Rusty Russell [ARCHIVE] /
npub1zw7…khpx
2023-06-07 18:15:36
in reply to nevent1q…hzud

📅 Original date posted: 2018-12-12
📝 Original message: Rusty Russell <rusty at rustcorp.com.au> writes:
>> However, I’m not sure if there is any useful NOINPUT case with unmasked script.
>
> This is *not* true of Eltoo; the script itself need not change for the
> rebinding (Christian, did something change?).

This is wrong, sorry. I re-checked the paper, and the constant for the
timelock comparison changes on each new update.

(The alternative was a new opcode like OP_TIMELOCKGREATERVERIFY which
required remembering the nLocktime for the UTXO).

So now my opinion is closer to yours: what's the use for NOINPUT &&
!NOMASK?

And is it worthwhile doing the mask complexity, rather than just
removing the commitment to script with NOINPUT? It *feels* safer to
restrict what scripts we can sign, but is it?

Note that NOINPUT is only useful when you can't just re-sign the tx, and
you need to be able to create a new tx even if this input is spent once
(an attacker can do this with SIGHASH_MASK or not!). i.e. any other
inputs need to be signed NOINPUT or this one
SIGHASH_SINGLE|ANYONECANPAY.

You already need both key-reuse and amount-reuse to be exploited.
SIGHASH_MASK only prevents you from reusing this input for a "normal"
output; if you used this key for multiple scripts of the same form,
you're vulnerable[1]. Which, given the lightning software will be using
the One True Script, is more likely than your normal wallet using the
same keys.

So I don't think it's worth it. SIGHASH_NOINPUT is simply dangerous
with key-reuse, and Don't Do That.

Cheers,
Rusty.
[1] Attacker can basically clone channel state to another channel.
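
A toy model of the trade-off discussed in the message above, as an added example that is not part of the original post or of any BIP: it compares which outputs a single signature fits when the digest commits to the outpoint, to nothing about the input but the amount, or to a masked script. The field layout, the masking rule, the scripts and all values are constructed assumptions, not the real signature-hash serialization.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    txid: str      # constructed sample value
    vout: int
    script: tuple  # script tokens; an int is a constant such as the timelock
    amount: int    # satoshis

def masked(script):
    """Assumed masking rule: hide numeric constants, keep the script's form."""
    return tuple("<masked>" if isinstance(t, int) else t for t in script)

def digest(utxo, outputs, mode):
    """Toy sighash: which fields of the spent output the signature commits to."""
    if mode == "ALL":
        fields = (utxo.txid, utxo.vout, utxo.script, utxo.amount, outputs)
    elif mode == "NOINPUT":        # no outpoint, no script commitment
        fields = (utxo.amount, outputs)
    elif mode == "NOINPUT|MASK":   # no outpoint, masked script commitment
        fields = (masked(utxo.script), utxo.amount, outputs)
    else:
        raise ValueError(mode)
    return hashlib.sha256(repr(fields).encode()).hexdigest()

def replayable(signed, other, outputs, mode):
    """With the same key on both outputs, equal digests mean the signature fits both."""
    return digest(signed, outputs, mode) == digest(other, outputs, mode)

def channel_script(timelock):
    # Constructed stand-in for an update script; only the constant varies.
    return (timelock, "OP_CHECKLOCKTIMEVERIFY", "OP_DROP", "KEY_A", "OP_CHECKSIG")

# Constructed outputs: same key (KEY_A) and same amount everywhere.
CHAN_A = Utxo("aa" * 32, 0, channel_script(500000001), 100_000)
CHAN_B = Utxo("bb" * 32, 1, channel_script(500000007), 100_000)
WALLET = Utxo("cc" * 32, 0, ("KEY_A", "OP_CHECKSIG"), 100_000)
OUTPUTS = (("<destination script>", 99_000),)

def replay_table():
    """mode -> (fits the other channel?, fits the normal wallet output?)"""
    return {m: (replayable(CHAN_A, CHAN_B, OUTPUTS, m),
                replayable(CHAN_A, WALLET, OUTPUTS, m))
            for m in ("ALL", "NOINPUT", "NOINPUT|MASK")}

if __name__ == "__main__":
    for mode, result in replay_table().items():
        print(mode, result)
```

In this model the mask only removes the normal wallet output from the set a signature fits; a second channel with the same key, amount and script form still matches.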