nopara73 / ZeroLink

The Bitcoin Fungibility Framework
MIT License

Question: At Input Registration only native SegWit should be allowed? #45

Closed nopara73 closed 6 years ago

nopara73 commented 7 years ago

ZeroLink doesn't allow traditional addresses to be registered for CoinJoin, so the transaction can't be malleated.

The paper states:

All Chaumian CoinJoin inputs MUST be Segregated Witness inputs. This prevents the transaction from being malleated; as a result the Tumbler can accept unconfirmed Chaumian CoinJoin change outputs from the user in the next round.

Can P2SH over P2WPKH (wrapped segwit) be differentiated from normal P2SH before signing? If not, then only P2WPKH (native segwit) should be allowed to be registered.

SamouraiDev commented 7 years ago

Yes. P2SH-P2WPKH can be differentiated from normal P2SH before signing. The address cannot be differentiated but the input can be.

harding commented 7 years ago

The address by itself can't be differentiated, since it's just a hash. However, you can also demand the person (software) registering provide the redeemScript, which will be identifiable as using the BIP141 structure; see https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#P2WSH_nested_in_BIP16_P2SH

nopara73 commented 7 years ago

Thank you! Then no change to the design is needed.
Actually in my implementation I only require a txid and an output index so that the Tumbler must check everything else anyway.

nopara73 commented 6 years ago

While I conveniently postponed adding p2sh wrapped segwit to the tumbler, I think another issue came up here.

Since the proof must be provided at input registration that the owner can spend the input he registers, and a p2sh wrapped segwit address apparently cannot do that, we have a problem: https://github.com/bitcoin/bitcoin/issues/10542

I haven't had the time yet to look through that issue to see if there is a clever trick around it, but this issue must be reopened. https://github.com/bitcoin/bitcoin/issues/10542

SamouraiDev commented 6 years ago

This can be done with p2sh wrapped segwit since the script format is known beforehand (as opposed to other p2sh). Pubkey is recovered from signature and used to derive p2sh-p2wpkh address.

harding commented 6 years ago

The spendability proof can be a correctly-signed transaction that is either invalid or won't-be-valid-for-a-very-long-time. E.g., the transaction can spend 22 million BTC, or it can have its nLocktime set to 499,999,999, indicating it won't be valid until just before block height 500 million, just under 10,000 years from now.
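The two proof constructions harding describes, checked from the tumbler's side, as an added example that is not from this thread, ZeroLink or NBitcoin. The tumbler still has to verify the signature over the registered outpoint (not shown); what this code adds is the check that the signed transaction can never be mined, either because its outputs exceed MAX_MONEY or because its nLockTime is a far-future block height. It also covers the caveat that nLockTime is ignored when every input's nSequence is 0xFFFFFFFF. The outpoint and destination script are constructed placeholders, and the legacy (non-witness) serialization is used throughout.

```python
"""Verify that a spendability proof transaction can never confirm.

Added example, not ZeroLink or NBitcoin code. Legacy transaction layout:
version | vin count | inputs | vout count | outputs | nLockTime.
"""
import struct

MAX_MONEY = 21_000_000 * 100_000_000    # consensus cap on total output value, in satoshis
LOCKTIME_THRESHOLD = 500_000_000        # nLockTime below this is a block height, else unix time
SEQUENCE_FINAL = 0xFFFFFFFF             # nLockTime is ignored when every input uses this


def _varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def _read_varint(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack(fmt, buf[pos + 1:pos + 1 + size])[0], pos + 1 + size


def serialize_tx(inputs, outputs, locktime: int, version: int = 1) -> bytes:
    """inputs: [(prev_txid_32_bytes, vout, script_sig, sequence)]; outputs: [(value_sat, script_pubkey)]."""
    raw = struct.pack("<i", version) + _varint(len(inputs))
    for txid, vout, script_sig, sequence in inputs:
        raw += txid + struct.pack("<I", vout) + _varint(len(script_sig)) + script_sig
        raw += struct.pack("<I", sequence)
    raw += _varint(len(outputs))
    for value, script_pubkey in outputs:
        raw += struct.pack("<q", value) + _varint(len(script_pubkey)) + script_pubkey
    return raw + struct.pack("<I", locktime)


def parse_tx(raw: bytes) -> dict:
    pos = 4  # skip version
    n_in, pos = _read_varint(raw, pos)
    inputs = []
    for _ in range(n_in):
        txid, vout = raw[pos:pos + 32], struct.unpack("<I", raw[pos + 32:pos + 36])[0]
        script_len, pos = _read_varint(raw, pos + 36)
        script_sig = raw[pos:pos + script_len]
        pos += script_len
        sequence = struct.unpack("<I", raw[pos:pos + 4])[0]
        pos += 4
        inputs.append((txid, vout, script_sig, sequence))
    n_out, pos = _read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack("<q", raw[pos:pos + 8])[0]
        script_len, pos = _read_varint(raw, pos + 8)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    locktime = struct.unpack("<I", raw[pos:pos + 4])[0]
    return {"inputs": inputs, "outputs": outputs, "locktime": locktime}


def proof_is_unbroadcastable(raw: bytes, registered_outpoint, min_height: int = 499_999_999):
    """Return (ok, reason); ok only if the proof spends the registered outpoint
    and cannot be mined under current consensus rules."""
    tx = parse_tx(raw)
    if not any((txid, vout) == registered_outpoint for txid, vout, _, _ in tx["inputs"]):
        return False, "proof does not spend the registered outpoint"
    if sum(value for value, _ in tx["outputs"]) > MAX_MONEY:
        return True, "total output exceeds MAX_MONEY: consensus-invalid"
    lock = tx["locktime"]
    if lock >= LOCKTIME_THRESHOLD:
        return False, "nLockTime is a unix timestamp; only the block-height form is accepted"
    if lock < min_height:
        return False, f"nLockTime height {lock} is not far enough in the future"
    if all(seq == SEQUENCE_FINAL for _, _, _, seq in tx["inputs"]):
        return False, "every input is final, so nLockTime would be ignored"
    return True, f"cannot be mined before block height {lock + 1}"


# Constructed placeholders, not real chain data.
OUTPOINT = (b"\x11" * 32, 0)
DEST = b"\x00\x14" + b"\x22" * 20   # placeholder P2WPKH scriptPubKey


def build_proof(locktime: int, sequence: int = 0xFFFFFFFE, value: int = 100_000) -> bytes:
    """Unsigned proof skeleton spending OUTPOINT; signing is out of scope here."""
    return serialize_tx([(OUTPOINT[0], OUTPOINT[1], b"", sequence)], [(value, DEST)], locktime)


if __name__ == "__main__":
    print(proof_is_unbroadcastable(build_proof(499_999_999), OUTPOINT))
    print(proof_is_unbroadcastable(build_proof(0, value=22_000_000 * 100_000_000), OUTPOINT))
```

The nSequence check matters in practice: a wallet that defaults to 0xFFFFFFFF produces a transaction whose nLockTime is disabled, so a proof that looks time-locked would actually be broadcastable immediately.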

nopara73 commented 6 years ago

The trick works like a charm: https://github.com/MetacoSA/NBitcoin/pull/403