From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 092711033 for ; Fri, 12 Jan 2018 10:48:56 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-io0-f174.google.com (mail-io0-f174.google.com [209.85.223.174]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E8ABF12E for ; Fri, 12 Jan 2018 10:48:54 +0000 (UTC) Received: by mail-io0-f174.google.com with SMTP id f34so126874ioi.13 for ; Fri, 12 Jan 2018 02:48:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream.io; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Y89oJ3zzMmQa1xgHwXc7b7dg+gI21TKOdAy4Gk9ieM0=; b=f6pk+GUmeZ+z23Us+nD5uYjlOb1Jr/kgi36EXNqPVTuy+04wjYIPPSDk3MjyJ9fqSN v8CcHUFzryW4ai6fhW+4nu03Ay9jcJcnbhdbPIft4Ss3rgAMiH92H2LXfLUrCM9yhWGc PPq7Mm3goST3UEV6dOtIAP2g+nANkJFcmt0AY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Y89oJ3zzMmQa1xgHwXc7b7dg+gI21TKOdAy4Gk9ieM0=; b=eZrzv1S7h53B/1U7wLPcOeMFc+BurfYuhuzRC3XiD/k3Sk01fONg0uVn55X/0+Dvx4 LSDkH69/+MBNPx3Bt7c3Si6IOv/+61lPSkUE9PsCRRRxr8hMoeY1Aplt+ZEhQ+tQECZi 4jqHs2yenp/tfFiLumxo7bwg7onCRigtWuyVyEGu6rztEeIcKJDn+FsqT0B8znxgcpKl BkACLsqZWnA4NfaJ4rDn6v+No5+qqC9k4OcKRTxCOEzezEykOzmVvY2/duvHF7plMvKK nAX/gHQv7y0Vfoo2ou5B/NKjt4pUZ3FlYdc4sApumEbfzA3dcEBPyhk7ZyavvA9E6m2Y MrLA== X-Gm-Message-State: AKGB3mJ/vz0TezpPNtSnbpvCOlLINxMTb2G09n/poN0a7q+TpJ6sUm2Y vEoXbg7OkpH8V1UnIW9i9Euy6BVLRkIfbq55lrfgew== X-Google-Smtp-Source: ACJfBosJd7PUGzF8Eiic83dhYEiOmTnP0baTxbP6Ko8SNiY1AQ0a4v2FEpries+PbKdubywq4dvPGlFsGatptRrfi7Y= X-Received: by 10.107.172.69 with SMTP id v66mr24003670ioe.198.1515754134131; Fri, 12 Jan 2018 02:48:54 -0800 (PST) MIME-Version: 1.0 Received: by 10.2.160.194 with HTTP; Fri, 12 Jan 2018 02:48:33 -0800 (PST) In-Reply-To: References: <87608btgyd.fsf@rustcorp.com.au> From: "Russell O'Connor" Date: Fri, 12 Jan 2018 05:48:33 -0500 Message-ID: To: Pieter Wuille Content-Type: multipart/alternative; boundary="94eb2c05921abb6d9e05629202ba" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: Bitcoin Dev , Russell O'Connor , Kalle Alm Subject: Re: [bitcoin-dev] BIP 117 Feedback X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Jan 2018 10:48:56 -0000 --94eb2c05921abb6d9e05629202ba Content-Type: text/plain; charset="UTF-8" Putting aside for the moment the concerns that Pieter and Rusty have raised about BIP 117 (concerns which I agree with), is BIP 117 even a viable soft fork to begin with? When it comes to soft forks of Script, in the past there have been two kinds. The first kind is soft-forking new script semantics into NOPn codes. In this case, everyone ought to know that these op codes are reserved for future extensions and no one should be writing script that depends on NOPn having NOP behavior (For users who want real nop behaviour, there does exist a real NOP opcode). The second kind of soft-forking new script semantics is the reinterpretation of various wholesale scripts (historically via templates). Examples of this are Segwit and P2SH. In the case of Segwit, the scripts gaining new semantics were applied to a form of completely unsecured "anyone-can-spend" programs. Anyone who created such output prior to the activation of Segwit would know that anyone could claim ownership of those outputs, and therefore the possibility of losing the ability to spend legacy forms of these segwit-style outputs is arguably not harmful as no one in particular had ownership of such funds. The story for P2SH is somewhat similar: Prior to the activation of P2SH the creator of of P2SH style outputs would know that anyone could claim ownership of that style of output as soon as the hash preimage is published (in the mempool, for example). However, if I understand correctly, the situation for BIP 117 is entirely different. As far as I understand there is currently no restrictions about terminating a v0 witness program with a non-empty alt-stack, and there are no restrictions on leaving non-canonical boolean values on the main stack. There could already be commitments to V0 witness programs that, when executed in some reasonable context, leave a non-empty alt-stack and/or leave a non-canonical true value on the main stack. Unlike the P2SH or Segwit soft-forks, these existing commitments could be real outputs that currently confer non-trivial ownership over their associated funds. If BIP 117 were activated, these commitments would be subject to a new set of rules that didn't exist when the commitments were made. In particular, these funds could be rendered unspendable. Because segwit commitments are hashes of segwit programs, there is no way to even analyze the blockchain to determine if these commitments currently exist (and even if we could it probably woudln't be adequate protection). Naturally we shouldn't be making new rules that could, in principle, retroactively remove ownership of existing user's funds. > --94eb2c05921abb6d9e05629202ba Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Putting aside for the moment the concerns t= hat Pieter and Rusty have raised about BIP 117 (concerns which I agree with= ), is BIP 117 even a viable soft fork to begin with?

When it c= omes to soft forks of Script, in the past there have been two kinds.
The first kind is soft-forking new script semantics into NOPn codes.= =C2=A0 In this case, everyone ought to know that these op codes are reserve= d for future extensions and no one should be writing script that depends on= NOPn having NOP behavior (For users who want real nop behaviour, there doe= s exist a real NOP opcode).

The second kind of soft-forking ne= w script semantics is the reinterpretation of various wholesale scripts (hi= storically via templates).=C2=A0 Examples of this are Segwit and P2SH.=C2= =A0 In the case of Segwit, the scripts gaining new semantics were applied t= o a form of completely unsecured "anyone-can-spend" programs.=C2= =A0 Anyone who created such output prior to the activation of Segwit would = know that anyone could claim ownership of those outputs, and therefore the = possibility of losing the ability to spend legacy forms of these segwit-sty= le outputs is arguably not harmful as no one in particular had ownership of= such funds.=C2=A0 The story for P2SH is somewhat similar: Prior to the act= ivation of P2SH the creator of of P2SH style outputs would know that anyone= could claim ownership of that style of output as soon as the hash preimage= is published (in the mempool, for example).

However,= if I understand correctly, the situation for BIP 117 is entirely different= .=C2=A0 As far as I understand there is currently no restrictions about ter= minating a v0 witness program with a non-empty alt-stack, and there are no = restrictions on leaving non-canonical boolean values on the main stack.=C2= =A0 There could already be commitments to V0 witness programs that, when ex= ecuted in some reasonable context, leave a non-empty alt-stack and/or leave= a non-canonical true value on the main stack.=C2=A0 Unlike the P2SH or Seg= wit soft-forks, these existing commitments could be real outputs that curre= ntly confer non-trivial ownership over their associated funds.=C2=A0 If BIP= 117 were activated, these commitments would be subject to a new set of rul= es that didn't exist when the commitments were made.=C2=A0 In particula= r, these funds could be rendered unspendable.=C2=A0 Because segwit commitme= nts are hashes of segwit programs, there is no way to even analyze the bloc= kchain to determine if these commitments currently exist (and even if we co= uld it probably woudln't be adequate protection).

Naturally we shouldn&= #39;t be making new rules that could, in principle, retroactively remove ow= nership of existing user's funds.
=C2=A0