Using HASHSIG_NONE and HASHSIG_SINGLE

[fabbit]

Which are real scenario where HASHSIG_NONE and HASHSIG_SINGLE are used?

[1714105798]

1714105798

[1714105798]

1714105798

[1714105798]

1714105798

[1714105798]

1714105798

[BrewMaster]

i haven't seen these in action so it is hard to say what their use cases are.

what i can think of is something like this:
imagine you were working in a company as budget manager and were only responsible for how much bitcoin is being spent not "where and how". for example you say this month we can use 1BTC out of the budget for whatever. they sent you a transaction (it needs to be multi-sig) spending 1BTC and you provide one signature with your key out of n with SIGHASH_NONE saying "i allow spending of 1BTC out of our budget (ie. the txins that the transaction has as input) but don't care where it is being spent" then the other parties that are responsible for spending  set the destination (like paying the employees each 0.01BTC) and provide at least one signature with SIGHASH_ALL.

SIGHASH_SIGNLE could be the same scenario where you say the same thing but it has an addendum "... and i want X amount be paid to this address".
for example in payment scenario, you say pay 0.5 to this address (the CEO's paycheck!) and i don't care what you do with the remaining 0.5, the accounting department sets the rest (0.01 to each employee).

[fabbit]

For SIGHASH_NONE I found this https://raghavsood.com/blog/2018/06/10/bitcoin-signature-types-sighash

This is mostly designed to be used in scenarios where more than one party is contributing inputs. At that point, such a signature essentially means “I agree to spend my money, provided all these other people spend their’s too”. It is expected that one of the other signers will then use SIGHASH_ALL to secure all the outputs of the transaction, and send the money to a mutually agreed output set.

[fabbit]

then the other parties that are responsible for spending  set the destination (like paying the employees each 0.01BTC) and provide at least one signature with SIGHASH_ALL.

Hey, I didn't understand this, why other parties provide one signature with SIGHASH_ALL?

[darosior]

then the other parties that are responsible for spending  set the destination (like paying the employees each 0.01BTC) and provide at least one signature with SIGHASH_ALL.

Hey, I didn't understand this, why other parties provide one signature with SIGHASH_ALL?

To sign the outputs, hence securing the coins' destination.

[BrewMaster]

then the other parties that are responsible for spending  set the destination (like paying the employees each 0.01BTC) and provide at least one signature with SIGHASH_ALL.

Hey, I didn't understand this, why other parties provide one signature with SIGHASH_ALL?

as i explained when you sign with SIGHASH_NONE you are not setting any destination for the coins you are spending, as the result anybody can set the destination (output) and receive the coins. so in the scheme i outlined above, at least one of the signers has to sign everything (namely the outputs) so that they can't be changed. to sign everything you have to use SIGHASH_ALL.

[fabbit]

Yes I understand this, but so the transaction should have at least two input, one for SIGHASH_ALL and the other for SIGHASH_NONE?
And if it is a Bob's transaction so we're talking about Bob's scriptSig, how Alice can put her sign (SIGHASH_ALL) in Bob's inputs?

I mean those kind of transactions look like as collaborative transaction because different parties are contributing in inputs and no as a standard transaction owned by a single 'people', I was reading about PSBT protocol for collaborative transactions.

[BrewMaster]

Yes I understand this, but so the transaction should have at least two input, one for SIGHASH_ALL and the other for SIGHASH_NONE?
And if it is a Bob's transaction so we're talking about Bob's scriptSig, how Alice can put her sign (SIGHASH_ALL) in Bob's inputs?

the example i gave is a multi-signature output which means if it were 2 of 2 then both signature of Bob and Alice are needed and one can sign with NONE and the other with ALL.

i can not think of a safe way to make it work with anything else because the output (assuming it is NOT multi-sig) that was signed with NONE could be extracted and put in any other transaction by a thief.

[fabbit]

Thanks for answer, I was reading about BIP-174 proposal..