From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Fri, 13 Jun 2025 04:15:35 -0700 Received: from mail-qv1-f61.google.com ([209.85.219.61]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1uQ2Ni-0005zO-Rr for bitcoindev@gnusha.org; Fri, 13 Jun 2025 04:15:35 -0700 Received: by mail-qv1-f61.google.com with SMTP id 6a1803df08f44-6fb2494ef24sf55013456d6.2 for ; Fri, 13 Jun 2025 04:15:35 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1749813329; cv=pass; d=google.com; s=arc-20240605; b=LxILl/QWYq2Xpy7n9mx69OsObFOiKl3xybW1TnFQ88ykUiMBIV2RbxpP18sYhiT66Q 1PA5P6/ZF83qgAuQmEKGIqtYY8fWNexJcd9GisAWOhrejMuF+zChahk1Rx7sgWq3ROVL ol+KwWFi7czCPUFkHfEUYMrFdAYWQkrttC8bt6t98A4ctYHGLrXjl0/S0lniXGmekuYY Ejaha9VVhSpOPHJ9DJz2O+jcnlRxWYoaYq9fGdNOCy1U7+TGVUM2h2de3VbPZzGs9vjj AfdISAyXmeS5gd7HIde91tLB8h5VIigh8ZMoeerYaKVwWPwmONntvbHhxGZ3S309/ifO MgtA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=2oHyaHK2pq77u2iWa7YI43eXIVK6OBTjQvebRARDwpI=; fh=hHQzCfkjT5brwFPpZYnbF2Di1OXdJjhYBGkUSNgST0U=; b=XnOI+xgA+IQEZN+JxTkKYYd2J0FvT92erPkBgXokwyaV4+dY0E+4j5ZB6kMzcZi8fX dOUi5lmd2luCLgqMnY8W5I4OVUKyOkE+VeTtw28UKjjGRc68plNvPh3lBERlajdNxv3a hqwv+vnpRmfi6268juF+YLc0qmJW11tein/G3yuTX+nsDcVdqAJr5DTH1hCplYcJT1cS 6cK9ZYkJgBgmyai1Kl8OeEc20hqWYYBu+64dfNPnGizkvj+i9hE8Dg2Ex2Ixw96LQDWr hsY2QuYPg4UUVzPXkl7FJqN46BWXx7WdL7SV+BPnXMAs4ZBgYkdSYzccWWPZ5oRwcleN n57w==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kDk9J+Uu; spf=pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1032 as permitted sender) smtp.mailfrom=antoine.riard@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1749813329; x=1750418129; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=2oHyaHK2pq77u2iWa7YI43eXIVK6OBTjQvebRARDwpI=; b=rsBXCko+HNbc0wP6tcOB/3Y3EP2/bfPEYSt+Lbw1ZUlBiLcf7UxV8R2+cnYw4hVrHP RwieSkLhzmDtCJ/LVDM+KdcYWVSp+ZW9dJtwEUYHn/gKAlSXUSXt7nmKVKaMJcwbAPyw C1z/fmDXClGatV86kLjS9DcmdCn4TPKJJaTUn3AkhetWidEl5nWTIz+mPrmNA/VsK+cG Dza2p+/eypprLrnAqFbNAXOiP1TimB5YcvhOyez7Q7LuypTabcrg5jDo8yVU/Zwb3aGQ D7yAFenyZCaKRW/2y59sltWGMzYUiK5M8D+AG8rn+S32s9dUJ8nYhzvaQP60z6lWQ9yi hQFg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1749813329; x=1750418129; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=2oHyaHK2pq77u2iWa7YI43eXIVK6OBTjQvebRARDwpI=; b=Cq91/0teiU6pYwWYLtMQWFlh3JlqoGyAVAXdFthkxKSh81xyhx1wxRJ+QLM5C99Sct VcQj4mWNlDMMZgjpSGzTGnWc5R6OfZzmHXyktPdrXqnGuYt91agH1eEz0iHyzjOzJduU jv8oJiD+7cl/fmc3NhJYryUsFVHrYWNwTSx9hcP7B4fDiOUZbwdmPoXoj4EO2aYDLgDS BmYRADZrm4X5wco80bYmlbXk8GbD/SYa4aSvWIA1iRj4YB8QSXu/+HOUsYFDtV1vVzTd TSUoQktK0UEjV/4SN+KA3KOr0CZ3BogrEZAlfXDvcv+Og76zTqNAf4NBrvcmYoG59q7M Qesg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749813329; x=1750418129; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=2oHyaHK2pq77u2iWa7YI43eXIVK6OBTjQvebRARDwpI=; b=J/7gxjyv5g1GqZkvxINVZCCroz7FTBQLAypR9NrrD8GRKheCtcyf2AO/2CktA6rCQx 6ZtJoM7OlwGW+0FXZhNZ1qp7f/EKSod+GeX28R5Su2LT8uiwuKYXI7FdMVEoJWQWOfMz XYXIPcV9SCiqB8r0DzVkb+hEJtRNLNDMn3J/XY8Rt/mK+I5DFCXFjhZqMbvgAc1rhrSz 3EjEVfxsScMbXPhWGrdSF+LbhczKaQNJ7wzge9GaoALJjGsiUfoVFKCkpxMOOLBIZzf7 HxnqIcn/3wl/jjdZZXdfPVJdNghgXJ3GDlBKpyFDjtfHvW5+4kHMfZB5ydYzBV7pySTr q3Yg== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCUpJTn2F+BpcADM4x/ybkZpmfpTzaASw1JCV8KeTYcDl6ywY7V1k1eaTecJMmIGj4j2KpcNOp+/eCaM@gnusha.org X-Gm-Message-State: AOJu0YxJrS/sggcngOMVl7PFUDTswIBRre4CB2GjWAqPjGmpl4/Idadd JjgifRrBbBy/fQWws2suysghE8atuTvmwweJ/GyHmS3j6w1csH6FHGzG X-Google-Smtp-Source: AGHT+IEmdNdXJ0VIAUHcwCBMGoBMEpmksztCFGAliJF0VINhlAFjRu04hP1pOzRNp7hNbWd6rLlscA== X-Received: by 2002:ad4:5c46:0:b0:6fa:ccb6:6038 with SMTP id 6a1803df08f44-6fb3e55cd3emr37984326d6.4.1749813329002; Fri, 13 Jun 2025 04:15:29 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com; h=AZMbMZcLk1/Tzq9aT/bTaEElfsre4RMtZhzJYtfGMF4iOVe7cA== Received: by 2002:a05:622a:11d5:b0:4a6:f986:ef80 with SMTP id d75a77b69052e-4a722c744cfls37866881cf.1.-pod-prod-04-us; Fri, 13 Jun 2025 04:15:25 -0700 (PDT) X-Received: by 2002:a05:620a:190c:b0:7c5:5cd6:5cea with SMTP id af79cd13be357-7d3bc390d24mr441417485a.15.1749813324896; Fri, 13 Jun 2025 04:15:24 -0700 (PDT) Received: by 2002:a05:620a:a702:b0:7c5:3b15:3956 with SMTP id af79cd13be357-7d3b38a75c2ms85a; Thu, 12 Jun 2025 18:19:10 -0700 (PDT) X-Received: by 2002:a05:6122:3208:b0:531:2afc:463e with SMTP id 71dfb90a1353d-5313ca7259dmr780131e0c.5.1749777549583; Thu, 12 Jun 2025 18:19:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1749777549; cv=none; d=google.com; s=arc-20240605; b=LGdMMEdGXQDQh+MFTQOy+UZgeQ/fe2O9b5ZvdpMsSZ/qXYjdBSqVL5yt0B3qUBMbKa MLcxNIMmXJLe7hOUT0O723FhMja2zQELsRcKZUqETsXLJF/4JWkFaH+6Z1VCRUYI9cvL jNVxekTvFBUM88a6cC+kFkoeg/yEcCCwcw1HpE+fZO3Ky9tWxFjLqFefkKfFrTWMvsJ6 KmLsAedzCEDj7y5GaM8Fs3Bip8vUi5OklQnFNmTdySogm5YqhcBJJD4i0nieSoSohbSk nOpo8Z6EWT81vQdZRsI4/VpE7HEuE0SHL7RPyI+4LivtaPbyXrRznxpm9a8Sojc0y6aJ jjSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=yIvi3tnQ/HLo7dgV6PHT5JsBtKNwmwlbqazK0sMVIfE=; fh=skq0ZBTFRWo7o51Q2kNvyBkgC5sF8HQPebRcIVmikNw=; b=HmZsRAjTUtzeq+VIlaCiLv4NVQEK19d6sgVL00fsx7zMTYRh3ofJaWThWIvIe12Tvu EA/C3xOOFw7nRPb37pnqLj8i46CoB1gmR2bpwNUUttF1RoWJWzRj//GAcFK46xTDTwNs OT6MmIMB1L8jaZOtKBTB9RD0Y6nvyKYe+5lT4yD0QfKCRDUJLa5akUyqweUyRpRco7nV YqfQNSwSxkxs6du3NXp/6sXx9gTjelsQlchd6vIB/tKA7c7X39Su2O26R+EVIbXX3NCe kmEOoIXJ4zKFt57Opsb/LHvQxB3xAyiOOd9mHq1dzKkk3DQtMK0EqgLZZiT2ZaPDkCiN gGhw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kDk9J+Uu; spf=pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1032 as permitted sender) smtp.mailfrom=antoine.riard@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com. [2607:f8b0:4864:20::1032]) by gmr-mx.google.com with ESMTPS id 71dfb90a1353d-5313dfbf303si17036e0c.3.2025.06.12.18.19.09 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 12 Jun 2025 18:19:09 -0700 (PDT) Received-SPF: pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1032 as permitted sender) client-ip=2607:f8b0:4864:20::1032; Received: by mail-pj1-x1032.google.com with SMTP id 98e67ed59e1d1-311bd8ce7e4so1434325a91.3 for ; Thu, 12 Jun 2025 18:19:09 -0700 (PDT) X-Gm-Gg: ASbGncs8XGX2PjqUQ3Wb+aGyE4uHY4OGwgiORTD+SE7EaKrXLDQfNOeA3zVC6L3rMKU 4aWHPgvEO5lKk4OL7Ap+O7gHUaYUpR1jm3w5J24YDHJmHqvDgBRD4C7t+9TFG3Xhz3FdXdSlsQ3 3v1PsrYvzQRoAuD0I1Q2IokNkdjITfH74jTE2Gxf8lccS0mXypZ/DFeHI= X-Received: by 2002:a17:90b:3b4e:b0:311:afd1:745b with SMTP id 98e67ed59e1d1-313d9c40188mr1939529a91.11.1749777548316; Thu, 12 Jun 2025 18:19:08 -0700 (PDT) MIME-Version: 1.0 References: <195051b7c393b9a28727e87647ac002b@dtrt.org> <1147a254-5033-4663-99f0-7e98a5b6b6c0@mattcorallo.com> <9fa96f90-dd9c-45e4-947f-0ce1049ef534n@googlegroups.com> In-Reply-To: From: Antoine Riard Date: Fri, 13 Jun 2025 02:18:57 +0100 X-Gm-Features: AX0GCFtoPwDty4ml1-CBq7-aZ7V7DbRueUE9PMEGCQ32e0eZUPkNajtwfgVOaKk Message-ID: Subject: Re: [bitcoindev] CTV + CSFS: a letter To: "James O'Beirne" Cc: Bitcoin Development Mailing List Content-Type: multipart/alternative; boundary="000000000000341402063769d526" X-Original-Sender: antoine.riard@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=kDk9J+Uu; spf=pass (google.com: domain of antoine.riard@gmail.com designates 2607:f8b0:4864:20::1032 as permitted sender) smtp.mailfrom=antoine.riard@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) --000000000000341402063769d526 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi James, Thanks for the additional thoughts. > In your example script, you're not making use of the template hash or OP_NOP4. I think this is where we're talking past each other as in example of the script previosuly given, there is a CTV opcode used in the first OP_IF branch. Here again the script: OP_IF OP_CHECKTEMPLATEVERIFY OP_ELSE OP_CHECKSIG OP_ENDIF Correct if I'm wrong, but in my understanding of BIP119, if the first path is taken, the templating will be checked on the spending transaction from the stack element. Of course, this is not a concern specific to OP_CTV and it's concerning all the non bitcoin witness v1 traffic. Though, apart of the additional work to change BIP119 and its code, I don't see why it's not technically rational to make BIP119 a bitcoin witness v1 only. Reducing the attack surface now, it's always less attack surface for funds locked in the future thanks to CTV. Indeed, if you see technical rational not to do CTV a segwit v1 and keep it as a legacy or you would like I explain better such "blocksig overflow attack", I'm all hear. The letter was asking for technical review. So here some "troubleshoot" review of CTV, which I believe it's worthy to fix in its design. I don't think it's a lot of work to make CTV a segwit v1, though I can suggest pseudo-code if you wish so. Re-iterating my previous commitment to advance on the review of CTV+ CSFS (and BIP54) during the next 6 months. Your letter was asking for some kind of goodwill signaling, here mine. Thanks for the degree of professionalism you're upholding in the wish to move the lines forward. Best, Antoine OTS hash: 03eedd0ff78d4417c53cb0eb5660c89d5d13f6e1c4fc55a8d7f2bb83f209ce5b Le jeu. 12 juin 2025 =C3=A0 04:34, James O'Beirne = a =C3=A9crit : > Hey Antoine, > > Thanks for the post. Based on my read of what you're describing > nothing in particular in your attack is specific to CTV. In your example > script, you're not making use of the template hash or OP_NOP4. > > As far as I can tell, the DoS you're describing basically affects all non > witness v1 activity on bitcoin - i.e. some malicious user filling blocks > up to their sigops limit to deny other users service. > > Given that probably most activity on bitcoin is not witness v1, > I don't see how this is a CTV-specific issue. > > Thanks, > James > > --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CALZpt%2BE5o3wLW6VMk5boyYBstM7AYt2PUaMPYR5jHt9EKXvvow%40mail.gmail.com. --000000000000341402063769d526 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi James,

Thanks for the additional thoughts.
> In your example script, you're not making use of the template ha= sh or OP_NOP4.

I think this is where we're talking past each oth= er as in example of the
script previosuly given, there is a CTV opcode u= sed in the first OP_IF
branch.

Here again the script:

=C2= =A0 =C2=A0 =C2=A0 =C2=A0 OP_IF
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0= =C2=A0 =C2=A0 <my_little_vault_hash> OP_CHECKTEMPLATEVERIFY
=C2= =A0 =C2=A0 =C2=A0 =C2=A0 OP_ELSE
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 <alice_bob_their_family_aggregated_pubkey> OP_CHECK= SIG
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OP_ENDIF

Correct if I'm wrong= , but in my understanding of BIP119, if the first
path is taken, the tem= plating will be checked on the spending transaction
from the <my_litt= le_vault_hash> stack element.

Of course, this is not a concern sp= ecific to OP_CTV and it's concerning
all the non bitcoin witness v1 = traffic. Though, apart of the additional
work to change BIP119 and its c= ode, I don't see why it's not technically
rational to make BIP11= 9 a bitcoin witness v1 only.

Reducing the attack surface now, it'= ;s always less attack surface for
funds locked in the future thanks to C= TV. Indeed, if you see technical
rational not to do CTV a segwit v1 and = keep it as a legacy or you would
like I explain better such "blocks= ig overflow attack", I'm all hear.

The letter was asking fo= r technical review. So here some "troubleshoot"
review of CTV,= which I believe it's worthy to fix in its design. I don't
think= it's a lot of work to make CTV a segwit v1, though I can suggest
ps= eudo-code if you wish so.

Re-iterating my previous commitment to adv= ance on the review of CTV+ CSFS
(and BIP54) during the next 6 months. Yo= ur letter was asking for some kind
of goodwill signaling, here mine.
=
Thanks for the degree of professionalism you're upholding in the wi= sh
to move the lines forward.

Best,
Antoine
OTS hash: 03eed= d0ff78d4417c53cb0eb5660c89d5d13f6e1c4fc55a8d7f2bb83f209ce5b

Le=C2=A0jeu. 12 juin 2025 =C3=A0=C2=A004:34, James O'Beirne <<= a href=3D"mailto:james.obeirne@gmail.com">james.obeirne@gmail.com> a= =C3=A9crit=C2=A0:
Hey Antoine,

=
Thanks for the post. Based on my read of what you're describing
nothing in particular in your attack is specific to CTV. In your ex= ample
script, you're not making use of the template hash or O= P_NOP4.

As far as I can tell, the DoS you're d= escribing basically affects all non
witness v1 activity on bitcoi= n - i.e. some malicious user filling blocks
up to their sigops li= mit to deny other users service.

Given that probab= ly most=C2=A0activity on bitcoin is not witness v1,
I don't s= ee how this is a CTV-specific issue.

Thanks,
=
James

--
You received this message because you are subscribed to the Google Groups &= quot;Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoind= ev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/= msgid/bitcoindev/CALZpt%2BE5o3wLW6VMk5boyYBstM7AYt2PUaMPYR5jHt9EKXvvow%40ma= il.gmail.com.
--000000000000341402063769d526--