|
| 1 | +<pre> |
| 2 | + BIP: 118 |
| 3 | + Layer: Consensus (soft fork) |
| 4 | + Title: SIGHASH_NOINPUT |
| 5 | + Author: Christian Decker < [email protected]> |
| 6 | + Comments-Summary: No comments yet. |
| 7 | + Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0118 |
| 8 | + Status: Draft |
| 9 | + Type: Standards Track |
| 10 | + Created: 2017-02-28 |
| 11 | + License: BSD-3-Clause |
| 12 | +</pre> |
| 13 | + |
| 14 | +== Abstract == |
| 15 | +This BIP describes a new signature hash flag (<tt>sighash</tt>-flag) for |
| 16 | +segwit transactions. It removes any commitment to the output being |
| 17 | +spent from the signature verification mechanism. This enables dynamic |
| 18 | +binding of transactions to outputs, predicated solely on the |
| 19 | +compatibility of output scripts to input scripts. |
| 20 | + |
| 21 | +== Motivation == |
| 22 | +Off-chain protocols make use of transactions that are not yet |
| 23 | +broadcast to the Bitcoin network in order to renegotiate the final |
| 24 | +state that should be settled on-chain. |
| 25 | +In a number of cases it is desirable to react to a given transaction |
| 26 | +being seen on-chain with a predetermined reaction in the form of |
| 27 | +another transaction. |
| 28 | +Often the reaction is identical, no matter which transaction is seen |
| 29 | +on-chain, but the application still needs to create many identical |
| 30 | +transaction. |
| 31 | +This is because signatures in the input of a transaction uniquely |
| 32 | +commit to the hash of the transaction that created the output being |
| 33 | +spent. |
| 34 | + |
| 35 | +This proposal introduces a new sighash flag that modifies the behavior |
| 36 | +of the transaction digest algorithm used in the signature creation and |
| 37 | +verification, to exclude the previous output commitment. |
| 38 | +By removing the commitment we enable dynamic rebinding of a signed |
| 39 | +transaction to outputs whose <tt>witnessProgram</tt> and value match the ones |
| 40 | +in the <tt>witness</tt> of the spending transaction. |
| 41 | + |
| 42 | +The dynamic binding is opt-in and can further be restricted by using |
| 43 | +unique <tt>witnessProgram</tt> scripts that are specific to the application |
| 44 | +instance, e.g., using public keys that are specific to the off-chain |
| 45 | +protocol instance. |
| 46 | + |
| 47 | +== Specification == |
| 48 | +<tt>SIGHASH_NOINPUT</tt> is a flag with value <tt>0x40</tt> appended to a signature |
| 49 | +to that the signature does not commit to any of the inputs, and |
| 50 | +therefore to the outputs being spent. The flag applies solely to the |
| 51 | +verification of that single signature. |
| 52 | + |
| 53 | +The <tt>SIGHASH_NOINPUT</tt> flag is only active for segwit scripts with |
| 54 | +version 1 or higher. Should the flag be used in a non-segwit script or |
| 55 | +a segwit script of version 0, the current behavior is maintained and |
| 56 | +the script execution MUST abort with a failure. |
| 57 | + |
| 58 | +The transaction digest algorithm from BIP 143 is used when verifying a |
| 59 | +<tt>SIGHASH_NOINPUT</tt> signature, with the following modifications: |
| 60 | + |
| 61 | + 2. hashPrevouts (32-byte hash) is 32 0x00 bytes |
| 62 | + 3. hashSequence (32-byte hash) is 32 0x00 bytes |
| 63 | + 4. outpoint (32-byte hash + 4-byte little endian) is |
| 64 | + set to 36 0x00 bytes |
| 65 | + 5. scriptCode of the input is set to an empty script |
| 66 | + 0x00 |
| 67 | +
|
| 68 | +The <tt>value</tt> of the previous output remains part of the transaction |
| 69 | +digest and is therefore also committed to in the signature. |
| 70 | + |
| 71 | +The <tt>NOINPUT</tt> flag MAY be combined with the <tt>SINGLE</tt> flag in which |
| 72 | +case the <tt>hashOutputs</tt> is modified as per BIP |
| 73 | +143<ref>https://github.com/bitcoin/bips/blob/master/bip-0143.mediawiki</ref>: it |
