Anthony Towns via bitcoin-dev
2017-06-28 07:01:33 UTC
I thought of a possibly interesting way to prevent transaction replay in
the event of a chain split, that seems better to the other approaches
I've seen. Basically, update OP_CHECKSIG (and MULTISIG and the VERIFY
variants, presumably via segwit versioning or using a NOP opcode) so that
signatures can optionally specify an additional integer block-height. If
this is provided, the message hash is combined with the block hash at
the given height, before the signature is created/verified, and therefore
the signature becomes invalid if used on a chain that does not have that
particular block in its history .
It adds four bytes to a signature that uses the feature , along with
a block hash lookup, and some extra sha ops when verifying the signature,
but it otherwise seems pretty lightweight, and scales to an arbitrary
number of forks including a pretty fair range of hard forks, as far
as I can see, without requiring any coordination between any of the
chains. So I think it's superior to what Johnson Lau proposed in January
 or BIP 115 from last year .
Thoughts? Has this been proposed before and found wanting already?
 For consistency, you could use the genesis block hash if the signature
doesn't specify a block height, which would lock a given signature to
"bitcoin" or "testnet" or "litecoin", which might be beneficial.
 Conceivably a little less if you allow "-5" to mean "5 blocks ago"
and miners replace a four byte absolute reference ("473000") with a
one or two byte relative reference ("-206") when grabbing transactions
from the mempool to put in the block template.