Re: [bitcoin-dev] New BIP: Dealing with OP_IF and OP_NOTIF malleability in P2WSH

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Johnson Lau <jl2012@xbt.hk>
To: Gregory Maxwell <greg@xiph.org>,
	 Russell O'Connor <roconnor@blockstream.io>,
	 Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>,
	 pete@petertodd.org
Subject: Re: [bitcoin-dev] New BIP: Dealing with OP_IF and OP_NOTIF malleability in P2WSH
Date: Tue, 16 Aug 2016 23:02:53 -0400 (EDT)	[thread overview]
Message-ID: <976728541.94211.1471402973613@privateemail.com> (raw)
In-Reply-To: <CAMZUoKm2VX=kL7c3QsenQmQeKnR86APwvdNduDOUtOrtzL2B6A@mail.gmail.com>

> On August 16, 2016 at 8:27 PM Russell O'Connor via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> 
> Okay.
> 
> I'm not really opposed to this BIP, but I am worried that fighting script malleability is a battle that can never be won; even leaving one avenue of malleability open is probably just as bad as having many avenues of malleability, so it just doesn't seem worthwhile to me.

Not really. I think the goal is to protect as many common scripts as possible.

For example:
1) BIP146 (Low S values signatures) will eliminate all malleability for P2WPKH
2) BIP146 + null dummy value for CHECKMULTISIG ("NULLDUMMY") will eliminate all malleability for simple multi-sig in P2WSH. This is particularly interesting since without NULLDUMMY, attackers are able to replace the dummy value with anything.
3) BIP146 + NULLDUMMY + minimal IF argument ("MINIMALIF") will eliminate malleability for any Lightening Network scripts that I'm aware of.

With 3), 99.99% of segwit transactions in foreseeable future should be fully protected.

The plan is to implement MINIMALIF as a relay policy first, and enforce the softfork after further risks assessment. This BIP serves as a warning to users for not using incompatible script.

Peter Todd:
> Having said that, a better approach may be a separate CHECKBOOLVERIFY opcode that fails unless the top item on the stack is a minimally encoded true or false value, to allow script writers to opt into this behavior; it's not always ideal.

I believe all Lightening Network scripts (the only real users of IF/NOTIF in foreseeable future) are already compatible with MINIMALIF. It may not be a good idea for them to spend 1 more byte to get protected.

If people want to have the original OP_IF behaviour, a simple way would be using "0NOTEQUAL IF". However, this works only if the argument is a valid number (also beware of MINIMALDATA rule in BIP62).

To completely replicate the original behaviour, one may use:
"DEPTH TOALTSTACK IFDUP DEPTH FROMALTSTACK NUMNOTEQUAL IF 2DROP {if script} ELSE DROP {else script} ENDIF"

This is because we don't have a simple OP_CASTTOBOOL, and IFDUP is 1 of the 4 codes that perform CastToBool on top stack item (the others are VERIFY, IF, and NOTIF; and VERIFY can't be used here since it terminates the script with a False).

next prev parent reply	other threads:[~2016-08-17  3:02 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-08-16 17:53 [bitcoin-dev] New BIP: Dealing with OP_IF and OP_NOTIF malleability in P2WSH Johnson Lau
2016-08-16 19:37 ` Luke Dashjr
2016-08-16 19:43   ` Peter Todd
2016-08-16 21:58     ` Joseph Poon
2016-08-16 22:23     ` Russell O'Connor
2016-08-16 22:30       ` Pieter Wuille
2016-08-16 22:36         ` Russell O'Connor
2016-08-16 22:39           ` Pieter Wuille
2016-08-16 22:52             ` Russell O'Connor
2016-08-17  0:18               ` Gregory Maxwell
2016-08-17  0:27                 ` Russell O'Connor
2016-08-17  2:30                   ` Peter Todd
2016-08-17  3:02                   ` Johnson Lau [this message]
2016-08-17  4:40                     ` Luke Dashjr
2016-08-17 10:15                       ` Johnson Lau
2016-08-18  0:11                         ` Sergio Demian Lerner
     [not found]                           ` <CAAS2fgQ=Z+xmg0DcANV4vhp+XhpL1Vz0HNkJwNGdHTxtK1q1kg@mail.gmail.com>
2016-08-18  0:33                             ` Sergio Demian Lerner
2016-08-18  3:00                               ` Peter Todd
2016-09-05 14:55             ` Russell O'Connor
2016-09-01 11:39 ` Johnson Lau
2016-09-05  1:32   ` Rusty Russell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=976728541.94211.1471402973613@privateemail.com \
    --to=jl2012@xbt.hk \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=greg@xiph.org \
    --cc=pete@petertodd.org \
    --cc=roconnor@blockstream.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox