Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id B80903C8 for ; Tue, 21 Jul 2015 18:18:21 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E39D51C2 for ; Tue, 21 Jul 2015 18:18:20 +0000 (UTC) Received: by wibxm9 with SMTP id xm9so130254724wib.0 for ; Tue, 21 Jul 2015 11:18:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=gyi/h0oqgV5mCHbdQnl7t0Gc+YIQWZ02dEQSiol6Dek=; b=S+3VjtF9TpU11Tg4J4LwwjUdhh9jG4+XV61uY5uF3Y+RkmfkbUW+RgLTqIwfSLrx53 s2fgOGE5PtXOu8rD3i2jiQVasOMZTiGYSKZb7RlQ2GQwM0S6w8copzy9aGmKZuL8yOvf TwgWcnPkNcydcw++k9Llu4fdH4OttCOVd7fE8TmMdLzl+MEFYDy8cyUxg02B+tc4BaKw K8P7RI6DP35haxhnZRJ05UBwsKjNI/51u9k62II2Zq7ghpktN9Y7OJY7dZ/Mg2PH33E8 KKjuimsY3ga+W4BWpBhbkvCikvzFTAlZvYvlU6Edi1Ug58pjqoecniMGIQZ0HocESFIY PUfA== X-Received: by 10.194.89.98 with SMTP id bn2mr74527887wjb.153.1437502699751; Tue, 21 Jul 2015 11:18:19 -0700 (PDT) MIME-Version: 1.0 Received: by 10.28.229.195 with HTTP; Tue, 21 Jul 2015 11:18:00 -0700 (PDT) In-Reply-To: References: From: Jeremy Rubin Date: Wed, 22 Jul 2015 02:18:00 +0800 Message-ID: To: Gavin Andresen Content-Type: multipart/alternative; boundary=089e010d8b24c84e86051b66ad25 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: bitcoin-dev@lists.linuxfoundation.org Subject: Re: [bitcoin-dev] For discussion: limit transaction size to mitigate CVE-2013-2292 X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Jul 2015 18:18:21 -0000 --089e010d8b24c84e86051b66ad25 Content-Type: text/plain; charset=UTF-8 I think it's not a horrible idea to just add a field into the transaction metadata for N_SIG_OPS in the script_sig It is much simpler in implementation if the concern is complexity (once a transaction goes above N_SIG_OPS it could be considered invalid, number computed must be equal). It wouldn't even need to be stored permanently as it can be pruned easily and recomputed later (hashes would protect against buggy complicated sig counting code). Furthermore, it would differentiate a branch with different counts well. On Wed, Jul 22, 2015 at 2:09 AM, Gavin Andresen via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Mon, Jul 20, 2015 at 4:55 PM, Gregory Maxwell > wrote: > >> On Mon, Jul 20, 2015 at 7:10 PM, Gavin Andresen via bitcoin-dev >> wrote: >> > Mitigate a potential CPU exhaustion denial-of-service attack by limiting >> > the maximum size of a transaction included in a block. >> >> This seems like a fairly indirect approach. The resource being watched >> for is not the size (otherwise two transactions for 200k would be >> strictly worse than one 200k transactions) but the potential of N^2 >> costs related to repeated hashing in checksig; which this ignores. >> > > Yes. The tradeoff is implementation complexity: it is trivial to check > transaction size, > not as trivial to count signature operations, because > number-of-bytes-in-transaction > doesn't require any context. > > But I would REALLY hate myself if in ten years a future version of me was > struggling to > get consensus to move away from some stupid 100,000 byte transaction size > limit > I imposed to mitigate a potential DoS attack. > > So I agree, a limit on sigops is the right way to go. And if that is being > changed, > might as well accurately count exactly how many sigops a transaction > actually > requires to be validated... > > -- > -- > Gavin Andresen > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > --089e010d8b24c84e86051b66ad25 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
I think it's not a horrible idea to just add a field i= nto the transaction metadata for N_SIG_OPS in the script_sig

=
It is much simpler in implementation if the concern is complexity (onc= e a transaction goes above N_SIG_OPS it could be considered invalid, number= computed must be equal). It wouldn't even need to be stored permanentl= y as it can be pruned easily and recomputed later (hashes would protect aga= inst buggy complicated sig counting code).

Further= more, it would differentiate a branch with different counts well.



On Wed, Jul 22, 2015 at 2:09 AM, Gavin Andresen via bitcoi= n-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
On Mon, Jul 20= , 2015 at 4:55 PM, Gregory Maxwell <gmaxwell@gmail.com> wro= te:
On Mon,= Jul 20, 2015 at 7:10 PM, Gavin Andresen via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
> Mitigate a potential CPU exhaustion denial-of-service attack by limiti= ng
> the maximum size of a transaction included in a block.

This seems like a fairly indirect approach. = The resource being watched
for is not the size (otherwise two transactions for 200k would be
strictly worse than one 200k transactions) but the potential of N^2
costs related to repeated hashing in checksig; which this ignores.

Yes.=C2=A0 The tradeoff is implementatio= n complexity: it is trivial to check transaction size,
not as tri= vial to count signature operations, because number-of-bytes-in-transaction<= /div>
doesn't require any context.

But I w= ould REALLY hate myself if in ten years a future version of me was struggli= ng to
get consensus to move away from some stupid 100,000 byte tr= ansaction size limit
I imposed to mitigate a potential DoS attack= .

So I agree, a limit on sigops is the right way t= o go. And if that is being changed,
might as well accurately coun= t exactly how many sigops a transaction actually
requires to be v= alidated...
=
--
--
Gavin Andresen


_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.= linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev


--089e010d8b24c84e86051b66ad25--