📅 Original date posted:2019-03-07
📝 Original message:On Wednesday 06 March 2019 21:39:15 Matt Corallo wrote:
> I'd like to ask the BIP editor to assign a BIP number.
Needs a Backward Compatibility section, and should have a bips repo PR opened
after discussion on the ML.
> * The 4th change (making non-standard signature hash types invalid)
> may be worth discussing. In order to limit the number of potential
> signature hashes which could be used per-input (allowing us to cache
> them to avoid re-calculation), we can disable non-standard sighash
> types. Alternatively, however, most of the same effect could be achieved
> by caching the just-before-the-last-byte sighash midstate and hashing
> only the last byte when a checking signatures. Still, them having been
> non-standard for many years makes me doubt there is much risk involved
> in disabling them, and I don't see much potential use-case for keeping
> them around so I'd like to just remove them.
I don't understand what is being removed here.
> As for why the timewarp vulnerability should (IMO rather obviously) be
> fixed, it seems rather clear that the only potential use for exploiting
> it would be either to inflate the currency supply maliciously by miners
> or to fork in what amounts to extension blocks. As for why extension
> blocks are almost certainly not the right approach to such changes, its
> likely worth reading this old post:
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-January/013510
>.html
While I agree that extension blocks are typically a bad choice, I'm not sure
the argument really applies to forward blocks. (That being said, I find
forward blocks overcomplicated and probably not a reason to avoid this.)
> * Transactions smaller than 65 bytes when serialized without witness
> data are invalid.
Rationale should include the reason(s) why the size doesn't count the witness
here.
> ** Note that miners today only enforce increasing timestamps against the
> median-timestamp-of-last-11-blocks, so miners who do not upgrade may
> mine a block which violates this rule at the beginning of a difficulty
> window if the last block in a difficulty window has a timestamp in the
> future. Thus, it is strongly recommended that SPV clients enforce the
> new nTime rules to avoid following any potential forks which occur.
This should probably be moved outside Discussion. (Perhaps to the missing
Backward Compatibility section?)
> * There are several early-stage proposals which may affect the execution
> of scripts, including proposals such as Schnorr signatures, Taproot,
> Graftroot, and MAST. These proposals are not expected to have any
> interaction with the changes in this BIP, as they are likely to only
> apply to SegWit scripts, which are not covered by any of the new rules
> except for the sighash type byte rule. Thus, the sighash type byte rule
> defined above only applies to *current* signature-checking opcodes, as
> any new signature-checking is likely to be implemented via the
> introduction of new opcodes.
It's not clear that new opcodes will necessarily always be used. Probably
would be good to clarify the "non-Segwit or witness v0 only" rule in the
Specification section.
Luke
Luke Dashjr [ARCHIVE] /
npub1tf…rfq0n
2023-06-07 18:16:44
in reply to nevent1q…e6x4
Author Public Key
npub1tfk373zg9dnmtvxnpnq7s2dkdgj37rwfj3yrwld7830qltmv8qps8rfq0nPublished at
2023-06-07 18:16:44Event JSON
{
"id": "847e10b6574d1516000b76c5de1fee6f552c5970702572d4f6bdf7c90679afc6",
"pubkey": "5a6d1f44482b67b5b0d30cc1e829b66a251f0dc99448377dbe3c5e0faf6c3803",
"created_at": 1686161804,
"kind": 1,
"tags": [
[
"e",
"0f85d6f59a6c1d027d0536082a10db1b9823b8c384caa4706f6d6be8ddcf51b4",
"",
"root"
],
[
"e",
"714c0300b1779ce32fd617f8ed0951735c8e1aecdb4456fc0f61c24130f1d159",
"",
"reply"
],
[
"p",
"cd753aa8fbc112e14ffe9fe09d3630f0eff76ca68e376e004b8e77b687adddba"
]
],
"content": "📅 Original date posted:2019-03-07\n📝 Original message:On Wednesday 06 March 2019 21:39:15 Matt Corallo wrote:\n\u003e I'd like to ask the BIP editor to assign a BIP number.\n\nNeeds a Backward Compatibility section, and should have a bips repo PR opened \nafter discussion on the ML.\n\n\u003e * The 4th change (making non-standard signature hash types invalid)\n\u003e may be worth discussing. In order to limit the number of potential\n\u003e signature hashes which could be used per-input (allowing us to cache\n\u003e them to avoid re-calculation), we can disable non-standard sighash\n\u003e types. Alternatively, however, most of the same effect could be achieved\n\u003e by caching the just-before-the-last-byte sighash midstate and hashing\n\u003e only the last byte when a checking signatures. Still, them having been\n\u003e non-standard for many years makes me doubt there is much risk involved\n\u003e in disabling them, and I don't see much potential use-case for keeping\n\u003e them around so I'd like to just remove them.\n\nI don't understand what is being removed here.\n\n\u003e As for why the timewarp vulnerability should (IMO rather obviously) be\n\u003e fixed, it seems rather clear that the only potential use for exploiting\n\u003e it would be either to inflate the currency supply maliciously by miners\n\u003e or to fork in what amounts to extension blocks. As for why extension\n\u003e blocks are almost certainly not the right approach to such changes, its\n\u003e likely worth reading this old post:\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-January/013510\n\u003e.html\n\nWhile I agree that extension blocks are typically a bad choice, I'm not sure \nthe argument really applies to forward blocks. (That being said, I find \nforward blocks overcomplicated and probably not a reason to avoid this.)\n\n\u003e * Transactions smaller than 65 bytes when serialized without witness\n\u003e data are invalid.\n\nRationale should include the reason(s) why the size doesn't count the witness \nhere.\n\n\u003e ** Note that miners today only enforce increasing timestamps against the\n\u003e median-timestamp-of-last-11-blocks, so miners who do not upgrade may\n\u003e mine a block which violates this rule at the beginning of a difficulty\n\u003e window if the last block in a difficulty window has a timestamp in the\n\u003e future. Thus, it is strongly recommended that SPV clients enforce the\n\u003e new nTime rules to avoid following any potential forks which occur.\n\nThis should probably be moved outside Discussion. (Perhaps to the missing \nBackward Compatibility section?)\n\n\u003e * There are several early-stage proposals which may affect the execution\n\u003e of scripts, including proposals such as Schnorr signatures, Taproot,\n\u003e Graftroot, and MAST. These proposals are not expected to have any\n\u003e interaction with the changes in this BIP, as they are likely to only\n\u003e apply to SegWit scripts, which are not covered by any of the new rules\n\u003e except for the sighash type byte rule. Thus, the sighash type byte rule\n\u003e defined above only applies to *current* signature-checking opcodes, as\n\u003e any new signature-checking is likely to be implemented via the\n\u003e introduction of new opcodes.\n\nIt's not clear that new opcodes will necessarily always be used. Probably \nwould be good to clarify the \"non-Segwit or witness v0 only\" rule in the \nSpecification section.\n\nLuke",
"sig": "c8135698e3d5f8f4efbf1cf488fa0e37dd8b0ba87f75aad6dfe070f44f2e07e184f3c8c6ccf3da00a8a5b9a871cf346d126a837372ddc6a09bd4a46fb0c996fe"
}