1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
|
Return-Path: <apoelstra@wpsoftware.net>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 9A0A6C002B
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 7 Feb 2023 13:46:26 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 6165B60B8B
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 7 Feb 2023 13:46:26 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 6165B60B8B
Authentication-Results: smtp3.osuosl.org;
dkim=pass (2048-bit key) header.d=mail.wpsoftware.net
header.i=@mail.wpsoftware.net header.a=rsa-sha256 header.s=default
header.b=kbJB+flj
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level:
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=no autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id dHpRNVq0e1wS
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 7 Feb 2023 13:46:24 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org A95CF60E22
Received: from mail.wpsoftware.net (unknown [66.183.0.205])
by smtp3.osuosl.org (Postfix) with ESMTP id A95CF60E22
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 7 Feb 2023 13:46:24 +0000 (UTC)
Received: from camus (camus-andrew.lan [192.168.0.190])
by mail.wpsoftware.net (Postfix) with ESMTPSA id 027F2400D3;
Tue, 7 Feb 2023 13:46:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.wpsoftware.net;
s=default; t=1675777584;
bh=4H4Ngx8kGxIKgN61ZkXtuAwthDCzfTcatGLUX3FCY/I=;
h=Date:From:To:Subject:References:In-Reply-To;
b=kbJB+fljAZiKPNnRd7HkcbOQ/tc1/oGTpwWjYUjP4w8CgOfuqpkVpamLMT6tshnBK
UPSKITxZisWC8sPTSM+hADwLCyoL8ZmAiDx58cfP1mozfeh/U/qEYTZkdyaKQQ1im5
zAInSKRTEV3BFE7M27DittHksJdnqzTMythoN7Ga3XmIWtQIN6I73a28DVKzABRaLY
tKLULHSRPfnwFBZ4M+vIm5Tq0HwuNs/PxH4prE55nqaGMvnw3Sa87TSYciLtfqYmDh
7GOsUxBDW7vH6xAwhhdmXF3WUtAvFJnseAmKWzus4cfCz45Vk+MXpPW+rV3Yk6WSh4
08u7bPZ9cVs6w==
Date: Tue, 7 Feb 2023 13:46:22 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Yuval Kogman <nothingmuch@woobling.org>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Message-ID: <Y+JWLsc80gxL4kpG@camus>
References: <CAAQdECCH=YOcu4g6Ku1_G4CnRg6rsaFPFPwbABx9aZin9A8+2A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature"; boundary="bAgrOVScsKO5Sq5R"
Content-Disposition: inline
In-Reply-To: <CAAQdECCH=YOcu4g6Ku1_G4CnRg6rsaFPFPwbABx9aZin9A8+2A@mail.gmail.com>
Subject: Re: [bitcoin-dev] Unenforceable fee obligations in multiparty
protocols with Taproot inputs
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 13:46:26 -0000
--bAgrOVScsKO5Sq5R
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Feb 07, 2023 at 04:49:28AM +0200, Yuval Kogman via bitcoin-dev wrot=
e:
>=20
> Since Taproot (more generally any kind of MAST) spends have variable size=
which
> depends on the path being used, the last such input to be signed in a mul=
tiparty
> transaction can always use a larger than estimated signature to unfairly =
extract
> a fee contribution from the other parties to the transaction (keeping the
> absolute fees the same and reducing the feerate for the transaction).
>
Using Miniscript [1] it is possible for all participants to determine
the maximum witness size of the tree, which can bound the size of this
attack. In fact, they can bound the size *given that their own signature
is used*, or subject to other whatever other conditions they would like,
and only sign under those conditions.
Furthermore, under Taproot individual signatures have a maximum size of
65 bytes; an "attacker" can reduce this to 64 by not including a sighash
flag, but he has one byte of play. (Pre-Taproot signatures could take up
to 73 bytes with significant room to reduce this by using crypto tricks
and/or grinding).
Peter Todd also suggests in this thread that the use of uncompressed
keys can cause "surprise" witness inflation, but (a) since segwit
uncompressed keys are also banned, so keys are a fixed 33 bytes (32 in
Taproot), and (b) we expect users of Miniscript to always know all the
keys used in a script that they're signing. Except perhaps in obscure
cases where, say, the "victim" is a somewhat passive countersigner of
a transaction, e.g. BitGo, ... in which case they're not the one putting
up fees or with an interest in the transaction going through.
With Miniscript, the problem is narrower:
* There is some more-expensive branch that could be taken without
Alice's signature. In which case Alice is only signing at all to
optimistically reduce the witness size... but she cannot assume
that she is going to be successful!
Notably, in this case Alice does not really have any interest in the
coins, in the sense that they can move entirely without her consent,
so it's hard to imagine that she has an interest in the transaction's
speedy confirmation.
* There is some more-expensive branch that could be taken by moving
Alice's signature. This is the case that you identify in the thread.
While the attack remains in both cases, fortunately Miniscript gives
Alice the tools to (a) determine which, if any, case applies to the
script under question, and (b) determine what the maximum witness size
might be, and just sign assuming that, treating any savings as "bonus".
[1] https://bitcoin.sipa.be/miniscript/
[2] In Taproot, if you want to prevent signatures migrating to another
branch or within a branch, you can use the CODESEPARATOR opcode
which was redisegned in Taproot for exactly this purpose... we
really did about witness malleation in its design!
If you want to prevent signatures from moving around *within* a
branch,
--=20
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew
The sun is always shining in space
-Justin Lewis-Webster
--bAgrOVScsKO5Sq5R
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEkPnKPD7Je+ki35VexYjWPOQbl8EFAmPiVi0ACgkQxYjWPOQb
l8H24gf+Ml1E9iSksNjlM1kzIZmSh6eB8kq2JHLz/hrzlrqAPRAHnqLNNepkJGkE
CRj8nf5qC1fkymozOulE3safWKE+8dgA6DmWtV4Jv4fB5h+UEmGyqZDmV8tDtSng
aJMvxZ+5VizTZoBUk9+wW24p1Mfb3UtFCD5LQUrohFXMd2m4/Vx5WS0iT5zFgI6e
bH99gDKvsaK3DlSj0uqSEP/rZ1gbiOFv6hZvDchk6b1yn6E0aaNHhAITVrkxSfA0
fsVxvqSeEhdGa7OW7+cH8Z23VGfpNKRtEdtPOTbwb/DRNMUdN+jFgosj12sijil7
8NDlf2XZi1s4xJyVGRxugvS78TJAgQ==
=+Q0Y
-----END PGP SIGNATURE-----
--bAgrOVScsKO5Sq5R--
|
