1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
|
Return-Path: <roconnor@blockstream.io>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 999B725A
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 Mar 2019 01:38:57 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-it1-f170.google.com (mail-it1-f170.google.com
[209.85.166.170])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B62B7826
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 13 Mar 2019 01:38:56 +0000 (UTC)
Received: by mail-it1-f170.google.com with SMTP id w18so367971itj.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 12 Mar 2019 18:38:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=blockstream.io; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=dLb+xG50xXNsCRy6bjr/uu2ampusVB1gjRCTy9ZU/Mc=;
b=gNOj03R5KLq0oIiGQw+bbue/u7cE/4NExOhmRVdMRgLkKeuGCxO1CUrOgnS59ofWWd
TDxnHV/bxxEAU70m1HsTC2kFKotEYdIJIwL2ejr771wRa2IaIeGRO2wPeo/HCBTUt4I3
cTDCcjEakotjQ7UmjKL3AbtaUhGuJEWmLDQC8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=dLb+xG50xXNsCRy6bjr/uu2ampusVB1gjRCTy9ZU/Mc=;
b=Id7qmDwDlDxSiFMgqTU+OJaNFRvQzgQUyrhfqQjTVDg0aXHWoVU7N+mNu6zIFLjOcQ
jCcPKutyFvg7iShnhcDjpz1YKXSY9MBCG2yzjJD/Q5OUGZWAOJugHTBOQuzJ7cr30j3I
tOop4LkrNYSS6RPWA+sEjNP4W3y0N2je7/9/rfEe7G1H7yZvRCXulOZOlW4NeIdqJLGt
sIk2Kugxysm0r6kYi1G46aN0MuVx4j4dsJVVgiiMRAbGhVuMBgb/nfcRc2RgQjDCJwCF
aesdGsG+CyFj8aq3ZLn7WTr2oEe8xoTbBOy1C2b5bDNB0rzHuxmCviyL5x5rqiyV4yNK
HIHw==
X-Gm-Message-State: APjAAAXwHw94K25C2GVhuBFPlnZDUdeAredUxMkiedveWkPAzrW/C66d
oy80opaYdEKJl80s1QqZfQY1sbZfmUM1dKuGJmMlGQ==
X-Google-Smtp-Source: APXvYqz0vwZh4Oki4V9Kd1rQHLn7qS0eK6mhBJVZsOViX9cKbdDxNuyW//KTKqdXktIUwap+R+ztrPebLhUWyHFb7b4=
X-Received: by 2002:a24:3a8b:: with SMTP id m133mr402479itm.26.1552441136037;
Tue, 12 Mar 2019 18:38:56 -0700 (PDT)
MIME-Version: 1.0
References: <bf96c2fb-2e2e-a47f-e59f-87e56d83eca3@mattcorallo.com>
<CAMZUoK=1kgZLR1YZ+cJgzwmEOwrABYFs=2Ri=xGX=BCr+w=VQw@mail.gmail.com>
<6bb308f5-f478-d5ec-064f-e4972709f29c@mattcorallo.com>
<D2014BB7-1EFC-4604-ACF6-3C5AC74B6FC0@sprovoost.nl>
<D631175F-0704-4820-BE3C-110E63F9E3FF@mattcorallo.com>
<PS2P216MB0179EEBB4E8EBF86EB25EACD9D4F0@PS2P216MB0179.KORP216.PROD.OUTLOOK.COM>
<CABLeJxS1sK8x-dgkOJ5f4=vjB4xja6EVeca-aHbeqOyS7SwWWQ@mail.gmail.com>
<CAMZUoKkJY6UpN=OmOsR0tDAwLw++dYrZtuo_Vir-+DHrK3ckNg@mail.gmail.com>
<FD3AE549-3DD4-48E0-9804-73BFBB30A9B0@mattcorallo.com>
In-Reply-To: <FD3AE549-3DD4-48E0-9804-73BFBB30A9B0@mattcorallo.com>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Tue, 12 Mar 2019 21:38:44 -0400
Message-ID: <CAMZUoK=NKfxMpDs18R1VUGg5YcwiTXUaTcE+H7RSArn0fBMjDw@mail.gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>
Content-Type: multipart/alternative; boundary="00000000000072d15b0583efde8f"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 13 Mar 2019 06:46:23 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_CODESEPARATOR Re: BIP Proposal: The Great
Consensus Cleanup
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2019 01:38:57 -0000
--00000000000072d15b0583efde8f
Content-Type: text/plain; charset="UTF-8"
Hi Matt,
On Mon, Mar 11, 2019 at 10:23 PM Matt Corallo <lf-lists@mattcorallo.com>
wrote:
> I think you may have misunderstood part of the motivation. Yes, part of
> the motivation *is* to remove OP_CODESEPARATOR wholesale, greatly
> simplifying the theoretical operation of checksig operations (thus somewhat
> simplifying the implementation but also simplifying analysis of future
> changes, such as sighash-caching code).
>
I see. I was under the mistaken impression the concerns about of
OP_CODESEPARATOR was simply due to the vulnerability it induces.
I'll say it now then: Simplifying the theoretical operation of Bitcoin is
not a sufficient reason to make changes to the consensus rules, and it is
most certainly not a sufficient reason to remove usable op codes.
Had I understood that this was your motivation I would have presented my
opinion earlier. I understand that the OP_CODESEPARATOR vulnerability is
quite serious and making it non-standard while we address the problem is a
good idea (hence the reason why I never objected before now).
What I don't understand is why you feel that avoiding flushing the sigcache
is so critical that you are willing to go through a risky consensus change
just to achieve it? The sigcache is effectively flushed for each input of
a transaction anyways, so what's the big deal about flushing it during
Script execution as well?
> I think a key part of the analysis here is that no one I've spoken to (and
> we've been discussing removing it for *years*, including many attempts at
> coming up with reasons to keep it) is aware of any real proposals to use
> OP_CODESEPARATOR, let alone anyone using it in the wild. Hiding data in
> invalid pubic keys is a long-discussed-and-implemented idea (despite it's
> discouragement, not to mention it appears on the chain in many places).
>
Well you've spoken to me now, and I believe I have given you good reasons
to keep it. We all used to think that OP_CODESEPARATOR was a useless
operation that no one in their right mind would ever use, but it turns out
that we were wrong. Lesson learned. We should be more humble about
considering these sorts of changes in the future because it seems we might
not understand Bitcoin as well as we think we do. At the very least I was
caught by surprise by the utility of OP_CODESEPARATOR.
You misunderstand my point regarding invalid public keys. My point is that
if no one has spoken up about the invalid public key issue on this mailing
list, something that we know really does affects people, why do you expect
that people would have spoken up about OP_CODESEPARATATOR affecting them?
> It would end up being a huge shame to have all the OP_CORESEPARATOR mess
> left around after all the effort that has gone into removing it for the
> past few years, especially given the stark difference in visibility of a
> fork when compared to a standardness change.
>
> As for your specific proposal of increasing the weight of anything that
> has an OP_CODESEPARATOR in it by the cost of an additional (simple) input,
> this doesn't really solve the issue. After all, if we're assuming some user
> exists who has been using sending money, unspent, to scripts with
> OP_CODESEPARATOR to force signatures to commit to whether some other
> signature was present and who won't see a (invariably media-covered)
> pending soft-fork in time to claim their funds, we should also assume such
> a user has pre-signed transactions which are time-locked and claim a number
> of inputs and have several paths in the script which contain
> OP_CODESEPARATOR, rendering their transcription invalid.
>
Agreed, that's why we will want to not simply count the OP_CODESEPARATORS,
but rather count the maximum number of OP_CODESEPARATORS that can be
executed through the any of the various possible OP_IF branches. Adding
this sort of control-flow analysis is a pretty simple. It just requires a
small stack of pairs of numbers and linear traversal through the Script.
This sort of OP_IF control flow analysis ought to have been done for
counting CHECKSIG operations, but unfortunately it is too late for that
now. I could prototype the sort of analysis I have in mind if you think
that would be helpful.
In fact, it is really alternating uses of OP_CODESEPARATOR and CheckSig
operations that is problematic, so it is probably worth attempting to count
these pairs rather than just OP_CODESEPARATORS.
--00000000000072d15b0583efde8f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"auto"><div dir=3D"ltr"><div>Hi Matt,<br></div>=
<br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mon=
, Mar 11, 2019 at 10:23 PM Matt Corallo <<a href=3D"mailto:lf-lists@matt=
corallo.com" rel=3D"noreferrer" target=3D"_blank">lf-lists@mattcorallo.com<=
/a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><=
div dir=3D"auto"><div dir=3D"ltr"></div><div dir=3D"ltr">I think you may ha=
ve misunderstood part of the motivation. Yes, part of the motivation *is* t=
o remove OP_CODESEPARATOR wholesale, greatly simplifying the theoretical op=
eration of checksig operations (thus somewhat simplifying the implementatio=
n but also simplifying analysis of future changes, such as sighash-caching =
code).</div></div></blockquote><div><br></div><div>I see.=C2=A0 I was under=
the mistaken impression the concerns about of OP_CODESEPARATOR was simply =
due to the vulnerability it induces.<br></div><div><br></div><div>I'll =
say it now then: Simplifying the theoretical operation of Bitcoin is not a =
sufficient reason to make changes to the consensus rules, and it is most ce=
rtainly not a sufficient reason to remove usable op codes.<br></div><div><b=
r></div><div>Had I understood that this was your motivation I would have pr=
esented my opinion earlier. I understand that the OP_CODESEPARATOR vulnerab=
ility is quite serious and making it non-standard while we address the prob=
lem is a good idea (hence the reason why I never objected before now).</div=
><div><br></div><div>What I don't understand is why you feel that avoid=
ing flushing the sigcache is so critical that you are willing to go through=
a risky consensus change just to achieve it?=C2=A0 The sigcache is effecti=
vely flushed for each input of a transaction anyways, so what's the big=
deal about flushing it during Script execution as well?<br></div><div>=C2=
=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e=
x;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"auto=
"><div dir=3D"ltr">I think a key part of the analysis here is that no one I=
've spoken to (and we've been discussing removing it for *years*, i=
ncluding many attempts at coming up with reasons to keep it) is aware of an=
y real proposals to use OP_CODESEPARATOR, let alone anyone using it in the =
wild. Hiding data in invalid pubic keys is a long-discussed-and-implemented=
idea (despite it's discouragement, not to mention it appears on the ch=
ain in many places).</div></div></blockquote><div><br></div><div>Well you&#=
39;ve spoken to me now, and I believe I have given you good reasons to keep=
it.=C2=A0 We all used to think that OP_CODESEPARATOR was a useless operati=
on that no one in their right mind would ever use, but it turns out that we=
were wrong.=C2=A0 Lesson learned.=C2=A0 We should be more humble about con=
sidering these sorts of changes in the future because it seems we might not=
understand Bitcoin as well as we think we do.=C2=A0 At the very least I wa=
s caught by surprise by the utility of OP_CODESEPARATOR.<br></div><div><br>=
</div><div>You misunderstand my point regarding invalid public keys.=C2=A0 =
My point is that if no one has spoken up about the invalid public key issue=
on this mailing list, something that we know really does affects people, w=
hy do you expect that people would have spoken up about OP_CODESEPARATATOR =
affecting them?<br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote"=
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);p=
adding-left:1ex"><div dir=3D"auto"><div dir=3D"ltr">It would end up being a=
huge shame to have all the OP_CORESEPARATOR mess left around after all the=
effort that has gone into removing it for the past few years, especially g=
iven the stark difference in visibility of a fork when compared to a standa=
rdness change.</div><div dir=3D"ltr"><br></div><div dir=3D"ltr">As for your=
specific proposal of increasing the weight of anything that has an OP_CODE=
SEPARATOR in it by the cost of an additional (simple) input, this doesn'=
;t really solve the issue. After all, if we're assuming some user exist=
s who has been using sending money, unspent, to scripts with OP_CODESEPARAT=
OR to force signatures to commit to whether some other signature was presen=
t and who won't see a (invariably media-covered) pending soft-fork in t=
ime to claim their funds, we should also assume such a user has pre-signed =
transactions which are time-locked and claim a number of inputs and have se=
veral paths in the script which contain OP_CODESEPARATOR, rendering their t=
ranscription invalid.</div></div></blockquote><div><br></div><div>Agreed, t=
hat's why we will want to not simply count the OP_CODESEPARATORS, but r=
ather count the maximum number of OP_CODESEPARATORS that can be executed th=
rough the any of the various possible OP_IF branches.=C2=A0 Adding this sor=
t of control-flow analysis is a pretty simple. It just requires a small sta=
ck of pairs of numbers and linear traversal through the Script.=C2=A0 This =
sort of OP_IF control flow analysis ought to have been done for counting CH=
ECKSIG operations, but unfortunately it is too late for that now.=C2=A0 I c=
ould prototype the sort of analysis I have in mind if you think that would =
be helpful.<br></div><div><br></div><div>In fact, it is really alternating =
uses of OP_CODESEPARATOR and CheckSig operations that is problematic, so it=
is probably worth attempting to count these pairs rather than just OP_CODE=
SEPARATORS.<br></div></div></div></div>
</div>
--00000000000072d15b0583efde8f--
|
