MIME-Version: 1.0
References: <CAPg+sBjC-D2iWYywj_X-evQoWx56nb0YnASLVwCSCzWT6Guu3A@mail.gmail.com>
 <20191108021541.n3jk54vucplryrbl@ganymede>
 <CAPg+sBgus6HgYPVbXaAx51nO2ArsR3-6=obe2AwkO8kh11fB6Q@mail.gmail.com>
 <611b4e5b-e7cf-adc7-31e1-b5ff24b6574b@mattcorallo.com>
 <CAHGSxGv_BQAAkdcxsqVsjphqaoE=Xm05jXhdBnGw+m+vRxeQYQ@mail.gmail.com>
 <2sU6YozN9nn30cofkAMhffgjDLZwjG3mvF0nBgOsVQQEY9ROmP72GuHWjnBlF_qa8eeQPU8bxleZqcvRGJgS-uJ2xWYmAm9HjrFWWx_9o8k=@protonmail.com>
 <CAPg+sBio_8vT9NNp39rz7m+omfaRs0Mf6JkET1=caoVwvziJSA@mail.gmail.com>
 <CAMZUoKn4OmyGOMBH==2Fx2N7GYbw2RbYK98pxu_pD5QTmDw9KQ@mail.gmail.com>
In-Reply-To: <CAMZUoKn4OmyGOMBH==2Fx2N7GYbw2RbYK98pxu_pD5QTmDw9KQ@mail.gmail.com>
From: Greg Sanders <gsanders87@gmail.com>
Date: Wed, 15 Jul 2020 17:05:22 -0400
Message-ID: <CAB3F3Dv4evEZ_b7Z3Vc+wFCvD8UMOvJdFGyOAajrHpEUqz+g=g@mail.gmail.com>
To: "Russell O'Connor" <roconnor@blockstream.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000df2fdc05aa81484f"
Cc: Pieter Wuille <pieter.wuille@gmail.com>
Subject: Re: [bitcoin-dev] Bech32 weakness and impact on bip-taproot
	addresses
Precedence: list

--000000000000df2fdc05aa81484f
Content-Type: text/plain; charset="UTF-8"

Can you make it clear what the bold vs not-bold numbers mean?

On Wed, Jul 15, 2020 at 4:56 PM Russell O'Connor via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Wed, Nov 13, 2019 at 1:31 AM Pieter Wuille via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>>
>> That brings me to Matt's point: there is no need to do this right now. We
>> can simply amend BIP173 to only permit length 20 and length 32 (and only
>> length 20 for v0, if you like; but they're so far apart that permitting
>> both shouldn't hurt), for now. Introducing the "new" address format (the
>> one using an improved checksum algorithm) only needs to be there in time
>> for when a non-32-byte-witness-program would come in sight.
>>
>
> As a prerequisite to taproot activation, I was looking into amending
> BIP173 as stated above.  However after reviewing
> https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb#detection-of-insertion-errors
> it seems that insertions of 5 characters or more is "safe" in the sense
> that there is low probability of creating a valid checksum by doing so
> randomly.
>
> This means we could safely allow witness programs of lengths *20*, 23,
> 26, 29, *32*, 36, and 40 (or 39).  These correspond to Bech32 addresses
> of length *42*, 47, 52, 57, *62*, 68, and 74 (or 73).  We could also
> support a set of shorter addresses, but given the lack of entropy in such
> short addresses, it is hard to believe that such witness programs could be
> used to secure anything.  I'm not sure what the motivation for allowing
> such short witness programs was, but I'm somewhat inclined to exclude them
> from the segwit address format.
>
> Given that we would only be able to support one of 39 or 40 byte witness
> programs, it is sensible to choose to allow 40 byte witness programs to be
> addressable.  This is the maximum witness program size allowed by BIP 141.
>
> So my proposal would be to amend BIP173 in such a way to restrict "bc" and
> "tb" segwit address formats to require witness programs be of size *20*,
> 23, 26, 29, *32*, 36, or 40.  Witness programs of other sizes (between 2
> and 40) would, of course, still be legal in accordance with BIP 141;
> however they would be unaddressable by using this "bc" and "tb" prefix.
> Another address format would be needed to support other witness sizes,
> should the need ever arise.
>
> --
> Russell O'Connor
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--000000000000df2fdc05aa81484f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Can you make it clear what the bold vs not-bold numbers me=
an?</div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_att=
r">On Wed, Jul 15, 2020 at 4:56 PM Russell O&#39;Connor via bitcoin-dev &lt=
;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists=
.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quo=
te" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204=
);padding-left:1ex"><div dir=3D"ltr"><div class=3D"gmail_quote"><div dir=3D=
"ltr" class=3D"gmail_attr">On Wed, Nov 13, 2019 at 1:31 AM Pieter Wuille vi=
a bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" =
target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br><=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bo=
rder-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"auto"><b=
r><div dir=3D"auto">That brings me to Matt&#39;s point: there is no need to=
 do this right now. We can simply amend BIP173 to only permit length 20 and=
 length 32 (and only length 20 for v0, if you like; but they&#39;re so far =
apart that permitting both shouldn&#39;t hurt), for now. Introducing the &q=
uot;new&quot; address format (the one using an improved checksum algorithm)=
 only needs to be there in time for when a non-32-byte-witness-program woul=
d come in sight.</div></div></blockquote><div><br></div><div>As a prerequis=
ite to taproot activation, I was looking into amending BIP173 as stated abo=
ve.=C2=A0 However after reviewing <a href=3D"https://gist.github.com/sipa/a=
9845b37c1b298a7301c33a04090b2eb#detection-of-insertion-errors" target=3D"_b=
lank">https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb#detecti=
on-of-insertion-errors</a> it seems that insertions of 5 characters or more=
 is &quot;safe&quot; in the sense that there is low probability of creating=
 a valid checksum by doing so randomly.</div><div><br></div><div>This means=
 we could safely allow witness programs of lengths <b>20</b>, 23, 26, 29, <=
b>32</b>, 36, and 40 (or 39).=C2=A0 These correspond to Bech32 addresses of=
 length <b>42</b>, 47, 52, 57, <b>62</b>, 68, and 74 (or 73).=C2=A0 We coul=
d also support a set of shorter addresses, but given the lack of entropy in=
 such short addresses, it is hard to believe that such witness programs cou=
ld be used to secure anything.=C2=A0 I&#39;m not sure what the motivation f=
or allowing such short witness programs was, but I&#39;m somewhat inclined =
to exclude them from the segwit address format.<br></div><div><br></div><di=
v>Given that we would only be able to support one of 39 or 40 byte witness =
programs, it is sensible to choose to allow 40 byte witness programs to be =
addressable.=C2=A0 This is the maximum witness program size allowed by BIP =
141.</div><div><br></div><div>So my proposal would be to amend BIP173 in su=
ch a way to restrict &quot;bc&quot; and &quot;tb&quot; segwit address forma=
ts to require witness programs be of size <b>20</b>, 23, 26, 29, <b>32</b>,=
 36, or 40.=C2=A0 Witness programs of other sizes (between 2 and 40) would,=
 of course, still be legal in accordance with BIP 141; however they would b=
e unaddressable by using this &quot;bc&quot; and &quot;tb&quot; prefix.=C2=
=A0 Another address format would be needed to support other witness sizes, =
should the need ever arise.<br></div><div><br></div><div>-- <br></div><div>=
Russell O&#39;Connor<br></div></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--000000000000df2fdc05aa81484f--