1 2017-03-11 19:21:29 <tarantulae> Hi, does anyone have a pointer or some more info regarding the security of using only hash challenge alone for ScriptPubKey ?
 2 2017-03-11 19:22:03 <tarantulae> I read that it is not safe, but isn't the security of this guaranteed by a hash function without a known pre-image attack ?
 3 2017-03-11 19:34:58 <arubi> tarantulae, the moment you broadcast the redeem script for such a scriptpubkey, anyone can use the same preimage and re-create a transaction that pays to them instead
 4 2017-03-11 19:35:11 <arubi> without a signature, your preimage becomes replay-able
 5 2017-03-11 19:37:11 <tarantulae> arubi: it's a matter of timing then right ? there are no guarantees that even if you are the first to broadcast the redeem script, you'll not get it right ? I think I got it.
 6 2017-03-11 19:38:15 <tarantulae> some node may get your broadcast and then keep it hidden and broadcast another one for him with the same pre-image.
 7 2017-03-11 19:38:46 <arubi> transactions are only ordered by blocks
 8 2017-03-11 19:39:27 <arubi> what happens in between isn't important (ignoring how having free bitcoins 1 might also make re-orgs more profitable)
 9 2017-03-11 19:40:04 <arubi> so yes, you can't rely on being first.  you have to sign what you relay because that's the only way to keep it from being messed with
10 2017-03-11 19:40:19 <tarantulae> thanks, I got it !
11 2017-03-11 19:40:42 <arubi> that's not to say you can't get away with using only hash functions to sign it, but I don't think there's anything implemented to support that yet :)
12 2017-03-11 19:40:44 <arubi> welcome