1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
|
Delivery-date: Tue, 26 Mar 2024 12:15:14 -0700
Received: from mail-yw1-f187.google.com ([209.85.128.187])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBC3PT7FYWAMRBON5RSYAMGQEXK7Y4WA@googlegroups.com>)
id 1rpCGP-0006C3-9X
for bitcoindev@gnusha.org; Tue, 26 Mar 2024 12:15:13 -0700
Received: by mail-yw1-f187.google.com with SMTP id 00721157ae682-60a54004e9fsf104728727b3.3
for <bitcoindev@gnusha.org>; Tue, 26 Mar 2024 12:15:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1711480507; x=1712085307; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=OVImNhbqOL4fCy7lc+XH7kO9Qi0cHJNOEpY2FQ2ghG8=;
b=hdA5m2p/BBzGF2iNXILJWjxzkYsY3yU9eN43LDNoUdbNYgSPxDfvBp6zJyQBbfbXJ2
DRa5VR8CCvCtdvmgvxNY/Bjfqtsgrb44h2TlCHEpR6nkxTRJVPKqTpTpQzi9EhSQQIoO
k6FrMTqbQKpj0l+w0dbQbJR1dUjfRHdSCmAWM+vZ+G/7iVZ7SCHVMk6GmN0tyILA9Urc
I+jHfNOhUn0M2Z5g7MeNA7lV0hw3RVxc7n1KrJKypX8/Rq+V3VylvrBluwgwU5xE517O
mlUiI2whc+IWpRMGPpm1hxPrbvaT6KrQjGyHnjTLtfkZyt2BSPvEYd85CuAZLP61wXBQ
NKoA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1711480507; x=1712085307; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:from:to:cc
:subject:date:message-id:reply-to;
bh=OVImNhbqOL4fCy7lc+XH7kO9Qi0cHJNOEpY2FQ2ghG8=;
b=PviVJqss/uEGHwPWKJRGbpK4Xab/iGiIjLPmJosoiNNLTxsA1Xk7IP8MIZwvP+8ghA
c5WlxgOGgp3TDHq4AcpZknJfaCAv7ZIEBWsRG2Zz4r50WOO1L0EoUUBduE/usOz4kXNR
vk4mYGbTEQod4qD1b0E0b9QBpJBg9r3zRG+qaZ7dsmdwf62ccRzLfbNgdMperw5SI3Pv
5xSudcb+1US5N6l/HaJ6vft3K+NOqH8bQ3xQY7NP1JBgNqrJYLO2YSkCIf9f2nFfI+NO
X+JWWpFtmPEO0Agq85jTMD+rrtAKFQhzUBoYqipLsx7GLGpr1TFSjjtHMKybe3BgSlfb
ODYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1711480507; x=1712085307;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-sender:mime-version
:subject:references:in-reply-to:message-id:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=OVImNhbqOL4fCy7lc+XH7kO9Qi0cHJNOEpY2FQ2ghG8=;
b=XfT+Jtz1AWgJkajMVFwIa4tAaD+daq5bkh+ZGDxBVsZEMeA/SC1/dDVZ8gGeuugDFG
0UJsUPzSz+zyUmPk+1cz+KxmZcu/xByYrM55ZSAOm7au+8XDfqb2U7AH5JFcheRzwDiV
IswxxDhQw4VnQn72QHXuKWY8AsylSXEo//IcDvya/ey5DE5ZSnExKkHaAXQ2UOAxfaGG
Z3+ypXMLURDvzHE0dygCR9I77Fmyf8vYZ3D56rN24wRDr1TjpEEHh0PffDid8XDMRGf5
/3fsU31WHr1h7Cyz5q9GGHVC0h75+aIi0plKGjkabhAKAc9gPY9Jq/TcPPU++qnLaFMA
g+5Q==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=1; AJvYcCVEVy0iU2nSbJ0IqNQuZEnAJvy2EMQ6R7+eGfeb0WBq33z3NBlK4UMy1BjcWGHutus948U+wd1KOlM+SEEnaCFnKFhP+Y0=
X-Gm-Message-State: AOJu0Yy/QpBX4goNvsVK/JMqFl8PO8WFcsiVEYvdDdwyMGPjbgxyf/i0
Y6fL6isMliDvSJua8u/VWLrThlGIajuOPzXkmL+sf55zXNii8ArE
X-Google-Smtp-Source: AGHT+IFhmsNC55+bUn/BWnkQ8XllQrK4Aeon+ou+lT6DCxtGoxz6H8DFW9aewGYjztKtDwMfnM5mVg==
X-Received: by 2002:a25:60b:0:b0:dd0:c2a:26f9 with SMTP id 11-20020a25060b000000b00dd00c2a26f9mr8192707ybg.27.1711480506575;
Tue, 26 Mar 2024 12:15:06 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a25:e0d2:0:b0:dcc:4b24:c0da with SMTP id x201-20020a25e0d2000000b00dcc4b24c0dals2122144ybg.2.-pod-prod-02-us;
