-
-
Notifications
You must be signed in to change notification settings - Fork 257
Conversation
It might make sense to fail to sign any transaction inputs for which the previous output script version is not 0. I suggest this because in the future the plan is to have a consensus vote which will enable a new signature hash algorithm that is more efficient and only applies to v1+ scripts. Assuming that change ends up getting voted in, attempts to sign transaction inputs with v1 scripts would result in an invalid signature with the current code in the PR. Obviously this wouldn't result in anything dire since the transaction would just be rejected due to an invalid signature, however I think it probably provides a better user experience to report that only v0 scripts are supported and the user should look for an updated firmware versus just producing a transaction that ends up getting rejected with an invalid signature which would likely be confusing for the user. EDIT: Modified to use the versions in the code per the comment below to avoid confusion. |
@davecgh By script version 1, you mean |
@saleemrashid: Right. I should've used the v0 and v1+ in my comment since that's how it is in the code as opposed to the human-readable 1st and 2nd versions. |
In Phase 1, we are serializing the prefix and computing /cc @jhoenicke |
@davecgh So, I could add a |
When will it be enabled? Can we wait until this is enabled on the network? It would make the user experience much better. |
@saleemrashid That sounds correct, assuming @prusnak Unfortunately, it can't be enabled at the current time because of the strictness checks which are part of the consensus rules prevent it, even though the signature algorithm itself technically supports it. Changing it would be a hard fork, which in Decred, means there would need to be a consensus vote and accompanying DCP. Consequently, since it requires a consensus vote to change anyways, we might as well change the algorithm altogether to improve its efficiency. Along these lines, I would actually like to hear from you guys working on Trezor what else you think would be useful in the signature algorithm to improve the Trezor user experience. For example, I know at a bare minimum the signature should also commit to the amount of the current input, but I suspect that it makes sense to commit to all input values (aka total overall transaction input amount) so the Trezor can safely use an untrusted total amount in calculations such as transaction fees without also needing to be able to verify all of the other signatures, which is, of course, only possible if all inputs are owned by the signer. |
@davecgh The most efficient method would probably be to commit to That being said, writing this has made me realise that I can make this PR more efficient (I still have some leftovers from |
@saleemrashid Thanks for the clarification. That is what I suspected. When I work up a DCP to define an updated signature hash algorithm, I'll make sure it includes a commitment to all input values. If there are any other changes that would allow the Trezor code to be more efficient and help improve its UX, please let me know so I can be sure to include them as well. |
I've removed the round-trip in Phase 3 which was previously necessary for |
For reference, I created an issue to discuss a new signature hash algorithm for the future. It doesn't directly affect this PR as it would be a while (several months) before any new algorithm would be put up for vote and voted in via the stakeholders, however, I'm putting a link here to provide everyone working on the trezor integration ample opportunity to request any changes. |
@davecgh The prefix of the spending transaction? I don't think it is. |
@saleemrashid You are correct that I was mistaken there. I actually noticed that earlier myself when going through it for the purposes of 950 I linked above and, if you've reviewed that yet, you'll noticed I made sure it's included in there in the proposal for the new algorithm. In the current algo, it's committed to in the ouputs, but not for the input script. It isn't an issue though since only v0 scripts are supported currently and v1 scripts will use the new algorithm which is incompatible with the old one, so the signature would fail regardless. |
@davecgh Does the last commit address your concerns about the script version? It aborts signing if the input has a script version of v1+ or if it was told the input has a script version of v0 but the previous output has a script version of v1+. If it does, then I think, after trezor/trezor-common#69, trezor/python-trezor#182 and trezor/trezor-crypto#125 have been merged, this is ready to be merged! |
@saleemrashid That looks correct to me. Thanks! |
Updated @prusnak This is ready for review now. |
Any update on this? Looks like it was being considered for 1.6.1, but that came and went, and now there are submodule conflicts |
Rebased on |
Thank you! |
Support for normal Decred transactions.
I had hoped to use
SigHashAllValue
but, as @davecgh has confirmed, it is disabled at the moment. Therefore, we have to useSTAGE_REQUEST_2_PREV_*
.However, a Decred signature hash is a hash over
hash_type || hash_prefix || hash_witness
. Ashash_prefix
is calculated as part of Phase 1, we do not have to assert that the transaction has not changed in either Phase 2 or Phase 3.Furthermore, as the Decred prefix does not contain signatures, we can serialize the prefix in Phase 1 and skip Phase 2 entirely.
Requires trezor/trezor-common#66
/cc @peterzen