Author: Johnson Lau 2018-08-31 07:42:07
Published on: 2018-08-31T07:42:07+00:00
Bitcoin researcher Johnson Lau has proposed an updated version of BIP 143 that focuses on improving security and reducing the number of optional features. The proposal, called SIGHASH2, is a superset of the existing SIGHASH and BIP118 SIGHASH_NOINPUT, adding flexibility without becoming too complicated. Key features include signing both scriptCode and the previous scriptPubKey, committing to scriptPubKey and scriptCode in SIGHASH2_NOINPUT to prevent signature replay if the same public key is used in different scripts, and signing the amount of fees and the witness size. Lau also seeks feedback on whether NOINPUT should commit to scriptCode and/or scriptPubKey, whether LASTOUTPUT and DUALOUTPUT should be added, and whether a fully flexible way to sign a subset of outputs should be implemented.

Christian Decker, however, has raised concerns about the proposed SIGHASH_NOINPUT variant, stating that it would compromise the whole idea of BIP 118's floating transactions that can be bound to predecessors. In eltoo's case, the state number needs to be smaller than the state number of the transaction being rewritten, and this is part of the scriptPubKey. That makes it impossible to commit to the scriptPubKey in the signature, since at signing time it is unclear which output (and thus which scriptPubKey) is being signed.

The proposed SIGHASH2 format is a new signature format that saves around 8 bytes compared to the current DER format. The format includes various new hashtype definitions, with the default and most commonly used case being SIGHASH2_ALL. Bit flags are defined in a negative way (e.g. NOLOCKTIME), and some combinations are omitted so that bits are not spent on useless flags. Users must not set reserved bits until they are defined by a future proposal, or they may lose money. A sigversion is used to ensure the message digest won't collide with SIGHASH schemes in the past and future.

Examples of equivalent SIGHASH2 values for other SIGHASH schemes are provided, including for Legacy/BIP143 ALL, Legacy/BIP143 SINGLE with matching output, Legacy/BIP143 ANYONECANPAY|ALL, and BIP118 NOINPUT.

The proposed update defines public key and signature formats as well as new hash type definitions. The public key must be exactly 33 bytes, and if the first byte of the public key is 0x02 or 0x03, it must be a compressed public key. The signature format is defined based on its size and the first byte of the public key. The new hash type definitions are based on the double SHA256 of the serialization of various transaction elements. One group of hash type bits takes a value between 0 and 15, with each value corresponding to a different input element. Similarly, another group of hash type bits takes a value between 0 and 3, with each value corresponding to a different output element.

Lau's proposal is part of the larger development of Taproot and Graftroot by Maxwell. These new functions are designed to implement MAST and other new script functions within them. Backward compatibility is ensured as this is a soft-fork, with exact deployment details to be determined. The reference implementation can be found on GitHub, and the document is licensed under BSD 3-clause.
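
The two public key rules stated above (exactly 33 bytes; a first byte of 0x02 or 0x03 means a compressed public key) can be checked as in the following sketch. This is an added example, not code from the proposal or its reference implementation; the function name and the "unspecified" result for other first bytes are assumptions, since this summary gives no rule for them.

```python
# Added example: validate a candidate public key against the two rules
# stated in the summary. secp256k1 is the curve Bitcoin uses:
# y^2 = x^3 + 7 over the prime field of size P.
P = 2**256 - 2**32 - 977


def classify_pubkey(pubkey: bytes) -> str:
    """Return 'valid', 'invalid' or 'unspecified' (hypothetical labels)."""
    if len(pubkey) != 33:
        return "invalid"        # rule 1: must be exactly 33 bytes
    if pubkey[0] not in (0x02, 0x03):
        return "unspecified"    # assumption: the summary gives no rule here
    # Rule 2: the remaining 32 bytes must be the x coordinate of a curve point.
    x = int.from_bytes(pubkey[1:], "big")
    if x >= P:
        return "invalid"        # not a canonical field element
    rhs = (pow(x, 3, P) + 7) % P
    # P % 4 == 3, so if rhs is a square, rhs^((P+1)/4) is one of its roots.
    y = pow(rhs, (P + 1) // 4, P)
    return "valid" if (y * y) % P == rhs else "invalid"


# Constructed sample inputs: the secp256k1 generator in compressed form,
# a key whose x coordinate is out of range, a 65-byte key, and a 33-byte
# key with a first byte other than 0x02/0x03.
G_COMPRESSED = bytes.fromhex(
    "02" "79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798"
)
X_OUT_OF_RANGE = b"\x03" + (b"\xff" * 32)
TOO_LONG = b"\x04" + bytes(64)
OTHER_PREFIX = b"\x05" + bytes(32)

if __name__ == "__main__":
    for name, key in [
        ("generator", G_COMPRESSED),
        ("x >= P", X_OUT_OF_RANGE),
        ("65 bytes", TOO_LONG),
        ("prefix 0x05", OTHER_PREFIX),
    ]:
        print(f"{name:12s} -> {classify_pubkey(key)}")
```

Rejecting x coordinates that are out of range or not on the curve at parse time keeps malformed keys from ever reaching signature verification.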
Updated on: 2023-05-20T16:42:01.311292+00:00