public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
@ 2020-10-08  0:21 Rusty Russell
  2020-10-08 14:59 ` David A. Harding
  2020-10-28  0:20 ` Pieter Wuille
  0 siblings, 2 replies; 24+ messages in thread
From: Rusty Russell @ 2020-10-08  0:21 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

Hi all,

        I propose an alternative to length restrictions suggested by
Russell in https://github.com/bitcoin/bips/pull/945: use the
https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb variant,
unless the first byte is 0.

Here's a summary of each proposal:

Length restrictions (future segwits must be 10, 13, 16, 20, 23, 26, 29,
32, 36, or 40 bytes)
  1. Backwards compatible for v1 etc; old code it still works.
  2. Restricts future segwit versions, may require new encoding if we
     want a diff length (or waste chainspace if we need to have a padded
     version for compat).
    
Checksum change based on first byte:
  1. Backwards incompatible for v1 etc; only succeeds 1 in a billion.
  2. Weakens guarantees against typos in first two data-part letters to
     1 in a billion.[1]

I prefer the second because it forces upgrades, since it breaks so
clearly.  And unfortunately we do need to upgrade, because the length
extension bug means it's unwise to accept non-v0 addresses.

(Note non-v0 segwit didn't relay before v0.19.0 anyway, so many places
may already be restricting to v0 segwit).

The sooner a decision is reached on this, the sooner we can begin
upgrading software for a taproot world.

Thanks,
Rusty.
PS. Lightning uses bech32 over longer lengths, but the checksum is less critical; we'd prefer to follow whatever
bitcoin chooses.

[1] Technically less for non-v0: you have a 1 in 8 chance of a typo in the second letter changing the checksum
     algorithm, so it's 1 in 8 billion. 


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-08  0:21 [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173) Rusty Russell
@ 2020-10-08 14:59 ` David A. Harding
  2020-10-08 15:21   ` Russell O'Connor
  2020-10-15  1:40   ` Rusty Russell
  2020-10-28  0:20 ` Pieter Wuille
  1 sibling, 2 replies; 24+ messages in thread
From: David A. Harding @ 2020-10-08 14:59 UTC (permalink / raw)
  To: Rusty Russell, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 2148 bytes --]

On Thu, Oct 08, 2020 at 10:51:10AM +1030, Rusty Russell via bitcoin-dev wrote:
> Hi all,
> 
>         I propose an alternative to length restrictions suggested by
> Russell in https://github.com/bitcoin/bips/pull/945 : use the
> https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb variant,
> unless the first byte is 0.
> 
> Here's a summary of each proposal:
> 
> Length restrictions (future segwits must be 10, 13, 16, 20, 23, 26, 29,
> 32, 36, or 40 bytes)
>   1. Backwards compatible for v1 etc; old code it still works.
>   2. Restricts future segwit versions, may require new encoding if we
>      want a diff length (or waste chainspace if we need to have a padded
>      version for compat).
>     
> Checksum change based on first byte:
>   1. Backwards incompatible for v1 etc; only succeeds 1 in a billion.
>   2. Weakens guarantees against typos in first two data-part letters to
>      1 in a billion.[1]

Excellent summary!

> I prefer the second because it forces upgrades, since it breaks so
> clearly.  And unfortunately we do need to upgrade, because the length
> extension bug means it's unwise to accept non-v0 addresses.

I don't think the second option forces upgrades.  It just creates
another opt-in address format that means we'll spend another several
years with every wallet having two address buttons, one for a "segwit
address" (v0) and one for a "taproot address" (v1).  Or maybe three
buttons, with the third being a "taproot-in-a-segwit-address" (v1
witness program using the original bech32 encoding).

It took a lot of community effort to get widespread support for bech32
addresses.  Rather than go through that again, I'd prefer we use the
backwards compatible proposal from BIPs PR#945 and, if we want to
maximize safety, consensus restrict v1 witness program size, e.g. reject
transactions with scriptPubKeys paying v1 witness programs that aren't
exactly 32 bytes.

Hopefully by the time we want to use segwit v2, most software will have
implemented length limits and so we won't need any additional consensus
restrictions from then on forward.

-Dave

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-08 14:59 ` David A. Harding
@ 2020-10-08 15:21   ` Russell O'Connor
  2020-10-15  1:40   ` Rusty Russell
  1 sibling, 0 replies; 24+ messages in thread
From: Russell O'Connor @ 2020-10-08 15:21 UTC (permalink / raw)
  To: David A. Harding, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 780 bytes --]

On Thu, Oct 8, 2020 at 11:00 AM David A. Harding via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Rather than go through that again, I'd prefer we use the
> backwards compatible proposal from BIPs PR#945 and, if we want to
> maximize safety, consensus restrict v1 witness program size, e.g. reject
> transactions with scriptPubKeys paying v1 witness programs that aren't
> exactly 32 bytes.
>

Adding some kind of relay policy rule would be easier than a consensus
rule, and maybe effective enough.  (This comment is not intended to endorse
any one proposal over another.)


> Hopefully by the time we want to use segwit v2, most software will have
> implemented length limits and so we won't need any additional consensus
> restrictions from then on forward.
>

[-- Attachment #2: Type: text/html, Size: 1284 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-08 14:59 ` David A. Harding
  2020-10-08 15:21   ` Russell O'Connor
@ 2020-10-15  1:40   ` Rusty Russell
  2020-10-16 21:09     ` Pieter Wuille
  1 sibling, 1 reply; 24+ messages in thread
From: Rusty Russell @ 2020-10-15  1:40 UTC (permalink / raw)
  To: David A. Harding, Bitcoin Protocol Discussion

"David A. Harding" <dave@dtrt.org> writes:
> On Thu, Oct 08, 2020 at 10:51:10AM +1030, Rusty Russell via bitcoin-dev wrote:
>> Hi all,
>> 
>>         I propose an alternative to length restrictions suggested by
>> Russell in https://github.com/bitcoin/bips/pull/945 : use the
>> https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb variant,
>> unless the first byte is 0.
>> 
>> Here's a summary of each proposal:
>> 
>> Length restrictions (future segwits must be 10, 13, 16, 20, 23, 26, 29,
>> 32, 36, or 40 bytes)
>>   1. Backwards compatible for v1 etc; old code it still works.
>>   2. Restricts future segwit versions, may require new encoding if we
>>      want a diff length (or waste chainspace if we need to have a padded
>>      version for compat).
>>     
>> Checksum change based on first byte:
>>   1. Backwards incompatible for v1 etc; only succeeds 1 in a billion.
>>   2. Weakens guarantees against typos in first two data-part letters to
>>      1 in a billion.[1]
>
> Excellent summary!
>
>> I prefer the second because it forces upgrades, since it breaks so
>> clearly.  And unfortunately we do need to upgrade, because the length
>> extension bug means it's unwise to accept non-v0 addresses.
>
> I don't think the second option forces upgrades.  It just creates
> another opt-in address format that means we'll spend another several
> years with every wallet having two address buttons, one for a "segwit
> address" (v0) and one for a "taproot address" (v1).  Or maybe three
> buttons, with the third being a "taproot-in-a-segwit-address" (v1
> witness program using the original bech32 encoding).

If we go for option 2, v1 (generated from bitcoin core) will simply fail
the first time you try test it.  So it will force an upgrade.  There
are fewer places generating addresses than accepting them, so this
seems the most likely scenario.

OTOH, with option 1, anyone accepting v1 addresses today is going to
become a liability once v1 addresses start being generated.

> It took a lot of community effort to get widespread support for bech32
> addresses.  Rather than go through that again, I'd prefer we use the
> backwards compatible proposal from BIPs PR#945 and, if we want to
> maximize safety, consensus restrict v1 witness program size, e.g. reject
> transactions with scriptPubKeys paying v1 witness programs that aren't
> exactly 32 bytes.

Yes, I too wish we weren't here.  :(

Deferring a hard decision is not useful unless we expect things to be
easier in future, and I only see it getting harder as time passes and
userbases grow.

The good news it that the change is fairly simple and the reference
implementations are widely used so change is not actually that hard
once the decision is made.

> Hopefully by the time we want to use segwit v2, most software will have
> implemented length limits and so we won't need any additional consensus
> restrictions from then on forward.

If we are prepared to commit to restrictions on future addresses.

We don't know enough to do that, however, so I'm reluctant; I worry that
a future scheme where we could save (e.g.) 2 bytes will impractical due
to our encoding restrictions, resulting in unnecessary onchain bloat.

Cheers,
Rusty.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-15  1:40   ` Rusty Russell
@ 2020-10-16 21:09     ` Pieter Wuille
  2020-10-19  0:49       ` Rusty Russell
  0 siblings, 1 reply; 24+ messages in thread
From: Pieter Wuille @ 2020-10-16 21:09 UTC (permalink / raw)
  To: Rusty Russell, Bitcoin Protocol Discussion

Hi Rusty,

thanks for starting this thread. We definitely should make a decision around
this soon.


On Wednesday, October 14, 2020 6:40 PM, Rusty Russell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > > Here's a summary of each proposal:
> > > Length restrictions (future segwits must be 10, 13, 16, 20, 23, 26, 29,
> > > 32, 36, or 40 bytes)
> > >
> > > 1.  Backwards compatible for v1 etc; old code it still works.
> > > 2.  Restricts future segwit versions, may require new encoding if we
> > >     want a diff length (or waste chainspace if we need to have a padded
> > >     version for compat).
> > >
> > > Checksum change based on first byte:
> > >
> > > 1.  Backwards incompatible for v1 etc; only succeeds 1 in a billion.
> > > 2.  Weakens guarantees against typos in first two data-part letters to
> > >     1 in a billion.[1]
> > >

> If we go for option 2, v1 (generated from bitcoin core) will simply fail
> the first time you try test it. So it will force an upgrade. There
> are fewer places generating addresses than accepting them, so this
> seems the most likely scenario.
>
> OTOH, with option 1, anyone accepting v1 addresses today is going to
> become a liability once v1 addresses start being generated.

Today, no witness v1 receivers exist. So it seems to me the only question
is what software/infrastructure exist that supports sending to witness v1,
and whether they (and their userbase) are more or less likely to upgrade
before receivers appear than those that don't.

Clearly if only actively developed software currently supports sending to
v1 right now, then the question of forward compatibility is moot, and I'd
agree the cleanliness of option 2 is preferable.

Does anyone have an up-to-date overview of where to-future-witness sending
is supported? I know Bitcoin Core does.

> > It took a lot of community effort to get widespread support for bech32
> > addresses. Rather than go through that again, I'd prefer we use the
> > backwards compatible proposal from BIPs PR#945 and, if we want to
> > maximize safety, consensus restrict v1 witness program size, e.g. reject
> > transactions with scriptPubKeys paying v1 witness programs that aren't
> > exactly 32 bytes.
>
> Yes, I too wish we weren't here. :(
>
> Deferring a hard decision is not useful unless we expect things to be
> easier in future, and I only see it getting harder as time passes and
> userbases grow.

Possibly, but in the past I think there has existed a pattern where adoption
of new technology is at least partially based on certain infrastructure
and codebases going out of business and/or being replaced with newer ones,
rather than improvements to existing ones.

If that effect is significant, option 1 may be preferable: it means less
compatibility issues in the short term, and longer term all that may be
required is fixing the spec, and waiting long enough for old/unmaintained code
to be replaced.

As for how long: new witness version/length combinations are only rarely needed,
and there are 14 length=32 ones left to pick. We'll likely want to use those
first anyway, as it's the cheapest option with 128-bit collision resistance.
Assuming future constructions have something like BIP341's leaf versioning, new
witness version/length combinations are only required for:

* Changes to the commitment structure of script execution (e.g. Graftroot,
  different hash function for Merkle trees, ...)
* Upgrades to new signing cryptography (EC curve change, PQC, ...).
* Changes to signatures outside of a commitment structure (e.g. new sighash
  modes for the keypath in BIP341, or cross-input aggregation for them).

and in general, not for things like new script opcodes, or even for fairly
invasive redesigns of the script language itself.

> The good news it that the change is fairly simple and the reference
> implementations are widely used so change is not actually that hard
> once the decision is made.

Indeed. Whatever observations we had about adoption of base58 -> bech32 may not
apply because the change to a different checksum is fairly trivial compared to
that. Still, presence of production codebases that just don't update at all
may complicate this.

> > Hopefully by the time we want to use segwit v2, most software will have
> > implemented length limits and so we won't need any additional consensus
> > restrictions from then on forward.
>
> If we are prepared to commit to restrictions on future addresses.
>
> We don't know enough to do that, however, so I'm reluctant; I worry that
> a future scheme where we could save (e.g.) 2 bytes will impractical due
> to our encoding restrictions, resulting in unnecessary onchain bloat.

I'm opposed to consensus-invalidating certain length/version combinations, if
that's what you're suggesting, and I don't think there is a need for it.

TL;DR: what codebases/services/infrastructure exists today that supports
sending to witness v1 BIP173 addresses?

Cheers,

--
Pieter



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-16 21:09     ` Pieter Wuille
@ 2020-10-19  0:49       ` Rusty Russell
  2020-10-19 22:55         ` Pieter Wuille
  2020-10-21  3:05         ` ZmnSCPxj
  0 siblings, 2 replies; 24+ messages in thread
From: Rusty Russell @ 2020-10-19  0:49 UTC (permalink / raw)
  To: Pieter Wuille, Bitcoin Protocol Discussion; +Cc: John Barboza

Pieter Wuille <bitcoin-dev@wuille.net> writes:
> Today, no witness v1 receivers exist. So it seems to me the only question
> is what software/infrastructure exist that supports sending to witness v1,
> and whether they (and their userbase) are more or less likely to upgrade
> before receivers appear than those that don't.
>
> Clearly if only actively developed software currently supports sending to
> v1 right now, then the question of forward compatibility is moot, and I'd
> agree the cleanliness of option 2 is preferable.

If software supports v1 today and doesn't get upgraded, and we persue
option 1 then a trailing typo can make trouble.  Not directly lose money
(since the tx won't get propagated), but for most systems (e.g. hosted
wallets) someone has to go in and figure out the error and fix it up.

Option 2 means they're likely to fix their systems the first time
someone tries a v1 send, not the first time someone makes a trailing
typo (which might be years).

> Does anyone have an up-to-date overview of where to-future-witness sending
> is supported? I know Bitcoin Core does.

Anecdata: c-lightning doesn't allow withdraw to segwit > 0.  It seems
that the contributor John Barboza (CC'd) assumed that future versions
should be invalid:

	if (bip173) {
		bool witness_ok = false;
		if (witness_version == 0 && (witness_program_len == 20 ||
					     witness_program_len == 32)) {
			witness_ok = true;
		}
		/* Insert other witness versions here. */

>> Deferring a hard decision is not useful unless we expect things to be
>> easier in future, and I only see it getting harder as time passes and
>> userbases grow.
>
> Possibly, but in the past I think there has existed a pattern where adoption
> of new technology is at least partially based on certain infrastructure
> and codebases going out of business and/or being replaced with newer ones,
> rather than improvements to existing ones.
>
> If that effect is significant, option 1 may be preferable: it means less
> compatibility issues in the short term, and longer term all that may be
> required is fixing the spec, and waiting long enough for old/unmaintained code
> to be replaced.

Hmm, I'd rather cleanly break zombie infra, since they're exactly the
kind that won't/cant fix the case where someone trailing-typos?

> As for how long: new witness version/length combinations are only rarely needed,
> and there are 14 length=32 ones left to pick. We'll likely want to use those
> first anyway, as it's the cheapest option with 128-bit collision resistance.
> Assuming future constructions have something like BIP341's leaf versioning, new
> witness version/length combinations are only required for:
>
> * Changes to the commitment structure of script execution (e.g. Graftroot,
>   different hash function for Merkle trees, ...)
> * Upgrades to new signing cryptography (EC curve change, PQC, ...).
> * Changes to signatures outside of a commitment structure (e.g. new sighash
>   modes for the keypath in BIP341, or cross-input aggregation for them).
>
> and in general, not for things like new script opcodes, or even for fairly
> invasive redesigns of the script language itself.

Hmm, good point.  These can all be done with version bumps.

The only use for extra bytes I can see is per-UTXO flags, but even then
I can't see why you'd need to know them until their spent (in which case
you stash the flag in the input, not the output).

And fewer bytes seems bad for fungibility, since multisig would be
dangerous.

But the future keeps surprising me, so I'm still hesitant.

>> The good news it that the change is fairly simple and the reference
>> implementations are widely used so change is not actually that hard
>> once the decision is made.
>
> Indeed. Whatever observations we had about adoption of base58 -> bech32 may not
> apply because the change to a different checksum is fairly trivial compared to
> that. Still, presence of production codebases that just don't update at all
> may complicate this.
>
>> > Hopefully by the time we want to use segwit v2, most software will have
>> > implemented length limits and so we won't need any additional consensus
>> > restrictions from then on forward.
>>
>> If we are prepared to commit to restrictions on future addresses.
>>
>> We don't know enough to do that, however, so I'm reluctant; I worry that
>> a future scheme where we could save (e.g.) 2 bytes will impractical due
>> to our encoding restrictions, resulting in unnecessary onchain bloat.
>
> I'm opposed to consensus-invalidating certain length/version combinations, if
> that's what you're suggesting, and I don't think there is a need for it.

This *seems* to leave the option of later removing size restrictions,
but I think this is an illusion.  Upgrading will only get harder over
time: we would instead opt for some kind of backward compatiblity hack
(i.e. 33 byte address, but you can optionally add 3 zero pad bytes)
which *will* have consensus effect.

> TL;DR: what codebases/services/infrastructure exists today that supports
> sending to witness v1 BIP173 addresses?

OK, time to waste some money!

Can you provide a mainnet v1 address, and I'll try to spam it from as
many things as I can find.  If we're really lucky, you can collect it
post-fork and donate it to charity.  Or a miner can steal it pre-fork :)

Thanks!
Rusty.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-19  0:49       ` Rusty Russell
@ 2020-10-19 22:55         ` Pieter Wuille
  2020-10-20  0:42           ` Rusty Russell
  2020-10-21  3:05         ` ZmnSCPxj
  1 sibling, 1 reply; 24+ messages in thread
From: Pieter Wuille @ 2020-10-19 22:55 UTC (permalink / raw)
  To: Rusty Russell; +Cc: Bitcoin Protocol Discussion, John Barboza

On Sunday, October 18, 2020 5:49 PM, Rusty Russell <rusty@rustcorp.com.au> wrote:

> Pieter Wuille bitcoin-dev@wuille.net writes:
>
> > Today, no witness v1 receivers exist. So it seems to me the only question
> > is what software/infrastructure exist that supports sending to witness v1,
> > and whether they (and their userbase) are more or less likely to upgrade
> > before receivers appear than those that don't.
> > Clearly if only actively developed software currently supports sending to
> > v1 right now, then the question of forward compatibility is moot, and I'd
> > agree the cleanliness of option 2 is preferable.
>
> If software supports v1 today and doesn't get upgraded, and we persue
> option 1 then a trailing typo can make trouble. Not directly lose money
> (since the tx won't get propagated), but for most systems (e.g. hosted
> wallets) someone has to go in and figure out the error and fix it up.

It depends. As is, they'd be relayed even as sending to future witness versions
or lengths is standard. If option 1 is chosen there may be reasons to add
safeguards using relay policy, though.

> Option 2 means they're likely to fix their systems the first time
> someone tries a v1 send, not the first time someone makes a trailing
> typo (which might be years).

Possibly, but it's also possible that it won't get fixed at all, and instead
receiver software just has to wait a few years longer before being able to start
giving out v1 addresses and have a reasonable chance the sender supports it.

You're right though that protecting old sender software from being protected
against the insertion bug is a good argument in favor of Option 2.

Strictly speaking it also has an issue, as the error detection properties aren't
guaranteed for new-scheme-address + intended-detected-error interpreted as
old-scheme-address (in particular, you can make 4 substitution errors in
a new-scheme address and have it be a valid old-scheme address). This is much
less of an issue than the insertion bug that remains present with Option 1 in
old senders.

> > As for how long: new witness version/length combinations are only rarely needed,
> > and there are 14 length=32 ones left to pick. We'll likely want to use those
> > first anyway, as it's the cheapest option with 128-bit collision resistance.
> > Assuming future constructions have something like BIP341's leaf versioning, new
> > witness version/length combinations are only required for:
> >
> > -   Changes to the commitment structure of script execution (e.g. Graftroot,
> >     different hash function for Merkle trees, ...)
> >
> > -   Upgrades to new signing cryptography (EC curve change, PQC, ...).
> > -   Changes to signatures outside of a commitment structure (e.g. new sighash
> >     modes for the keypath in BIP341, or cross-input aggregation for them).
> >
> >
> > and in general, not for things like new script opcodes, or even for fairly
> > invasive redesigns of the script language itself.
>
> Hmm, good point. These can all be done with version bumps.
>
> The only use for extra bytes I can see is per-UTXO flags, but even then
> I can't see why you'd need to know them until their spent (in which case
> you stash the flag in the input, not the output).
>
> And fewer bytes seems bad for fungibility, since multisig would be
> dangerous.
>
> But the future keeps surprising me, so I'm still hesitant.

Of course, our thinking here may change significantly over time - still, I expect
it'll be years before something other than 32-byte addresses is desired.

> > TL;DR: what codebases/services/infrastructure exists today that supports
> > sending to witness v1 BIP173 addresses?
>
> OK, time to waste some money!
>
> Can you provide a mainnet v1 address, and I'll try to spam it from as
> many things as I can find. If we're really lucky, you can collect it
> post-fork and donate it to charity. Or a miner can steal it pre-fork :)

Here is a BIP341 witness v1 address, corresponding to just the generator as
inner public key (using TapTweak(pubkey) as tweak, as suggested by the BIP):

bc1pmfr3p9 YOU j00pfxjh WILL 0zmgp99y8zf LOSE tmd3s5pmedqhy MONEY ptwy6lm87hf5ss52r5n8


Cheers,

--
Pieter



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-19 22:55         ` Pieter Wuille
@ 2020-10-20  0:42           ` Rusty Russell
  2020-10-20  3:31             ` Rusty Russell
  2020-10-20 10:29             ` David A. Harding
  0 siblings, 2 replies; 24+ messages in thread
From: Rusty Russell @ 2020-10-20  0:42 UTC (permalink / raw)
  To: Pieter Wuille; +Cc: Bitcoin Protocol Discussion, John Barboza

Pieter Wuille <bitcoin-dev@wuille.net> writes:
> Here is a BIP341 witness v1 address, corresponding to just the generator as
> inner public key (using TapTweak(pubkey) as tweak, as suggested by the BIP):
>
> bc1pmfr3p9 YOU j00pfxjh WILL 0zmgp99y8zf LOSE tmd3s5pmedqhy MONEY ptwy6lm87hf5ss52r5n8

Here are my initial results:

Rejects
-------

c-lightning: "Could not parse destination address, destination should be a valid address"
Phoenix: "Invalid data.  Please try again."

Accepts
-------
Green: ef1662fd2eb736612afb1b60e3efabfdf700b1c4822733d9dbe1bfee607a5b9b
blockchain.info: 64b0fcb22d57b3c920fee1a97b9facec5b128d9c895a49c7d321292fb4156c21

Will keep exploring (and others are welcome to try too!)

Cheers,
Rusty.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20  0:42           ` Rusty Russell
@ 2020-10-20  3:31             ` Rusty Russell
  2020-10-20  9:21               ` Riccardo Casatta
  2020-10-20 10:29             ` David A. Harding
  1 sibling, 1 reply; 24+ messages in thread
From: Rusty Russell @ 2020-10-20  3:31 UTC (permalink / raw)
  To: Pieter Wuille; +Cc: Bitcoin Protocol Discussion, John Barboza

Rusty Russell <rusty@rustcorp.com.au> writes:
> Accepts
> -------
> Green: ef1662fd2eb736612afb1b60e3efabfdf700b1c4822733d9dbe1bfee607a5b9b
> blockchain.info: 64b0fcb22d57b3c920fee1a97b9facec5b128d9c895a49c7d321292fb4156c21

PEBKAC.  Pasted wrong address.  Here are correct results:

Rejects
-------
c-lightning: "Could not parse destination address, destination should be a valid address"
Phoenix: "Invalid data.  Please try again."
blockchain.info: "Your Bitcoin transaction failed to send. Please try again."

Accepts
-------
Green: 9e4ab6617a2983439181a304f0b4647b63f51af08fdd84b0676221beb71a8f21

Cheers,
Rusty.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20  3:31             ` Rusty Russell
@ 2020-10-20  9:21               ` Riccardo Casatta
  0 siblings, 0 replies; 24+ messages in thread
From: Riccardo Casatta @ 2020-10-20  9:21 UTC (permalink / raw)
  To: Rusty Russell, Bitcoin Protocol Discussion; +Cc: John Barboza

[-- Attachment #1: Type: text/plain, Size: 1299 bytes --]

Here is a mainnet tx done with aqua wallet, which is based on rust-bitcoin
https://blockstream.info/tx/b48a59fa9e036e997ba733904f631b1a64f5274be646698e49fd542141ca9404?expand

I am not sure about the scriptpubkey starting with 51 so I opened this
https://github.com/rust-bitcoin/rust-bitcoin/pull/504


Il giorno mar 20 ott 2020 alle ore 05:32 Rusty Russell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> ha scritto:
>
> Rusty Russell <rusty@rustcorp.com.au> writes:
> > Accepts
> > -------
> > Green: ef1662fd2eb736612afb1b60e3efabfdf700b1c4822733d9dbe1bfee607a5b9b
> > blockchain.info:
64b0fcb22d57b3c920fee1a97b9facec5b128d9c895a49c7d321292fb4156c21
>
> PEBKAC.  Pasted wrong address.  Here are correct results:
>
> Rejects
> -------
> c-lightning: "Could not parse destination address, destination should be
a valid address"
> Phoenix: "Invalid data.  Please try again."
> blockchain.info: "Your Bitcoin transaction failed to send. Please try
again."
>
> Accepts
> -------
> Green: 9e4ab6617a2983439181a304f0b4647b63f51af08fdd84b0676221beb71a8f21
>
> Cheers,
> Rusty.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



--
Riccardo Casatta - @RCasatta

[-- Attachment #2: Type: text/html, Size: 2054 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20  0:42           ` Rusty Russell
  2020-10-20  3:31             ` Rusty Russell
@ 2020-10-20 10:29             ` David A. Harding
  2020-10-20 20:12               ` Pieter Wuille
  1 sibling, 1 reply; 24+ messages in thread
From: David A. Harding @ 2020-10-20 10:29 UTC (permalink / raw)
  To: Rusty Russell; +Cc: Bitcoin Protocol Discussion, John Barboza

[-- Attachment #1: Type: text/plain, Size: 2520 bytes --]

On Tue, Oct 20, 2020 at 11:12:06AM +1030, Rusty Russell wrote:
> Here are my initial results:

A while ago, around the Bitcoin Core 0.19.0 release that enabled
relaying v1+ segwit addresses, Mike Schmidt was working on the Optech
Compatibility Matrix[1] and tested a variety of software and services
with a v1 address using the original BIP341 specification (33 byte
pubkeys; we now use 32 byte keys).  Here's a summary of his results,
posted with his permission:

- abra: Bech32 not supported.

- binance: Does not pass front end javascript validation

- bitgo: Error occurs during sending process, after validation.

- bitmex: Bech32 not supported.

- bitrefill: Address does not pass validation.

- bitstamp: Address text input doesn’t allow bech32 addresses due to
  character limits.

- blockchain.info: Error occurs during sending process, after
  validation.

- brd: Allows sending workflow to complete in the UI. Transaction stays
  as pending in the transaction list.

- casa: Fails on signing attempt.

- coinbase: Fails address validation client side in the UI.

- conio: Server error 500 while attemping to send.

- copay: Allows v1 address to be entered in the UI. Fails during
  broadcast.

- edge: Allows sending workflow to complete. Transaction stays in
  pending state. Appears to causes issues with the balance calculation
  as well as ability to send subsequent transactions.

- electrum: Error message during broadcasting of transaction.

- green: Fails on validation of the address.

- jaxx: Fails on validation of the address.

- ledger live: Fails when transaction is sent to the hardwave device for
  signing.

- mycelium: Fails during address validation.

- purse: Transaction can be created and broadcast, relayed by peers
  compatible with Bitcoin Core v0.19.0.1 or above.

- river: Transaction can be created and broadcast, relayed by peers
  compatible with Bitcoin Core v0.19.0.1 or above.

- samourai: Fails on broadcast of transaction to the network.

- trezor: Fails on validation of the address.

- wasabi: Fails on validation of the address.

- xapo: Xapo allows users to create segwit v1 transactions in the UI.
  However, the transaction gets stuck as pending for an indeterminate
  period of time

I would guess that some of the failures / stuck transactions might now
be successes if the backend infrastructure has upgraded to Bitcoin Core
>= 0.19.

