Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 8A1CBAC8 for ; Fri, 8 Nov 2019 13:04:06 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-io1-f50.google.com (mail-io1-f50.google.com [209.85.166.50]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D386FEC for ; Fri, 8 Nov 2019 13:04:05 +0000 (UTC) Received: by mail-io1-f50.google.com with SMTP id j13so6309678ioe.0 for ; Fri, 08 Nov 2019 05:04:05 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+Lvj0e0F6eQ/6GBX7vb453YGJ8lPH3nN/taBPqvvpzw=; b=rFSgXMB9PFE1uzRsgARKrT2KRr2LjLoGb/Lz8s9Xle32b1t1zaHjutA33Lyw45ArlQ h8uu43v9+gTWWJ/o0kuyKp5Bmp9szX3nDzBuC5XY3lN8gpQsJn87C0OsoYi2N9nLbBGG hQlzqE+TGUHvAarsfetyrDLTQaLdXuIkmQuto= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+Lvj0e0F6eQ/6GBX7vb453YGJ8lPH3nN/taBPqvvpzw=; b=ipWNfRQHAEQDQU2nk+1TsComMaZpqVUMBfYicSg6ScJHs2uBDyZ7gaSlDDm4Rg3R8/ +3V27nVBUpjN/j1DqjE65Dr5G2H5SU9vkuLYDFrJh6Zgs+PBD4fdnJVoELUmOIpehFyW qgvfn5dJHZscLMvY0xBQUO6Z4w/jyCU1se2r7632HpQQb+riDW1CgkboGe/ey+IJhGdd OTnyL1JTPx17WsFwSEjI8FRJL1xZHPgPF4QKc/dDd25jHFMfZf3mNRkZ8sSh9x+/ub8t qVCdinYWBE4D9mKEOTc4beBsSa7gJBeOo8nmj6BOr4exZ9zxwElfL1V4D8jh5wP5vlHO bAYQ== X-Gm-Message-State: APjAAAXlApLLo0juEmWOTzoQStHzAoM5CTT0ZkUN6zuHlsVpoQ8PM2KQ Ot8ziyhSpjbmJiRe7/6l+rI4azPqnUvIWbrNshAWvngZ X-Google-Smtp-Source: APXvYqzNz1A/MosWVqMPWtw34o1zKDI4feKfqE/DvDU/pPoLiQf+aBNZc4+ZxBFDafSi6l1ZfYlOWNZoSEvQqJt5iWY= X-Received: by 2002:a5e:d813:: with SMTP id l19mr9790206iok.74.1573218244647; Fri, 08 Nov 2019 05:04:04 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: "Russell O'Connor" Date: Fri, 8 Nov 2019 08:03:52 -0500 Message-ID: To: ZmnSCPxj via bitcoin-dev Content-Type: multipart/alternative; boundary="000000000000a081360596d56a4e" X-Spam-Status: No, score=-0.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DOS_RCVD_IP_TWICE_B, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Pieter Wuille Subject: Re: [bitcoin-dev] Bech32 weakness and impact on bip-taproot addresses X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Nov 2019 13:04:06 -0000 --000000000000a081360596d56a4e Content-Type: text/plain; charset="UTF-8" I do like the idea of length prefixing the witness program. I will note that the 1 byte witness version is really more like a 1 character witness version. There are 17 different segwit versions and there are 32 characters in the bech32 alphabet. That leaves 15 unused characters that we can use for assigning new meanings too. That said, it is probably most sensible to define a new human-readable-prefix for length prefixed bitcoin witness programs. "btc1" anyone? On Fri, Nov 8, 2019 at 12:12 AM ZmnSCPxj via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Good morning Pieter, and all, > > Can we modify Bech32 SegWit address format for version 1 and above as > below? > > * The data-part values: > ** 1 byte: the witness version > + ** If the witness version is non-zero, 1 byte: the length of the > witness program. > ** A conversion of the 2-to-40-byte witness program (as defined by [ > https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki BIP141]) > to base32: > *** Start with the bits of the witness program, most significant bit > per byte first. > *** Re-arrange those bits into groups of 5, and pad with zeroes at > the end if needed. > *** Translate those bits to characters using the table above. > > This retains the ability of a bech32 address to specify any valid witness > length and allows future version 1 addresses with lengths other than 32, > while closing this malleation. > > Older software being given the modified v1 address format would mis-send > it to the wrong witness program, however. > > Alternately we could just keep using version 0 in the address format > forever. > The requirement would be to ensure that SegWit vN (N >= 1) output witness > programs would have a data-part value encoded as below: > > * The data-part values: > ** 1 byte: legacy witness version, which must always be 0. > ** 1 byte: actual witness version, which must be non-zero. > ** 1 byte: padding length: 0 or 1. > ** If padding length is 1, 1 byte: padding, which must be 0. > ** 1 byte: witness program length. > ** variable: witness program. > > A writer for a v1 or later address would initially set an empty padding, > then compute: > > 1 // actual witness version > + 1 // padding length > + 1 // witness length > + witness_length > > If the above sum is 20 or 32, then the writer selects a non-zero padding > and inserts the padding byte so that the above sum is now 21 or 33. > > To a reader that understands only bech32 v0, such an encoding would look > like a SegWit v0 invalid-program-length, and be rejected. > A reader which understands the above protocol would, instead of rejecting > a SegWit v0 invalid-program-length, instead attempt to parse it as above > first, and consider it as SegWit v1 or higher if it was parsed correctly as > above. > > The above proposal is of course ridiculous and I am now currently running > diagnostics on my processing units to see if further glitches occur in test > reasoning skills. > > Regards, > ZmnSCPxj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000a081360596d56a4e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I do like the idea of length prefixing the witness pr= ogram.=C2=A0 I will note that the 1 byte witness version is really more lik= e a 1 character witness version.=C2=A0 There are 17 different segwit versio= ns and there are 32 characters in the bech32 alphabet.=C2=A0 That leaves 15= unused characters that we can use for assigning new meanings too.

That said, it is probably most sensible to define a new hu= man-readable-prefix for length prefixed bitcoin witness programs.=C2=A0 &qu= ot;btc1" anyone?

On Fri, Nov 8, 2019 at 12:12 AM ZmnSCPxj via bitco= in-dev <bitcoin= -dev@lists.linuxfoundation.org> wrote:
Good morning Pieter, and all,

Can we modify Bech32 SegWit address format for version 1 and above as below= ?

=C2=A0 =C2=A0 =C2=A0 * The data-part values:
=C2=A0 =C2=A0 =C2=A0 ** 1 byte: the witness version
=C2=A0 =C2=A0 + ** If the witness version is non-zero, 1 byte: the length o= f the witness program.
=C2=A0 =C2=A0 =C2=A0 ** A conversion of the 2-to-40-byte witness program (a= s defined by [https://github.com/bitco= in/bips/blob/master/bip-0141.mediawiki BIP141]) to base32:
=C2=A0 =C2=A0 =C2=A0 *** Start with the bits of the witness program, most s= ignificant bit per byte first.
=C2=A0 =C2=A0 =C2=A0 *** Re-arrange those bits into groups of 5, and pad wi= th zeroes at the end if needed.
=C2=A0 =C2=A0 =C2=A0 *** Translate those bits to characters using the table= above.

This retains the ability of a bech32 address to specify any valid witness l= ength and allows future version 1 addresses with lengths other than 32, whi= le closing this malleation.

Older software being given the modified v1 address format would mis-send it= to the wrong witness program, however.

Alternately we could just keep using version 0 in the address format foreve= r.
The requirement would be to ensure that SegWit vN (N >=3D 1) output witn= ess programs would have a data-part value encoded as below:

=C2=A0 =C2=A0 * The data-part values:
=C2=A0 =C2=A0 ** 1 byte: legacy witness version, which must always be 0. =C2=A0 =C2=A0 ** 1 byte: actual witness version, which must be non-zero. =C2=A0 =C2=A0 ** 1 byte: padding length: 0 or 1.
=C2=A0 =C2=A0 ** If padding length is 1, 1 byte: padding, which must be 0.<= br> =C2=A0 =C2=A0 ** 1 byte: witness program length.
=C2=A0 =C2=A0 ** variable: witness program.

A writer for a v1 or later address would initially set an empty padding, th= en compute:

=C2=A0 =C2=A0 =C2=A0 1 // actual witness version
=C2=A0 =C2=A0 + 1 // padding length
=C2=A0 =C2=A0 + 1 // witness length
=C2=A0 =C2=A0 + witness_length

If the above sum is 20 or 32, then the writer selects a non-zero padding an= d inserts the padding byte so that the above sum is now 21 or 33.

To a reader that understands only bech32 v0, such an encoding would look li= ke a SegWit v0 invalid-program-length, and be rejected.
A reader which understands the above protocol would, instead of rejecting a= SegWit v0 invalid-program-length, instead attempt to parse it as above fir= st, and consider it as SegWit v1 or higher if it was parsed correctly as ab= ove.

The above proposal is of course ridiculous and I am now currently running d= iagnostics on my processing units to see if further glitches occur in test = reasoning skills.

Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000a081360596d56a4e--