public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Matt Corallo <lf-lists@mattcorallo.com>
To: Russell O'Connor <roconnor@blockstream.io>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_CODESEPARATOR Re: BIP Proposal: The Great Consensus Cleanup
Date: Fri, 8 Mar 2019 18:35:42 +0000	[thread overview]
Message-ID: <db3405ef-7e06-9538-0700-df37abaa602d@mattcorallo.com> (raw)
In-Reply-To: <CAMZUoKk3CgatSexAHRuxn3ibCYwgHpTkc0gF0yDi6hLAVcCiNA@mail.gmail.com>

Replies inline.

On 3/8/19 3:57 PM, Russell O'Connor wrote:
> On Thu, Mar 7, 2019 at 2:50 PM Matt Corallo <lf-lists@mattcorallo.com 
> <mailto:lf-lists@mattcorallo.com>> wrote:
> It's very easy to construct a practical script using OP_CODESEPARATOR.
> 
> IF <2> <ALICEPUBKEY> <BOBPUBKEY> <2> CHECKMULTISIGVERIFY ELSE 
> CODESEPARATOR <ALICEPUBKEY> CHECKSIGVERFY ENDIF
> 
> Now when someone hands Alice, the CFO of XYZ corp., some transaction, 
> she has the option of either signing it unilaterally herself, or 
> creating a partial signature such that the transaction additionally 
> needs Bob, the CEOs signature as well, and Alice's choice is committed 
> to the blockchain for auditing purposes later.
> 
> Now, there are many things you might object about this scheme, but my 
> point is that (A) regardless of what you think about this scheme, it, or 
> similar schemes, may have been devised by users, and (B) users may have 
> already committed funds to such schemes, and due to P2SH you cannot know 
> that this is not the case.

The common way to set that up is to have a separate key, but, ok, fair 
enough. That said, the argument that "it may be hidden by P2SH!" isn't 
sufficient here. It has to *both* be hidden by P2SH and have never been 
spent from (either on mainnet or testnet) or be lock-timed a year in the 
future. I'm seriously skeptical that someone is using a highly esoteric 
scheme and has just been pouring money into it without ever having 
tested it or having withdrawn any money from it whatsoever. This is just 
a weird argument.


> Please don't strawman my position.  I am not suggesting we don't fix a 
> vulnerability in Bitcoin.  I am suggesting we find another way.  One 
> that limits the of risk destroying other people's money.
> 
> Here is a more concrete proposal:  No matter how bad OP_CODESEPARATOR 
> is, it cannot be worse than instead including another input that spends 
> another identically sized UTXO.  So how about we soft-fork in a rule 
> that says that an input's weight is increased by an amount equal to the 
> number of OP_CODESEPARATORs executed times the sum of weight of the UTXO 
> being spent and 40 bytes, the weight of a stripped input. The risk of 
> destroying other people's money is limited and AFAIU it would completely 
> address the vulnerabilities caused by OP_CODESEPARATOR.

You're already arguing that someone has such an esoteric use of script, 
suggesting they aren't *also* creating pre-signed, long-locktimed 
transactions with many inputs isn't much of a further stretch 
(especially since this may result in the fee being non-standardly low if 
you artificially increase its weight).

Note that "just limit number of OP_CODESEPARATOR calls" results in a ton 
of complexity and reduces the simple analysis that fees (almost) have 
today vs just removing it allows us to also remove a ton of code.

Further note that if you don't remove it getting the efficiency wins 
right is even harder because instead of being able to cache sighashes 
you now have to (at a minimum) wipe the cache between each 
OP_CODESEPARATOR call, which results in a ton of additional 
implementation complexity.

> 
>      > I suggest an alternative whereby the execution of OP_CODESEPARATOR
>      > increases the transactions weight suitably as to temper the
>      > vulnerability caused by it.  Alternatively there could be some
>     sort of
>      > limit (maybe 1) on the maximum number of OP_CODESEPARATORs
>     allowed to be
>      > executed per script, but that would require an argument as to why
>      > exceeding that limit isn't reasonable.
> 
>     You could equally argue, however, that any such limit could render some
>     moderately-large transaction unspendable, so I'm somewhat skeptical of
>     this argument. Note that OP_CODESEPARATOR is non-standard, so getting
>     them mined is rather difficult in any case.
> 
> 
> I already know of people who's funds are tied up due to in other changes 
> to Bitcoin Core's default relay policy.  Non-standardness is not an 
> excuse to take other people's tied up funds and destroy them permanently.

Huh?! The whole point of non-standardness in this context is to (a) make 
soft-forking something out safer by derisking miners not upgrading right 
away and (b) signal something that may be a candidate for soft-forking 
out so that we get feedback. Who is getting things disabled who isn't 
bothering to *tell* people that their use-case is being hurt?!


  reply	other threads:[~2019-03-08 18:35 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-03-06 21:39 [bitcoin-dev] BIP Proposal: The Great Consensus Cleanup Matt Corallo
2019-03-07 10:44 ` Luke Dashjr
2019-03-07 19:44   ` Matt Corallo
2019-03-07 15:03 ` [bitcoin-dev] OP_CODESEPARATOR " Russell O'Connor
2019-03-07 19:50   ` Matt Corallo
2019-03-08 15:57     ` Russell O'Connor
2019-03-08 18:35       ` Matt Corallo [this message]
2019-03-09 18:29         ` Russell O'Connor
2019-03-10  3:25           ` Jacob Eliosoff
2019-03-11 17:49             ` Russell O'Connor
2019-03-12 21:08           ` Matt Corallo
2019-03-12 22:39             ` Jacob Eliosoff
2019-03-13  0:54               ` Gregory Maxwell
2019-03-13  1:34               ` Russell O'Connor
2019-03-08 19:12     ` Sjors Provoost
2019-03-08 20:14       ` Matt Corallo
2019-03-10 14:25         ` LORD HIS EXCELLENCY JAMES HRMH
2019-03-10 18:24           ` Moral Agent
2019-03-12  7:34             ` LORD HIS EXCELLENCY JAMES HRMH
2019-03-10 18:28           ` Dustin Dettmer
2019-03-11 19:15             ` Russell O'Connor
2019-03-12  2:23               ` Matt Corallo
2019-03-13  1:38                 ` Russell O'Connor
2019-03-09 18:29       ` Russell O'Connor
     [not found]       ` <PS2P216MB0179EFBEF7BEEE1C3F251F719D4E0@PS2P216MB0179.KORP216.PROD.OUTLOOK.COM>
2019-03-10 15:22         ` Russell O'Connor
2019-03-07 15:16 ` [bitcoin-dev] Sighash Type Byte; " Russell O'Connor
2019-03-07 19:57   ` Matt Corallo
2019-03-08 15:57     ` Russell O'Connor
2019-03-13  1:34       ` Russell O'Connor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=db3405ef-7e06-9538-0700-df37abaa602d@mattcorallo.com \
    --to=lf-lists@mattcorallo.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=roconnor@blockstream.io \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox