Rusty Russell <ru...@rustcorp.com.au> writes:
>> However, I’m not sure if there is any useful NOINPUT case with unmasked
>> script.
>
> This is *not* true of Eltoo; the script itself need not change for the
> rebinding (Christian, did something change?).

This is wrong, sorry. I re-checked the paper, and the constant for the timelock comparison changes on each new update. (The alternative was a new opcode like OP_TIMELOCKGREATERVERIFY which required remembering the nLocktime for the UTXO).

So now my opinion is closer to yours: what's the use for NOINPUT && !NOMASK? And is it worthwhile doing the mask complexity, rather than just removing the commitment to script with NOINPUT?

It *feels* safer to restrict what scripts we can sign, but is it?

Note that NOINPUT is only useful when you can't just re-sign the tx, and you need to be able to create a new tx even if this input is spent once (an attacker can do this with SIGHASH_MASK or not!). i.e. any other inputs need to be signed NOINPUT or this one SIGHASH_SINGLE|ANYONECANPAY.

You already need both key-reuse and amount-reuse to be exploited. SIGHASH_MASK only prevents you from reusing this input for a "normal" output; if you used this key for multiple scripts of the same form, you're vulnerable[1]. Which, given the lightning software will be using the One True Script, is more likely than your normal wallet using the same keys.

So I don't think it's worth it. SIGHASH_NOINPUT is simply dangerous with key-reuse, and Don't Do That.

Cheers,
Rusty.

[1] Attacker can basically clone channel state to another channel.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
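
A simplified model of the digest commitments discussed in the message above, added here as an illustration; it is not code from the post or from any Bitcoin implementation. The digest layout, the `Utxo` class, `mask`, `rebindable`, the key labels and every sample value are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Utxo:
    outpoint: str   # constructed "txid:vout"
    amount: int     # satoshis
    key: str        # label standing in for the signing key
    script: tuple   # ints are pushed constants, strings are opcodes/keys

def mask(script):
    # Toy SIGHASH_MASK: blank the pushed constants, keep the script's form.
    return tuple("<masked>" if isinstance(x, int) else x for x in script)

def digest(utxo, outputs, noinput=False, masked=False, commit_script=True):
    """Simplified signature digest (assumed layout, NOT the real serialization)."""
    parts = [repr(outputs), str(utxo.amount)]
    if not noinput:
        parts.append(utxo.outpoint)  # a normal sighash binds the outpoint
    if commit_script:
        parts.append(repr(mask(utxo.script) if masked else utxo.script))
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def rebindable(a, b, outputs, **flags):
    # A signature made for `a` also validates on `b` iff same key and same digest.
    return a.key == b.key and digest(a, outputs, **flags) == digest(b, outputs, **flags)

def update_script(locktime, key):
    # Script form whose timelock constant changes on each update.
    return (locktime, "OP_CHECKLOCKTIMEVERIFY", "OP_DROP", key, "OP_CHECKSIG")

# Constructed sample data: channels and a plain wallet output, all reusing KEY_A.
OUTS = (("addr_x", 99_000),)
CHAN1 = Utxo("aa" * 32 + ":0", 100_000, "KEY_A", update_script(500_000_001, "KEY_A"))
CHAN2 = Utxo("bb" * 32 + ":0", 100_000, "KEY_A", update_script(500_000_007, "KEY_A"))
CHAN3 = Utxo("dd" * 32 + ":0", 250_000, "KEY_A", update_script(500_000_009, "KEY_A"))
WALLET = Utxo("cc" * 32 + ":1", 100_000, "KEY_A", ("KEY_A", "OP_CHECKSIG"))

if __name__ == "__main__":
    ni = dict(noinput=True)
    print("default sighash, chan1->chan2:", rebindable(CHAN1, CHAN2, OUTS))
    print("NOINPUT unmasked, chan1->chan2:", rebindable(CHAN1, CHAN2, OUTS, **ni))
    print("NOINPUT+mask, chan1->chan2:", rebindable(CHAN1, CHAN2, OUTS, masked=True, **ni))
    print("NOINPUT+mask, chan1->wallet:", rebindable(CHAN1, WALLET, OUTS, masked=True, **ni))
    print("NOINPUT no script, chan1->wallet:",
          rebindable(CHAN1, WALLET, OUTS, commit_script=False, **ni))
    print("NOINPUT+mask, other amount:", rebindable(CHAN1, CHAN3, OUTS, masked=True, **ni))
```

In this model the mask only separates the wallet output from the channel outputs; two outputs of the same script form with the same key and amount still share a digest, and a differing amount is what breaks the rebinding.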