Author: Andrew Poelstra 2023-02-07 13:46:22
Published on: 2023-02-07T13:46:22+00:00
In a Bitcoin developer mailing list, Yuval Kogman raised concerns regarding the Taproot feature, which could allow one party in a multiparty transaction to extract an unfair fee contribution from other parties. This is done by using a larger-than-estimated signature on the last input in the transaction while keeping absolute fees the same, thus reducing the feerate for the transaction. However, using Miniscript, participants can determine the maximum witness size of the tree and sign under their desired conditions. The use of uncompressed keys can also cause "surprise" witness inflation, but this is expected to be rare. Miniscript allows users to optimize witness size by signing only under specific conditions rather than just optimistically reducing witness size. There are two cases where the attack can still occur: if there is a more expensive branch that could be taken without Alice's signature, or if there is a more expensive branch that could be taken by moving Alice's signature. Fortunately, Miniscript provides tools for Alice to identify which case applies and determine the maximum witness size. Taproot features CODESEPARATOR opcode to prevent signatures from migrating to another branch or within a branch. The redesign of CODESEPARATOR for Taproot was specifically intended to address issues of witness malleation.
Updated on: 2023-06-16T15:26:57.542255+00:00