Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 2D646BFB for ; Fri, 14 Jul 2017 09:04:41 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f66.google.com (mail-oi0-f66.google.com [209.85.218.66]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1C3F4FF for ; Fri, 14 Jul 2017 09:04:40 +0000 (UTC) Received: by mail-oi0-f66.google.com with SMTP id n2so9571963oig.3 for ; Fri, 14 Jul 2017 02:04:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=pUDEyIP30H+KZ/ELLjoY7w3ls6FdG8aBn2LTfY/eykI=; b=nnIA/TZKfBdBZUvTZr4Jg6KMjA/tpoFaCljvgvrvdkBXMeq6aNxzE5OxGFd3zlOhvS aiNzG3RlISizr9rpjcpCQLTxWFaGBvm4vfy99AY1BHH2EAj+c28pvQMutDBNEfFA/2kq X6cVK3UuceIq5UyG6JZ6s4sQQL6tJ202kVn9qbVgOS3nXQLwDE3PMQabJZ0rjd+qX/mF ati5/OqLNxhvSCY1sirIrvzvkFf+59RV6V4fdbpSYDbLGYAXiWemD4OFKbQ8qv6mkXN/ vhPjFdYsHC9kledxtp+lSAp002XiB4s+ZQZTrQ1i5Gyjht4HouHogCU2P+pYaQUA/cRe /SBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=pUDEyIP30H+KZ/ELLjoY7w3ls6FdG8aBn2LTfY/eykI=; b=jtOjgyy72Ks9FeczlA82EAqBBFa7WqaHB2UPOkVcNSMSLzRRl7UCTdh+MJrD1BdEzt DfpG6lyeIaZgMcXETw+mInDgKzZs8OF0MJc9W+XBKgf2eI8IXxcEz77UEgIz/tigTqgS GuK6tpnM58gMvGhuQ4mrNVa+o7kj3FeEaIUYjdFBuT58i43AqXFV1EkEsC/73gAs+alk YwMgIK4JBUxuqi7xETKfP3jfbmt0z19hRyQ+J71tWyXG1D0fhEhD4voYxxuXeEJK1Znt 7XY3o+toj05gzowelbCsBeih9AvHbUlbeMeqfk+g+XqTnn8G79cT9gFu5wHjcIZetlFP XDaA== X-Gm-Message-State: AIVw110URfgiLdFCdvUKwMmzEl9Qm2FqWUbRZbPUCubUzFhzWjqvnKSJ Yn+RdRiix0xcEePVkwwYGn/cNxc5fbEp X-Received: by 10.202.76.214 with SMTP id z205mr4643159oia.215.1500023078995; Fri, 14 Jul 2017 02:04:38 -0700 (PDT) MIME-Version: 1.0 Received: by 10.74.170.203 with HTTP; Fri, 14 Jul 2017 02:03:58 -0700 (PDT) In-Reply-To: <5af10ca3-8b97-f227-c09f-901bbb6176c3@osc.co.cr> References: <0119661e-a11a-6d4b-c9ec-fd510bd4f144@gmail.com> <1c1d06a9-2e9f-5b2d-42b7-d908ada4b09e@gmail.com> <001b20f2-1f33-3484-8ad2-1420ae1a2df5@gmail.com> <03cf3326-ae84-96f9-5eee-158054341eff@osc.co.cr> <0be972b9-328c-394a-1e90-bd7a37642598@osc.co.cr> <4921ce4f-06bc-8ff1-4e70-5bd55d1ff5ca@osc.co.cr> <5af10ca3-8b97-f227-c09f-901bbb6176c3@osc.co.cr> From: Tier Nolan Date: Fri, 14 Jul 2017 10:03:58 +0100 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="001a11c17df4c74d6b05544356c3" X-Spam-Status: No, score=-1.5 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 14 Jul 2017 11:54:09 +0000 Subject: Re: [bitcoin-dev] how to disable segwit in my build? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jul 2017 09:04:41 -0000 --001a11c17df4c74d6b05544356c3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, Jul 14, 2017 at 12:20 AM, Dan Libby via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On 07/13/2017 03:50 PM, Hampus Sj=C3=B6berg wrote: > > 2. Avoid any chain of transaction that contains a SegWit transaction > > sounds good, though I'm unclear on how exactly to achieve (2) given that > any party I have ever transacted with (or otherwise knows an address of > mine) can send me coins at any time. So it seems the only possible way > to be certain is to run a node that has never published an address to a > 3rd party. Is that accurate? > You would also have to ensure that everyone you give your addresses to follows the same rule. As time passes, there would be fewer and fewer people who have "clean" outputs. From the perspective of old nodes, segwit looks like lots of people are transferring money to "anyone-can-spend" outputs. This outputs are completely unprotected. Literally, anyone can spend them. (In practice, miners would spend them, since why would they include a transaction that sends "free money" to someone else). If you run an old node, then someone could send you a transaction that only spends segwit outputs and you would think it is a valid payment. Imagine that there are only 3 UTXOs (Alice, Bob and Carl have all the Bitcoins). UTXO-1: Requires signature by Alice (legacy output) UTXO-2: Anyone can pay (but is actually a segwit output that needs to be signed by Bob) UTXO-3: Anyone can pay (but is actually a segwit output that needs to be signed by Carl) Only Bob can spend UTXO-2, since it needs his signature. Anyone could create a transaction that spends UTXO-2 and it would look good to all legacy nodes. It is an "anyone can spend" output after all. However, if they submit the transaction to the miners, then it will be rejected, because according to the new rules, it is invalid (it needs to be signed by Bob). Once a soft fork goes through, then all miners will enforce the new rules. A miner who added the transaction to one of his blocks (since it is valid under the old rules) would find that no other miners would accept his block and he would get no fees for that block. This means that all miners have an incentive to upgrade once a soft fork activates. His block would be accepted by legacy nodes, for a short while. However, since 95% of the miners are on the main chain, their chain (which rejects his block) would end up the longest. If you are running a legacy client when a soft fork comes in, then you can be tricked with "zero confirm" transactions. The transaction will look good to you, but will be invalid under the new rules. This makes your client think you have received (a lot of) money, but in practice, the transaction will not be accepted by the miners. > Another thing that could be done is to modify my own node so that it > actually rejects such tx, but then I have modified consensus rules > myself, thus defeating the goal of remaining with status-quo rules, and > anyway the rest of the network would accept the tx. I guess the benefit > is that I could be certain of the remaining funds I have. > If you wanted, you could mark any transaction that has a segwit looking output as "dirty" and then all of its descendants as dirty. However, pretty quickly, only a tiny fraction of all bitcoins would be clean. I suppose that it would be possible without modifying any rule to > construct a "certain balance" and an "uncertain balance". > Right. I think a reasonably compromise would be to assume that all transactions buried more than a few hundred blocks deep are probably ok. Only segwit looking outputs would be marked as "uncertain". --001a11c17df4c74d6b05544356c3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable


On Fri, Jul 14, 2017 at 12:20 AM, Dan Libby via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
O= n 07/13/2017 03:50 PM, Hampus Sj=C3=B6berg wrote:
> 2. Avoid any chain of transaction that contains a SegWit transaction
sounds good, though I'm unclear on how exactly to achieve (2) gi= ven that
any party I have ever transacted with (or otherwise knows an address of
mine) can send me coins at any time.=C2=A0 So it seems the only possible wa= y
to be certain is to run a node that has never published an address to a
3rd party.=C2=A0 Is that accurate?

You = would also have to ensure that everyone you give your addresses to follows = the same rule.=C2=A0 As time passes, there would be fewer and fewer people = who have "clean" outputs.

From the perspective = of old nodes, segwit looks like lots of people are transferring money to &q= uot;anyone-can-spend" outputs.=C2=A0 This outputs are completely unpro= tected.=C2=A0 Literally, anyone can spend them.=C2=A0 (In practice, miners = would spend them, since why would they include a transaction that sends &qu= ot;free money" to someone else).

If you run an old n= ode, then someone could send you a transaction that only spends segwit outp= uts and you would think it is a valid payment.

Imagine th= at there are only 3 UTXOs (Alice, Bob and Carl have all the Bitcoins).=C2= =A0

UTXO-1:=C2=A0 Requires signature by Alice= (legacy output)

UTXO-2: Anyone can pay (but is actually = a segwit output that needs to be signed by Bob)

UTXO-3: A= nyone can pay (but is actually a segwit output that needs to be signed by C= arl)

Only Bob can spend UTXO-2, since it needs his= signature.

Anyone could create a transaction that spends= UTXO-2 and it would look good to all legacy nodes.=C2=A0 It is an "an= yone can spend" output after all.

However, if they s= ubmit the transaction to the miners, then it will be rejected, because acco= rding to the new rules, it is invalid (it needs to be signed by Bob).=C2=A0=

Once a soft fork goes through, then all miners will enforce the ne= w rules.

A miner who added the transaction to one of his = blocks (since it is valid under the old rules) would find that no other min= ers would accept his block and he would get no fees for that block.=C2=A0 T= his means that all miners have an incentive to upgrade once a soft fork act= ivates.

His block would be accepted by legacy = nodes, for a short while.=C2=A0 However, since 95% of the miners are on the= main chain, their chain (which rejects his block) would end up the longest= .

If you are running a legacy client when a soft fork com= es in, then you can be tricked with "zero confirm" transactions.= =C2=A0 The transaction will look good to you, but will be invalid under the= new rules.=C2=A0 This makes your client think you have received (a lot of)= money, but in practice, the transaction will not be accepted by the miners= .


Another thing that could be done is to modify my own node so that it
actually rejects such tx, but then I have modified consensus rules
myself, thus defeating the goal of remaining with status-quo rules, and
anyway the rest of the network would accept the tx.=C2=A0 I guess the benef= it
is that I could be certain of the remaining funds I have.
<= div>
If you wanted, you could mark any transaction that has a= segwit looking output as "dirty" and then all of its descendants= as dirty.

However, pretty quickly, only a tiny fraction = of all bitcoins would be clean.

I suppose that it would be possible without modifying any rule to
construct a "certain balance" and an "uncertain balance"= ;.

Right.

I think a r= easonably compromise would be to assume that all transactions buried more t= han a few hundred blocks deep are probably ok.=C2=A0 Only segwit looking ou= tputs would be marked as "uncertain".
--001a11c17df4c74d6b05544356c3--