bitcoin-dev
Should Graftroot be optional?
Posted on: June 6, 2018 17:04 UTC
The bitcoin-dev mailing list discussed the implications of Graftroot, a proposal to delegate control over a script to another party.
One argument against making Graftroot optional was that delegation is not strictly less powerful than using a normal transaction since the signer could have signed an arbitrary transaction instead. However, Tim Ruffing disagreed and argued that Graftroot enables delegation in such a way that the delegation itself cannot be fixed in the chain, which is not currently possible. He suggested defining the semantics of Graftroot transactions to make them identical to the signature hash of an implicit transaction spending the coin and creating a new output with the delegated script as sPK, and the same amount. However, Pieter Wuille pointed out that this would introduce malleability because the created outpoint will be different in both cases (different txid). Additionally, the implicit transaction would be 0 fee and this sounds very similar to the issue SIGHASH_NOINPUT is intended to solve. Wuille suggested that Graftroot spending should become a special sighash flag that builds an implicit transaction, moves all the coins to a newly provided script, computes the sighash of that transaction, and requires a signature with that. The delegated script is then evaluated in the context of that implicit transaction. However, to avoid the malleability issue, the actual signature should still be different, possibly by simply passing through the Graftroot sighash flag into the sighash being computed.