From: Luke Dashjr <luke@dashjr.org>
To: Cory Fields <lists@coryfields.com>
Date: Mon, 1 Feb 2016 23:08:34 +0000
User-Agent: KMail/1.13.7 (Linux/4.1.13-gentoo; KDE/4.14.8; x86_64; ; )
References: <201601301850.03469.luke@dashjr.org>
	<201602011946.24405.luke@dashjr.org>
	<CAApLimgF2D97rAL8A9G36ULBE5tqKoXHFawYi35a0JiuQRu4Zg@mail.gmail.com>
In-Reply-To: <CAApLimgF2D97rAL8A9G36ULBE5tqKoXHFawYi35a0JiuQRu4Zg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain;
  charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201602012308.35215.luke@dashjr.org>
Cc: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] SegWit GBT updates
Precedence: list

On Monday, February 01, 2016 9:43:33 PM Cory Fields wrote:
> On Mon, Feb 1, 2016 at 2:46 PM, Luke Dashjr <luke@dashjr.org> wrote:
> > Allowing for simpler cases both encourages the lazy case, and enables
> > pools to require miners use it. It also complicates the server-side
> > implementation somewhat, and could in some cases make it more vulnerable
> > to DoS attacks. Keep in mind that GBT is not merely a bitcoind protocol,
> > but is used between pool<->miner as well... For now, it makes sense to
> > leave
> > "default_witness_commitment" as a bitcoind-specific extension to
> > encourage adoption, but it seems better to leave it out of the standard
> > protocol. Let me know if this makes sense or if I'm overlooking
> > something.
> 
> I think that's a bit of a loaded answer. What's to keep a pool from
> building its own commitment and requiring miners to use that? I don't
> see how providing the known-working commitment for the
> passed-in-hashes allows the pool/miner to do anything they couldn't
> already, with the exception of skipping some complexity. Please don't
> confuse encouraging with enabling.

Making it simpler to do a centralised implementation than a decentralised one, 
is both enabling and encouraging. GBT has always been designed to make it 
difficult to do in a centralised manner.

> What's the DoS vector here?

It's more work for the pool to provide it, similar to the "midstate" field was 
with getwork. Someone performing a DoS needs to do less work to force the pool 
to do complex calculations (unless the same transaction tree / commitment is 
used for all miners, which would be an unfortunate limitation).

> >> The issue in particular here is that a non-trivial burden is thrust
> >> upon mining software, increasing the odds of bugs in the process.
> > 
> > It can always use libblkmaker to handle the "heavy lifting"... In any
> > case, the calculation for the commitment isn't significantly more than
> > what it must already do for the stripped merkle tree.
> 
> Agreed. However for the sake of initial adoption, it's much easier to
> have a known-correct value to use. Even if it's just for the sake of
> checking against.

Sure, I'm not suggesting we remove this from bitcoind (probably the only place 
that makes initial adoption easier).

> >> [4]:
> >> https://github.com/theuni/ckpool/commit/7d84b1d76b39591cc1c1ef495ebec513
> >> cb 19a08e
> > 
> > I'm pretty sure this commit is actually /introducing/ a bug in working
> > (albeit ugly) code. The height, while always positive, is serialised as
> > a signed number, so 0x80 needs to be two bytes: 80 00.
> 
> You're right, thanks. The current code breaks on heights of (for ex)
> 16513. I'll fix up my changes to take the sign bit into account.

I'm curious what bug it was fixing? Was it overwriting data beyond the number?

Luke