towers, i.e., outsource the need to watch the
blockchain for channel closures, and react appropriately if our counterpart= y
misbehaves. In addition to this we just released the eltoo [3,4] paper whic= h
describes a simplified update mechanism that can be used in Lightning, and = other
off-chain contracts, with any number of participants.

By not committing to the previous output being spent by the transaction, we= can
rebind an input to point to any outpoint with a matching output script and<= br> value. The binding therefore is no longer explicit through a reference, but=
through script compatibility, and the transaction ID reference in the input= is a
hint to validators. The sighash flag is meant to enable some off-chain use-= cases
and should not be used unless the tradeoffs are well-known. In particular w= e
suggest using contract specific key-pairs, in order to avoid having any unw= anted
rebinding opportunities.

The proposal is very minimalistic, and simple. However, there are a few thi= ngs
where we'd like to hear the input of the wider community with regards t= o the
implementation details though. We had some discussions internally on whethe= r to
use a separate opcode or a sighash flag, some feeling that the sighash flag=
could lead to some confusion with existing wallets, but given that we have<= br> `SIGHASH_NONE`, and that existing wallets will not sign things with unknown=
flags, we decided to go the sighash way. Another thing is that we still com= mit
to the amount of the outpoint being spent. The rationale behind this is tha= t,
while rebinding to outpoints with the same value maintains the value
relationship between input and output, we will probably not want to bind to=
something with a different value and suddenly pay a gigantic fee.

The deployment part of the proposal is left vague on purpose in order not t= o
collide with any other proposals. It should be possible to introduce it by<= br> bumping the segwit script version and adding the new behavior.

I hope the proposal is well received, and I'm looking forward to discus= sing
variants and tradeoffs here. I think the applications we proposed so far ar= e
quite interesting, and I'm sure there are many more we can enable with = this
change.

Cheers,
Christian

[1] https://lists.l= inuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html
[2] https://github.com/cdecker/bips/bl= ob/noinput/bip-xyz.mediawiki
[3] https://blockstream.com/2018/04/30/e= ltoo-next-lightning.html
[4] https://blockstream.com/eltoo.pdf
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--0000000000003325da056ba64b0c--