| 74 | +only commits to the output with the matching index, if such output exists, and |
| 75 | +is a <tt>uint256</tt> <tt>0x0000......0000</tt> otherwise. |
| 76 | + |
| 77 | +Being a change in the digest algorithm, the <tt>NOINPUT</tt> flag applies to |
| 78 | +all segwit signature verification opcodes, specifically it applies to: |
| 79 | + |
| 80 | +* <tt>OP_CHECKSIG</tt> |
| 81 | +
|
| 82 | +* <tt>OP_CHECKSIGVERIFY</tt> |
| 83 | +
|
| 84 | +* <tt>OP_CHECKMULTISIG</tt> |
| 85 | +
|
| 86 | +* <tt>OP_CHECKMULTISIGVERIFY</tt> |
| 87 | +
|
| 88 | +== Binding through scripts == |
| 89 | +Using <tt>NOINPUT</tt> the input containing the signature no longer |
| 90 | +references a specific output. |
| 91 | +Any participant can take a transaction and rewrite it by changing the |
| 92 | +hash reference to the previous output, without invalidating the |
| 93 | +signatures. |
| 94 | +This allows transactions to be bound to any output that matches the |
| 95 | +value committed to in the <tt>witness</tt> and whose <tt>witnessProgram</tt>, |
| 96 | +combined with the spending transaction's <tt>witness</tt> returns <tt>true</tt>. |
| 97 | + |
| 98 | +Previously, all information in the transaction was committed in the |
| 99 | +signature itself, while now the relationship between the spending |
| 100 | +transaction and the output being spent is solely based on the |
| 101 | +compatibility of the <tt>witnessProgram</tt> and the <tt>witness</tt>. |
| 102 | + |
| 103 | +This also means that particular care has to be taken in order to avoid |
| 104 | +unintentionally enabling this rebinding mechanism. <tt>NOINPUT</tt> MUST NOT |
| 105 | +be used, unless it is explicitly needed for the application, i.e., it |
| 106 | +MUST NOT be a default signing flag in a wallet |
| 107 | +implementation. Rebinding is only possible when the outputs the |
| 108 | +transaction may bind to all use the same public keys. Any public key |
| 109 | +that is used in a <tt>NOINPUT</tt> signature MUST only be used for outputs |
| 110 | +that the input may bind to, and they MUST NOT be used for transactions |
| 111 | +that the input may not bind to. For example an application SHOULD |
| 112 | +generate a new key-pair for the application instance using <tt>NOINPUT</tt> |
| 113 | +signatures and MUST NOT reuse them afterwards. |
| 114 | + |
| 115 | +== Deployment == |
| 116 | +The <tt>NOINPUT</tt> sighash flag is to be deployed during a regular segwit |
| 117 | +script update. |
| 118 | + |
| 119 | +== Backward compatibility == |
| 120 | +As a soft fork, older software will continue to operate without |
| 121 | +modification. Non-upgraded nodes, however, will not verify the |
| 122 | +validity of the new sighash flag and will consider the transaction |
| 123 | +valid by default. Being only applicable to segwit transaction, |
| 124 | +non-segwit nodes will see an anyone-can-spend script and will consider |
| 125 | +it valid. |
| 126 | + |
| 127 | +== Acknowledgments == |
| 128 | + |
| 129 | +The <tt>NOINPUT</tt> sighash flag was first proposed by Joseph Poon in |
| 130 | +February 2016<ref>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-February/012460.html</ref>, after being mentioned in the original |
| 131 | +Lightning paper<ref>http://lightning.network/lightning-network.pdf</ref>. A formal proposal was however |
| 132 | +deferred until after the activation of segwit. This proposal is a |
| 133 | +continuation of this discussion and attempts to formalize it in such a |
| 134 | +way that it can be included in the Bitcoin protocol. As such we'd like |
| 135 | +acknowledge Joseph Poon and Thaddeus Dryja as the original inventors |
| 136 | +of the <tt>NOINPUT</tt> sighash flag, and its uses in off-chain protocols. |
| 137 | + |
| 138 | +== References == |
| 139 | + |
| 140 | +<references/> |
| 141 | + |
| 142 | +== Copyright == |
| 143 | + |
| 144 | +This document is licensed under the BSD 3 Clause license. |
0 commit comments