> On July 20, 2016 at 2:17 AM Luke Dashjr via bitcoin-dev > <bitcoin-dev@lists.linuxfoundation.org> wrote: > > On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote: > > > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote: > > > > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions > > > in Bitcoin. > > > > > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV > > > can be used to recover your funds if the other party is not cooperative. > > > These > > > > > > scripts take the following general form: > > > [HASHOP] OP_EQUAL > > > OP_IF > > > > > > > > > > > > OP_ELSE > > > > > > [TIMEOUTOP] OP_DROP > > > > > > OP_ENDIF > > > OP_CHECKSIG > > > > Note that because you're hashing the top item on the stack regardless > > scriptSig's that satisfy HTLC's are malleable: that top stack item can be > > changed anything in the digest-not-provided case and the script still > > passes. > > OP_SIZE > OP_IF > [HASHOP] <digest> OP_EQUALVERIFY > <seller pubkey> > OP_ELSE > <num> [TIMEOUTOP] > <buyer pubkey> > OP_ENDIF > OP_CHECKSIG >
This is incompatible with my proposal for fixing the OP_IF/NOTIF malleability in segwit ("MINIMALIF"). In this case only the timeout branch may be executed. To make it compatible, you may use one of the following 2 scripts: OP_SIZE OP_0NOTEQUAL OP_IF [HASHOP] <digest> OP_EQUALVERIFY <seller pubkey> OP_ELSE <num> [TIMEOUTOP] OP_DROP <buyer pubkey> OP_ENDIF OP_CHECKSIG or OP_IF [HASHOP] <digest> OP_EQUALVERIFY <seller pubkey> OP_ELSE <num> [TIMEOUTOP] OP_DROP <buyer pubkey> OP_ENDIF OP_CHECKSIG The overall witness size are the same for these scripts. They are 1 byte larger than Luke's script, in case MINIMALIF is not enforced. (btw, the OP_DROP after TIMEOUTOP is missing in Luke's script) _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev