This patch introduces a new way to sign contracts: a signtag instruction. It allows binding a signed program to any contract instance that carries a corresponding tag string.
Summary of changes
New signtag instruction delegates the contract to a signed program, with the signature tied to the contract's tag (on top of the payload stack).
Existing delegate instruction is renamed to signid, since the signature covers the contract ID.
Instructions signtx, signid, signtag are grouped together in the instruction set.
Rationale
Tagged signatures are more flexible than signid (née delegate), yet safe against replay attacks since a contract has to explicitly choose and store a tag to which a signature is going to be bound. Tagged signatures allow modeling complex logical states of a contract, decoupled from the concrete instantiation of the contract.
The motivating use-case is a payment channel: a tagged signature can be applied to any force-closed state of the contract and simultaneously bring the contract to the latest state.
Alternatives
One alternative is signpin (#320): similar to signtag, but coming with a VM-enforced unique Pin type that cannot be duplicated. That would be less flexible, marginally safer and add more complexity to the system by introducing a whole new type and an additional instruction to create instances of that type.
Another alternative is to simply allow a signature bound to a program and a pubkey. This is as flexible as signtag (enabling oracles to sign predicates usable across independent contracts), but one must not reuse a pubkey between independent domains. Making the contract lock in a specific tag upfront adds safety against key reuse.
Closes #312.
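Added example, not code from this patch or the ZkVM code base: a toy verifier in Go that contrasts the two bindings, with a signid signature fixed to one contract ID while a signtag signature is accepted by every instance that stored the same tag and rejected by an untagged one. The Contract struct, the message framing and the tag/program values are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Contract: the instance ID (bound by signid) and the tag the contract stored
// on its payload (bound by signtag; nil when no tag was stored).
type Contract struct {
	ID  [32]byte
	Tag []byte
}

// message hashes (instruction label, bound value, program) with separators.
// This framing is an assumption for the example, not ZkVM's transcript format.
func message(label string, bound, program []byte) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%x", label, bound, program)))
	return sum[:]
}
// signid: the signature is tied to one contract instance.
func SignID(priv ed25519.PrivateKey, c Contract, program []byte) []byte {
	return ed25519.Sign(priv, message("signid", c.ID[:], program))
}
func VerifyID(pub ed25519.PublicKey, c Contract, program, sig []byte) bool {
	return ed25519.Verify(pub, message("signid", c.ID[:], program), sig)
}
// signtag: the signature is tied to a tag, so every instance that stored that
// tag accepts it; a contract that stored no tag fails closed.
func SignTag(priv ed25519.PrivateKey, tag, program []byte) []byte {
	return ed25519.Sign(priv, message("signtag", tag, program))
}
func VerifyTag(pub ed25519.PublicKey, c Contract, program, sig []byte) bool {
	if c.Tag == nil {
		return false
	}
	return ed25519.Verify(pub, message("signtag", c.Tag, program), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	prog := []byte("pay-latest-balances") // constructed stand-in for a program
	a, b := Contract{Tag: []byte("chan-7")}, Contract{Tag: []byte("chan-7")}
	a.ID[0], b.ID[0] = 1, 2 // two force-closed instances of one channel
	sig := SignTag(priv, a.Tag, prog)
	fmt.Println(VerifyTag(pub, a, prog, sig), VerifyTag(pub, b, prog, sig)) // true true
	fmt.Println(VerifyID(pub, b, prog, SignID(priv, a, prog)))              // false
}
```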