On Wed, Jun 20, 2018 at 12:12 PM, ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: > This has the advantage that the Graftroot signature commits to a single > outpoint and cannot be used to spend all outpoints that happen to pay to the > same `P` public key.
If it isn't possible to make a graftroot signature independent of the outpoint then the functionality is _greatly_ reduced to the point of largely mooting it-- because you could no longer prepare the grafts before the coins to be spent existed, and meaning you must stay online and sign new grafts as coins show up. In my view graft's two main gains are being able to delegate before coins exist and making the conditional transfer atomic (e.g. compared to just pre-signing a transaction). Making outpoint binding optional, so that you could choose to either sign for particular outputs or in a blanket way would be a lot more useful. Though I had assumed outpoint binding could best be achieved by checking the outpoint in the graft-script-- this is general for whatever kinds of arbitrary graft conditions you might want to specify (e.g. locktimes, value checks, or conditions on subsequent outputs)... but perhaps binding a particular outpoint is enough of a special case that it's worth avoiding the overhead of expressing a match condition in the script, since that would probably end up blowing 36 bytes for the match condition in the witness when instead it could just be covered by the signature, and people should probably prefer to do output binding grafts whenever its reasonably possible. _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
