MIME-Version: 1.0
In-Reply-To: <CAAS2fgQ66mQQ6Bdcm7C=CSzjkk3CwZCFLdSsDFdiDaRXhLiO=Q@mail.gmail.com>
References: <1736097121.90204.1471369988809@privateemail.com>
	<201608161937.20748.luke@dashjr.org>
	<20160816194332.GA5888@fedora-21-dvm>
	<CAMZUoKkAkGRFxpyGMxQMz76L7uW6fsQAYVxkrxi5MQCiBtNnqw@mail.gmail.com>
	<CAPg+sBi30SgHHXCyipbNpiMRHYWPCRYz6ejQYKrDg3MLJp39EQ@mail.gmail.com>
	<CAMZUoKktS=Ku4kpD0bocR4X__ZpWXrkPkdOyXBaYxjq+mr9Pmw@mail.gmail.com>
	<CAPg+sBhykn8BU1LAr1izH0z6nFuOv0PzWjuqq7YJX5r35LDa9Q@mail.gmail.com>
	<CAMZUoKnebdULkJXqM38i-SkzoD6ufcxdEhcBD1PG5C78qyjFOw@mail.gmail.com>
	<CAAS2fgQ66mQQ6Bdcm7C=CSzjkk3CwZCFLdSsDFdiDaRXhLiO=Q@mail.gmail.com>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Tue, 16 Aug 2016 20:27:54 -0400
Message-ID: <CAMZUoKm2VX=kL7c3QsenQmQeKnR86APwvdNduDOUtOrtzL2B6A@mail.gmail.com>
To: Gregory Maxwell <greg@xiph.org>
Content-Type: multipart/alternative; boundary=001a11425e44810c62053a398adc
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] New BIP: Dealing with OP_IF and OP_NOTIF
 malleability in P2WSH
Precedence: list

--001a11425e44810c62053a398adc
Content-Type: text/plain; charset=UTF-8

Okay.

I'm not really opposed to this BIP, but I am worried that fighting script
malleability is a battle that can never be won; even leaving one avenue of
malleability open is probably just as bad as having many avenues of
malleability, so it just doesn't seem worthwhile to me.

On Tue, Aug 16, 2016 at 8:18 PM, Gregory Maxwell <greg@xiph.org> wrote:

> On Tue, Aug 16, 2016 at 10:52 PM, Russell O'Connor via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > I see.
> >
> > But is it really necessary to soft fork over this issue?  Why not just
> make
> > it a relay rule?  Miners are already incentivized to modify transactions
> to
> > drop excess witness data and/or prioritize (versions of) transactions
> based
> > on their cost.  If a miner wants to mine a block with excess witness
> data,
> > it is mostly their own loss.
>
> Relay rules are quite fragile-- people build programs or protocols not
> expecting them to be violated, without proper error handling in those
> cases... and then eventually some miner rips them out because they
> simply don't care about them: not enforcing them won't make their
> blocks invalid.
>
> It's my general view that we should avoid blocking things with relay
> rules unless we think that someday they could be made invalid... not
> necessarily that they will, but that it's plausible. Then the
> elimination at the relay level is just the first exploratory step in
> that direction.
>
> One should also consider adversarial behavior by miners.  For example,
> I can mine blocks with mutated witnesses with a keyed mac that chooses
> the mutation. The key is shared by conspirators or customers, and now
> collectively we have a propagation advantage (since we know the
> mutated version before it shows up).  Not the _biggest_ concern, since
> parties doing this could just create their own new transactions to
> selectively propagate; but doing that would require leaving behind fee
> paying public transactions, while using malleability wouldn't.
>

--001a11425e44810c62053a398adc
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Okay.<br><br>I&#39;m not really opposed to this BIP, but I=
 am worried that fighting script malleability is a battle that can never be=
 won; even leaving one avenue of malleability open is probably just as bad =
as having many avenues of malleability, so it just doesn&#39;t seem worthwh=
ile to me.<br></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quot=
e">On Tue, Aug 16, 2016 at 8:18 PM, Gregory Maxwell <span dir=3D"ltr">&lt;<=
a href=3D"mailto:greg@xiph.org" target=3D"_blank">greg@xiph.org</a>&gt;</sp=
an> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;=
border-left:1px #ccc solid;padding-left:1ex"><span class=3D"">On Tue, Aug 1=
6, 2016 at 10:52 PM, Russell O&#39;Connor via bitcoin-dev<br>
&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@li=
sts.<wbr>linuxfoundation.org</a>&gt; wrote:<br>
&gt; I see.<br>
&gt;<br>
&gt; But is it really necessary to soft fork over this issue?=C2=A0 Why not=
 just make<br>
&gt; it a relay rule?=C2=A0 Miners are already incentivized to modify trans=
actions to<br>
&gt; drop excess witness data and/or prioritize (versions of) transactions =
based<br>
&gt; on their cost.=C2=A0 If a miner wants to mine a block with excess witn=
ess data,<br>
&gt; it is mostly their own loss.<br>
<br>
</span>Relay rules are quite fragile-- people build programs or protocols n=
ot<br>
expecting them to be violated, without proper error handling in those<br>
cases... and then eventually some miner rips them out because they<br>
simply don&#39;t care about them: not enforcing them won&#39;t make their<b=
r>
blocks invalid.<br>
<br>
It&#39;s my general view that we should avoid blocking things with relay<br=
>
rules unless we think that someday they could be made invalid... not<br>
necessarily that they will, but that it&#39;s plausible. Then the<br>
elimination at the relay level is just the first exploratory step in<br>
that direction.<br>
<br>
One should also consider adversarial behavior by miners.=C2=A0 For example,=
<br>
I can mine blocks with mutated witnesses with a keyed mac that chooses<br>
the mutation. The key is shared by conspirators or customers, and now<br>
collectively we have a propagation advantage (since we know the<br>
mutated version before it shows up).=C2=A0 Not the _biggest_ concern, since=
<br>
parties doing this could just create their own new transactions to<br>
selectively propagate; but doing that would require leaving behind fee<br>
paying public transactions, while using malleability wouldn&#39;t.<br>
</blockquote></div><br></div>

--001a11425e44810c62053a398adc--