Introduce SIGHASH_SPENDANYOUTPUT
AbandonedPublic
Actions

Authored by jasonbcox on Oct 12 2017, 15:06.

Details

Reviewers

deadalnix
tomtomtom7

Group Reviewers

Restricted Owners Package	(Owns No Changed Paths)
Restricted Project

Summary

This allows non-malleable transactions for use in off-chain chaining.

This is step 1/3

Introduce SIGHASH_SPENDANYOUTPUT with unit tests
Add BIP9 activation with integration tests
Add flag to tooling

Test Plan

WIP

Diff Detail

Repository

rABC Bitcoin ABC

Branch

sighash2

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 982
Build 982: arc lint + arc unit

Event Timeline

tomtomtom7 created this revision.Oct 12 2017, 15:06

Owners added a reviewer: Restricted Owners Package.Oct 12 2017, 15:06

Herald added a reviewer: Restricted Project. · View Herald TranscriptOct 12 2017, 15:06

Harbormaster completed remote builds in B982: Diff 1543.Oct 12 2017, 15:06

I don't think this is a good change. This make a signature reusable. This is not a new proposal, it was discussed ages ago under the name SIGHASH_NOINPUT or something similar. This makes addresses reuse vulnerable. Yes I know, one should not reuse addresses, but that's not a good reason to make them more insecure, just like 0-conf not being 100% secure do not make RBF ok.

This revision now requires changes to proceed.Oct 12 2017, 23:30

My apologies for stubbornly reopening the discussion but I believe one is still needed; hopefully short yet open. Please consider (along the arguments on the ml):

MalFix (like this) doesn't "fix" malleability as TXIDs are still malleable. It only serves off-chain chaining transactions by making prev-tx-out invariant on the signature. The primary (if not only) use case for this is a payment channel's "punishment" transaction.

From the explanation of Joseph Poon (https://lists.linuxfoundation.org/pipermail/lightning-dev/2016-February/000445.html), this flag may actually be needed for LN to function efficiently. If this is the case, not only MalFix would be rather moot, but using this instead would give Cash an edge.

Yes, transactions with this flag can be replayed to other transactions with the same public key. That is exactly the point of this flag. This is bad in the same way "SIGHASH_NONE" is bad; it has very specific use cases.

We need to look at our goal: if we want to enable more automated trickery that that relies on off chain chaining, this serves our purpose better.

If we want want to solve the other inconveniences of malleability (which I'm sceptical we should), neither MalFix nor this helps.

Technical arguments aside, I think this provides us with a better narrative as we are in some ways ahead of SegWit on the matter

deadalnix mentioned this in D597: MalFix: Drop lookup in UTXO set to prevent unneeded relay.Oct 13 2017, 15:39

Added note that scriptPubKey / scriptCode committing obstructs Eltoo.

src/script/interpreter.cpp
1410	Worth noting that this prevents implementing the floating transactions of Eltoo, which require that the UTXO script not be committed in the signature. Preferably scriptCode shouldn't be committed either, so it's not necessary to modify Eltoo scripts to use OP_CODESEPARATOR. (Easy modification in the case of Eltoo updates, but perhaps not so easy for more complex scripts). https://blockstream.com/eltoo.pdf