Tue, 26 Mar 2024 12:15:05 -0700 (PDT)
X-Received: by 2002:a05:6902:1b8e:b0:dd9:3922:fc0e with SMTP id ei14-20020a0569021b8e00b00dd93922fc0emr511299ybb.13.1711480505420;
Tue, 26 Mar 2024 12:15:05 -0700 (PDT)
Received: by 2002:a05:690c:ecc:b0:611:2a20:d0cc with SMTP id 00721157ae682-613f27c0326ms7b3;
Tue, 26 Mar 2024 12:11:30 -0700 (PDT)
X-Received: by 2002:a25:ce51:0:b0:dd3:f55f:ff02 with SMTP id x78-20020a25ce51000000b00dd3f55fff02mr426405ybe.1.1711480289043;
Tue, 26 Mar 2024 12:11:29 -0700 (PDT)
Date: Tue, 26 Mar 2024 12:11:28 -0700 (PDT)
From: Antoine Riard <antoine.riard@gmail.com>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <dc2cc46f-e697-4b14-91b3-34cf11de29a3n@googlegroups.com>
In-Reply-To: <gnM89sIQ7MhDgI62JciQEGy63DassEv7YZAMhj0IEuIo0EdnafykF6RH4OqjTTHIHsIoZvC2MnTUzJI7EfET4o-UQoD-XAQRDcct994VarE=@protonmail.com>
References: <gnM89sIQ7MhDgI62JciQEGy63DassEv7YZAMhj0IEuIo0EdnafykF6RH4OqjTTHIHsIoZvC2MnTUzJI7EfET4o-UQoD-XAQRDcct994VarE=@protonmail.com>
Subject: [bitcoindev] Re: Great Consensus Cleanup Revival
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_Part_69708_410503362.1711480288616"
X-Original-Sender: antoine.riard@gmail.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)
------=_Part_69708_410503362.1711480288616
Content-Type: multipart/alternative;
boundary="----=_Part_69709_1111808445.1711480288616"
------=_Part_69709_1111808445.1711480288616
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Poinsot,
I think fixing the timewarp attack is a good idea, especially w.r.t safety=
=20
implications of long-term timelocks usage.
The only beneficial case I can remember about the timewarp issue is=20
"forwarding blocks" by maaku for on-chain scaling:
http://freico.in/forward-blocks-scalingbitcoin-paper.pdf
Shall we as a community completely disregard this approach for on-chain=20
settlement throughput scaling ?
Personally, I think you can still design extension-block / side-chains like=
=20
protocols by using other today available
Bitcoin Script mechanisms and get roughly (?) the same security /=20
scalability trade-offs. Shall be fine to me to fix timewarp.
Worst-block validation time is concerning. I bet you can do worst than your=
=20
examples if you're playing with other vectors like
low-level ECC tricks and micro-architectural layout of modern processors.
Consensus invalidation of old legacy scripts was quite controversial last=
=20
time a consensus cleanup was proposed:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-March/016714.h=
tml
Only making scripts invalid after a given block height (let's say the=20
consensus cleanup activation height) is obviously a
way to solve the concern and any remaining sleeping DoSy unspent coins can=
=20
be handled with newly crafted and dedicated
transaction-relay rules (e.g at max 1000 DoSy coins can be spent per block=
=20
for a given IBT span).
