bitcoin-dev
Should Graftroot be optional?
Posted on: May 23, 2018 17:52 UTC
In a thread on Bitcoin-dev, Andrew Poelstra expressed his concern about Graftroot's potential to break blind signature schemes, but later rescinded this concern.
He explains that as long as Graftroot and NOINPUT signatures commit to the public key, a server can use a unique key for every output while retaining the same underlying private key, and the property that "one sig can spend only one output" still holds. Poelstra then provides a simple blind signature scheme to accomplish this, which is vulnerable to Wagner's attack. He also suggests that key-prefixing may not be strictly necessary, but that it makes the security argument clearer, since the message hash then contains data that can be made unique per UTXO and is committed to in the chain.
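To make the key-prefixing argument concrete, here is an added toy example in Python; it is not code from Poelstra's post or from any Bitcoin implementation. It uses a key-prefixed Schnorr signature over the multiplicative group of a prime field (an assumed stand-in for secp256k1, with no real security) and derives one public key per output from a single master key by an additive tweak, so the server keeps one secret while every output sees a distinct key. The group parameters, the tweak derivation `H(pub || index)` and the NOINPUT-style message (the same bytes for every output, since such a sighash does not commit to the input) are all constructed for illustration.

```python
from __future__ import annotations
import hashlib

# Toy Schnorr over Z_p^* with a Mersenne prime modulus (constructed; not secure).
P = (1 << 127) - 1   # 2^127 - 1 is prime (M127); values fit in 16 bytes
N = P - 1            # exponent modulus: g^N == 1 mod P by Fermat's little theorem
G = 3                # assumed base element; any element works for the arithmetic below


def h(*parts: bytes) -> int:
    """Hash-to-integer used for challenges, nonces and key tweaks."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N


def enc(x: int) -> bytes:
    """Fixed-width encoding so hash inputs are unambiguous."""
    return x.to_bytes(16, "big")


def tweak(pub: int, index: int) -> int:
    """Per-output tweak t_i = H(pub || i) (assumed derivation, pay-to-contract style)."""
    return h(enc(pub), index.to_bytes(4, "big"))


def derive_pub(pub: int, index: int) -> int:
    """pub_i = pub * g^t_i: a distinct public key for output i, derivable by anyone."""
    return pub * pow(G, tweak(pub, index), P) % P


def derive_priv(priv: int, pub: int, index: int) -> int:
    """priv_i = priv + t_i: the matching secret, still a function of the one master secret."""
    return (priv + tweak(pub, index)) % N


def sign(priv: int, pub: int, msg: bytes) -> tuple[int, int]:
    """Key-prefixed Schnorr: the challenge e = H(R || pub || msg) commits to the key.
    The nonce is derived deterministically so the example is repeatable."""
    k = h(enc(priv), msg, b"nonce") or 1
    r = pow(G, k, P)
    e = h(enc(r), enc(pub), msg)
    s = (k + e * priv) % N
    return r, s


def verify(pub: int, msg: bytes, sig: tuple[int, int]) -> bool:
    """Check g^s == R * pub^e with e recomputed under the *given* public key."""
    r, s = sig
    e = h(enc(r), enc(pub), msg)
    return pow(G, s, P) == r * pow(pub, e, P) % P


def demo() -> dict:
    """Sign a NOINPUT-style message for output 0 and show it does not carry over to output 1."""
    master_priv = h(b"constructed master secret")
    master_pub = pow(G, master_priv, P)
    # NOINPUT-style message: identical for every output, so only the key can bind the sig.
    noinput_msg = b"constructed NOINPUT-style sighash (same for all outputs)"
    pub0, pub1 = derive_pub(master_pub, 0), derive_pub(master_pub, 1)
    priv0 = derive_priv(master_priv, master_pub, 0)
    sig0 = sign(priv0, pub0, noinput_msg)
    return {
        "keys_distinct": pub0 != pub1,
        "valid_for_output0": verify(pub0, noinput_msg, sig0),
        "valid_for_output1": verify(pub1, noinput_msg, sig0),  # False: sig is bound to pub0
        "derived_key_consistent": pow(G, priv0, P) == pub0,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last two dictionary entries are the point of the example: because the challenge hashes the public key and each output carries its own tweaked key, a signature produced for output 0 fails verification under output 1 even though the signed message bytes are identical, which is the "one sig can spend only one output" property the summary refers to.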