MIME-Version: 1.0
In-Reply-To: <CAPg+sBgRrqZryiETZYCWiqHNOmN2bCfsvr30znjN-gKiU5Vfjg@mail.gmail.com>
References: <87608btgyd.fsf@rustcorp.com.au>
	<DB7E57AC-5588-4BBA-9ABC-B9B4F6BAECE2@friedenbach.org>
	<CAPg+sBgRrqZryiETZYCWiqHNOmN2bCfsvr30znjN-gKiU5Vfjg@mail.gmail.com>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Fri, 12 Jan 2018 05:48:33 -0500
Message-ID: <CAMZUoKn4noCEQR6eqf9hiZSMdk-3b8UHR1NrEFrKNoLSMzVjGQ@mail.gmail.com>
To: Pieter Wuille <pieter.wuille@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c05921abb6d9e05629202ba"
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>,
	Russell O'Connor <roconnor@blockstream.com>,
	Kalle Alm <kalle.alm@gmail.com>
Subject: Re: [bitcoin-dev] BIP 117 Feedback
Precedence: list

--94eb2c05921abb6d9e05629202ba
Content-Type: text/plain; charset="UTF-8"

Putting aside for the moment the concerns that Pieter and Rusty have raised
about BIP 117 (concerns which I agree with), is BIP 117 even a viable soft
fork to begin with?

When it comes to soft forks of Script, in the past there have been two
kinds.

The first kind is soft-forking new script semantics into NOPn codes.  In
this case, everyone ought to know that these op codes are reserved for
future extensions and no one should be writing script that depends on NOPn
having NOP behavior (For users who want real nop behaviour, there does
exist a real NOP opcode).

The second kind of soft-forking new script semantics is the
reinterpretation of various wholesale scripts (historically via
templates).  Examples of this are Segwit and P2SH.  In the case of Segwit,
the scripts gaining new semantics were applied to a form of completely
unsecured "anyone-can-spend" programs.  Anyone who created such output
prior to the activation of Segwit would know that anyone could claim
ownership of those outputs, and therefore the possibility of losing the
ability to spend legacy forms of these segwit-style outputs is arguably not
harmful as no one in particular had ownership of such funds.  The story for
P2SH is somewhat similar: Prior to the activation of P2SH the creator of of
P2SH style outputs would know that anyone could claim ownership of that
style of output as soon as the hash preimage is published (in the mempool,
for example).

However, if I understand correctly, the situation for BIP 117 is entirely
different.  As far as I understand there is currently no restrictions about
terminating a v0 witness program with a non-empty alt-stack, and there are
no restrictions on leaving non-canonical boolean values on the main stack.
There could already be commitments to V0 witness programs that, when
executed in some reasonable context, leave a non-empty alt-stack and/or
leave a non-canonical true value on the main stack.  Unlike the P2SH or
Segwit soft-forks, these existing commitments could be real outputs that
currently confer non-trivial ownership over their associated funds.  If BIP
117 were activated, these commitments would be subject to a new set of
rules that didn't exist when the commitments were made.  In particular,
these funds could be rendered unspendable.  Because segwit commitments are
hashes of segwit programs, there is no way to even analyze the blockchain
to determine if these commitments currently exist (and even if we could it
probably woudln't be adequate protection).

Naturally we shouldn't be making new rules that could, in principle,
retroactively remove ownership of existing user's funds.


>

--94eb2c05921abb6d9e05629202ba
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div><div>Putting aside for the moment the concerns t=
hat Pieter and Rusty have raised about BIP 117 (concerns which I agree with=
), is BIP 117 even a viable soft fork to begin with?<br><br></div>When it c=
omes to soft forks of Script, in the past there have been two kinds.<br><br=
></div>The first kind is soft-forking new script semantics into NOPn codes.=
=C2=A0 In this case, everyone ought to know that these op codes are reserve=
d for future extensions and no one should be writing script that depends on=
 NOPn having NOP behavior (For users who want real nop behaviour, there doe=
s exist a real NOP opcode).<br><br></div>The second kind of soft-forking ne=
w script semantics is the reinterpretation of various wholesale scripts (hi=
storically via templates).=C2=A0 Examples of this are Segwit and P2SH.=C2=
=A0 In the case of Segwit, the scripts gaining new semantics were applied t=
o a form of completely unsecured &quot;anyone-can-spend&quot; programs.=C2=
=A0 Anyone who created such output prior to the activation of Segwit would =
know that anyone could claim ownership of those outputs, and therefore the =
possibility of losing the ability to spend legacy forms of these segwit-sty=
le outputs is arguably not harmful as no one in particular had ownership of=
 such funds.=C2=A0 The story for P2SH is somewhat similar: Prior to the act=
ivation of P2SH the creator of of P2SH style outputs would know that anyone=
 could claim ownership of that style of output as soon as the hash preimage=
 is published (in the mempool, for example).<br><div><div><div><div><div><d=
iv><div class=3D"gmail_extra"><br></div><div class=3D"gmail_extra">However,=
 if I understand correctly, the situation for BIP 117 is entirely different=
.=C2=A0 As far as I understand there is currently no restrictions about ter=
minating a v0 witness program with a non-empty alt-stack, and there are no =
restrictions on leaving non-canonical boolean values on the main stack.=C2=
=A0 There could already be commitments to V0 witness programs that, when ex=
ecuted in some reasonable context, leave a non-empty alt-stack and/or leave=
 a non-canonical true value on the main stack.=C2=A0 Unlike the P2SH or Seg=
wit soft-forks, these existing commitments could be real outputs that curre=
ntly confer non-trivial ownership over their associated funds.=C2=A0 If BIP=
 117 were activated, these commitments would be subject to a new set of rul=
es that didn&#39;t exist when the commitments were made.=C2=A0 In particula=
r, these funds could be rendered unspendable.=C2=A0 Because segwit commitme=
nts are hashes of segwit programs, there is no way to even analyze the bloc=
kchain to determine if these commitments currently exist (and even if we co=
uld it probably woudln&#39;t be adequate protection).<br></div><div class=
=3D"gmail_extra"><br></div><div class=3D"gmail_extra">Naturally we shouldn&=
#39;t be making new rules that could, in principle, retroactively remove ow=
nership of existing user&#39;s funds.<br></div><span class=3D"HOEnZb"><font=
 color=3D"#888888"><div dir=3D"auto">=C2=A0<br></div></font></span><div cla=
ss=3D"gmail_extra"><div class=3D"gmail_quote"><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex=
">
</blockquote></div><br></div></div></div></div></div></div></div></div>

--94eb2c05921abb6d9e05629202ba--