path: root/35/e458d490ca90155befe2e3f891740187637499

Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191]
	helo=mx.sourceforge.net)
	by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <pete@petertodd.org>) id 1V3ian-0002Jh-82
	for bitcoin-development@lists.sourceforge.net;
	Mon, 29 Jul 2013 08:14:09 +0000
Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of petertodd.org
	designates 62.13.148.111 as permitted sender)
	client-ip=62.13.148.111; envelope-from=pete@petertodd.org;
	helo=outmail148111.authsmtp.net; 
Received: from outmail148111.authsmtp.net ([62.13.148.111])
	by sog-mx-1.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
	id 1V3ial-00019i-DO for bitcoin-development@lists.sourceforge.net;
	Mon, 29 Jul 2013 08:14:09 +0000
Received: from mail-c226.authsmtp.com (mail-c226.authsmtp.com [62.13.128.226])
	by punt8.authsmtp.com (8.14.2/8.14.2/Kp) with ESMTP id
	r6T8E0bc079455; Mon, 29 Jul 2013 09:14:00 +0100 (BST)
Received: from savin (76-10-178-109.dsl.teksavvy.com [76.10.178.109])
	(authenticated bits=128)
	by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id r6T8DtaN093130
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
	Mon, 29 Jul 2013 09:13:58 +0100 (BST)
Date: Mon, 29 Jul 2013 04:13:55 -0400
From: Peter Todd <pete@petertodd.org>
To: John Dillon <john.dillon892@googlemail.com>
Message-ID: <20130729081355.GB23180@savin>
References: <CAPaL=UV9ytoDc-0U148QSbtq=QHFAY1N=nV_1h_dRW12F6YVhA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="1UWUbFP1cBYEclgG"
Content-Disposition: inline
In-Reply-To: <CAPaL=UV9ytoDc-0U148QSbtq=QHFAY1N=nV_1h_dRW12F6YVhA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Server-Quench: d20af01f-f826-11e2-98a9-0025907ec6c5
X-AuthReport-Spam: If SPAM / abuse - report it at:
	http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
	aAdMdAsUEkAYAgsB AmUbW11eUV57XGo7 bAxPbAVDY01GQQRq
	WVdMSlVNFUsqB3gJ clpPLBl7dARFeDBx YERiWj4PXkQrI0Z8
	FFMCHW8AeGZhPWIC WUgJfh5UcAFPdx9C PwN5B3ZDAzANdhES
	HhM4ODE3eDlSNilR RRkIIFQOdA4sBjU7 Sx1KAjUuAUABRj4v
	ZxIhMBYkRn0xZS0A 
X-Authentic-SMTP: 61633532353630.1020:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 76.10.178.109/587
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
	anti-virus system.
X-Spam-Score: -0.4 (/)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	1.1 TRACKER_ID             BODY: Incorporates a tracking ID number
X-Headers-End: 1V3ial-00019i-DO
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Opcode whitelist for P2SH?
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2013 08:14:09 -0000


--1UWUbFP1cBYEclgG
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sun, Jul 28, 2013 at 07:39:08PM +0000, John Dillon wrote:
> Peter Todd recently came up with two related, and IMO very good, uses for
> non-standard transactions to implement both oracles and one-time-password
> protection of wallet funds. While the wallet fund case could be implement=
ed as
> only a single standard type, at the cost of generality, the oracle case w=
ould
> be most useful with more arbitrary rules. More generally it is also usefu=
l to
> be able to have scriptPubKeys like the following:
>=20
>     n <pubkey>...<pubkey> m CHECKMULTISIG <master pubkey> CHECKSIG BOOLOR
>=20
> and many other similar constructions.
>=20
> What are your thoughts on creating a whitelist for specific opcodes that =
would
> apply to scripts serialized using P2SH, retaining the existing standard
> whitelist for scriptPubKeys? (I would still recommend dropping pay-to-pub=
key
> and pay-to-multisig due to their potential for dumping data in the UTXO s=
et)

One subtlety of what you are proposing is that we should still retain
the IsStandard() check, or to be exact the AreInputsStandard() check, if
a P2SH serialized script follows a standard form.

The reason is transaction mutability. Right now other than BIP11
CHECKMULTISIG only miners can mutate transactions because any change to
the scriptSig will render the transaction non-standard. As you know this
is a good thing because it means unconfirmed transaction chains don't
get broken in flight.

BIP11 is an interesting case because CHECKMULTISIG consumes one extra
stack item, so when you spend a BIP11 n <pubkey>...<pubkey> m
CHECKMULTISIG scriptPubKey you have to provide an additional item prior
to the signatures; usually OP_0 is used.

But we don't actually check that! You can put anything there provided it
doesn't make the scriptSig go over the standard allowed scriptSig size
of 500 bytes; for instance I (ab)used that feature just now to timestamp
my Litecoin v0.8.3.6 audit report SHA256 hash:

d0dfe270e8e8e4c0196f780d42e34d8a1121f2f8a249586aa1a2c5ebcada10b1

in transaction:

15bb08318335f94a8de154dc39b03db2cdebcc7a96ab6cec0379978676d00301

It's been suggested that we consider transactions non-standard, or just
now allowed at all in a future soft-fork, if at the end of execution
there is more than one stack item left; a opcode whitelist should
probably do this. On the other hand I've come up with some soft-fork
upgrade mechanisms that would leave extra items on the stack for
non-upgraded nodes, suggesting a soft-fork imposing this is a bad idea.
(though note how it suggests considering such tx's non-standard is
reasonable in a few ways)

CHECKMULTISIG isn't helped here because the value really is ignored - a
soft-fork to force it to always be zero might not be a bad idea, though
it's far from the only example of mutability.

I'd be interested if you can come up with an example where imposing a
one stack item at the end of execution rule causes problems.


More generally, and getting a bit off topic, I think Bitcoin should have
been designed so that CHECKSIG signed hashes of scriptPubKeys, rather
than txid:vout outputs, so that malleability wouldn't affect the
validity of a signature. Of course, this would mean that signatures
could be reused if scriptPubKeys were reused, but address re-use is a
bad thing anyway! Not that I'll fault Satoshi here, type 2 deterministic
wallets were unknown back then. (though we should be careful that a
future CHECKSIG design can go back to txid:vout references - ECC is
unique in allowing for type 2 wallets)

--=20
'peter'[:-1]@petertodd.org
0000000000000053ef658095fb45c7a86955d70c76b44264c7abce79683a8a90

--1UWUbFP1cBYEclgG
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBCAAGBQJR9iRDAAoJECSBQD2l8JH7EAYH/jwWU2Ww4hfqxrrJgOxwERfS
7somJMz2xq9/fWXsLKP5u+G4FG+ANFHvfOHLnioxuMCR+Ju339MpP25BHjM8YC84
/6o7tSLKHojr/W0BMvcJSK7a3V2b8kftypKe1lrNBDrY8r4RX+toPKXnVczS3BiM
gB5MBW3arflQlbTEf/saw+eNfQwYrRj7aWVCKKM0glsFPn2NnZqO6pJWPSxluxJe
6UlRHimtxq7YG+lsz4UyNkNlTexS7hfPA24REHaJ3hJsCoSb/IbIp9b4xAsXOSWP
d8ZlMW0DHjd5BdyjzENdzBgGypThuiq6Bkx+2n+oExp+p/SHMhrqKdMJg432gRo=
=QMmk
-----END PGP SIGNATURE-----

--1UWUbFP1cBYEclgG--