public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Johnson Lau <jl2012@xbt.hk>
To: Jonas Nick <jonasdnick@gmail.com>,
	bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP sighash_noinput
Date: Thu, 27 Sep 2018 03:45:49 +0800	[thread overview]
Message-ID: <D3D0114C-0D5C-4EE4-AD48-B046551BAAD4@xbt.hk> (raw)
In-Reply-To: <feff454d-2cc2-2104-5c6c-69630506bd56@gmail.com>

In BIP143, the nSequence of the same input is always signed, with any hashtype. Why do you need to sign the sequence of other inputs?

> On 26 Sep 2018, at 5:36 PM, Jonas Nick via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
>> At the risk of bikeshedding, shouldn't NOINPUT also zero out the
>> hashSequence so that its behaviour is consistent with ANYONECANPAY?
> 
> There is a good reason for not doing that. If NOINPUT would sign the
> hashSequence then it would be possible to get rid of OP_CSV in eltoo update
> scripts. As a result update scripts could be taprootified because the more
> common branch (settlement) would be just a 2-of-2 multisig. Applying taproot
> would then make unilateral settlement look like a single pubkey spend and avoid
> having to reveal the unexecuted (update) branch.
> 
> Eltoo update transaction outputs consist of two branches, update and
> settlement, where the update branch can be spend by a more recent update
> transaction if an obsolete update transaction ends up spending the funding
> output. The settlement branch is a 2-of-2 multisig with a relative timelock
> using OP_CSV. Removing OP_CSV is possible because both parties signature is
> required to spend the update transaction. They will only sign if the input has
> the right sequence numbers which is sufficient to enforce the timeout (BIP68) -
> assuming they are covered by the signature.
> 
> There's a catch: hashSequence includes the sequence numbers of all transaction
> inputs. That's not a problem for eltoo because settlement transactions only
> have one input. The update mechanism with update transactions relies on being
> able to bump the fee by unilaterally adding inputs and and change outputs to
> the transaction. That's also not a problem because update spends do not use
> relative timelocks and they are signed with SINGLE. So whenever NOINPUT is
> combined SINGLE the hashSequence should be zeroed. This is in fact what a
> minimal change to the current NOINPUT implementation would naturally do (see
> below). However, that's error-prone when using NOINPUT in other contexts so in
> general it would be better if NOINPUT would only sign the sequence number of
> the corresponding input.
> 
> Another downside of this approach is that you can never rebind to an output
> with an OP_CSV that requires a larger sequence number, unless you also sign
> with SIGHASH_SINGLE. It's difficult to imagine application where this would be
> an issue.
> 
> This is the modification to the NOINPUT implementation
> (https://github.com/cdecker/bitcoin/commits/noinput) which makes eltoo
> unilateral closes taprootifiable:
> +++ b/src/script/interpreter.cpp
> @@ -1223,7 +1223,7 @@ uint256 SignatureHash(const CScript& scriptCode, const CTransaction& txTo, unsig
>             hashPrevouts = cacheready ? cache->hashPrevouts : GetPrevoutHash(txTo);
>         }
> 
> -        if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE && !noinput) {
> +        if (!(nHashType & SIGHASH_ANYONECANPAY) && (nHashType & 0x1f) != SIGHASH_SINGLE && (nHashType & 0x1f) != SIGHASH_NONE) {
>             hashSequence = cacheready ? cache->hashSequence : GetSequenceHash(txTo);
>         }
> 
> On 5/1/18 4:58 PM, Russell O'Connor via bitcoin-dev wrote:
>> At the risk of bikeshedding, shouldn't NOINPUT also zero out the
>> hashSequence so that its behaviour is consistent with ANYONECANPAY?
>> 
> 




  reply	other threads:[~2018-09-26 19:46 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-04-30 16:29 [bitcoin-dev] BIP sighash_noinput Christian Decker
2018-04-30 18:25 ` Dario Sneidermanis
2018-05-01 16:58 ` Russell O'Connor
2018-05-01 17:32   ` Christian Decker
2018-05-04  9:15     ` ZmnSCPxj
2018-05-04 11:09       ` Christian Decker
2018-05-04 14:25         ` ZmnSCPxj
2018-09-26  9:36   ` Jonas Nick
2018-09-26 19:45     ` Johnson Lau [this message]
2018-09-26 20:40       ` Jonas Nick
2018-05-07 19:40 ` Christian Decker
2018-05-07 20:51   ` Bram Cohen
2018-07-03  6:58     ` [bitcoin-dev] [Lightning-dev] " ZmnSCPxj
2018-07-03 11:54       ` William Casarin
2018-05-08 14:40   ` [bitcoin-dev] " Anthony Towns
2018-05-09 23:01     ` Olaoluwa Osuntokun
2018-05-09 23:04     ` Rusty Russell
2018-05-14  9:23       ` [bitcoin-dev] [Lightning-dev] " Anthony Towns
2018-05-15 14:28         ` Christian Decker
2018-05-07 23:47 ` [bitcoin-dev] " Olaoluwa Osuntokun
2018-05-10 14:12   ` Christian Decker
2018-07-02 18:11 ` Gregory Maxwell
2018-07-03  4:56   ` Rusty Russell
2018-07-03  5:21     ` Peter Todd
2018-07-03 23:45       ` Gregory Maxwell
2018-07-09  9:41         ` Peter Todd
2018-07-03 12:05   ` Christian Decker
2018-07-03 12:13   ` [bitcoin-dev] [Lightning-dev] " Luke Dashjr
2018-07-04 18:08     ` fred savage
2018-07-05  8:18       ` vv01f
     [not found]     ` <CAK_c0Xo0G9-YiOGZK_8WsYNkzjQRaH+u7XOUAozKosggXeXTNg@mail.gmail.com>
2018-07-11  7:43       ` ZmnSCPxj
2018-07-13  0:04       ` Rusty Russell
2018-07-13  9:50         ` fred savage
2018-07-13 11:07           ` Christian Decker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=D3D0114C-0D5C-4EE4-AD48-B046551BAAD4@xbt.hk \
    --to=jl2012@xbt.hk \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=jonasdnick@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox