From 07e475583bad25a59d57091d92e8fbd3b2f46379 Mon Sep 17 00:00:00 2001 From: "David A. Harding" Date: Sat, 8 Apr 2023 10:58:26 -1000 Subject: [PATCH] CH08: drop paragraph about segwit commiting to input amount This now has a well-known problem and doesn't provide the guarantees that were hoped for. --- chapters/signatures.adoc | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/chapters/signatures.adoc b/chapters/signatures.adoc index d3b82425..2f2ccecc 100644 --- a/chapters/signatures.adoc +++ b/chapters/signatures.adoc @@ -408,17 +408,7 @@ the way the commitment hash is calculated. For segwit version 0 witness programs, signature verification occurs using an improved commitment hash algorithm as specified in BIP-143. -The new algorithm achieves two important goals. Firstly, the number of +The new algorithm allows the number of hash operations increases by a much more gradual O(n) to the number of signature operations, reducing the opportunity to create -denial-of-service attacks with overly complex transactions. Secondly, -the commitment hash now also includes the value (amounts) of each input -as part of the commitment. This means that a signer can commit to a -specific input value without needing to "fetch" and check the previous -transaction referenced by the input. In the case of offline devices, -such as hardware wallets, this greatly simplifies the communication -between the host and the hardware wallet, removing the need to stream -previous transactions for validation. A hardware wallet can accept the -input value "as stated" by an untrusted host. Since the signature is -invalid if that input value is not correct, the hardware wallet doesn't -need to validate the value before signing the input. +denial-of-service attacks with overly complex transactions.
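Review bot: the first `+` line no longer fits the unchanged context line that follows it, so the result reads "The new algorithm allows the number of hash operations increases by a much more gradual O(n) ...", which is ungrammatical. Since the context line is left untouched, the added line should be something like "The new algorithm makes the number of" (or "allows the number of" with the next line changed to "hash operations to increase by ..."). Also, the final `+denial-of-service attacks with overly complex transactions.` line is byte-identical to the `-` line it replaces, so the hunk could drop the intervening lines without touching that one and keep the diff minimal. Separately, the commit message says the removed claim "now has a well-known problem" without naming or linking it; a reference in the commit message (and possibly a short sentence in the chapter) would let readers verify why the hardware-wallet guarantee was withdrawn rather than silently losing the paragraph.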