Author: ZmnSCPxj 2018-06-20 12:12:28
Published on: 2018-06-20T12:12:28+00:00
Pieter and Tim are discussing the idea that the Graftroot signature is not `sign(P, script)` but instead `sign(P, sighash(tx))`. This has advantages as the Graftroot signature commits to a single outpoint and cannot be used to spend all outpoints that happen to pay to the same `P` public key. However, it is unsafe for a Graftroot signature to be "the same" as a signature for a 1-input 1-output transaction. A CoinSwap protocol is presented with Alice paying Bob for a hash preimage, with a timeout imposed so that Bob needs to provide the preimage within a specified time. The Graftroot signature should sign a transaction with a specific special `nVersion`, that is then soft-forked to be invalid on-chain. Alternatively, a completely different `sighash()` algorithm could be used.
Updated on: 2023-06-13T02:48:43.368815+00:00