I think any consensus boundaries on the minimal transaction size would need=
=20
to be done carefully and have all lightweight
clients update their own transaction acceptance logic to enforce the check=
=20
to avoid years-long transitory massive double-spend
due to software incoordination. I doubt `MIN_STANDARD_TX_NON_WITNESS_SIZE`=
=20
is implemented correctly by all transaction-relay
backends and it's a mess in this area. Quid if we have < 64 bytes=20
transaction where the only witness is enforced to be a minimal 1-byte
as witness elements are only used for higher layers protocols semantics ?=
=20
Shall get its own "only-after-height-X" exemption, I think.
Making coinbase unique by requesting the block height to be enforced in=20
nLocktime, sounds more robust to take a monotonic counter
in the past in case of accidental or provoked shallow reorgs. I can see of=
=20
you would have to re-compute a block template, loss a round-trip
compare to your mining competitors. Better if it doesn't introduce a new=20
DoS vector at mining job distribution and control.
Beyond, I don't deny other mentioned issues (e.g UTXO entries growth limit)=
=20
could be source of denial-of-service but a) I think it's hard
to tell if they're economically neutral on modern Bitcoin use-cases and=20
their plausible evolvability and b) it's already a lot of careful consensus
code to get right :)
Best,
Antoine
Le dimanche 24 mars 2024 =C3=A0 19:06:57 UTC, Antoine Poinsot a =C3=A9crit =
:
> Hey all,
>
> I've recently posted about the Great Consensus Cleanup there:=20
> https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710.
>
> I'm starting a thread on the mailing list as well to get comments and=20
> opinions from people who are not on Delving.
>
> TL;DR:
> - i think the worst block validation time is concerning. The mitigations=
=20
> proposed by Matt are effective, but i think we should also limit the=20
> maximum size of legacy transactions for an additional safety margin;
> - i believe it's more important to fix the timewarp bug than people=20
> usually think;
> - it would be nice to include a fix to make coinbase transactions unique=
=20
> once and for all, to avoid having to resort back to doing BIP30 validatio=
n=20
> after block 1,983,702;
> - 64 bytes transactions should definitely be made invalid, but i don't=20
> think there is a strong case for making less than 64 bytes transactions=
=20
> invalid.
>
> Anything in there that people disagree with conceptually?
> Anything in there that people think shouldn't (or don't need to) be fixed=
?
> Anything in there which can be improved (a simpler, or better fix)?
> Anything NOT in there that people think should be fixed?
>
>
> Antoine Poinsot
>
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/=
bitcoindev/dc2cc46f-e697-4b14-91b3-34cf11de29a3n%40googlegroups.com.
------=_Part_69709_1111808445.1711480288616
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Poinsot,<div><br /></div><div>I think fixing the timewarp attack is a go=
od idea, especially w.r.t safety implications of long-term timelocks usage.=
</div><div><br /></div><div>The only beneficial case I can remember about t=
he timewarp issue is "forwarding blocks" by maaku for on-chain scaling:</di=
v><div>http://freico.in/forward-blocks-scalingbitcoin-paper.pdf<br /></div>=
<div><br /></div><div>Shall we as a community completely disregard this app=
roach for on-chain settlement throughput scaling ?</div><div>Personally, I =
think you can still design extension-block / side-chains like protocols by =
using other today available</div><div>Bitcoin Script mechanisms and get rou=
ghly (?) the same security / scalability trade-offs. Shall be fine to me to=
fix timewarp.</div><div><br /></div><div>Worst-block validation time is co=
ncerning. I bet you can do worst than your examples if you're playing with =
other vectors like</div><div>low-level ECC tricks and micro-architectural l=
ayout of modern processors.</div><div><br /></div><div>Consensus invalidati=
on of old legacy scripts was quite controversial last time a consensus clea=
nup was proposed:</div><div>https://lists.linuxfoundation.org/pipermail/bit=
coin-dev/2019-March/016714.html<br /></div><div><br /></div><div>Only makin=
g scripts invalid after a given block height (let's say the consensus clean=