-Dave

[1] https://bitcoinops.org/en/compatibility/

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20 10:29             ` David A. Harding
@ 2020-10-20 20:12               ` Pieter Wuille
  2020-10-20 23:52                 ` Mike Schmidt
  0 siblings, 1 reply; 24+ messages in thread
From: Pieter Wuille @ 2020-10-20 20:12 UTC (permalink / raw)
  To: David A. Harding; +Cc: Bitcoin Protocol Discussion, John Barboza

On Tuesday, October 20, 2020 3:29 AM, David A. Harding <dave@dtrt.org> wrote:


> I would guess that some of the failures / stuck transactions might now be successes if the backend infrastructure has upgraded to Bitcoin Core > = 0.19.

Yeah, it would be good to re-test them since a ~year has passed since the 0.19.0 release.

Cheers,

--
Pieter





^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20 20:12               ` Pieter Wuille
@ 2020-10-20 23:52                 ` Mike Schmidt
  2020-10-21  4:51                   ` Rusty Russell
  2020-11-06 19:49                   ` Mike Schmidt
  0 siblings, 2 replies; 24+ messages in thread
From: Mike Schmidt @ 2020-10-20 23:52 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion, Pieter Wuille; +Cc: John Barboza

[-- Attachment #1: Type: text/plain, Size: 860 bytes --]

I am happy to re-test the services Harding listed previously for v1 send
support next week.

Suggestions of additional services that would be valuable to test are
welcome as well.

Mike


On Tue, Oct 20, 2020 at 3:38 PM Pieter Wuille via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Tuesday, October 20, 2020 3:29 AM, David A. Harding <dave@dtrt.org>
> wrote:
>
>
> > I would guess that some of the failures / stuck transactions might now
> be successes if the backend infrastructure has upgraded to Bitcoin Core > =
> 0.19.
>
> Yeah, it would be good to re-test them since a ~year has passed since the
> 0.19.0 release.
>
> Cheers,
>
> --
> Pieter
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 1671 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-19  0:49       ` Rusty Russell
  2020-10-19 22:55         ` Pieter Wuille
@ 2020-10-21  3:05         ` ZmnSCPxj
  2020-10-21  4:39           ` Rusty Russell
  1 sibling, 1 reply; 24+ messages in thread
From: ZmnSCPxj @ 2020-10-21  3:05 UTC (permalink / raw)
  To: Rusty Russell, Bitcoin Protocol Discussion; +Cc: John Barboza



> Anecdata: c-lightning doesn't allow withdraw to segwit > 0. It seems
> that the contributor John Barboza (CC'd) assumed that future versions
> should be invalid:
>
> if (bip173) {
> bool witness_ok = false;
> if (witness_version == 0 && (witness_program_len == 20 ||
> witness_program_len == 32)) {
> witness_ok = true;
> }
> /* Insert other witness versions here. */

I believe this is actually my code, which was later refactored by John Barboza when we were standardizing the `param` system.

This was intended only as a simple precaution against creating non-standard transaction, and not an assumption that future versions should be invalid.
The intent is that further `else if` branches would be added for newer witness versions and whatever length restrictions they may have, as the `/* Insert other witness versions here.  */` comment implies.

Regards,
ZmnSCPxj


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-21  3:05         ` ZmnSCPxj
@ 2020-10-21  4:39           ` Rusty Russell
  0 siblings, 0 replies; 24+ messages in thread
From: Rusty Russell @ 2020-10-21  4:39 UTC (permalink / raw)
  To: ZmnSCPxj, Bitcoin Protocol Discussion; +Cc: John Barboza

ZmnSCPxj <ZmnSCPxj@protonmail.com> writes:
> I believe this is actually my code, which was later refactored by John Barboza when we were standardizing the `param` system.

Ah, sorry!

> This was intended only as a simple precaution against creating non-standard transaction, and not an assumption that future versions should be invalid.
> The intent is that further `else if` branches would be added for newer witness versions and whatever length restrictions they may have, as the `/* Insert other witness versions here.  */` comment implies.

Yes, I mentioned it here because I've found this to be a common
misconception; the *idea* was that application's segwit code would not
have to be reworked for future upgrades, but that information propagated
poorly.

(Just as well, because of overly strict standardness rules, the overflow
bug, and now the proposed validation changes, turns out this lack of
forward compat is a feature!)

Thanks!
Rusty.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20 23:52                 ` Mike Schmidt
@ 2020-10-21  4:51                   ` Rusty Russell
  2020-11-06 19:49                   ` Mike Schmidt
  1 sibling, 0 replies; 24+ messages in thread
From: Rusty Russell @ 2020-10-21  4:51 UTC (permalink / raw)
  To: Mike Schmidt, Bitcoin Protocol Discussion,
	Bitcoin Protocol Discussion, Pieter Wuille
  Cc: John Barboza

Mike Schmidt via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
writes:
> I am happy to re-test the services Harding listed previously for v1 send
> support next week.
>
> Suggestions of additional services that would be valuable to test are
> welcome as well.

Thanks!  I am a little disappointed that I won't get to ask Bitcoin
Twitter to send tips to Pieter[1] though...

I would like to hear from the services who currently support v1+ (who
thus *would* have to change their software) whether they have a
technical preference for option 1 or 2.

Cheers,
Rusty.
[1] Or just maybe, tips to some random miner...


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-08  0:21 [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173) Rusty Russell
  2020-10-08 14:59 ` David A. Harding
@ 2020-10-28  0:20 ` Pieter Wuille
  2020-12-05 22:59   ` Pieter Wuille
  1 sibling, 1 reply; 24+ messages in thread
From: Pieter Wuille @ 2020-10-28  0:20 UTC (permalink / raw)
  To: Rusty Russell, Bitcoin Protocol Discussion

On Wednesday, October 7, 2020 5:21 PM, Rusty Russell via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> I propose an alternative to length restrictions suggested by
> Russell in https://github.com/bitcoin/bips/pull/945: use the
> https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb variant,
> unless the first byte is 0.

Hi all,

starting a slight side-thread here.

The discussion here made me realize that as we're introducing (at some point) a new checksum scheme, we don't just care about the new scheme's own error detection capabilities, but also about the probability that a new style address + errors is incorrectly accepted as an old style address.


Clearly these properties are less of a priority than just the new-style + error being misinterpreted as a new-style address, as problems will only occur when entering a new address with errors in old software that supports the old scheme (which this thread shows, is not very common). Still, all other things being equal, it can't hurt to see if some choices are better than others.

https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb suggested the use of constant M = 0x3FFFFFFF. It turns out this is slightly suboptimal in two ways:

* It's possible to take a new-style address with that constant, make 3 substitution errors, and obtain an old-style address.
* If a new-style address ends with '7', inserting 'g78u' just before it will result in a valid old-style address (ignoring length constraints).

I don't think either of these is serious, but it's possible to improve upon them:

* Guaranteeing that 4 substitution errors are always detected while switching schemes seems impossible, but a constant can be picked that guarantees 3 errors always are.
* Insertion/deletion errors can be restricted to patterns that require 6 fixed characters (which, assuming uniformly random characters, implies a probability of 2^-30).

It seems M=0x3ffeffff has both these properties.

I'm going to do some more analysis (swapping, and insertion/erasure near the start), and then update my gist, but so far it seems this is a strictly (albeit only slightly) better choice.

Cheers,

--
Pieter



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-20 23:52                 ` Mike Schmidt
  2020-10-21  4:51                   ` Rusty Russell
@ 2020-11-06 19:49                   ` Mike Schmidt
  2020-12-05 23:10                     ` Pieter Wuille
  1 sibling, 1 reply; 24+ messages in thread
From: Mike Schmidt @ 2020-11-06 19:49 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 1755 bytes --]

Well I sure picked a bad couple weeks to volunteer to send a bunch of
Bitcoin test transactions...

While I tested less than I would have liked, there are some notable results:

- Green wallet segwit v1 send resulted in funds being sent to the wrong
address (bc1qmfr3p9j00pfxjh0zmgp99y8zftmd3s5pmedqhyptwy6lm87hf5sstpn3we
instead of my intended destination, Pieter's r5n8 address. You can see this
with Rusty's test transaction as well:
ef1662fd2eb736612afb1b60e3efabfdf700b1c4822733d9dbe1bfee607a5b9b
Blockstream is aware of the issue and has fixes.
- Blockchain.com's wallet behaved similarly, sending to the same, incorrect
address. Rusty's blockchain.com transaction for reference:
64b0fcb22d57b3c920fee1a97b9facec5b128d9c895a49c7d321292fb4156c21
I will be reaching out to Blockchain's team to let them know about this.
- Blockchain.info's explorer suffers similarly, "Unable to decode output
address" when viewing a tx with v1 output, and inability to display address
details for a v1 address
- Bitgo accepts a v1 send address, but then a “Server error” during send
occurs
- Coinbase (web) reported on final step of sending: Your send failed Please
enter a valid email or Bitcoin address
- brd sends successfully to v1
- bitrefill, casa, xapo, wasabi, all previously failed address validation,
and still fail address validation
- binance, bitmex, kraken, all previously failed address validation, but
now accept v1 addresses. I did not attempt full send with these services,
simply passing initial validations.
- While Riccardo noted that Aqua successfully sent to Pieter's address
(b48a59fa9e036e997ba733904f631b1a64f5274be646698e49fd542141ca9404) Ive been
informed Aqua has disabled send to v1 addresses for now.

[-- Attachment #2: Type: text/html, Size: 2115 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-10-28  0:20 ` Pieter Wuille
@ 2020-12-05 22:59   ` Pieter Wuille
  0 siblings, 0 replies; 24+ messages in thread
From: Pieter Wuille @ 2020-12-05 22:59 UTC (permalink / raw)
  To: Rusty Russell, Bitcoin Protocol Discussion

> On Wednesday, October 7, 2020 5:21 PM, Rusty Russell via bitcoin-dev bitcoin-dev@lists.linuxfoundation.org wrote:
>
> > I propose an alternative to length restrictions suggested by
> > Russell in https://github.com/bitcoin/bips/pull/945: use the
> > https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb variant,
> > unless the first byte is 0.
>
> Hi all,
>
> starting a slight side-thread here.

Another update, and a longer write-up.


Introduction
------------

Bech32's checksum algorithm was designed to be strong against substitution
errors, but it also provides some protection against more general classes of
errors. The final constant M that is XOR'ed into the checksum influences that
protection. BIP173 today uses M=1, but it is now known that this has a
weakness: if the final character is a "p", any number of "q" characters can be
inserted or erased right before it, without invalidating the checksum.

As it was recognized that other constants do not have this issue, the obvious
question is whether this is the only possible type of weakness, and if not, if
there is an optimal constant to use that minimizes the largest number of
weaknesses.

Since my last mail I've realized that it is actually possible to analyse the
behavior of these final constants under a wide variety of error classes
(substitutions, deletions, insertions, swaps, duplications) programatically.
Greg Maxwell and I have used this to perform an exhaustive analysis of certain
error patterns for all 2^30 possible M values, selected a number of criteria
to optimize for, and conclude that we should use as constant:

  M = 0x2bc830a3

The code used to do this analysis, as well as the code used to verify some
expected properties of the final result, and more, can be found on
https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e

See results_final.txt to see how this constant compares with the previously
suggested constants 1, 0x3fffffff, and 0x3fefffff.

Properties
----------

If we define an error as a deletion of one position, a swap of adjacent
positions, a substitution in a specific position with a random character, an
insertion of one random character in a specific position, or a duplication of
the character in a specific position, then this M constant above gives us the
following properties:

* For generic HRPs and errors that don't affect the first 6 data characters,
  or alternatively averaged over all HRPs (see details futher):
  * Always detected:
    * (P) Up to 4 substitution errors (true for any constant).
    * (Q) Any valid code with the new constant, fed without modification to
          software that uses the old constant 1 (true for any constant).
  * Any error pattern has failure to detect probability <= 2^-30:
    * (L) Any number of errors restricted to a single window of up to 4
          characters.
    * (B) Up to two errors restricted to a window of up to 68 characters.
    * (D) Any one error made to a valid code with the new constant, and fed to
          software that uses the old constant 1
  * Most error patterns have probability <= 2^-30:
    * (C) Up to two errors in general: out of 23926796 such error patterns,
          0.0040% have probability 2^-25.
    * (N) Up to three errors restricted to a window of up to 69 characters:
          out of 284708444 such patterns, 0.033% have probability 2^-25.
    * (O) Up to three errors in general: out of 295744442 such error patterns,
          0.034% have probability 2^-25; 0.000065% have probability 2^-20.
    * (G) Up to two errors made to a valid code with the new constant, and fed
          to software that uses the old constant 1: out of 2831622 such error
          patterns, 0.048% have probability 2^-25.

* Specifically for the bc1 HRP, with the BIP173 length restrictions:
  * Always detected:
    * (R) Up to 4 substitution errors (true for any constant).
    * (A) Up to 3 substitution errors made to a valid code with the new
          constant, and fed to software that uses the old constant 1.
  * Any error pattern has failure to detect probability <= 2^-30:
    * (E) Any one error.
    * (F) Any one error made to a valid code with the new constant, and fed to
          software that uses the old constant 1.
    * (H) Up to two errors restricted to a window of 28 characters.
  * Most error patterns have probability <= 2^-30:
    * (J) Up to two errors in general: out of 455916 such error patterns,
          0.039% have probability 2^-25; 0.0053% have 2^-20.
    * (K) Any number of errors restricted to a window of 4 characters: out of
          5813139 such error patterns, 0.0016% have probability 2^-25.
    * (M) Up to three errors: out of 50713466 such error patterns, 0.078% have
          probability 2^-25; 0.00063% have 2^-20.
    * (I) Up to two errors made to a valid code with the new constant, and fed
          to software that uses the old constant 1: out of 610683 such error
          patterns, 0.092% have probability 2^-25; 0.00049% have probability
          2^-20.

To give an idea of what these probabilities mean, consider the known BIP173
insertion issue. It admits an error pattern of 1 error (insertion in
penultimate position) that has a failure to detect probability of 2^-10:
it requires the final character to be 'p', and the inserted character to be
'q'. Assuming those are both random, we have a chance of 1 in 32*32 to hit it.
Note that the choice of *what* the error pattern is (whether it's insertion,
and where) isn't part of our probabilities: we try to make sure that *every*
pattern behaves well, not just randomly chosen ones, because presumably humans
make some kinds of errors more than others, and we don't know which ones.

All the analyzed patterns above are guaranteed to be detected with probability
2^-20 or better (and most are 2^-30). Of course, if we'd search for even
larger classes of errors, say any 4 independent errors of any type, we would
probably discover patterns with worse probabilities, but at that point the
probability of the pattern itself being hit should be taken into account.

