MIME-Version: 1.0
References: <CALFqKjQkQwuxjeYkGWO_Y_HhNQmJgrjqF3m04hbORV7FSbsi3Q@mail.gmail.com>
	<CAAQdECAyQB0E0PxwBOxXoEtQO_HU5b3JGQpsqp_OfB8dOKqiUQ@mail.gmail.com>
	<CALFqKjTHT7XaREK7ewwKKBjrZcty7ueNBMtSLEW7B-o9uwXgmw@mail.gmail.com>
In-Reply-To: <CALFqKjTHT7XaREK7ewwKKBjrZcty7ueNBMtSLEW7B-o9uwXgmw@mail.gmail.com>
From: Yuval Kogman <nothingmuch@woobling.org>
Date: Fri, 19 Jul 2019 22:48:43 +0000
Message-ID: <CAAQdECAxdUvwSo2byukgevZF56gadMN1+P9cvH2wQMCVPrA38Q@mail.gmail.com>
To: Mike Brooks <m@ib.tc>, bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000fa678d058e108733"
Subject: Re: [bitcoin-dev] PubRef - Script OP Code For Public Data References
Precedence: list

--000000000000fa678d058e108733
Content-Type: text/plain; charset="UTF-8"

Hi,

On Fri, 19 Jul 2019 at 17:49, Mike Brooks <m@ib.tc> wrote:

> Users will adopt whatever the client accepts - this feature would be
> transparent.
>

My skepticism was based in an assumption on my part that most such data is
produced by actors with a track record of neglecting transaction
efficiency. I'd be happy to be proven wrong, but considering say usage
rates of native witness outputs, or the fraction of transactions with more
than 2 outputs so far I see little evidence in support of widespread
adoption of cost saving measures. Assuming this is intended as a new script
version, all fully validating nodes need to commit to keeping all data
indefinitely before they can enforce the rules that make transactions
benefiting from this opcode safe to broadcast.

That said, if successful, the main concern is still that of address reuse -
currently there is no incentive in the protocol to do that, and with BIP32
wallets fewer reasons to do it as well, but this proposal introduces such
an incentive for users which would otherwise generate new addresses
(disregarding the ones that already reuse addresses anyway), and this is
problematic for privacy and fungibility.

Since address reuse has privacy concerns, I think it's important to draw a
distinction between clients accepting and producing such transactions, if
the latter were done transparently that would be very concerning IMO, and
even the former would not be transparent for users who run currently
pruning nodes.

I'm not sure how an O(1) time complexity leads to DoS, that seems like a
> very creative jump.
>

For what it's worth, that was in reference to hypothetical deduplication
only at the p2p layer, similar to compact blocks, but on further reflection
I'd like to retract that, as since both scenarios which I had in mind seem
easily mitigated.

  Based on this response, it makes me want to calculate the savings, what
> if it was a staggering reduction in the tree size?
>

Assuming past address reuse rates are predictive this only places an upper
bound on the potential size savings, so personally I would not find that
very compelling. Even if the realized size savings would be substantial,
I'm not convinced the benefits outweigh the downsides (increased validation
costs, monotonically growing unprunable data, and direct incentive for
address reuse), especially when compared to other methods/proposals that
can reduce on chain footprint generally improve privacy while reducing
validation costs for others (e.g. batching, lightning, MAST for
sufficiently large scripts, Schnorr signatures (musig, adaptor signatures),
{tap,graft}root, ).

Regards,
Yuval

--000000000000fa678d058e108733
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,</div><div><div><br><div class=3D"gmail_quote"><di=
v dir=3D"ltr" class=3D"gmail_attr">On Fri, 19 Jul 2019 at 17:49, Mike Brook=
s &lt;<a href=3D"mailto:m@ib.tc">m@ib.tc</a>&gt; wrote:<br></div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Users will adopt w=
hatever the client accepts - this feature would be transparent.=C2=A0<br></=
div></blockquote></div><div class=3D"gmail_quote"><br><div class=3D"gmail_q=
uote">My=20
skepticism was based in an assumption on my part that most such data is pro=
duced by actors with a track record of neglecting transaction efficiency. I=
&#39;d be happy to be proven wrong, but considering say usage rates of nati=
ve witness outputs, or the fraction of transactions with more than 2 output=
s so far I see little evidence in support of widespread adoption of cost sa=
ving measures. Assuming this is intended as a new script version, all fully=
 validating nodes need to commit to keeping all data indefinitely before th=
ey can enforce the rules that make transactions benefiting from this opcode=
 safe to broadcast.</div><div class=3D"gmail_quote"><br></div><div class=3D=
"gmail_quote">That said, if successful, the main concern is still that of a=
ddress reuse - currently there is no incentive in the protocol to do that, =
and with BIP32 wallets fewer reasons to do it as well, but this proposal in=
troduces such an incentive for users which would otherwise generate new add=
resses (disregarding the ones that already reuse addresses anyway), and thi=
s is problematic for privacy and fungibility.<br></div><div class=3D"gmail_=
quote"><br></div><div class=3D"gmail_quote">Since address reuse has privacy=
 concerns, I think it&#39;s important to draw a distinction between clients=
 accepting and producing such transactions, if the latter were done transpa=
rently that would be very concerning IMO, and even the former would not be =
transparent for users who run currently pruning nodes.<br></div></div></div=
></div><div><div><br><div class=3D"gmail_quote"><div class=3D"gmail_quote">=
<blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-=
left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">I&#39;m =
not sure how an O(1) time complexity leads to DoS, that seems like a very c=
reative jump.</div></blockquote><div><br></div><div class=3D"gmail_quote">F=
or what it&#39;s worth, that was in reference to hypothetical deduplication=
 only at the p2p layer, similar to compact blocks, but on further reflectio=
n I&#39;d like to retract that, as since both scenarios which I had in mind=
 seem easily mitigated.<br></div><div class=3D"gmail_quote"><br></div><div =
class=3D"gmail_quote"><blockquote class=3D"gmail_quote" style=3D"margin:0px=
 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><di=
v dir=3D"ltr">=C2=A0 Based on this response, it makes me want to calculate =
the savings, what if it was a staggering reduction in the tree size?</div><=
/blockquote></div></div></div></div><div><br><div class=3D"gmail_quote"><di=
v>Assuming past address reuse rates are predictive this only places an uppe=
r bound on the potential size savings, so personally I would not find that =
very compelling. Even if the realized size savings would be substantial, I&=
#39;m not convinced the benefits outweigh the downsides (increased validati=
on costs, monotonically growing unprunable data, and direct incentive for a=
ddress reuse), especially when compared to other methods/proposals that can=
 reduce on chain footprint generally improve privacy while reducing validat=
ion costs for others (e.g. batching, lightning, MAST for sufficiently large=
 scripts, Schnorr signatures (musig, adaptor signatures), {tap,graft}root, =
).</div><div><br></div><div>Regards,</div><div>Yuval<br></div></div></div><=
/div></div>

--000000000000fa678d058e108733--