up activation height) is obviously a</div><div>way to solve the concern and=
any remaining sleeping DoSy unspent coins can be handled with =C2=A0newly =
crafted and dedicated</div><div>transaction-relay rules (e.g at max 1000 Do=
Sy coins can be spent per block for a given IBT span).</div><div><br /></di=
v><div>I think any consensus boundaries on the minimal transaction size wou=
ld need to be done carefully and have all lightweight</div><div>clients upd=
ate their own transaction acceptance logic to enforce the check to avoid ye=
ars-long transitory massive double-spend</div><div>due to software incoordi=
nation. I doubt `MIN_STANDARD_TX_NON_WITNESS_SIZE` is implemented correctly=
by all transaction-relay</div><div>backends and it's a mess in this area. =
Quid if we have =C2=A0< 64 bytes transaction where the only witness is e=
nforced to be a minimal 1-byte</div><div>as witness elements are only used =
for higher layers protocols semantics =C2=A0? Shall get its own "only-after=
-height-X" exemption, I think.</div><div><br /></div><div>Making coinbase u=
nique by requesting the block height to be enforced in nLocktime, sounds mo=
re robust to take a monotonic counter</div><div>in the past in case of acci=
dental or provoked shallow reorgs. I can see of you would have to re-comput=
e a block template, loss a round-trip</div><div>compare to your mining comp=
etitors. Better if it doesn't introduce a new DoS vector at mining job dist=
ribution and control.</div><div><br /></div><div>Beyond, I don't deny other=
mentioned issues (e.g UTXO entries growth limit) could be source of denial=
-of-service but a) I think it's hard</div><div>to tell if they're economica=
lly neutral on modern Bitcoin use-cases and their plausible evolvability an=
d b) it's already a lot of careful consensus</div><div>code to get right :)=
</div><div><br /></div><div>Best,</div><div>Antoine</div><div><br /></div><=
div class=3D"gmail_quote"><div dir=3D"auto" class=3D"gmail_attr">Le dimanch=
e 24 mars 2024 =C3=A0 19:06:57 UTC, Antoine Poinsot a =C3=A9crit=C2=A0:<br/=
></div><blockquote class=3D"gmail_quote" style=3D"margin: 0 0 0 0.8ex; bord=
er-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">Hey all,
<br>
<br>I've recently posted about the Great Consensus Cleanup there: <a hr=
ef=3D"https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710" tar=
get=3D"_blank" rel=3D"nofollow" data-saferedirecturl=3D"https://www.google.=
com/url?hl=3Dfr&q=3Dhttps://delvingbitcoin.org/t/great-consensus-cleanu=
p-revival/710&source=3Dgmail&ust=3D1711565663390000&usg=3DAOvVa=
w0H-vWJQFB5_UBHVBwhQ1qE">https://delvingbitcoin.org/t/great-consensus-clean=
up-revival/710</a>.
<br>
<br>I'm starting a thread on the mailing list as well to get comments a=
nd opinions from people who are not on Delving.
<br>
<br>TL;DR:
<br>- i think the worst block validation time is concerning. The mitigation=
s proposed by Matt are effective, but i think we should also limit the maxi=
mum size of legacy transactions for an additional safety margin;
<br>- i believe it's more important to fix the timewarp bug than people=
usually think;
<br>- it would be nice to include a fix to make coinbase transactions uniqu=
e once and for all, to avoid having to resort back to doing BIP30 validatio=
n after block 1,983,702;
<br>- 64 bytes transactions should definitely be made invalid, but i don=
9;t think there is a strong case for making less than 64 bytes transactions=
invalid.
<br>
<br>Anything in there that people disagree with conceptually?
<br>Anything in there that people think shouldn't (or don't need to=
) be fixed?
<br>Anything in there which can be improved (a simpler, or better fix)?
<br>Anything NOT in there that people think should be fixed?
<br>
<br>
<br>Antoine Poinsot
<br></blockquote></div>
<p></p>
-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List" group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href=3D"https://groups.google.c=
om/d/msgid/bitcoindev/dc2cc46f-e697-4b14-91b3-34cf11de29a3n%40googlegroups.=
com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/msg=
id/bitcoindev/dc2cc46f-e697-4b14-91b3-34cf11de29a3n%40googlegroups.com</a>.=
<br />
------=_Part_69709_1111808445.1711480288616--
------=_Part_69708_410503362.1711480288616--
|