The selection was made based on these same properties:
* Start with the set of all 2^30 constants.
* The generic properties (L), (B), (D), (C), (N), (O), and (G) were selected
  for by rejecting all constants that left any worse error patterns (e.g.
  all codes for which patterns matching (N) existed with failure probability
  above 2^-25 were removed). All these restrictions are as strong as they
  can be: making them over longer strings, wider windows, or more errors with
  the same restrictions removes all remaining constants. This leaves us with
  just 12054 acceptable constants.
* The same was then done for the bc1/BIP173 specific properties (A), (E), (J),
  (F), (H), (K), (M), and (I). This reduces the set further to 79 acceptable
  constants. The full analysis output for all of these can be found in
  output.txt.
* Finally, the constant with the minimal number of worst-probability patterns
  was chosen for the generic property (N). The single constant 0x2bc830a3
  remains.
* This solution and a few of its expected properties were then validated using
  a simple program that makes random errors (see the monte_carlo.py file).


Technical details
-----------------

For the purpose of this analysis, define an "error pattern" as a starting
length (of a valid string consisting of otherwise randomly chosen characters)
combined with a sequence of the following (in this order):
* 0 or more deletions of characters at specific positions (without
  constraining what those characters are)
* 0 or more swaps of characters at specific positions with the character
  following it
* 0 or more substitutions of characters at specific positions with a uniformly
  randomly selected character
* 0 or more insertions of uniformly randomly selected characters at specific
  positions
* 0 or more duplications of characters at specific positions (including
  duplications of characters inserted/substituted in the previous steps)

Examples:
* "Start with a random valid 58 character string, remove the 17th character,
  swap the 11th character with the 12th character, and insert a random
  character in the 24th position" is an error pattern.
* "Replace the 17th through 24th characters in a 78 character string with
  'aardvark'" is not an error pattern, because substituted characters have to
  be random, and can't be specific values.

Given such a pattern, assign variable names to every input character, and to
every inserted/substituted character. For example, the pattern "Start with
a 6 character string, delete the 1st character, swap the 2nd and 3rd
character, and insert a random character between those" would be represented
as [v0 v1 v2 v3 v4 v5] and [v1 v3 v6 v2 v4 v5]. Treat these variables as
elements of GF(32), and write out the equations that both the first and second
list have a valid checksum. Due to the fact that BCH codes are linear, this is
just a linear set of equations over GF(32), and we can use Gaussian
elimination to find the size of the solution space. If the input and output
are the same length, we need to subtract the number of solutions for which the
input and output are exactly the same, which is easy to find with another set
of equations. Now compute the ratio of this number divided by (32^numvars /
32^6), where the 32^6 is due to the precondition that the input string is
valid. This gives us the probability of failure, assuming input and output are
random, apart from the known relation between the two, and the fact that both
are valid.

This technique has an important limitation: it can only reason about randomly-
chosen input strings, and the presence of the HRP and version numbers at the
start violates that assumption. These are not random, and we're forced to
make one of these concessions:
1) Ignore the problem, and treat the HRP as random. This lets us derive
   properties that hold over all potential HRPs on average, but will thus fail
   to account for the possibility that for a small numbers of potential HRPs
   some error patterns may exist that behave worse. For technical reasons,
   this averaging makes all constants behave identically for error patterns
   that don't change the length of the string. Given that substitution/swap
   only errors are already dealt with well due to the BCH design this is
   perhaps not too important. One exception is frame-shifting errors (a
   deletion in one place compensated with an insertion in another place).
2) Restrict analysis to error patterns that don't affect the first 6 actual
   characters. Doing so "masks" the effect of the HRP completely.
3) Do analysis for specific HRPs only, allowing much more accurate statements,
   but HRP-specific ones that may not hold for every HRP.

Our final selection primarily optimizes for 1) and 2) as those benefit all
potential uses of the encoding, but do optimize for 3) the "bc1" prefix
specifically (and the BIP173 length restriction) as a tiebreaker.

The code for this can be found under the link above, in const_analysis.cpp.

Cheers,

--
Pieter



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-11-06 19:49                   ` Mike Schmidt
@ 2020-12-05 23:10                     ` Pieter Wuille
  2020-12-06 13:04                       ` David A. Harding
  0 siblings, 1 reply; 24+ messages in thread
From: Pieter Wuille @ 2020-12-05 23:10 UTC (permalink / raw)
  To: Mike Schmidt, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 1112 bytes --]

On Friday, November 6, 2020 11:49 AM, Mike Schmidt via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> Well I sure picked a bad couple weeks to volunteer to send a bunch of Bitcoin test transactions...
>
> While I tested less than I would have liked, there are some notable results:

I think these results really show there is no reason to try to maintain the old-software-can-send-to-future-segwit-versions property, given that more than one not just didn't support it, but actually sent coins into a black hole.

Thus, I agree with Rusty that we should change the checksum for v1+ unconditionally. That also means that old senders are protected from the insertion issue (by failing, as we can guarantee that new-checksum addresses, even after a few errors, are invalid to old software).

I've sent another mail in this thread with details, but the TL;DR is that we should use the constant M=0x2bc830a3 rather than 0x3fffffff as previous suggested. More information on https://gist.github.com/sipa/14c248c288c3880a3b191f978a34508e.

Absent objections, I'll write up a BIP soon.

Cheers,

--
Pieter

[-- Attachment #2: Type: text/html, Size: 1605 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-12-05 23:10                     ` Pieter Wuille
@ 2020-12-06 13:04                       ` David A. Harding
  2020-12-06 20:43                         ` Pieter Wuille
  2020-12-08 17:39                         ` Ryan Grant
  0 siblings, 2 replies; 24+ messages in thread
From: David A. Harding @ 2020-12-06 13:04 UTC (permalink / raw)
  To: Pieter Wuille, Bitcoin Protocol Discussion

[-- Attachment #1: Type: text/plain, Size: 1427 bytes --]

On Sat, Dec 05, 2020 at 11:10:51PM +0000, Pieter Wuille via bitcoin-dev wrote:
> I think these results really show there is no reason to try to
> maintain the old-software-can-send-to-future-segwit-versions property,
> given that more than one not just didn't support it, but actually sent
> coins into a black hole.

I don't think this is a good criteria to use for making a decision.  We
shouldn't deny users of working implementations the benefit of a feature
because some other developers didn't implement it correctly.

> Thus, I agree with Rusty that we should change the checksum for v1+
> unconditionally. 

I disagreed with Rusty previously and he proposed we check to see how
disruptive an address format change would be by seeing how many wallets
already provide forward compatibility and how many would need to be
updated for taproot no matter what address format is used.  I think that
instead is a good criteria for making a decision.

I understand the results of that survey to be that only two wallets
correctly handled v1+ BIP173 addresses.  One of those wallets is Bitcoin
Core, which I personally believe will unhesitatingly update to a new
address format that's technically sound and which has widespread support
(doubly so if it's just a tweak to an already-implemented checksum
algorithm).

Given that, I also now agree with changing the checksum for v1+.

Thanks,

-Dave


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-12-06 13:04                       ` David A. Harding
@ 2020-12-06 20:43                         ` Pieter Wuille
  2020-12-08 17:39                         ` Ryan Grant
  1 sibling, 0 replies; 24+ messages in thread
From: Pieter Wuille @ 2020-12-06 20:43 UTC (permalink / raw)
  To: David A. Harding; +Cc: Bitcoin Protocol Discussion






‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, December 6, 2020 5:04 AM, David A. Harding <dave@dtrt.org> wrote:

> On Sat, Dec 05, 2020 at 11:10:51PM +0000, Pieter Wuille via bitcoin-dev wrote:
>
> > I think these results really show there is no reason to try to
> > maintain the old-software-can-send-to-future-segwit-versions property,
> > given that more than one not just didn't support it, but actually sent
> > coins into a black hole.
>
> I don't think this is a good criteria to use for making a decision. We
> shouldn't deny users of working implementations the benefit of a feature
> because some other developers didn't implement it correctly.
>
> > Thus, I agree with Rusty that we should change the checksum for v1+
> > unconditionally.
>
> I disagreed with Rusty previously and he proposed we check to see how
> disruptive an address format change would be by seeing how many wallets
> already provide forward compatibility and how many would need to be
> updated for taproot no matter what address format is used. I think that
> instead is a good criteria for making a decision.
>
> I understand the results of that survey to be that only two wallets
> correctly handled v1+ BIP173 addresses. One of those wallets is Bitcoin
> Core, which I personally believe will unhesitatingly update to a new
> address format that's technically sound and which has widespread support
> (doubly so if it's just a tweak to an already-implemented checksum
> algorithm).

Hi Dave,

You're right to point out there is nuance I skipped over.

Let's look at the behavior of different classes of software/services that exist today when trying to send to v1+ addresses:

(A) Supports sending to v1+ today
  * Old proposal: works, but subject to bech32 insertion issue
  * New proposal: fails
(B) Fails to send to v1+ today
  * Old proposal: fails
  * New proposal: fails
(C) Incorrectly sends to v1+ today
  * Old proposal: lost funds
  * New proposal: fails

So the question is how the support for sending to v1+ in (a) software weighs up against protecting both (a) from the insertion issue, and (c) from lost funds. I do think (c) matters in this equation - people may choose to avoid adopting v1+ witnesses if it were to be known that some senders out there would misdirect funds. But the fact that (a) is small also means there is very little to gain from the old proposal.

So perhaps I should have formulated it as: the small number of v1+ compatible senders today (regardless of the reasons for that) shows how futile the attempt to have one address type for all witness versions was, and the fact that there are even some who misdirect(ed) funds is the final nail in the coffin. Changing the checksum unconditionally gives us a new attempt at that.

> Given that, I also now agree with changing the checksum for v1+.

Great.

Cheers,

--
Pieter



^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-12-06 13:04                       ` David A. Harding
  2020-12-06 20:43                         ` Pieter Wuille
@ 2020-12-08 17:39                         ` Ryan Grant
  2020-12-18  2:02                           ` Pieter Wuille
  1 sibling, 1 reply; 24+ messages in thread
From: Ryan Grant @ 2020-12-08 17:39 UTC (permalink / raw)
  To: Bitcoin Protocol Discussion

It looks like a good strategy for a bech32 library that is external to
Bitcoin Core would be:

  - Default to the new M, under the same bech32 brand.

  - Provide an interface to explicitly use both M=1 and M=0x2bc830a3.

  - If decoding fails, throw an error; but in constructing that error
    inform whether the other M would have succeeded.

  - Provide an interface for a BIP173 implementation to peek at the
    witness version byte of the data part, which may also involve
    sanity-checking that byte for errors using a BIP173-specific
    understanding of the appropriate checksum.

    Return values for this special interface might currently be:
      "it's version zero, based on a clean decoding",
      "it's version one,  based on a clean decoding",
      "it's version zero, based on an auto-corrected byte",
      "it's version one,  based on an auto-corrected byte",
      "no result, due to a decoding error on this byte", and
      "too many errors to say anything more about decoding".

Although the reasoning is clear for doing so, looking into the data
that is supposed to be checksummed to determine which checksum to use
is not very elegant.  There are two trips into a bech32 library for a
BIP173 decoding, and an indeterminate result on the version byte would
require heuristics for deciding what to do with the rest of the data
part to even advise the user on the error.  Because of this, as a
library writer I would be tempted to auto-correct the witness version
byte (against the "SHOULD NOT" advice of BIP173's current version), if
it were the only one corrupted, as per the example return values
above.  Please advise.

Some of the libraries that will be contemplating these steps include:
  https://github.com/topics/bech32?o=desc&s=stars

Here are three existing uses of bech32 that are external to Bitcoin Core:

  https://github.com/lightningnetwork/lightning-rfc/blob/master/11-payment-encoding.md
  https://github.com/btcontract/lnurl-rfc
  https://github.com/bitcoin/bips/blob/master/bip-0136.mediawiki

Of the above, I think BIP136 can be unconditionally moved to
M=0x2bc830a3 due to having little legacy burden.


^ permalink raw reply	[flat|nested] 24+ messages in thread

* Re: [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)
  2020-12-08 17:39                         ` Ryan Grant
@ 2020-12-18  2:02                           ` Pieter Wuille
  0 siblings, 0 replies; 24+ messages in thread
From: Pieter Wuille @ 2020-12-18  2:02 UTC (permalink / raw)
  To: Ryan Grant; +Cc: Bitcoin Protocol Discussion

On Tuesday, December 8, 2020 9:39 AM, Ryan Grant <bitcoin-dev@rgrant.org> wrote:

> It looks like a good strategy for a bech32 library that is external to
> Bitcoin Core would be:
>
> -   Default to the new M, under the same bech32 brand.
> -   Provide an interface to explicitly use both M=1 and M=0x2bc830a3.
> -   If decoding fails, throw an error; but in constructing that error
>     inform whether the other M would have succeeded.
>
> -   Provide an interface for a BIP173 implementation to peek at the
>     witness version byte of the data part, which may also involve
>     sanity-checking that byte for errors using a BIP173-specific
>     understanding of the appropriate checksum.

I think there are two possible interfaces that make sense:

- Have the caller explicitly specify whether they want bech32 or bech32m (which someone - I think Rusty? - started using in reference to this new code and I'm going to adopt now).

- Have the bech32 decoding function return a tristate (failed, valid as bech32, valid as bech32m). No string is ever valid as both, so there is no loss of information here.

The former is a bit cleaner, and also the only real choice if error location hinting is desired. The second is more efficient if decoding twice is a performance concern.

Cheers,

--
Pieter



^ permalink raw reply	[flat|nested] 24+ messages in thread

end of thread, other threads:[~2020-12-18  2:02 UTC | newest]

Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-08  0:21 [bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173) Rusty Russell
2020-10-08 14:59 ` David A. Harding
2020-10-08 15:21   ` Russell O'Connor
2020-10-15  1:40   ` Rusty Russell
2020-10-16 21:09     ` Pieter Wuille
2020-10-19  0:49       ` Rusty Russell
2020-10-19 22:55         ` Pieter Wuille
2020-10-20  0:42           ` Rusty Russell
2020-10-20  3:31             ` Rusty Russell
2020-10-20  9:21               ` Riccardo Casatta
2020-10-20 10:29             ` David A. Harding
2020-10-20 20:12               ` Pieter Wuille
2020-10-20 23:52                 ` Mike Schmidt
2020-10-21  4:51                   ` Rusty Russell
2020-11-06 19:49                   ` Mike Schmidt
2020-12-05 23:10                     ` Pieter Wuille
2020-12-06 13:04                       ` David A. Harding
2020-12-06 20:43                         ` Pieter Wuille
2020-12-08 17:39                         ` Ryan Grant
2020-12-18  2:02                           ` Pieter Wuille
2020-10-21  3:05         ` ZmnSCPxj
2020-10-21  4:39           ` Rusty Russell
2020-10-28  0:20 ` Pieter Wuille
2020-12-05 22:59   ` Pieter Wuille

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox