On Thu, Feb 22, 2018 at 7:44 PM, Daniel Edgecumbe via bitcoin-dev <[email protected]> wrote:
> I don't think that binding grafts to a particular transaction requires this
> aggregation.
> It seems to me that you could just sign H(txid, script) rather than H(script).
> I'm not aware of whether this would break aggregation.

That would require that you know the txid in advance. Sometimes you do-- and a graftroot sighash flag could handle that... but usually you wouldn't.

The case where you already do know it can sort of be covered today without using the graftroot: Sign a transaction spending the multisig coin to the graft. This isn't a strict alternative however, because it's not atomic: you could imagine that txn being announced and then the graft not being spent, while someone would like to spend a different graft.

That non-atomicity could be addressed by making the graft spends an OR of all the other graft spends but that isn't scalable or private. Regardless, still doesn't work if the graft isn't created after the fact.

The aggregation bit has the property of working just in time, even on grafts created in advance.
