* [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT
@ 2016-09-23 9:57 Luke Dashjr
2016-09-23 13:43 ` Russell O'Connor
` (3 more replies)
0 siblings, 4 replies; 14+ messages in thread
From: Luke Dashjr @ 2016-09-23 9:57 UTC (permalink / raw)
To: Bitcoin Protocol Discussion
This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin
scripting system to address reissuing bitcoin transactions when the coins they
spend have been conflicted/double-spent.
https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki
Does this seem like a good idea/approach?
Luke
^ permalink raw reply [flat|nested] 14+ messages in thread* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 9:57 [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT Luke Dashjr @ 2016-09-23 13:43 ` Russell O'Connor [not found] ` <CAAS2fgQGC695mkyze+mVTZZoQN1mh+1y32u-D6Yv1R7nXWPDcg@mail.gmail.com> 2016-09-23 22:20 ` Luke Dashjr 2016-09-23 14:37 ` Tom ` (2 subsequent siblings) 3 siblings, 2 replies; 14+ messages in thread From: Russell O'Connor @ 2016-09-23 13:43 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 961 bytes --] I believe Bitcoin currently enjoys the property that during an "innocent" re-org, i.e. a reorg in which no affected transactions are being double spent, all affected transactions can always eventually get replayed, so long as the re-org depth is less than 100. My concern with this proposed operation is that it would destroy this property. On Fri, Sep 23, 2016 at 5:57 AM, Luke Dashjr via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > scripting system to address reissuing bitcoin transactions when the coins > they > spend have been conflicted/double-spent. > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > Does this seem like a good idea/approach? > > Luke > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 1641 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
[parent not found: <CAAS2fgQGC695mkyze+mVTZZoQN1mh+1y32u-D6Yv1R7nXWPDcg@mail.gmail.com>]
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT [not found] ` <CAAS2fgQGC695mkyze+mVTZZoQN1mh+1y32u-D6Yv1R7nXWPDcg@mail.gmail.com> @ 2016-09-23 18:57 ` Gregory Maxwell 2016-09-23 20:02 ` Peter Todd 0 siblings, 1 reply; 14+ messages in thread From: Gregory Maxwell @ 2016-09-23 18:57 UTC (permalink / raw) To: Bitcoin Protocol Discussion On Fri, Sep 23, 2016 at 1:43 PM, Russell O'Connor via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: > I believe Bitcoin currently enjoys the property that during an "innocent" > re-org, i.e. a reorg in which no affected transactions are being double > spent, all affected transactions can always eventually get replayed, so long > as the re-org depth is less than 100. > My concern with this proposed operation is that it would destroy this > property. The reorg safety impact of this proposal could be eliminated and the mempool handling complexity greatly reduced if the transaction was required to be locktimed at least 100 blocks after the block its referencing. This would also resolve a rather severe DOS weakness that the spec has with the suggestion that nodes would relay this rule without validating it. With the depth restriction nodes could relay one (or a couple) blocks early without creating a situation where someone can consume relay resources with near zero odds of paying a fee for them. Irritatingly, applications of this rule would really want to be applied at signing time (like locktime is), not as part of a scriptpubkey. With it part of a scriptpubkey two moves are required. I think solving this is important. FWIW, this scheme more has been proposed before for another reason-- effectively allowing users to 'vote against' long reorgs by making sure their transactions can't be included in them. Though for that application it was only needed to use 32 bits of the block hash. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 18:57 ` Gregory Maxwell @ 2016-09-23 20:02 ` Peter Todd 0 siblings, 0 replies; 14+ messages in thread From: Peter Todd @ 2016-09-23 20:02 UTC (permalink / raw) To: Gregory Maxwell, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2373 bytes --] On Fri, Sep 23, 2016 at 06:57:57PM +0000, Gregory Maxwell via bitcoin-dev wrote: > On Fri, Sep 23, 2016 at 1:43 PM, Russell O'Connor via bitcoin-dev > <bitcoin-dev@lists.linuxfoundation.org> wrote: > > I believe Bitcoin currently enjoys the property that during an "innocent" > > re-org, i.e. a reorg in which no affected transactions are being double > > spent, all affected transactions can always eventually get replayed, so long > > as the re-org depth is less than 100. > > > My concern with this proposed operation is that it would destroy this > > property. > > The reorg safety impact of this proposal could be eliminated and the > mempool handling complexity greatly reduced if the transaction was > required to be locktimed at least 100 blocks after the block its > referencing. However, by doing that we'd also make the functionality not all that useful for this application; by the time you waited 100 blocks for the tx to be minable, the chance of a reorg happening is low enough that I can't imagine many - if any - wallets would bother using the opcode in the first place, and would instead just rely on the fact that a reorg that deep which resulted in the double-spent transaction ending up back in the chain is very unlikely. Specifically I'm referring to the following scenario: 1) Alice pays Bob with tx1a 2) tx1a gets N confirmations, where N is some small number of confirmations. 2) Bob pays Charlie from tx1a's output in tx2a 3) A reorg eliminates the block that tx1a existed, and a conflicting tx1b is mined instead, making tx1a and tx2a invalid. 4) Bob pays Charlie again with tx2b, whose inputs do not conflict with tx2a 5) Another reorg eliminates tx1b, allowing tx1a, tx2a, and tx2b to all be mined. 6) Charlie has now been paid twice. Since you need _two_ reorgs for this scenario to be applicable, it's much easier to just wait for tx1b to be confirmed suffiently deeply in the chain that a reorg undoing it - thus allowing tx1a and tx2a to exist - is sufficiently unlikely; 100 blocks is a lot more than most wallets are going to consider "sufficiently unlikely", so the featureu just won't get used (assuming wallets even bother to handle this case of course!). Unfortunately I think this is an inherent catch-22 of the idea. -- https://petertodd.org 'peter'[:-1]@petertodd.org [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 13:43 ` Russell O'Connor [not found] ` <CAAS2fgQGC695mkyze+mVTZZoQN1mh+1y32u-D6Yv1R7nXWPDcg@mail.gmail.com> @ 2016-09-23 22:20 ` Luke Dashjr 2016-09-23 23:43 ` Gregory Maxwell 1 sibling, 1 reply; 14+ messages in thread From: Luke Dashjr @ 2016-09-23 22:20 UTC (permalink / raw) To: Russell O'Connor; +Cc: Bitcoin Protocol Discussion In the innocent use case of this opcode, a double-spend has already occurred, and this should be a strict improvement. In the non-innocent abuse of this opcode, I don't see that it's any worse than simply double-spending. Would this proposal be better or otherwise more acceptable, if a specified height more recent than 100 blocks deep causes the script to fail? This would increase delays in recovering the double-spend situation of course... but less than 24h. Luke On Friday, September 23, 2016 1:43:15 PM Russell O'Connor wrote: > I believe Bitcoin currently enjoys the property that during an "innocent" > re-org, i.e. a reorg in which no affected transactions are being double > spent, all affected transactions can always eventually get replayed, so > long as the re-org depth is less than 100. > > My concern with this proposed operation is that it would destroy this > property. > > On Fri, Sep 23, 2016 at 5:57 AM, Luke Dashjr via bitcoin-dev < > > bitcoin-dev@lists.linuxfoundation.org> wrote: > > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > > scripting system to address reissuing bitcoin transactions when the coins > > they > > spend have been conflicted/double-spent. > > > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > > > Does this seem like a good idea/approach? > > > > Luke > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 22:20 ` Luke Dashjr @ 2016-09-23 23:43 ` Gregory Maxwell 0 siblings, 0 replies; 14+ messages in thread From: Gregory Maxwell @ 2016-09-23 23:43 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion On Fri, Sep 23, 2016 at 10:20 PM, Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: > In the innocent use case of this opcode, a double-spend has already occurred, > and this should be a strict improvement. In the non-innocent abuse of this > opcode, I don't see that it's any worse than simply double-spending. There is a fungibility hit... right now, absent double spends (and privacy issues), every coin you might get paid is equal. With this script feature as described, you could get paid a coin which has one of these in its recent past, pinning the block immediately before it. A reorg long enough to remove that block-- due to an attack, or an ordinary block race, or some kind of consensus glitch (like we had in March 2013 or around the activation of BIP65)-- is _guaranteed_ to invalidate those coins, even without any double spend. If the scheme doesn't do as I suggest and prevent over-eager usage (perhaps 100 is too much, I just decided to match coinbases); then it should probably have a consensus enforced explicit "maximum survivable reorg" that is traced along with the outputs, so that someone who received exposed coins could handle it sensibly. Just for plain engineering reasons, I still think it is important to now allow overly short back references. If the reference has to be a few blocks back we don't need to worry about short forks breaking propagation, and simple mempool handling like purging all CBAH transactions on a large reorg would work fine. It need not be so long as to implicate Petertodd's concern that you could only use it where it wouldn't matter. (Though I also disagree that a depth of 100 achieves that, consider persistent chain forks). ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 9:57 [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT Luke Dashjr 2016-09-23 13:43 ` Russell O'Connor @ 2016-09-23 14:37 ` Tom 2016-09-23 22:34 ` Luke Dashjr 2016-09-23 16:18 ` Peter Todd 2016-10-01 4:01 ` Rusty Russell 3 siblings, 1 reply; 14+ messages in thread From: Tom @ 2016-09-23 14:37 UTC (permalink / raw) To: bitcoin-dev On Friday 23 Sep 2016 09:57:01 Luke Dashjr via bitcoin-dev wrote: > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > scripting system to address reissuing bitcoin transactions when the coins > they spend have been conflicted/double-spent. > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki Can you walk us through a real live usecase which this solves? I read it and I think I understand it, but I can't see the attack every giving the attacker any benefit (or the attacked losing anything). ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 14:37 ` Tom @ 2016-09-23 22:34 ` Luke Dashjr 2016-09-24 0:08 ` Dave Scotese 2016-09-24 9:37 ` Tom 0 siblings, 2 replies; 14+ messages in thread From: Luke Dashjr @ 2016-09-23 22:34 UTC (permalink / raw) To: bitcoin-dev, Tom Joe sends Alice 5 BTC (UTXO 0). Fred sends Alice 4 BTC (UTXO 1). Alice sends Bob 4 BTC using UTXO 1 (creating UTXO 2). Fred double-spends UTXO 1 with UTXO 1-B. This invalidates Alice's transfer to Bob. Alice has UTXO 0 which she can send to Bob (UTXO 3), but if she does so, it is possible that UTXO 0 could be mined, and then both UTXO 2 and UTXO 3 which would result in her giving Bob a total of 8 BTC rather than merely 4 BTC. Even if Alice waits until Fred's UTXO 1-B confirms 10 blocks deep, it is not impossible for a reorganization to reverse those 10 blocks and confirm UTXO 1 again. Using OP_CHECKBLOCKATHEIGHT, however, Alice can create UTXO 3 such that it is valid only in the blockchain where Fred's UTXO 1-B has confirmed. This way, if that block is reorganized out, UTXO 3 is invalid, and either Bob receives only the original UTXO 2, or Alice can create a UTXO 3-B which is valid in the reorganized blockchain if it again confirms the UTXO 1-B double-spend. Luke On Friday, September 23, 2016 2:37:39 PM Tom via bitcoin-dev wrote: > On Friday 23 Sep 2016 09:57:01 Luke Dashjr via bitcoin-dev wrote: > > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > > scripting system to address reissuing bitcoin transactions when the coins > > they spend have been conflicted/double-spent. > > > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > Can you walk us through a real live usecase which this solves? I read it > and I think I understand it, but I can't see the attack every giving the > attacker any benefit (or the attacked losing anything). > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 22:34 ` Luke Dashjr @ 2016-09-24 0:08 ` Dave Scotese 2016-09-24 9:37 ` Tom 1 sibling, 0 replies; 14+ messages in thread From: Dave Scotese @ 2016-09-24 0:08 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4307 bytes --] If Alice knows enough to see that she needs CHECKBLOCKATHEIGHT to avoid paying Bob twice, then she also knows that Fred owes her 4BTC. If Bob complains about getting paid faster, Alice can let him know that Fred essentially stole his coins and that when she is certain he (and she) can't get them back, she will send a different four coins to Bob. If she can establish trust with Bob (She'd trust Bob to pay her back if he gets back the coins Fred stole), then she can pay him again. Bob could also make a transaction to send the first input from Alice back to her (since he doesn't have those coins anyway), sign it, and send that to her. She can then keep it instead of having to use the new opcode. Or she can let her wallet use the new opcode so that the logic is built in, if we add this opcode. Wallet makers who want to help solve this problem can either implement the new opcode, or they can offer people like Bob the ability to refund orphaned transactions so that they can be duplicated in the valid chain without any risk to the original sender. With the opcode, Alice can solve the problem by herself. Without it, Bob can solve it for Alice. While the opcode adds complexity, it enables victims of double-spends to pay untrusted creditors (Bob) without the risk that orphaned chains create of paying them twice. I'm not sure the added complexity is worth the reward. The reward is to protect Bitcoiners (Alice) from people we'd call "untrusted creditors" (Bob) and I think that might be a mistake. Getting a refund transaction signed and sent back to Alice is similar to how the LN will work (where wallets hold transactions that they don't broadcast). Am I understanding this correctly? On Fri, Sep 23, 2016 at 3:34 PM, Luke Dashjr via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Joe sends Alice 5 BTC (UTXO 0). > Fred sends Alice 4 BTC (UTXO 1). > Alice sends Bob 4 BTC using UTXO 1 (creating UTXO 2). > Fred double-spends UTXO 1 with UTXO 1-B. This invalidates Alice's transfer > to > Bob. > Alice has UTXO 0 which she can send to Bob (UTXO 3), but if she does so, > it is > possible that UTXO 0 could be mined, and then both UTXO 2 and UTXO 3 which > would result in her giving Bob a total of 8 BTC rather than merely 4 BTC. > Even if Alice waits until Fred's UTXO 1-B confirms 10 blocks deep, it is > not > impossible for a reorganization to reverse those 10 blocks and confirm > UTXO 1 > again. > Using OP_CHECKBLOCKATHEIGHT, however, Alice can create UTXO 3 such that it > is > valid only in the blockchain where Fred's UTXO 1-B has confirmed. This > way, if > that block is reorganized out, UTXO 3 is invalid, and either Bob receives > only > the original UTXO 2, or Alice can create a UTXO 3-B which is valid in the > reorganized blockchain if it again confirms the UTXO 1-B double-spend. > > Luke > > On Friday, September 23, 2016 2:37:39 PM Tom via bitcoin-dev wrote: > > On Friday 23 Sep 2016 09:57:01 Luke Dashjr via bitcoin-dev wrote: > > > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > > > scripting system to address reissuing bitcoin transactions when the > coins > > > they spend have been conflicted/double-spent. > > > > > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > > > Can you walk us through a real live usecase which this solves? I read it > > and I think I understand it, but I can't see the attack every giving the > > attacker any benefit (or the attacked losing anything). > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > -- I like to provide some work at no charge to prove my value. Do you need a techie? I own Litmocracy <http://www.litmocracy.com> and Meme Racing <http://www.memeracing.net> (in alpha). I'm the webmaster for The Voluntaryist <http://www.voluntaryist.com> which now accepts Bitcoin. I also code for The Dollar Vigilante <http://dollarvigilante.com/>. "He ought to find it more profitable to play by the rules" - Satoshi Nakamoto [-- Attachment #2: Type: text/html, Size: 5864 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 22:34 ` Luke Dashjr 2016-09-24 0:08 ` Dave Scotese @ 2016-09-24 9:37 ` Tom 1 sibling, 0 replies; 14+ messages in thread From: Tom @ 2016-09-24 9:37 UTC (permalink / raw) To: Luke Dashjr; +Cc: bitcoin-dev Thank you Luke, this makes it clearer. It doesn't change that this scenario is an attack that doesn't give the attacker any benefit and the attacked doesn't loose anything either (as Dave pointed out). This is a completely academical problem that assumes so many stupid mistakes from software and from people that its very unlikely. On top of that it assumes a rather lengthy 51% attack in concert with this already extremely unlikely usecase. In the scenario you assume stupid people and then you solve it by requiring the victim to suddenly be super smart and use a solution specifically designed for this super unlikely usecase that probably will never actually happen... I don't buy it. On Friday, 23 September 2016 22:34:41 CEST Luke Dashjr wrote: > Joe sends Alice 5 BTC (UTXO 0). > Fred sends Alice 4 BTC (UTXO 1). > Alice sends Bob 4 BTC using UTXO 1 (creating UTXO 2). > Fred double-spends UTXO 1 with UTXO 1-B. This invalidates Alice's > transfer to Bob. > Alice has UTXO 0 which she can send to Bob (UTXO 3), but if she does so, > it is possible that UTXO 0 could be mined, and then both UTXO 2 and UTXO > 3 which would result in her giving Bob a total of 8 BTC rather than > merely 4 BTC. Even if Alice waits until Fred's UTXO 1-B confirms 10 > blocks deep, it is not impossible for a reorganization to reverse those > 10 blocks and confirm UTXO 1 again. > Using OP_CHECKBLOCKATHEIGHT, however, Alice can create UTXO 3 such that > it is valid only in the blockchain where Fred's UTXO 1-B has confirmed. > This way, if that block is reorganized out, UTXO 3 is invalid, and > either Bob receives only the original UTXO 2, or Alice can create a UTXO > 3-B which is valid in the reorganized blockchain if it again confirms > the UTXO 1-B double-spend. > > Luke > > On Friday, September 23, 2016 2:37:39 PM Tom via bitcoin-dev wrote: > > On Friday 23 Sep 2016 09:57:01 Luke Dashjr via bitcoin-dev wrote: > > > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the > > > Bitcoin > > > scripting system to address reissuing bitcoin transactions when the > > > coins they spend have been conflicted/double-spent. > > > > > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > > > Can you walk us through a real live usecase which this solves? I read > > it and I think I understand it, but I can't see the attack every > > giving the attacker any benefit (or the attacked losing anything). > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 9:57 [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT Luke Dashjr 2016-09-23 13:43 ` Russell O'Connor 2016-09-23 14:37 ` Tom @ 2016-09-23 16:18 ` Peter Todd 2016-10-01 4:01 ` Rusty Russell 3 siblings, 0 replies; 14+ messages in thread From: Peter Todd @ 2016-09-23 16:18 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 1239 bytes --] On Fri, Sep 23, 2016 at 09:57:01AM +0000, Luke Dashjr via bitcoin-dev wrote: > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > scripting system to address reissuing bitcoin transactions when the coins they > spend have been conflicted/double-spent. > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > Does this seem like a good idea/approach? Your BIP is a bit confusing: you say "In some circumstances, users may wish to spend received bitcoins before they have confirmed on the blockchain", but what you're really referring to isn't spending unconfirmed outputs - which OP_CHECKBLOCKATHEIGHT can't protect - but rather spending outputs with a small number of confirmations. In the existing ecosystem, if multi-block reorgs were a regular event Bitcoin would be in a lot of trouble; since they're rare, advising wallet authors to simply refuse to make transactions for some time after such a reorg may be a better solution. After all, a multi-block reorg is a strong indication that there's somehting very wrong with the network, and it'd be safer to stop using Bitcoin for awhile until things settle down. -- https://petertodd.org 'peter'[:-1]@petertodd.org [-- Attachment #2: Digital signature --] [-- Type: application/pgp-signature, Size: 455 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-09-23 9:57 [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT Luke Dashjr ` (2 preceding siblings ...) 2016-09-23 16:18 ` Peter Todd @ 2016-10-01 4:01 ` Rusty Russell 2016-10-01 5:02 ` Luke Dashjr 3 siblings, 1 reply; 14+ messages in thread From: Rusty Russell @ 2016-10-01 4:01 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion, Bitcoin Protocol Discussion Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> writes: > This BIP describes a new opcode (OP_CHECKBLOCKATHEIGHT) for the Bitcoin > scripting system to address reissuing bitcoin transactions when the coins they > spend have been conflicted/double-spent. > > https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki > > Does this seem like a good idea/approach? Prefer a three-arg version (gbits-to-compare, blocknum, hash): - If <bits> is 0 or > 256, invalid. - If the hash length is not (<bits> + 7) / 8, invalid. - If the hash unused bits are not 0, invalid. - Otherwise <bits> of hash is compared to lower <bits> of blockhash. This version also lets you play gambling games on-chain! Or maybe I've just put another nail in CBAH's coffin? Cheers, Rusty. ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-10-01 4:01 ` Rusty Russell @ 2016-10-01 5:02 ` Luke Dashjr 2016-10-05 2:15 ` Nathan Cook 0 siblings, 1 reply; 14+ messages in thread From: Luke Dashjr @ 2016-10-01 5:02 UTC (permalink / raw) To: Rusty Russell; +Cc: Bitcoin Protocol Discussion On Saturday, October 01, 2016 4:01:04 AM Rusty Russell wrote: > Prefer a three-arg version (gbits-to-compare, blocknum, hash): > - If <bits> is 0 or > 256, invalid. > - If the hash length is not (<bits> + 7) / 8, invalid. This means zero padding on-chain, which would be undesirable. Rather "at most" and have the consensus implementation do the padding. > - If the hash unused bits are not 0, invalid. Why? > - Otherwise <bits> of hash is compared to lower <bits> of blockhash. Lower in what endian? Why only that endian? Why only lower? I can see a possible use case where one wants to look at only the high bits to ensure their transaction is only valid in a block with at least a certain difficulty... > This version also lets you play gambling games on-chain! > > Or maybe I've just put another nail in CBAH's coffin? Or maybe resurrected it... Luke ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT 2016-10-01 5:02 ` Luke Dashjr @ 2016-10-05 2:15 ` Nathan Cook 0 siblings, 0 replies; 14+ messages in thread From: Nathan Cook @ 2016-10-05 2:15 UTC (permalink / raw) To: Luke Dashjr, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 776 bytes --] On 1 October 2016 at 08:02, Luke Dashjr via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Saturday, October 01, 2016 4:01:04 AM Rusty Russell wrote: > > > - Otherwise <bits> of hash is compared to lower <bits> of blockhash. > > Lower in what endian? Why only that endian? Why only lower? I can see a > possible use case where one wants to look at only the high bits to ensure > their transaction is only valid in a block with at least a certain > difficulty... Why not use segwit versioning for all this stuff? That lets you re-enable the bitwise operations like OP_AND, permitting arbitrary bit-masks. Further, the "at least a certain difficulty" problem suggests a solution by extending the validity of opcodes like OP_LESSTHAN etc. to 256-bit inputs. [-- Attachment #2: Type: text/html, Size: 1226 bytes --] ^ permalink raw reply [flat|nested] 14+ messages in thread
end of thread, other threads:[~2016-10-05 2:15 UTC | newest]
Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-23 9:57 [bitcoin-dev] BIP draft: OP_CHECKBLOCKATHEIGHT Luke Dashjr
2016-09-23 13:43 ` Russell O'Connor
[not found] ` <CAAS2fgQGC695mkyze+mVTZZoQN1mh+1y32u-D6Yv1R7nXWPDcg@mail.gmail.com>
2016-09-23 18:57 ` Gregory Maxwell
2016-09-23 20:02 ` Peter Todd
2016-09-23 22:20 ` Luke Dashjr
2016-09-23 23:43 ` Gregory Maxwell
2016-09-23 14:37 ` Tom
2016-09-23 22:34 ` Luke Dashjr
2016-09-24 0:08 ` Dave Scotese
2016-09-24 9:37 ` Tom
2016-09-23 16:18 ` Peter Todd
2016-10-01 4:01 ` Rusty Russell
2016-10-01 5:02 ` Luke Dashjr
2016-10-05 2:15 ` Nathan Cook
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox