On Fri, Jun 01, 2018 at 02:53:01AM +0800, Johnson Lau via bitcoin-dev wrote:
> I’ve made a PR to add a new policy to disallow using SIGHASH_SINGLE without 
> matched output:
> 
> https://github.com/bitcoin/bitcoin/pull/13360
> 
> Signature of this form is insecure, as it commits to no output while users 
> might think it commits to one. It is even worse in non-segwit scripts, which 
> is effectively SIGHASH_NOINPUT|SIGHASH_NONE, so any UTXO of the same key 
> could be stolen. (It’s restricted to only one UTXO in segwit, but it’s still 
> like a SIGHASH_NONE.)
> 
> This is one of the earliest unintended consensus behaviors. Since these 
> signatures are inherently unsafe, I think it does no harm to disable this 
> unintended “feature” with a softfork. But since these signatures are 
> currently allowed, the first step is to make them non-standard.

I don't see why we should bother to soft fork this out on the basis of
security, given that there are many other ways to insecurely use private keys
(e.g. reused nonces). Maybe soft-fork it out on the basis of code complexity,
but this sounds like a lot of work.

Also, I have to wonder if it's just as likely the devs might think the
non-standardness means it is secure.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org
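The legacy-sighash behaviour the quoted message refers to, as an added example that is not part of the original thread and is not Bitcoin Core's code: a small re-implementation of the pre-segwit SignatureHash() rules, including the rule that SIGHASH_SINGLE with no output at the signing input's index yields the constant 1 instead of a transaction digest. The transactions, scripts and the helper names (legacy_sighash, is_unmatched_single, demo) are constructed here for illustration; is_unmatched_single is a policy-style check written in the spirit of the PR, not the PR's actual code.

```python
# Legacy (pre-segwit) signature hash with the SIGHASH_SINGLE quirk.
# Added example for this thread; not code from the original message or from
# Bitcoin Core. It mirrors the documented SignatureHash() rule: SIGHASH_SINGLE
# with no output at the signing input's index hashes to the constant 1.
# All transaction data below is constructed for the demonstration.
import hashlib
import struct
from dataclasses import dataclass

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x02, 0x03, 0x80
ONE = (1).to_bytes(32, "little")  # uint256 value 1: 0x01 followed by 31 zero bytes

@dataclass
class TxIn:
    prevout_hash: bytes  # 32-byte txid, internal byte order
    prevout_n: int
    script_sig: bytes
    sequence: int = 0xFFFFFFFF

@dataclass
class TxOut:
    value: int  # satoshis; -1 marks a "null" output under SIGHASH_SINGLE
    script_pubkey: bytes

def dsha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def ser_bytes(b):
    assert len(b) < 0xFD  # a one-byte CompactSize length is enough for these scripts
    return bytes([len(b)]) + b

def legacy_sighash(version, vin, vout, locktime, n_in, script_code, hashtype):
    """32-byte message a legacy ECDSA signature commits to. script_code is assumed
    to be the spent scriptPubKey with any OP_CODESEPARATOR handling already done."""
    base = hashtype & 0x1F
    if n_in >= len(vin):
        return ONE  # out-of-range input index: constant 1 (assumed to match Core)
    if base == SIGHASH_SINGLE and n_in >= len(vout):
        return ONE  # the quirk under discussion: the signature commits to no tx data
    indices = [n_in] if hashtype & SIGHASH_ANYONECANPAY else range(len(vin))
    s = struct.pack("<i", version) + bytes([len(indices)])
    for i in indices:
        txin = vin[i]
        s += txin.prevout_hash + struct.pack("<I", txin.prevout_n)
        s += ser_bytes(script_code if i == n_in else b"")  # other inputs' scripts blanked
        seq = 0 if (i != n_in and base in (SIGHASH_NONE, SIGHASH_SINGLE)) else txin.sequence
        s += struct.pack("<I", seq)
    if base == SIGHASH_NONE:
        outputs = []
    elif base == SIGHASH_SINGLE:
        outputs = [TxOut(-1, b"")] * n_in + [vout[n_in]]  # only the matching output counts
    else:
        outputs = vout
    s += bytes([len(outputs)])
    for o in outputs:
        s += struct.pack("<q", o.value) + ser_bytes(o.script_pubkey)
    s += struct.pack("<I", locktime) + struct.pack("<I", hashtype)  # hashtype appended as 4 bytes
    return dsha256(s)

def is_unmatched_single(n_in, n_out, hashtype):
    """Policy-style check in the spirit of the PR: True means 'reject as non-standard'."""
    return (hashtype & 0x1F) == SIGHASH_SINGLE and n_in >= n_out

def demo():
    """Two unrelated constructed transactions, each signing input 1 with only one
    output. Returns their SIGHASH_SINGLE and SIGHASH_ALL digests."""
    script_code = bytes.fromhex("76a914" + "11" * 20 + "88ac")  # P2PKH scriptCode, fake hash160
    tx_a = dict(version=1, locktime=0,
                vin=[TxIn(b"\xaa" * 32, 0, b""), TxIn(b"\xab" * 32, 1, b"")],
                vout=[TxOut(50_000, bytes.fromhex("76a914" + "22" * 20 + "88ac"))])
    tx_b = dict(version=2, locktime=500_000,
                vin=[TxIn(b"\xba" * 32, 3, b""), TxIn(b"\xbb" * 32, 0, b"")],
                vout=[TxOut(999_999, bytes.fromhex("76a914" + "33" * 20 + "88ac"))])
    out = {}
    for name, tx in (("a", tx_a), ("b", tx_b)):
        for label, ht in (("single", SIGHASH_SINGLE), ("all", SIGHASH_ALL)):
            out[f"{label}_{name}"] = legacy_sighash(**tx, n_in=1, script_code=script_code, hashtype=ht)
    return out

if __name__ == "__main__":
    d = demo()
    print("SIGHASH_SINGLE digests equal across unrelated txs:", d["single_a"] == d["single_b"])
    print("SIGHASH_ALL digests equal:", d["all_a"] == d["all_b"])
```

Running demo() shows the point of the quoted message: the two transactions share no inputs, outputs, version or locktime, yet their SIGHASH_SINGLE digests for input 1 are the same 32 bytes, so one ECDSA signature over that value verifies for either of them (and for any other transaction that places the same key at an input index with no matching output), while SIGHASH_ALL gives distinct digests. is_unmatched_single is the condition a node would evaluate at policy time to refuse to relay such a signature.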


_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
