12020-03-04T04:08:45  *** jonatack has quit IRC
 22020-03-04T04:40:31  *** pinheadmz has joined ##taproot-bip-review
 32020-03-04T09:04:25  *** jonatack has joined ##taproot-bip-review
 42020-03-04T09:09:35  *** jonatack has quit IRC
 52020-03-04T09:10:47  *** jonatack has joined ##taproot-bip-review
 62020-03-04T09:59:45  *** jonatack_ has joined ##taproot-bip-review
 72020-03-04T10:03:11  *** jonatack has quit IRC
 82020-03-04T11:03:15  *** jonatack_ has quit IRC
 92020-03-04T11:03:41  *** jonatack_ has joined ##taproot-bip-review
102020-03-04T11:54:08  *** belcher has joined ##taproot-bip-review
112020-03-04T12:20:08  *** jonatack_ has quit IRC
122020-03-04T12:22:01  *** jonatack_ has joined ##taproot-bip-review
132020-03-04T12:54:24  *** arik__ has quit IRC
142020-03-04T12:55:25  *** arik__ has joined ##taproot-bip-review
152020-03-04T13:23:26  *** arik__ has quit IRC
162020-03-04T13:23:41  *** arik__ has joined ##taproot-bip-review
172020-03-04T15:21:46  *** pinheadmz has quit IRC
182020-03-04T15:51:19  *** jonatack_ has quit IRC
192020-03-04T15:51:41  *** jonatack has joined ##taproot-bip-review
202020-03-04T17:32:45  *** michaelfolkson has joined ##taproot-bip-review
212020-03-04T20:06:54  *** jonatack has quit IRC
222020-03-04T20:11:53  *** jonatack has joined ##taproot-bip-review
232020-03-04T20:44:04  *** ncantu has joined ##taproot-bip-review
242020-03-04T22:00:16  <instagibbs> idea roconner and I were discussing: Why not have sighash commit to the fact that all inputs are segwit spends(or not)? This makes signing protocols a bit easier when you don't necessarily have access to the full previous transaction or utxo set
252020-03-04T22:01:40  <instagibbs> First thing to do is figure out if that actually solves anything in protocols that have to check this fact e.g., PayJoin(BustaPay?), LN(?)
262020-03-04T22:02:04  <instagibbs> or is making signing "safe" for this fact not enough and there's just more validation to be done
272020-03-04T22:05:57  <sipa> How would it interact with SIGHASH_NONE or SIGHASH_SINGLE?
282020-03-04T22:08:42  <instagibbs> I guess the simplest answer is this is only enforced or only valid with SIGHASH_ALL?
292020-03-04T22:08:50  <instagibbs> just like input values
302020-03-04T22:09:56  <instagibbs> maybe not though, something eltoo-ish may want it
312020-03-04T22:14:55  *** roconnor has joined ##taproot-bip-review
322020-03-04T22:15:05  <instagibbs> roconner suspects it's only useful with sighash_all (told him to get on IRC :P )
332020-03-04T22:16:43  <sipa> the downside of it being a separate sighash flag (="this signature is only valid when all inputs are segwit") is that it revels you're interested in that property; implicitly always committing to it in all signatures does not have that problem
342020-03-04T22:21:04  <roconnor> I don't have a strong preference here.  I think having a "this input is or isn't segwit" flag on every input is also reasonable.
352020-03-04T22:21:39  <roconnor> technically there is a few unused bits in the outpoints index value.
362020-03-04T22:21:49  <roconnor> you could create new fields.
372020-03-04T22:21:52  <roconnor> so many options.
382020-03-04T22:22:30  <sipa> changing the outpoints index value is a hard fork
392020-03-04T22:22:52  <roconnor> I just mean changing it in the sigdata.
402020-03-04T22:23:35  <sipa> oh, sure
412020-03-04T22:31:51  <roconnor> I don't know.  Maybe I'd just add a byte after sha_sequences with a boolean flag for all inputs are segwit.
422020-03-04T22:59:07  <aj> would the "this input is segwit" flag apply for p2sh-encoded-segwit?
432020-03-04T23:00:38  <sipa> aj: i think the context is being able to reason about tzid malleability, so yes
442020-03-04T23:23:52  *** michaelfolkson has quit IRC
452020-03-04T23:44:15  <aj> tzid malleability is horrible, ban daylight savings
462020-03-04T23:46:31  <aj> sipa: for p2sh-encoded you need to know more about the other input than what's available on chain before you can sign for your input, seems slightly weird and gives extra ordering requirements (all the p2sh-segwit inputs get processed/signed before the taproot inputs get signed), but at least it's not an extra round of interaction since there's no p2sh-taproot
472020-03-04T23:47:15  <sipa> aj: i don't follow
482020-03-04T23:48:33  <aj> sipa: input A is p2sh-p2wpkh, input B is taproot. i want to sign B via key path. i have to wait for whoever holds the key for A to reveal the script before I know whether to set the "all-segwit" flag or not, because i can't deduce that from on-chain info
492020-03-04T23:49:37  <sipa> aj: ah, right
502020-03-04T23:49:38  <aj> sipa: (if we had p2sh-taproot, and both A and B were p2sh-taproot; neither A nor B could sign until the other had revealed their script)
512020-03-04T23:49:43  <sipa> though PSBT will have that information
522020-03-04T23:50:09  <aj> currently you can fill out PSBT enough to sign your own input just from on-chain info though?
532020-03-04T23:50:16  <sipa> yup
542020-03-04T23:50:23  <sipa> yeah, this is a concern
552020-03-04T23:51:00  <sipa> and arguably, if this introduces difficulties for signers that cause extra interaction steps... those interaction steps could equally be used to just verify out of band that all inputs are segwit
562020-03-04T23:51:59  <aj> right, revealing the p2sh script and knowing the inputs is sufficient to know if everything's segwit
572020-03-04T23:54:18  <sipa> FWIW, tzid malleability is about preventing one or more 1-character spelling changes in tranzaxions that don't affect the meaning of the word
582020-03-04T23:59:02  <sipa> an alternative that doesn't have this property is a SIGHASH_MUST_BE_ALL_SEGWIT flag instead
592020-03-04T23:59:15  <sipa> which you would just set always in protocols that require it
602020-03-04T23:59:32  <sipa> but that has the downside that it reveals this is something you care about in the first place