Using SIGHASH_NONE in P2SH address

Question

I know that using SIGHASH_NONE in signatures is safe for a transaction only if at least one of the inputs is signed with SIGHASH_ALL, so that a miner can't change the outputs and reclaim the inputs. This kind of transaction is useful when the parties signing their inputs want to leave the capability to decide the outputs to a trusted coordinator.

Let's now suppose that we have a transaction consisting of inputs using P2SH address implementing a 2of2 multisig signature scheme. Since two signatures are required for each input, what does it happen if one of the signatures is made with SIGHASH_NONE and the second one with SIGHASH_ALL?

My understanding is that the party signing with SIGHASH_NONE leaves the capability to the cosigner to choose the outputs at will and the resulting transaction will be safe (from malicious miners) since all inputs are signed also with one SIGHASH_ALL signature.

Is that correct?

I think that is correct, but doesn't that defeat the point of using 2of2 multisig? — Nick ODell, Nov 12 '15 at 23:02
Of course, but it's a special application I'm thinking about. — Alessandro Polverini, Nov 13 '15 at 06:52

score 1 · Answer 1 · answered May 12 '16 at 15:53

First, it should be said it's not possible to enforce which sighash flags may be used in a P2SH address. Signing is a concern for only the parties to wish to spend funds. Their intent can be captured using SIGHASH flags when signing.

OP is right, and certainly can mix SIGHASH flags in an input script. Signatures in the same script are considered separately, meaning each specifies its own SIGHASH flags. This informs validating nodes how to verify the signature, and mixing them

Using SIGHASH_NONE in P2SH address

1 Answers1