@ -408,17 +408,7 @@ the way the commitment hash is calculated. For segwit version 0 witness
programs, signature verification occurs using an improved commitment
hash algorithm as specified in BIP-143.
The new algorithm achieves two important goals. Firstly, the number of
The new algorithm allows the number of
hash operations increases by a much more gradual O(n) to the number of
signature operations, reducing the opportunity to create
denial-of-service attacks with overly complex transactions. Secondly,
the commitment hash now also includes the value (amounts) of each input
as part of the commitment. This means that a signer can commit to a
specific input value without needing to "fetch" and check the previous
transaction referenced by the input. In the case of offline devices,
such as hardware wallets, this greatly simplifies the communication
between the host and the hardware wallet, removing the need to stream
previous transactions for validation. A hardware wallet can accept the
input value "as stated" by an untrusted host. Since the signature is
invalid if that input value is not correct, the hardware wallet doesn't
need to validate the value before signing the input.
denial-of-service attacks with overly complex transactions.
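Review bot: The rewritten opening line "The new algorithm allows the number of" no longer parses once it runs into the following "hash operations increases by a much more gradual O(n) to the number of" line; suggest "allows the number of hash operations to increase by a much more gradual O(n) with the number of signature operations". Separately, the hunk drops the whole "Secondly, ..." passage, so the text no longer mentions that the commitment hash includes the value of each input. If the intent is to withdraw the statement that a hardware wallet can accept the input value "as stated" by an untrusted host without validating it, say so in the commit message, and consider keeping one sentence that states only that the BIP-143 commitment hash covers each input's value, without the claim about skipping validation.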