Pieter Wuille [ARCHIVE] on Nostr
📅 Original date posted:2020-10-16
📝 Original message:

Hi Rusty,

thanks for starting this thread. We definitely should make a decision around
this soon.

On Wednesday, October 14, 2020 6:40 PM, Rusty Russell via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > > Here's a summary of each proposal:
> > > Length restrictions (future segwits must be 10, 13, 16, 20, 23, 26, 29,
> > > 32, 36, or 40 bytes)
> > >
> > > 1. Backwards compatible for v1 etc; old code still works.
> > > 2. Restricts future segwit versions, may require new encoding if we
> > > want a diff length (or waste chainspace if we need to have a padded
> > > version for compat).
> > >
> > > Checksum change based on first byte:
> > >
> > > 1. Backwards incompatible for v1 etc; only succeeds 1 in a billion.
> > > 2. Weakens guarantees against typos in first two data-part letters to
> > > 1 in a billion.[1]
> > >
> If we go for option 2, v1 (generated from bitcoin core) will simply fail
> the first time you try to test it. So it will force an upgrade. There
> are fewer places generating addresses than accepting them, so this
> seems the most likely scenario.
>
> OTOH, with option 1, anyone accepting v1 addresses today is going to
> become a liability once v1 addresses start being generated.

Today, no witness v1 receivers exist. So it seems to me the only question
is what software/infrastructure exists that supports sending to witness v1,
and whether they (and their userbase) are more or less likely to upgrade
before receivers appear than those that don't.

Clearly if only actively developed software currently supports sending to
v1 right now, then the question of forward compatibility is moot, and I'd
agree the cleanliness of option 2 is preferable.

Does anyone have an up-to-date overview of where to-future-witness sending
is supported? I know Bitcoin Core does.

> > It took a lot of community effort to get widespread support for bech32
> > addresses. Rather than go through that again, I'd prefer we use the
> > backwards compatible proposal from BIPs PR#945 and, if we want to
> > maximize safety, consensus restrict v1 witness program size, e.g. reject
> > transactions with scriptPubKeys paying v1 witness programs that aren't
> > exactly 32 bytes.
>
> Yes, I too wish we weren't here. :(
>
> Deferring a hard decision is not useful unless we expect things to be
> easier in future, and I only see it getting harder as time passes and
> userbases grow.

Possibly, but in the past I think there has existed a pattern where adoption
of new technology is at least partially based on certain infrastructure
and codebases going out of business and/or being replaced with newer ones,
rather than improvements to existing ones.

If that effect is significant, option 1 may be preferable: it means fewer
compatibility issues in the short term, and longer term all that may be
required is fixing the spec, and waiting long enough for old/unmaintained code
to be replaced.

As for how long: new witness version/length combinations are only rarely needed,
and there are 14 length=32 ones left to pick. We'll likely want to use those
first anyway, as it's the cheapest option with 128-bit collision resistance.
Assuming future constructions have something like BIP341's leaf versioning, new
witness version/length combinations are only required for:

* Changes to the commitment structure of script execution (e.g. Graftroot,
  different hash function for Merkle trees, ...)
* Upgrades to new signing cryptography (EC curve change, PQC, ...).
* Changes to signatures outside of a commitment structure (e.g. new sighash
  modes for the keypath in BIP341, or cross-input aggregation for them).

and in general, not for things like new script opcodes, or even for fairly
invasive redesigns of the script language itself.

> The good news is that the change is fairly simple and the reference
> implementations are widely used so change is not actually that hard
> once the decision is made.

Indeed. Whatever observations we had about adoption of base58 -> bech32 may not
apply because the change to a different checksum is fairly trivial compared to
that. Still, presence of production codebases that just don't update at all
may complicate this.

> > Hopefully by the time we want to use segwit v2, most software will have
> > implemented length limits and so we won't need any additional consensus
> > restrictions from then on forward.
>
> If we are prepared to commit to restrictions on future addresses.
>
> We don't know enough to do that, however, so I'm reluctant; I worry that
> a future scheme where we could save (e.g.) 2 bytes will be impractical due
> to our encoding restrictions, resulting in unnecessary onchain bloat.

I'm opposed to consensus-invalidating certain length/version combinations, if
that's what you're suggesting, and I don't think there is a need for it.

TL;DR: what codebases/services/infrastructure exists today that supports
sending to witness v1 BIP173 addresses?

Cheers,

--
Pieter
Published at 2023-06-07 18:27:22
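The length-restriction option discussed in the message above, as an added example that is not part of the original e-mail or of any project's code: a simplified BIP173 decoder (lowercase only, no overall length limit) with an optional check against the quoted length list. It relies on a known bech32 property that the message does not spell out, namely that inserting a `q` before a final `p` leaves the checksum valid; all function names and the sample programs are constructed for illustration.

```python
import hashlib
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
ALLOWED = {10, 13, 16, 20, 23, 26, 29, 32, 36, 40}  # byte lengths quoted in the thread

def polymod(hrp, data):  # BIP173 checksum over expanded HRP + 5-bit data
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data
    chk = 1
    for v in values:
        top, chk = chk >> 25, (chk & 0x1ffffff) << 5 ^ v
        for i in range(5):
            chk ^= GEN[i] * ((top >> i) & 1)
    return chk

def convertbits(data, frm, to, pad):  # regroup bits; None on invalid padding
    acc, bits, out, mask = 0, 0, [], (1 << to) - 1
    for v in data:
        acc, bits = (acc << frm) | v, bits + frm
        while bits >= to:
            bits -= to
            out.append((acc >> bits) & mask)
    tail = (acc << (to - bits)) & mask
    if pad:
        return out + [tail] if bits else out
    return None if bits >= frm or tail else out

def encode(hrp, ver, prog):
    data = [ver] + convertbits(prog, 8, 5, True)
    pm = polymod(hrp, data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def decode(hrp, addr, restrict=False):  # restrict=True applies the length list to v1+
    head, _, tail = addr.rpartition("1")
    data = [CHARSET.find(c) for c in tail]
    if head != hrp or len(data) < 7 or -1 in data or polymod(hrp, data) != 1:
        return None
    ver, prog = data[0], convertbits(data[1:-6], 5, 8, False)
    ok = prog is not None and ver <= 16 and 2 <= len(prog) <= 40
    ok = ok and (ver or len(prog) in (20, 32))  # v0 rule from BIP173
    ok = ok and not (restrict and ver and len(prog) not in ALLOWED)
    return (ver, bytes(prog)) if ok else None

def find_mutation(hrp="bc"):
    for i in range(4096):  # constructed v1 programs, not real outputs
        addr = encode(hrp, 1, hashlib.sha256(i.to_bytes(2, "big")).digest())
        mutated = addr[:-1] + "q" + addr[-1]  # insert 'q' before the last character
        if addr.endswith("p") and decode(hrp, mutated):
            return addr, mutated
```

`find_mutation()` returns an address pair in which the second entry decodes to a 33-byte v1 program under plain BIP173 rules and is rejected once `restrict=True` is set.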