Is there any useful place where OP_CODESEPARATOR is used?

[vjudeu]

I don't see how.

In exactly the same way, how you don't have to provide a public key in your output. You don't have to use "<pubkey> OP_CHECKSIG" as your output and "<signature>" as your input, you can also use "OP_CHECKSIG" as your output, and "<signature> <pubkey>" as your input. So, in the same way, you can use "OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE" as your output, and "<locktime>" as your input. So yes, the hash of the previous transaction is now fixed, so you always commit to the whole script, but on the other hand, that script can be flexible enough to allow you to change the locktime.

So, what about that script?

Code:

OP_DUP <minLocktime> <maxLocktime> OP_WITHIN OP_VERIFY OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE

Also note that there are only N possible valid input scripts, that means there are only N possible transaction hashes, that you can reach. You can imagine, how it could affect the next transaction, if it will be used as an input, and if there is no Segwit, so the input script affects the transaction hash (other inputs can use Segwit, only this input can be non-Segwit on purpose, just to reach N possible options, another option could require deterministic signatures, but it is hard to enforce in the current script).

[pooya87]

In exactly the same way, how you don't have to provide a public key in your output. You don't have to use "<pubkey> OP_CHECKSIG" as your output and "<signature>" as your input, you can also use "OP_CHECKSIG" as your output, and "<signature> <pubkey>" as your input.

True, but the problem is that such scripts make no sense since anybody could spend a OP_CHECKSIG output script.

So, in the same way, you can use "OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE" as your output, and "<locktime>" as your input.

Similarly it won't make sense to use OP_CHECKLOCKTIMEVERIFY in first place if the spender is setting it and it can be changed specially if you add OP_CODESEPERATOR which would mean it would also make the transaction malleable.

So, what about that script?

Code:

OP_DUP <minLocktime> <maxLocktime> OP_WITHIN OP_VERIFY OP_CHECKLOCKTIMEVERIFY OP_DROP OP_TRUE

That would work fine since the locking script is defining a strict condition of the locktime so it can't be arbitrary. Although I'm not sure you need the final OP_TRUE though.

[garlonicon]

What about conditional multisig? It is non-standard, but it is possible with OP_CODESEPARATOR.

In a non-segwit transaction, any change in the signature can change the transaction ID. It is usually not desired, but it can be useful in some cases, for example: it is possible to make a conditional multisig, where coins will be signed by one key, or by two keys, and when they will be signed only by one key, the second key will be entirely hidden.

The output script is: "<pubkeyAlice> OP_CHECKSIG". And then, the whole magic is in using OP_CODESEPARATOR inside the input script.
The input script is: "<signatureBob> <pubkeyBob> OP_CHECKSIGVERIFY OP_CODESEPARATOR <signatureAlice>".

Then, both parties can make their signatures upfront, so the next transaction could use the previous transaction hash as an input. And that transaction could trigger something, and will be valid only if both parties will sign everything with their upfront-prepared, deterministic signatures. But if anyone will refuse to sign, or use another signature, then this transaction will not be confirmed, because of no matching txid.

The benefit is that if Alice will use any signature on such output, it will be perfectly valid and standard, so nobody will notice that any multisig was even planned.

[pooya87]

The output script is: "<pubkeyAlice> OP_CHECKSIG". And then, the whole magic is in using OP_CODESEPARATOR inside the input script.
The input script is: "<signatureBob> <pubkeyBob> OP_CHECKSIGVERIFY OP_CODESEPARATOR <signatureAlice>".

The bold part of the signature script can be discarded or be replaced by anything else and the transaction would still be valid. In other words your scripts are examples of the malleability attack.

[garlonicon]

or be replaced by anything else

Any signature can be replaced by anything else, because we don't have deterministic signatures, so "<signatureAlice>" can be also replaced. Anyone using legacy addresses should be aware of that.

The bold part of the signature script can be discarded

It can be discarded in the same way, as any pushes in P2SH before the script itself can be discarded, and in the same way, as all Segwit inputs can be. So, they can be discarded, because there is no soft-fork preventing people from doing so. But I can imagine a Taproot implementation, where some part of the input is committed to the public key, then that system would be safe.

So, historically, P2SH could be introduced as a OP_CODESEPARATOR commitment to the public key, instead of creating a new address type. It is all about privacy, where you can hide anything behind some output that looks the same. But yes, in Taproot, we can currently reach the same thing.

[pooya87]

or be replaced by anything else

Any signature can be replaced by anything else, because we don't have deterministic signatures, so "<signatureAlice>" can be also replaced. Anyone using legacy addresses should be aware of that.

By anything I meant literary anything not just another signature. For example it could be replaced by an arbitrary message like <foobar> OP_CODESEPARATOR

The bold part of the signature script can be discarded

It can be discarded in the same way, as any pushes in P2SH before the script itself can be discarded, and in the same way, as all Segwit inputs can be.

If it can be discarded that means it is pointless and is not solving anything.
You see, the locking script should be designed in a way that it mandates all the unlocking script parts. For example in a P2PKH locking script, it requires 2 items: a signature and a public key and neither one can change meaning you can't use someone else's public key or use a different script to spend that output.

[garlonicon]

By anything I meant literary anything not just another signature. For example it could be replaced by an arbitrary message like <foobar> OP_CODESEPARATOR

Well, any miner can do that today on any legacy address, just because it is possible.

If it can be discarded that means it is pointless and is not solving anything.

It can be discarded in the current consensus. But OP_CODESEPARATOR can decide, what is signed, and what is not, so by introducing new sighashes, the signed parts of the input script can be controlled by signatures.

you can't use someone else's public key or use a different script to spend that output

You can always use a different script, because you can always extend it, if you are a miner. In Segwit, it just does not matter, because txid is not affected.

[vjudeu]

I found some clue, why OP_CODESEPARATOR is still in Taproot: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021448.html

Code:

[2] In Taproot, if you want to prevent signatures migrating to another
    branch or within a branch, you can use the CODESEPARATOR opcode
    which was redisegned in Taproot for exactly this purpose... we
    really did about witness malleation in its design!

[pooya87]

I found some clue, why OP_CODESEPARATOR is still in Taproot: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021448.html

Code:

[2] In Taproot, if you want to prevent signatures migrating to another
    branch or within a branch, you can use the CODESEPARATOR opcode
    which was redisegned in Taproot for exactly this purpose... we
    really did about witness malleation in its design!

Thanks for the update.
I need to investigate the implementation again but I don't think it works the way that is explained here because of how Taproot scripts were designed so that the leaf hash is covered by the signature.