📅 Original date posted:2019-03-20
📝 Original message:
Sorry AJ, my prior email was not constructive :(
I consider the "my software reused my keys" the most reasonable attack
scenario, though still small compared to other lightning attack surfaces.
But I understand the general wariness of third-parties reusing
SIGHASH_NOINPUT signatures.
Since "must have a non-SIGHASH_NOINPUT" rule addresses the first reuse
scenario (as well as the second), I'd be content with that proposal.
Future segwit versions may choose to relax it.[1]
Cheers,
Rusty.
[1] Must be consensus, not standardness; my prev suggestion was bogus.
Rusty Russell <rusty at rustcorp.com.au> writes:
> Anthony Towns <aj at erisian.com.au> writes:
>> If you publish to the blockchain:
> ...
>> 4 can be dropped, state 5 and finish can be altered). Since the CSV delay
>> is chosen by the participants, the above is still a possible scenario
>> in eltoo, though, and it means there's some risk for someone accepting
>> bitcoins that result from a non-cooperative close of an eltoo channel.
>
> AJ, this was a meandering random walk which shed very little light.
>
> I don't find the differentiation between malicious and non-malicious
> double-spends convincing. Even if you trust A, you already have to
> worry about person-who-sent-the-coins-to-A. This expands that set to be
> "miner who mined coins sent-to-A", but it's very hard to see what
> difference that makes to how you'd handle coins from A.
>
>> Beyond that, I think NOINPUT has two fundamental ways to cause problems
>> for the people doing NOINPUT sigs:
>>
>> 1) your signature gets applied to a unexpectedly different
>> script, perhaps making it look like you've being dealing
>> with some blacklisted entity. OP_MASK and similar solves
>> this.
>
> ... followed by two paragraphs describing how it's not a "fundamental
> way to cause problems" that you (or I) can see.
>
>> For the second case, that seems a little more concerning. The nightmare
>> scenario is maybe something like:
>>
>> * naive users do silly things with NOINPUT signatures, and end up
>> losing funds due to replays like the above
>
> As we've never seen with SIGHASH_NONE?
>
>> * initial source of funds was some major exchange, who decide it's
>> cheaper to refund the lost funds than deal with the customer complaints
>>
>> * the lost funds end up costing enough that major exchanges just outright
>> ban sending funds to any address capable of NOINPUT, which also bans
>> all taproot/schnorr addresses
>
> I don't find this remotely credible.
>
>> FWIW, I don't have a strong opinion here yet, but:
>>
>> - I'm still inclined to err on the side of putting more safety
>> measures in for NOINPUT, rather than fewer
>
> In theory, sure. But not feel-good and complex "safety measures" which
> don't actually help in practical failure scenarios.
>
>> - the "must have a sig that commits to the input tx" seems like it
>> should be pretty safe, not too expensive, and keeps taproot's privacy
>> benefits in the cases where you end up needing to use NOINPUT
>
> If this is considered necessary, can it be a standardness rule rather
> than consensus?
>
> Thanks,
> Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 14:54:29
in reply to nevent1q…2t4d
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 14:54:29Event JSON
{
"id": "6973a8d078cff796b29ff1260cc4853b454ffef439d3d597453ddd8533ebcf0e",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686315269,
"kind": 1,
"tags": [
[
"e",
"86a47a61621252784fd45b6d576812ee01ce9af9bd2a53aeaae914577c5267a8",
"",
"root"
],
[
"e",
"df74f01b8c2c16bc2b6d3aff06324f340532b2ede0515661a9b5b6389e9b73c0",
"",
"reply"
],
[
"p",
"13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425"
]
],
"content": "📅 Original date posted:2019-03-20\n📝 Original message:\nSorry AJ, my prior email was not constructive :(\n\nI consider the \"my software reused my keys\" the most reasonable attack\nscenario, though still small compared to other lightning attack surfaces.\n\nBut I understand the general wariness of third-parties reusing\nSIGHASH_NOINPUT signatures.\n\nSince \"must have a non-SIGHASH_NOINPUT\" rule addresses the first reuse\nscenario (as well as the second), I'd be content with that proposal.\nFuture segwit versions may choose to relax it.[1]\n\nCheers,\nRusty.\n[1] Must be consensus, not standardness; my prev suggestion was bogus.\n\nRusty Russell \u003crusty at rustcorp.com.au\u003e writes:\n\u003e Anthony Towns \u003caj at erisian.com.au\u003e writes:\n\u003e\u003e If you publish to the blockchain:\n\u003e ...\n\u003e\u003e 4 can be dropped, state 5 and finish can be altered). Since the CSV delay\n\u003e\u003e is chosen by the participants, the above is still a possible scenario\n\u003e\u003e in eltoo, though, and it means there's some risk for someone accepting\n\u003e\u003e bitcoins that result from a non-cooperative close of an eltoo channel.\n\u003e\n\u003e AJ, this was a meandering random walk which shed very little light.\n\u003e\n\u003e I don't find the differentiation between malicious and non-malicious\n\u003e double-spends convincing. Even if you trust A, you already have to\n\u003e worry about person-who-sent-the-coins-to-A. This expands that set to be\n\u003e \"miner who mined coins sent-to-A\", but it's very hard to see what\n\u003e difference that makes to how you'd handle coins from A.\n\u003e\n\u003e\u003e Beyond that, I think NOINPUT has two fundamental ways to cause problems\n\u003e\u003e for the people doing NOINPUT sigs:\n\u003e\u003e\n\u003e\u003e 1) your signature gets applied to a unexpectedly different\n\u003e\u003e script, perhaps making it look like you've being dealing\n\u003e\u003e with some blacklisted entity. OP_MASK and similar solves\n\u003e\u003e this.\n\u003e\n\u003e ... followed by two paragraphs describing how it's not a \"fundamental\n\u003e way to cause problems\" that you (or I) can see.\n\u003e\n\u003e\u003e For the second case, that seems a little more concerning. The nightmare\n\u003e\u003e scenario is maybe something like:\n\u003e\u003e\n\u003e\u003e * naive users do silly things with NOINPUT signatures, and end up\n\u003e\u003e losing funds due to replays like the above\n\u003e\n\u003e As we've never seen with SIGHASH_NONE?\n\u003e\n\u003e\u003e * initial source of funds was some major exchange, who decide it's\n\u003e\u003e cheaper to refund the lost funds than deal with the customer complaints\n\u003e\u003e\n\u003e\u003e * the lost funds end up costing enough that major exchanges just outright\n\u003e\u003e ban sending funds to any address capable of NOINPUT, which also bans\n\u003e\u003e all taproot/schnorr addresses\n\u003e\n\u003e I don't find this remotely credible.\n\u003e\n\u003e\u003e FWIW, I don't have a strong opinion here yet, but:\n\u003e\u003e\n\u003e\u003e - I'm still inclined to err on the side of putting more safety\n\u003e\u003e measures in for NOINPUT, rather than fewer\n\u003e\n\u003e In theory, sure. But not feel-good and complex \"safety measures\" which\n\u003e don't actually help in practical failure scenarios.\n\u003e\n\u003e\u003e - the \"must have a sig that commits to the input tx\" seems like it\n\u003e\u003e should be pretty safe, not too expensive, and keeps taproot's privacy\n\u003e\u003e benefits in the cases where you end up needing to use NOINPUT\n\u003e\n\u003e If this is considered necessary, can it be a standardness rule rather\n\u003e than consensus?\n\u003e\n\u003e Thanks,\n\u003e Rusty.",
"sig": "95c590c29e012acfc62d0ce5c6dd40a36027ba86d57ca7641963f75257ee538c7d93cf7addde54d6ad47b94794fb31e532fa560ec9ddf01f822a835a0503aac9"
}