summaryrefslogtreecommitdiff
path: root/e9/6042d561837a36d42a2c1ad4f1640674426e21
blob: 32034fa8955743bc8c2422401b133260d5e04460 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
Return-Path: <roconnor@blockstream.io>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 2D701C04E
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  8 Mar 2019 15:57:38 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-io1-f41.google.com (mail-io1-f41.google.com
	[209.85.166.41])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 366CD12E
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  8 Mar 2019 15:57:37 +0000 (UTC)
Received: by mail-io1-f41.google.com with SMTP id k21so17076300ior.13
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri, 08 Mar 2019 07:57:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=blockstream.io; s=google;
	h=mime-version:references:in-reply-to:from:date:message-id:subject:to
	:cc; bh=D6TgfT3TVwkrdaSpWF04diM2EUB1ejeO1jwDwJkPKOw=;
	b=0Xnwu0C3QnKH+Hd304I/wMtsg0fNNlPHulVVYJgdNrnER2jtBPCna0NGCjOr6vblbw
	wlzl+3TvB65e571VARLz4fbPy/vctj1Y4lFLduP60601xgq9k2/pWGHjbFo8l5eVxJ5Z
	XUKl9SfroHVfgODWUDrNTLylzPxhhHgwIj3nQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:references:in-reply-to:from:date
	:message-id:subject:to:cc;
	bh=D6TgfT3TVwkrdaSpWF04diM2EUB1ejeO1jwDwJkPKOw=;
	b=Rg0hk/ehC1OSN+YjzhMky76mW5vJfNGBQShWRz0zbvKjutZaPc9dgr7ozJWgirVlcp
	fzXNyI8olkdcZ06NQ9xSds/yeLX6krakPC3Jr+Kf+wYKPfWRQVKPUZMPJaXxey8LzL9D
	jnm3TcIH85ycOR4VOR+mOonnKB3Ab2MRGJy968lxpa6W1Vv7sKdNNwgGi54ZxFjzCrb2
	b4Olqe3QT+zQ36RLC8zkjEWmcUU+JDqC4UAHQwxPesidztq/kYlcsGjbhWZJxtMjGLD/
	8OskZV2HMRNknEZeQjJgfyuGK6xOo4MBxGLbu0WCJMcXaVsGqvwlTEDMGCtruUUydJFv
	uRag==
X-Gm-Message-State: APjAAAWZeHm9+vy/E0IDPq+5WDO33pjwfY6EiNNDFsNUCoESXCg66hFU
	NZ6I/kYydYVspv7MMNdycJLIcLA/d/OFK3NxdQiKyy5u
X-Google-Smtp-Source: APXvYqx8dMC7wYPoAyiCf1xyHUK4wBMY53WUx/fEBblLVLBQpz7L+9F5upp2GrXHcmPUrq8VV6yt6R5dYOQEfopcvqs=
X-Received: by 2002:a6b:5905:: with SMTP id n5mr11183917iob.33.1552060656425; 
	Fri, 08 Mar 2019 07:57:36 -0800 (PST)
MIME-Version: 1.0
References: <bf96c2fb-2e2e-a47f-e59f-87e56d83eca3@mattcorallo.com>
	<CAMZUoK=1kgZLR1YZ+cJgzwmEOwrABYFs=2Ri=xGX=BCr+w=VQw@mail.gmail.com>
	<6bb308f5-f478-d5ec-064f-e4972709f29c@mattcorallo.com>
In-Reply-To: <6bb308f5-f478-d5ec-064f-e4972709f29c@mattcorallo.com>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Fri, 8 Mar 2019 10:57:25 -0500
Message-ID: <CAMZUoKk3CgatSexAHRuxn3ibCYwgHpTkc0gF0yDi6hLAVcCiNA@mail.gmail.com>
To: Matt Corallo <lf-lists@mattcorallo.com>
Content-Type: multipart/alternative; boundary="00000000000018cebf05839748da"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 08 Mar 2019 18:58:47 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_CODESEPARATOR Re: BIP Proposal: The Great
	Consensus Cleanup
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Mar 2019 15:57:38 -0000

--00000000000018cebf05839748da
Content-Type: text/plain; charset="UTF-8"

On Thu, Mar 7, 2019 at 2:50 PM Matt Corallo <lf-lists@mattcorallo.com>
wrote:

> Replies inline.
>
> Matt
>
> On 3/7/19 3:03 PM, Russell O'Connor wrote:
> >
> >     * OP_CODESEPARATOR in non-BIP 143 scripts fails the script
> validation.
> >     This includes OP_CODESEPARATORs in unexecuted branches of if
> >     statements,
> >     similar to other disabled opcodes, but unlike OP_RETURN.
> >
> >
> > OP_CODESEPARATOR is the only mechanism available that allows users to
> > sign which particular branch they are authorizing for within scripts
> > that have multiple possible conditions that reuse the same public key.
>
> This is true, and yet it does not appear to actually be practically
> usable. Thus far, despite a ton of effort, I have not yet seen a
> practical use-case for OP_CODESEPARATOR (except for one example of it
> being used to make SegWit scripts ever-so-slightly more effecient in
> TumbleBit, hence why this BIP does not propose disabling it for SegWit).
>

It's very easy to construct a practical script using OP_CODESEPARATOR.

IF <2> <ALICEPUBKEY> <BOBPUBKEY> <2> CHECKMULTISIGVERIFY ELSE CODESEPARATOR
<ALICEPUBKEY> CHECKSIGVERFY ENDIF

Now when someone hands Alice, the CFO of XYZ corp., some transaction, she
has the option of either signing it unilaterally herself, or creating a
partial signature such that the transaction additionally needs Bob, the
CEOs signature as well, and Alice's choice is committed to the blockchain
for auditing purposes later.

Now, there are many things you might object about this scheme, but my point
is that (A) regardless of what you think about this scheme, it, or similar
schemes, may have been devised by users, and (B) users may have already
committed funds to such schemes, and due to P2SH you cannot know that this
is not the case.


> > Because of P2SH you cannot know that no one is currently using this
> > feature.  Activating a soft-fork as describe above means these sorts of
> > funds would be permanently lost.  It is not acceptable to risk people's
> > money like this.
>
> (1) It has been well documented again and again that there is desire to
> remove OP_CODESEPARATOR, (2) it is well-documented OP_CODESEPARATOR in
> non-segwit scripts represents a rather significant vulnerability in
> Bitcoin today, and (3) lots of effort has gone into attempting to find
> practical use-cases for OP_CODESEPARATOR's specific construction, with
> no successes as of yet. I strongly, strongly disagree that the
> highly-unlikely remote possibility that someone created something before
> which could be rendered unspendable is sufficient reason to not fix a
> vulnerability in Bitcoin today.
>

Please don't strawman my position.  I am not suggesting we don't fix a
vulnerability in Bitcoin.  I am suggesting we find another way.  One that
limits the of risk destroying other people's money.

Here is a more concrete proposal:  No matter how bad OP_CODESEPARATOR is,
it cannot be worse than instead including another input that spends another
identically sized UTXO.  So how about we soft-fork in a rule that says that
an input's weight is increased by an amount equal to the number of
OP_CODESEPARATORs executed times the sum of weight of the UTXO being spent
and 40 bytes, the weight of a stripped input. The risk of destroying other
people's money is limited and AFAIU it would completely address the
vulnerabilities caused by OP_CODESEPARATOR.

Even soft forking a rule like, "it is illegal to execute an
OP_CODESEPARATOR after any CHECKSIG/CHECKMULTISIG operation", would be
vastly better than the current proposal, even though I would still object
to it.


> > I suggest an alternative whereby the execution of OP_CODESEPARATOR
> > increases the transactions weight suitably as to temper the
> > vulnerability caused by it.  Alternatively there could be some sort of
> > limit (maybe 1) on the maximum number of OP_CODESEPARATORs allowed to be
> > executed per script, but that would require an argument as to why
> > exceeding that limit isn't reasonable.
>
> You could equally argue, however, that any such limit could render some
> moderately-large transaction unspendable, so I'm somewhat skeptical of
> this argument. Note that OP_CODESEPARATOR is non-standard, so getting
> them mined is rather difficult in any case.
>

I already know of people who's funds are tied up due to in other changes to
Bitcoin Core's default relay policy.  Non-standardness is not an excuse to
take other people's tied up funds and destroy them permanently.

There is some sort of crisis in the Bitcoin protocol stemming from the
possible excessive usage of OP_CODESEPARTOR otherwise we wouldn't even be
considering this soft fork.  Fine.  But presumably it is impossible for a
transaction to both be produced in good faith for legitimate use and at the
same time are expensive enough to be used as an attack vector, and
hopefully there is a wide gap between these two cases.  So let's draw a
line between the two cases to rule out attacks while allowing legitimate
uses by simply suitably pricing the OP_CODESEPARATOR opcode by weight.  At
worst case this moderately-large transaction is very expensive, reflecting
its true cost, or is was so expensive that it couldn't possibly have been
legitimate to begin with since the resources to validate it exceed the
amount that are reasonable to validate an entire block of regular
transactions.

--00000000000018cebf05839748da
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail=
_attr">On Thu, Mar 7, 2019 at 2:50 PM Matt Corallo &lt;<a href=3D"mailto:lf=
-lists@mattcorallo.com" target=3D"_blank">lf-lists@mattcorallo.com</a>&gt; =
wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0=
px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Replies i=
nline.<br>
<br>
Matt<br>
<br>
On 3/7/19 3:03 PM, Russell O&#39;Connor wrote:<br>
&gt; <br>
&gt;=C2=A0 =C2=A0 =C2=A0* OP_CODESEPARATOR in non-BIP 143 scripts fails the=
 script validation.<br>
&gt;=C2=A0 =C2=A0 =C2=A0This includes OP_CODESEPARATORs in unexecuted branc=
hes of if<br>
&gt;=C2=A0 =C2=A0 =C2=A0statements,<br>
&gt;=C2=A0 =C2=A0 =C2=A0similar to other disabled opcodes, but unlike OP_RE=
TURN.<br>
&gt; <br>
&gt; <br>
&gt; OP_CODESEPARATOR is the only mechanism available that allows users to =
<br>
&gt; sign which particular branch they are authorizing for within scripts <=
br>
&gt; that have multiple possible conditions that reuse the same public key.=
<br>
<br>
This is true, and yet it does not appear to actually be practically <br>
usable. Thus far, despite a ton of effort, I have not yet seen a <br>
practical use-case for OP_CODESEPARATOR (except for one example of it <br>
being used to make SegWit scripts ever-so-slightly more effecient in <br>
TumbleBit, hence why this BIP does not propose disabling it for SegWit).<br=
></blockquote><div><br></div><div>It&#39;s very easy to construct a practic=
al script using OP_CODESEPARATOR.</div><div><br></div><div>IF &lt;2&gt; &lt=
;ALICEPUBKEY&gt; &lt;BOBPUBKEY&gt; &lt;2&gt; CHECKMULTISIGVERIFY ELSE CODES=
EPARATOR  &lt;ALICEPUBKEY&gt; CHECKSIGVERFY ENDIF<br></div><div><br></div><=
div>Now when someone hands Alice, the CFO of XYZ corp., some transaction, s=
he has the option of either signing it unilaterally herself, or creating a =
partial signature such that the transaction additionally needs Bob, the CEO=
s signature as well, and Alice&#39;s choice is committed to the blockchain =
for auditing purposes later.<br></div><div><br></div><div>Now, there are ma=
ny things you might object about this scheme, but my point is that (A) rega=
rdless of what you think about this scheme, it, or similar schemes, may hav=
e been devised by users, and (B) users may have already committed funds to =
such schemes, and due to P2SH you cannot know that this is not the case.<br=
></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; Because of P2SH you cannot know that no one is currently using this <b=
r>
&gt; feature.=C2=A0 Activating a soft-fork as describe above means these so=
rts of <br>
&gt; funds would be permanently lost.=C2=A0 It is not acceptable to risk pe=
ople&#39;s <br>
&gt; money like this.<br>
<br>
(1) It has been well documented again and again that there is desire to <br=
>
remove OP_CODESEPARATOR, (2) it is well-documented OP_CODESEPARATOR in <br>
non-segwit scripts represents a rather significant vulnerability in <br>
Bitcoin today, and (3) lots of effort has gone into attempting to find <br>
practical use-cases for OP_CODESEPARATOR&#39;s specific construction, with =
<br>
no successes as of yet. I strongly, strongly disagree that the <br>
highly-unlikely remote possibility that someone created something before <b=
r>
which could be rendered unspendable is sufficient reason to not fix a <br>
vulnerability in Bitcoin today.<br></blockquote><div><br></div><div>Please =
don&#39;t strawman my position.=C2=A0 I am not suggesting we don&#39;t fix =
a vulnerability in Bitcoin.=C2=A0 I am suggesting we find another way.=C2=
=A0 One that limits the of risk destroying other people&#39;s money.</div><=
div><br></div><div>Here is a more concrete proposal:=C2=A0 No matter how ba=
d OP_CODESEPARATOR is, it cannot be worse than instead including another in=
put that spends another identically sized UTXO.=C2=A0 So how about we soft-=
fork in a rule that says that an input&#39;s weight is increased by an amou=
nt equal to the number of OP_CODESEPARATORs executed times the sum of weigh=
t of the UTXO being spent and 40 bytes, the weight of a stripped input. The=
 risk of destroying other people&#39;s money is limited and AFAIU it would =
completely address the vulnerabilities caused by OP_CODESEPARATOR.</div><di=
v><br></div><div>Even soft forking a rule like, &quot;it is illegal to exec=
ute an OP_CODESEPARATOR after any CHECKSIG/CHECKMULTISIG operation&quot;, w=
ould be vastly better than the current proposal, even though I would still =
object to it.<br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pad=
ding-left:1ex">
&gt; I suggest an alternative whereby the execution of OP_CODESEPARATOR <br=
>
&gt; increases the transactions weight suitably as to temper the <br>
&gt; vulnerability caused by it.=C2=A0 Alternatively there could be some so=
rt of <br>
&gt; limit (maybe 1) on the maximum number of OP_CODESEPARATORs allowed to =
be <br>
&gt; executed per script, but that would require an argument as to why <br>
&gt; exceeding that limit isn&#39;t reasonable.<br>
<br>
You could equally argue, however, that any such limit could render some <br=
>
moderately-large transaction unspendable, so I&#39;m somewhat skeptical of =
<br>
this argument. Note that OP_CODESEPARATOR is non-standard, so getting <br>
them mined is rather difficult in any case.<br></blockquote><div><br></div>=
<div>I already know of people who&#39;s funds are tied up due to in other c=
hanges to Bitcoin Core&#39;s default relay policy.=C2=A0 Non-standardness i=
s not an excuse to take other people&#39;s tied up funds and destroy them p=
ermanently.</div><br><div>There is some sort of crisis in the Bitcoin proto=
col stemming from the possible excessive usage of OP_CODESEPARTOR otherwise=
 we wouldn&#39;t even be considering this soft fork.=C2=A0 Fine.=C2=A0 But =
presumably it is impossible for a transaction to both be produced in good f=
aith for legitimate use and at the same time are expensive enough to be use=
d as an attack vector, and hopefully there is a wide gap between these two =
cases.=C2=A0 So let&#39;s draw a line between the two cases to rule out att=
acks while allowing legitimate uses by simply suitably pricing the OP_CODES=
EPARATOR opcode by weight.=C2=A0 At worst case this moderately-large transa=
ction is very expensive, reflecting its true cost, or is was so expensive t=
hat it couldn&#39;t possibly have been legitimate to begin with since the r=
esources to validate it exceed the amount that are reasonable to validate a=
n entire block of regular transactions.</div></div></div>

--00000000000018cebf05839748da--