From: Rusty Russell
To: Johnson Lau, Anthony Towns, bitcoin-dev
Date: Mon, 17 Dec 2018 13:40:42 +1030
Message-ID: <87mup4hmq5.fsf@rustcorp.com.au>
Subject: Re: [bitcoin-dev] Safer sighashes and more granular SIGHASH_NOINPUT

Johnson Lau writes:
> I don’t think this has been mentioned: without signing the script or masked script, OP_CODESEPARATOR becomes unusable or insecure with NOINPUT.
>
> In the new sighash proposal, we will sign the hash of the full script (or masked script), without any truncation. To make OP_CODESEPARATOR work like before, we will commit to the position of the last executed OP_CODESEPARATOR. If NOINPUT doesn’t commit to the masked script, it will just be blindly committing to a random OP_CODESEPARATOR position, which a wallet couldn’t know what codes are actually being executed.

My anti-complexity argument leads me to ask why we'd support OP_CODESEPARATOR at all? Though my argument is weaker here: no wallet need support it.

But I don't see how OP_CODESEPARATOR changes anything here, wrt NOINPUT? Remember, anyone can create an output which can be spent by any NOINPUT, whether we go for OP_MASK or simply not committing to the input script.

Confused,
Rusty.
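A toy model of the claim in the quoted text, added here as an illustration; it is not part of the original message or of the sighash proposal. It compares a digest that commits only to the position of the last executed OP_CODESEPARATOR with one that also commits to the hash of the full script. The digest layout, function names and sample scripts are constructed assumptions, and real Bitcoin serialization and branch execution are not modeled.

```python
import hashlib

CODESEP = "OP_CODESEPARATOR"

def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(4, "little") + p)
    return m.digest()

def last_codesep(script, sig_index):
    """Index of the last OP_CODESEPARATOR before the signature check, or -1.
    Assumes straight-line execution (no OP_IF branches) for simplicity."""
    found = [i for i, op in enumerate(script[:sig_index]) if op == CODESEP]
    return found[-1] if found else -1

def toy_sighash(tx, script, sig_index, commit_script):
    """Toy digest: tx data and codeseparator position, plus the hash of the
    full, untruncated script only when commit_script is True."""
    pos = last_codesep(script, sig_index)
    fields = [tx, pos.to_bytes(4, "little", signed=True)]
    if commit_script:
        fields.append(h(" ".join(script).encode()))
    return h(*fields)

# Constructed sample data: two different scripts whose OP_CODESEPARATOR
# happens to sit at the same index (2), checked by OP_CHECKSIG at index 4.
TX = b"constructed-tx-fields"
SCRIPT_A = ["<key_a>", "OP_CHECKSIGVERIFY", CODESEP, "<key_b>", "OP_CHECKSIG"]
SCRIPT_B = ["<secret_hash>", "OP_EQUALVERIFY", CODESEP, "<key_b>", "OP_CHECKSIG"]
# One script with two separators: the committed position depends on which
# signature check is running.
SCRIPT_C = [CODESEP, "<key_a>", "OP_CHECKSIGVERIFY", CODESEP, "<key_b>", "OP_CHECKSIG"]

def demo():
    return {
        "position_only_collides": toy_sighash(TX, SCRIPT_A, 4, False) == toy_sighash(TX, SCRIPT_B, 4, False),
        "script_commit_collides": toy_sighash(TX, SCRIPT_A, 4, True) == toy_sighash(TX, SCRIPT_B, 4, True),
        "positions_in_c": (last_codesep(SCRIPT_C, 2), last_codesep(SCRIPT_C, 5)),
    }

if __name__ == "__main__":
    print(demo())
```

With position-only commitment the two different scripts produce the same digest, so the signed position says nothing about which code surrounds it; adding the script hash separates them.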