bitcoin-dev

Should Graftroot be optional?

Original Post by ZmnSCPxj

Posted on: June 20, 2018 12:12 UTC

Pieter and Tim are discussing the idea that the Graftroot signature is not sign(P, script) but instead sign(P, sighash(tx)).

This has advantages: the Graftroot signature commits to a single outpoint and cannot be used to spend all outpoints that happen to pay to the same public key P. However, it is unsafe for a Graftroot signature to be "the same" as a signature for a 1-input 1-output transaction. A CoinSwap protocol is presented in which Alice pays Bob for a hash preimage, with a timeout imposed so that Bob must provide the preimage within a specified time. The Graftroot signature should sign a transaction with a specific, special nVersion, which is then soft-forked to be invalid on-chain. Alternatively, a completely different sighash() algorithm could be used.
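The scoping argument above, as an added example that is not code from the post or from any Graftroot specification: a simplified model showing which messages each signature variant also verifies against. Assumptions: HMAC stands in for a signature under P, `toy_sighash` is not Bitcoin's real sighash, the toy transaction's single output carries the delegated script, and `GRAFTROOT_VERSION` and all function names are hypothetical.

```python
import hashlib, hmac, struct

# All values below are constructed for illustration; none come from the post or a spec.
NORMAL_VERSION = 2
GRAFTROOT_VERSION = 0x47524654  # hypothetical reserved nVersion, assumed invalid on-chain

def toy_sighash(version, outpoint, output_script):
    """Digest of a 1-input 1-output tx. Simplified; not Bitcoin's real sighash."""
    txid, vout = outpoint
    data = struct.pack("<I", version) + txid + struct.pack("<I", vout) + output_script
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def script_message(outpoint, script):
    """Message for sign(P, script): the outpoint being spent is not committed to."""
    return hashlib.sha256(script).digest()

def sign(secret, digest):
    """HMAC stands in for a signature under P (assumption: only P's owner has `secret`)."""
    return hmac.new(secret, digest, hashlib.sha256).digest()

def verify(secret, digest, sig):
    return hmac.compare_digest(sign(secret, digest), sig)

def scope_report():
    secret = b"constructed key for P"
    script = b"constructed delegated script"
    out_a = (b"\xaa" * 32, 0)  # two outpoints that pay to the same P
    out_b = (b"\xbb" * 32, 1)

    # Each signature is produced for outpoint A only.
    sig_script = sign(secret, script_message(out_a, script))
    sig_plain = sign(secret, toy_sighash(NORMAL_VERSION, out_a, script))
    sig_tagged = sign(secret, toy_sighash(GRAFTROOT_VERSION, out_a, script))

    # Digest a node would check for an ordinary on-chain spend of A.
    onchain_a = toy_sighash(NORMAL_VERSION, out_a, script)
    return {
        "script_sig_spends_b": verify(secret, script_message(out_b, script), sig_script),
        "plain_sig_spends_b": verify(secret, toy_sighash(NORMAL_VERSION, out_b, script), sig_plain),
        "plain_sig_valid_onchain": verify(secret, onchain_a, sig_plain),
        "tagged_sig_spends_b": verify(secret, toy_sighash(GRAFTROOT_VERSION, out_b, script), sig_tagged),
        "tagged_sig_valid_onchain": verify(secret, onchain_a, sig_tagged),
        "tagged_sig_valid_graftroot": verify(secret, toy_sighash(GRAFTROOT_VERSION, out_a, script), sig_tagged),
    }

if __name__ == "__main__":
    for name, ok in scope_report().items():
        print(f"{name}: {ok}")
```

In this model, only the signature over the reserved-nVersion digest is bound to one outpoint and also rejected as an ordinary transaction signature.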