Return-Path: Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 46D62C0733 for ; Wed, 15 Jul 2020 20:56:25 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 3C7BC8AD8D for ; Wed, 15 Jul 2020 20:56:25 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pN7otkDqEYTb for ; Wed, 15 Jul 2020 20:56:24 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail-io1-f51.google.com (mail-io1-f51.google.com [209.85.166.51]) by hemlock.osuosl.org (Postfix) with ESMTPS id 6DB678AD8A for ; Wed, 15 Jul 2020 20:56:24 +0000 (UTC) Received: by mail-io1-f51.google.com with SMTP id l1so3757672ioh.5 for ; Wed, 15 Jul 2020 13:56:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=vCf7AAu90dVKsw+By64V7NyyKwuxhy4ydWYXNH9gsOs=; b=VpA/OnCzMfxBCKi52Sj6SIo6MRKNRNE8EGgNNkQ06lL5sFK1bWybxdvVWLxnfhNTi+ fCVhlDQX/G61hryZ2c8/jQxLmixQ4kopESz9J/qt0npRF9aEBhNrOgzHQhZ+ryEYlWyV DEYd+PFeuySkkZVVQDHNI7bs78OzTFnzhnYCdg0IV7Te9RREdWULaVW1UxSaEVAbhci5 LgIgy1PS+wfQ9W+46gGZwFlZSGBup5fxfsBDBYRE6+1pXJ2BhTxdyjJ5gHkEbEMRxqjZ uOlQzuoBx58mcJLVOyjMPuWQDS+/uZiBkSAIy4CnbtOqG5B+KSpzVtkGY88OPBLgvPhu FmsA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=vCf7AAu90dVKsw+By64V7NyyKwuxhy4ydWYXNH9gsOs=; b=tmJWZ49YAZl03OBWZRWngRfAcuZQk8hpxmZRht/CTCjgzLbVaFMw+nFWCyD7gt1vmG 2Nzp+lTFcSJFisZzu9uNPxoQfqL+TXaeVqrRJY5dSob0zC5FQezidKNOvL67JC953meo B0TQER5YAoO93M27iOxW/PG4/LFpLTtDUXsMwKmelYdTgyoyQcSce4dyEuEiNh2OJLxc djuAYorCu+91SPsPkJ4wx/mXQIO2MdJJ5OmuMnLtKKBoP+CT7hDBfrXO5CwN1+LIw1na 9pxREVO7wI/fVWcJbws0yhXUnrsIytEFDfRLMHeG0qiiWGyvOj1cC+gl/ZgmKZ0zqNV+ twqw== X-Gm-Message-State: AOAM533H0DcCB5RPGR1++Xk4V6QDmb2dy6Io8MxSVU1Iikk5b9PixGDF WtMcqGPTaFq2a+RMzZfu9EQKgNHFjfs+/Xkji2feNg== X-Google-Smtp-Source: ABdhPJwkbOab4JWLtWmvl6dWh9qXZzUZtDAxkryubWxWSpGgslqsCQUAIprMZJdjgKo5pxRivvBAqw7q6DigBnBFyoE= X-Received: by 2002:a6b:ee02:: with SMTP id i2mr1206400ioh.110.1594846583680; Wed, 15 Jul 2020 13:56:23 -0700 (PDT) MIME-Version: 1.0 References: <20191108021541.n3jk54vucplryrbl@ganymede> <611b4e5b-e7cf-adc7-31e1-b5ff24b6574b@mattcorallo.com> <2sU6YozN9nn30cofkAMhffgjDLZwjG3mvF0nBgOsVQQEY9ROmP72GuHWjnBlF_qa8eeQPU8bxleZqcvRGJgS-uJ2xWYmAm9HjrFWWx_9o8k=@protonmail.com> In-Reply-To: From: "Russell O'Connor" Date: Wed, 15 Jul 2020 16:56:12 -0400 Message-ID: To: Pieter Wuille , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000178e5a05aa81282e" Subject: Re: [bitcoin-dev] Bech32 weakness and impact on bip-taproot addresses X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Jul 2020 20:56:25 -0000 --000000000000178e5a05aa81282e Content-Type: text/plain; charset="UTF-8" On Wed, Nov 13, 2019 at 1:31 AM Pieter Wuille via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > > That brings me to Matt's point: there is no need to do this right now. We > can simply amend BIP173 to only permit length 20 and length 32 (and only > length 20 for v0, if you like; but they're so far apart that permitting > both shouldn't hurt), for now. Introducing the "new" address format (the > one using an improved checksum algorithm) only needs to be there in time > for when a non-32-byte-witness-program would come in sight. > As a prerequisite to taproot activation, I was looking into amending BIP173 as stated above. However after reviewing https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb#detection-of-insertion-errors it seems that insertions of 5 characters or more is "safe" in the sense that there is low probability of creating a valid checksum by doing so randomly. This means we could safely allow witness programs of lengths *20*, 23, 26, 29, *32*, 36, and 40 (or 39). These correspond to Bech32 addresses of length *42*, 47, 52, 57, *62*, 68, and 74 (or 73). We could also support a set of shorter addresses, but given the lack of entropy in such short addresses, it is hard to believe that such witness programs could be used to secure anything. I'm not sure what the motivation for allowing such short witness programs was, but I'm somewhat inclined to exclude them from the segwit address format. Given that we would only be able to support one of 39 or 40 byte witness programs, it is sensible to choose to allow 40 byte witness programs to be addressable. This is the maximum witness program size allowed by BIP 141. So my proposal would be to amend BIP173 in such a way to restrict "bc" and "tb" segwit address formats to require witness programs be of size *20*, 23, 26, 29, *32*, 36, or 40. Witness programs of other sizes (between 2 and 40) would, of course, still be legal in accordance with BIP 141; however they would be unaddressable by using this "bc" and "tb" prefix. Another address format would be needed to support other witness sizes, should the need ever arise. -- Russell O'Connor --000000000000178e5a05aa81282e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Wed, Nov 13, 2019 at 1:31 AM Pieter Wuille via bitcoin-dev <bi= tcoin-dev@lists.linuxfoundation.org> wrote:

= That brings me to Matt's point: there is no need to do this right now. = We can simply amend BIP173 to only permit length 20 and length 32 (and only= length 20 for v0, if you like; but they're so far apart that permittin= g both shouldn't hurt), for now. Introducing the "new" addres= s format (the one using an improved checksum algorithm) only needs to be th= ere in time for when a non-32-byte-witness-program would come in sight.

As a prerequisite to taproot activ= ation, I was looking into amending BIP173 as stated above.=C2=A0 However af= ter reviewing https://gist.g= ithub.com/sipa/a9845b37c1b298a7301c33a04090b2eb#detection-of-insertion-erro= rs it seems that insertions of 5 characters or more is "safe"= in the sense that there is low probability of creating a valid checksum by= doing so randomly.

This means we could safely all= ow witness programs of lengths 20, 23, 26, 29, 32, 36, and 40= (or 39).=C2=A0 These correspond to Bech32 addresses of length 42, 4= 7, 52, 57, 62, 68, and 74 (or 73).=C2=A0 We could also support a set= of shorter addresses, but given the lack of entropy in such short addresse= s, it is hard to believe that such witness programs could be used to secure= anything.=C2=A0 I'm not sure what the motivation for allowing such sho= rt witness programs was, but I'm somewhat inclined to exclude them from= the segwit address format.

Given that we woul= d only be able to support one of 39 or 40 byte witness programs, it is sens= ible to choose to allow 40 byte witness programs to be addressable.=C2=A0 T= his is the maximum witness program size allowed by BIP 141.

<= /div>
So my proposal would be to amend BIP173 in such a way to restrict= "bc" and "tb" segwit address formats to require witnes= s programs be of size 20, 23, 26, 29, 32, 36, or 40.=C2=A0 Wi= tness programs of other sizes (between 2 and 40) would, of course, still be= legal in accordance with BIP 141; however they would be unaddressable by u= sing this "bc" and "tb" prefix.=C2=A0 Another address f= ormat would be needed to support other witness sizes, should the need ever = arise.

--
Russell O'Connor<= br>
--000000000000178e5a05aa81282e--