Something like this might also be useful for several use cases related to
RBF. For example:
Alice sends Bob an RBF-activated transaction T1 with the intention of
bumping its fee if necessary. Bob wants to send these funds to Carol, but
cannot wait until T1 confirms, so he crafts a transaction T2 that spends T1
using SIGHASH_NOINPUT, and pays Carol. Carol can now make sure she receives
the money even if Alice fee-bumps T1, as long as the outputs of the
replaced transactions are compatible.
Extra care should be taken to avoid rebinding, maybe by including an extra
input in T2 that doesn't use SIGHASH_NOINPUT.
On Mon, Apr 30, 2018 at 1:29 PM, Christian Decker via bitcoin-dev <
> Hi all,
> I'd like to pick up the discussion from a few months ago, and propose a new
> sighash flag, `SIGHASH_NOINPUT`, that removes the commitment to the
> output. This was previously mentioned on the list by Joseph Poon , but
> never formally proposed, so I wrote a proposal .
> We have long known that `SIGHASH_NOINPUT` would be a great fit for
> They enable simple watch-towers, i.e., outsource the need to watch the
> blockchain for channel closures, and react appropriately if our
> misbehaves. In addition to this we just released the eltoo [3,4] paper
> describes a simplified update mechanism that can be used in Lightning, and
> off-chain contracts, with any number of participants.
> By not committing to the previous output being spent by the transaction,
> we can
> rebind an input to point to any outpoint with a matching output script and
> value. The binding therefore is no longer explicit through a reference, but
> through script compatibility, and the transaction ID reference in the
> input is a
> hint to validators. The sighash flag is meant to enable some off-chain
> and should not be used unless the tradeoffs are well-known. In particular
> suggest using contract specific key-pairs, in order to avoid having any
> rebinding opportunities.
> The proposal is very minimalistic, and simple. However, there are a few
> where we'd like to hear the input of the wider community with regards to
> implementation details though. We had some discussions internally on
> whether to
> use a separate opcode or a sighash flag, some feeling that the sighash flag
> could lead to some confusion with existing wallets, but given that we have
> `SIGHASH_NONE`, and that existing wallets will not sign things with unknown
> flags, we decided to go the sighash way. Another thing is that we still
> to the amount of the outpoint being spent. The rationale behind this is
> while rebinding to outpoints with the same value maintains the value
> relationship between input and output, we will probably not want to bind to
> something with a different value and suddenly pay a gigantic fee.
> The deployment part of the proposal is left vague on purpose in order not
> collide with any other proposals. It should be possible to introduce it by
> bumping the segwit script version and adding the new behavior.
> I hope the proposal is well received, and I'm looking forward to discussing
> variants and tradeoffs here. I think the applications we proposed so far
> quite interesting, and I'm sure there are many more we can enable with this
>  https://lists.linuxfoundation.org/pipermail/bitcoin-dev/
>  https://github.com/cdecker/bips/blob/noinput/bip-xyz.mediawiki
>  https://blockstream.com/2018/04/30/eltoo-next-lightning.html
>  https://blockstream.com/eltoo.pdf
> bitcoin-dev mailing list
Lightning-dev mailing list