Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id BB8D0CA21 for ; Fri, 8 Mar 2019 18:35:48 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mail.bluematt.me (mail.bluematt.me [192.241.179.72]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id A90075E2 for ; Fri, 8 Mar 2019 18:35:45 +0000 (UTC) Received: from [10.233.42.100] (gw.vpn.bluematt.me [144.217.106.88]) by mail.bluematt.me (Postfix) with ESMTPSA id 398C11841A9; Fri, 8 Mar 2019 18:35:43 +0000 (UTC) To: Russell O'Connor References: <6bb308f5-f478-d5ec-064f-e4972709f29c@mattcorallo.com> From: Matt Corallo Message-ID: Date: Fri, 8 Mar 2019 18:35:42 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 08 Mar 2019 18:58:57 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] OP_CODESEPARATOR Re: BIP Proposal: The Great Consensus Cleanup X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Mar 2019 18:35:48 -0000 Replies inline. On 3/8/19 3:57 PM, Russell O'Connor wrote: > On Thu, Mar 7, 2019 at 2:50 PM Matt Corallo

> wrote: > It's very easy to construct a practical script using OP_CODESEPARATOR. > > IF <2> <2> CHECKMULTISIGVERIFY ELSE > CODESEPARATOR CHECKSIGVERFY ENDIF > > Now when someone hands Alice, the CFO of XYZ corp., some transaction, > she has the option of either signing it unilaterally herself, or > creating a partial signature such that the transaction additionally > needs Bob, the CEOs signature as well, and Alice's choice is committed > to the blockchain for auditing purposes later. > > Now, there are many things you might object about this scheme, but my > point is that (A) regardless of what you think about this scheme, it, or > similar schemes, may have been devised by users, and (B) users may have > already committed funds to such schemes, and due to P2SH you cannot know > that this is not the case. The common way to set that up is to have a separate key, but, ok, fair enough. That said, the argument that "it may be hidden by P2SH!" isn't sufficient here. It has to *both* be hidden by P2SH and have never been spent from (either on mainnet or testnet) or be lock-timed a year in the future. I'm seriously skeptical that someone is using a highly esoteric scheme and has just been pouring money into it without ever having tested it or having withdrawn any money from it whatsoever. This is just a weird argument. > Please don't strawman my position. I am not suggesting we don't fix a > vulnerability in Bitcoin. I am suggesting we find another way. One > that limits the of risk destroying other people's money. > > Here is a more concrete proposal: No matter how bad OP_CODESEPARATOR > is, it cannot be worse than instead including another input that spends > another identically sized UTXO. So how about we soft-fork in a rule > that says that an input's weight is increased by an amount equal to the > number of OP_CODESEPARATORs executed times the sum of weight of the UTXO > being spent and 40 bytes, the weight of a stripped input. The risk of > destroying other people's money is limited and AFAIU it would completely > address the vulnerabilities caused by OP_CODESEPARATOR. You're already arguing that someone has such an esoteric use of script, suggesting they aren't *also* creating pre-signed, long-locktimed transactions with many inputs isn't much of a further stretch (especially since this may result in the fee being non-standardly low if you artificially increase its weight). Note that "just limit number of OP_CODESEPARATOR calls" results in a ton of complexity and reduces the simple analysis that fees (almost) have today vs just removing it allows us to also remove a ton of code. Further note that if you don't remove it getting the efficiency wins right is even harder because instead of being able to cache sighashes you now have to (at a minimum) wipe the cache between each OP_CODESEPARATOR call, which results in a ton of additional implementation complexity. > > > I suggest an alternative whereby the execution of OP_CODESEPARATOR > > increases the transactions weight suitably as to temper the > > vulnerability caused by it. Alternatively there could be some > sort of > > limit (maybe 1) on the maximum number of OP_CODESEPARATORs > allowed to be > > executed per script, but that would require an argument as to why > > exceeding that limit isn't reasonable. > > You could equally argue, however, that any such limit could render some > moderately-large transaction unspendable, so I'm somewhat skeptical of > this argument. Note that OP_CODESEPARATOR is non-standard, so getting > them mined is rather difficult in any case. > > > I already know of people who's funds are tied up due to in other changes > to Bitcoin Core's default relay policy. Non-standardness is not an > excuse to take other people's tied up funds and destroy them permanently. Huh?! The whole point of non-standardness in this context is to (a) make soft-forking something out safer by derisking miners not upgrading right away and (b) signal something that may be a candidate for soft-forking out so that we get feedback. Who is getting things disabled who isn't bothering to *tell* people that their use-case is being hurt?!