📅 Original date posted:2018-03-15
📝 Original message:I like this proposal, it seems sufficiently general.
How are scripts with OP_CLTV and OP_CSV handled by verifiers? Do they
always succeed? Or should an nLockTime and nSequence also be included in
the proof in a way that can be parsed out and displayed to verifiers?
I assume any signatures in the scriptSig/witness data would have no sighash
type?
On Wed, Mar 14, 2018 at 8:01 PM, Karl Johan Alm via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> On Wed, Mar 14, 2018 at 5:46 AM, Kalle Rosenbaum <kalle at rosenbaum.se>
> wrote:
> > I can't really see from your proposal if you had thought of this: A soft
> > fork can make old nodes accept invalid message signatures as valid. For
> > example, a "signer" can use a witness version unknown to the verifier to
> > fool the verifier. Witness version is detectable (just reject unknown
> > witness versions) but there may be more subtle changes. Segwit was not
> > "detectable" in that way, for example.
> >
> > This is the reason why I withdrew BIP120. If you have thought about the
> > above, I'd be very interested.
>
> I'm not sure I see the problem. The scriptPubKey is derived directly
> from the address in all cases, which means the unknown witness version
> would have to be committed to in the address itself.
>
> So yeah, I can make a P2SH address with a witness version > 0 and a to
> me unknown pubkey and then fool you into thinking I own it, but I
> don't really see why you'd ultimately care. In other words, if I can
> SPEND funds sent to that address today, I can prove that I can spend
> today, which is the purpose of the tool, I think.
>
> For the case where the witness version HAS been upgraded, the above
> still applies, but I'm not sure it's a big issue. And it doesn't
> really require an old node. I just need to set witness version >
> current witness version and the problem applies to all nodes.
>
> On Wed, Mar 14, 2018 at 8:36 AM, Luke Dashjr <luke at dashjr.org> wrote:
> > I don't see a need for a new RPC interface, just a new signature format.
>
> All right.
>
> > Ideally, it should support not only just "proof I receive at this
> address",
> > but also "proof of funds" (as a separate feature) since this is a popular
> > misuse of the current message signing (which doesn't actually prove
> funds at
> > all). To do this, it needs to be capable of signing for multiple inputs.
>
> I assume by inputs you mean addresses/keys. The address field could
> optionally be an array. That'd be enough?
>
> > Preferably, it should also avoid disclosing the public key for existing
> or
> > future UTXOs. But I don't think it's possible to avoid this without
> something
> > MAST-like first. Perhaps it can be a MAST upgrade later on, but the new
> > signature scheme should probably be designed with it in mind.
>
> I'd love to not have to reveal the public key, but I'm not sure how it
> would be done, even with MAST.
>
> On Wed, Mar 14, 2018 at 12:12 PM, Anthony Towns <aj at erisian.com.au> wrote:
> > Wouldn't it be sufficient for old nodes to check for standardness of the
> spending script and report non-standard scripts as either invalid outright,
> or at least highly questionable? That should prevent confusion as long as
> soft forks are only making nonstandard behaviours invalid.
>
> That seems sensible to me. A warning would probably be useful, in case
> the verifier is running old software.
