Author: Anthony Towns 2019-05-22 20:11:31
Published on: 2019-05-22T20:11:31+00:00
Rusty Russell, a Bitcoin developer, suggested that the BIP introduction be changed to explicitly say "THESE SIGNATURE HASHES ARE UNSAFE FOR NORMAL WALLET USAGE", with the signature hash renamed SIGHASH_UNSAFE_ANYPREVOUT. He also expressed discomfort with the new power in Bitcoin called rebinding, but insists that objections must be supported by facts. In his opinion, if something is deemed unsafe enough to require a warning, then it should not be included in the consensus layer. Russell suggests finding a way of making ANYPREVOUT safe enough that it doesn't need warnings. Chaperone sigs were proposed as a solution. Moreover, chaperones can be opt-in and do not need to burden the protocol. Eltoo seems like the most obvious use case for ANYPREVOUT; however, it may not be a good solution if it is going to opt out or is not going to opt in. Russell's theory is that as long as individuals only use ANYPREVOUT to sign transactions that pay the money back to themselves, their funds will remain safe. The only way they can lose funds is if they are "sufficiently" buried in confirmations, and once they are, they won't disappear. Replaying signatures is not an issue if they follow this rule. Making ANYPREVOUT only available via script is aligned with this because if one is paying to oneself, complicated rules that need encoding in script are necessary. Russell thinks this covers the major security property for Bitcoin, but other ways in which ANYPREVOUT is scary may be formalized and addressed. It is not compatible with Luke's "malleability proof" wallet idea, but if someone else reuses its addresses, it does not add any systemic risk.
Updated on: 2023-05-20T20:28:36.766610+00:00