> On July 20, 2016 at 2:17 AM Luke Dashjr via bitcoin-dev
> <[email protected]> wrote:
>
> On Wednesday, July 20, 2016 5:46:54 AM Peter Todd via bitcoin-dev wrote:
>
> > On Tue, Jul 19, 2016 at 10:35:39PM -0600, Sean Bowe via bitcoin-dev wrote:
> >
> > > I'm requesting feedback for Hash Time-Locked Contract (HTLC) transactions
> > > in Bitcoin.
> > >
> > > HTLC transactions allow you to pay for the preimage of a hash. CSV/CLTV
> > > can be used to recover your funds if the other party is not cooperative.
> > > These
> > >
> > > scripts take the following general form:
> > > [HASHOP] OP_EQUAL
> > > OP_IF
> > >
> > >
> > >
> > > OP_ELSE
> > >
> > > [TIMEOUTOP] OP_DROP
> > >
> > > OP_ENDIF
> > > OP_CHECKSIG
> >
> > Note that because you're hashing the top item on the stack regardless
> > scriptSig's that satisfy HTLC's are malleable: that top stack item can be
> > changed anything in the digest-not-provided case and the script still
> > passes.
>
> OP_SIZE
> OP_IF
> [HASHOP] <digest> OP_EQUALVERIFY
> <seller pubkey>
> OP_ELSE
> <num> [TIMEOUTOP]
> <buyer pubkey>
> OP_ENDIF
> OP_CHECKSIG
>
This is incompatible with my proposal for fixing the OP_IF/NOTIF malleability
in segwit ("MINIMALIF"). In this case only the timeout branch may be executed.
To make it compatible, you may use one of the following 2 scripts:
OP_SIZE OP_0NOTEQUAL
OP_IF
[HASHOP] <digest> OP_EQUALVERIFY
<seller pubkey>
OP_ELSE
<num> [TIMEOUTOP] OP_DROP
<buyer pubkey>
OP_ENDIF
OP_CHECKSIG
or
OP_IF
[HASHOP] <digest> OP_EQUALVERIFY
<seller pubkey>
OP_ELSE
<num> [TIMEOUTOP] OP_DROP
<buyer pubkey>
OP_ENDIF
OP_CHECKSIG
The overall witness size are the same for these scripts. They are 1 byte larger
than Luke's script, in case MINIMALIF is not enforced.
(btw, the OP_DROP after TIMEOUTOP is missing in Luke's script)
_______________________________________________
bitcoin-dev mailing list
[email protected]
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