>
> -Kalle.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180314/0281bc39/attachment-0001.html>;
Jim Posen [ARCHIVE] /
npub1nc…lqt2n
2023-06-07 20:11:13
in reply to nevent1q…l9ms
Author Public Key
npub1ncnj8arudstdxzfhxk7k4nwgkrw3hyw8sgt0wqqmm5hh2c4knmgs2lqt2nSeen on
wss://relay.noswhere.comPublished at
2023-06-07 20:11:13Event JSON
{
"id": "e36b50c558594bdcd14a516619ff3584b7cd8a1d67f1ecc75107a2df507d9612",
"pubkey": "9e2723f47c6c16d3093735bd6acdc8b0dd1b91c78216f7001bdd2f7562b69ed1",
"created_at": 1686161473,
"kind": 1,
"tags": [
[
"e",
"fde6d8b8cd384fa838810364bd9a6edd18aea9246ae8127a644187087642ae18",
"",
"root"
],
[
"e",
"e5ee588fa44959aecd37f464504dcd4f1b1fd69c1211102f7f7a107c5a0255b6",
"",
"reply"
],
[
"p",
"cf98d015f410ea690e93370543fcb2c3129303ca3921fd6d463206f557722518"
]
],
"content": "📅 Original date posted:2018-03-15\n📝 Original message:I like this proposal, it seems sufficiently general.\n\nHow are scripts with OP_CLTV and OP_CSV handled by verifiers? Do they\nalways succeed? Or should an nLockTime and nSequence also be included in\nthe proof in a way that can be parsed out and displayed to verifiers?\n\nI assume any signatures in the scriptSig/witness data would have no sighash\ntype?\n\nOn Wed, Mar 14, 2018 at 8:01 PM, Karl Johan Alm via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e On Wed, Mar 14, 2018 at 5:46 AM, Kalle Rosenbaum \u003ckalle at rosenbaum.se\u003e\n\u003e wrote:\n\u003e \u003e I can't really see from your proposal if you had thought of this: A soft\n\u003e \u003e fork can make old nodes accept invalid message signatures as valid. For\n\u003e \u003e example, a \"signer\" can use a witness version unknown to the verifier to\n\u003e \u003e fool the verifier. Witness version is detectable (just reject unknown\n\u003e \u003e witness versions) but there may be more subtle changes. Segwit was not\n\u003e \u003e \"detectable\" in that way, for example.\n\u003e \u003e\n\u003e \u003e This is the reason why I withdrew BIP120. If you have thought about the\n\u003e \u003e above, I'd be very interested.\n\u003e\n\u003e I'm not sure I see the problem. The scriptPubKey is derived directly\n\u003e from the address in all cases, which means the unknown witness version\n\u003e would have to be committed to in the address itself.\n\u003e\n\u003e So yeah, I can make a P2SH address with a witness version \u003e 0 and a to\n\u003e me unknown pubkey and then fool you into thinking I own it, but I\n\u003e don't really see why you'd ultimately care. In other words, if I can\n\u003e SPEND funds sent to that address today, I can prove that I can spend\n\u003e today, which is the purpose of the tool, I think.\n\u003e\n\u003e For the case where the witness version HAS been upgraded, the above\n\u003e still applies, but I'm not sure it's a big issue. And it doesn't\n\u003e really require an old node. I just need to set witness version \u003e\n\u003e current witness version and the problem applies to all nodes.\n\u003e\n\u003e On Wed, Mar 14, 2018 at 8:36 AM, Luke Dashjr \u003cluke at dashjr.org\u003e wrote:\n\u003e \u003e I don't see a need for a new RPC interface, just a new signature format.\n\u003e\n\u003e All right.\n\u003e\n\u003e \u003e Ideally, it should support not only just \"proof I receive at this\n\u003e address\",\n\u003e \u003e but also \"proof of funds\" (as a separate feature) since this is a popular\n\u003e \u003e misuse of the current message signing (which doesn't actually prove\n\u003e funds at\n\u003e \u003e all). To do this, it needs to be capable of signing for multiple inputs.\n\u003e\n\u003e I assume by inputs you mean addresses/keys. The address field could\n\u003e optionally be an array. That'd be enough?\n\u003e\n\u003e \u003e Preferably, it should also avoid disclosing the public key for existing\n\u003e or\n\u003e \u003e future UTXOs. But I don't think it's possible to avoid this without\n\u003e something\n\u003e \u003e MAST-like first. Perhaps it can be a MAST upgrade later on, but the new\n\u003e \u003e signature scheme should probably be designed with it in mind.\n\u003e\n\u003e I'd love to not have to reveal the public key, but I'm not sure how it\n\u003e would be done, even with MAST.\n\u003e\n\u003e On Wed, Mar 14, 2018 at 12:12 PM, Anthony Towns \u003caj at erisian.com.au\u003e wrote:\n\u003e \u003e Wouldn't it be sufficient for old nodes to check for standardness of the\n\u003e spending script and report non-standard scripts as either invalid outright,\n\u003e or at least highly questionable? That should prevent confusion as long as\n\u003e soft forks are only making nonstandard behaviours invalid.\n\u003e\n\u003e That seems sensible to me. A warning would probably be useful, in case\n\u003e the verifier is running old software.\n\u003e\n\u003e -Kalle.\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20180314/0281bc39/attachment-0001.html\u003e",
"sig": "899131c05ad138cbe847997c6b334cf6997fd214f9737ca4872f2f9e0ec21b9053f9b97b47a96378deb0b920d0f2d5b56df0e6f1d7a8dbed181e5ec2ff4152d8"
}