š
Original date posted:2011-12-29
šļø Summary of this message: Gavin Andresen discusses the proposed alternative to OP_EVAL and suggests amending BIP 12 to make it less subject to abuse.
š Original message:First, thanks very much to Russell for looking more closely at both
BIP 12 and the patch than anybody else-- he's found two bugs and two
things the BIP isn't clear enough on (so far).
And I've got to say, I'm very sympathetic to the "OP_EVAL starts down
the code-as-data path, and There Be Dragons" argument.
But:
I don't think the proposed alternative would be, in practice, any
better. I see two main disadvantages over OP_EVAL:
about 20-bytes larger
it means going back to where we were two months ago, writing more
code, reviewing it, finding bugs in it, backporting it so miners
running old software can support it, etc.
... and some other minor disadvantages:
'standard' scripts will need to be slightly different in the
scriptSig and the scriptPubKey
(e.g. <signature> CHECKSIG becomes <signature> CHECKSIGVERIFY
with OP_CODEHASH)
OP_EVALs are not executed, and so the code associated with them does
not have to be part of the transaction, if they are in the
non-executed branch of an OP_IF. That could be good for privacy, and
could be good for reducing block-chain size.
----------------------
In discussions in IRC yesterday, we talked a little about possible
changes to the OP_EVAL BIP to make it less subject to abuse. In
particular, the big can of worms is allowing arithmetic or bit
operations on the serialized script that will be EVAL'ed:
<serialized script> <other_data> OP_ADD OP_EVAL <-- Look! Dragons!
If <serialized script> is more than 4 bytes, that is actually illegal
right now (all of the arithmetic operations are limited to operating
on numbers that are 4 bytes of less, and I believe we could prove that
no series of operations will ever produce a value more than 5 bytes
big given the current limitations).
Which leads me to suggest that BIP 12 be amended to state that:
OP_EVAL shall cause script validation to fail if the top item on the
stack is less than 8 bytes long.
I'm tempted to propose a rule:
OP_EVAL shall fail if the top item on the stack is the result of any
calculation
... but I don't think the extra code it would take to implement that
(keep track of which items on the stack were the results of
OP_ADD/etc) is worth it.
On the "you can't tell how many CHECKSIG operations will be performed
before executing the script" issue:
That is already true, because the parameters to CHECKMULTISIG that
determine how many signatures it checks might be computed.
Finally, I would echo theymos' observation that I think we'll
eventually do something very much like OP_EVAL in the future-- maybe
to support (in a backwards-compatible way) a
quantum-computing-resistant signature algorithm or SHA3. When that is
done, I think it might make sense to do a bottom-up redesign of Script
based on what we've learned.
--
--
Gavin Andresen
Gavin Andresen [ARCHIVE] /
npub1s4ā¦d44kw
2023-06-07 02:53:25
in reply to nevent1qā¦t997
Author Public Key
npub1s4lj77xuzcu7wy04afcr487f0r3za0f8n2775xrpkld2sv639mjqsd44kwPublished at
2023-06-07 02:53:25Event JSON
{
"id": "b353e4d5861bdc3e215f9aa28db1c7450ba8be60c029d81a1925526f1457e666",
"pubkey": "857f2f78dc1639e711f5ea703a9fc978e22ebd279abdea1861b7daa833512ee4",
"created_at": 1686106405,
"kind": 1,
"tags": [
[
"e",
"9a940b93a02313cdd87199fd3d7a873bc06ba92e835205564dcc696f8e0046db",
"",
"root"
],
[
"e",
"0cf4ace47b82699934678e54c7fd379695abcfba9c269f4b60f3ed5bae96e4b2",
"",
"reply"
],
[
"p",
"2bf5127c73a113bf09a0766d9cd9f0ee9ff75b959ed881d65f2d036610ad4b16"
]
],
"content": "š
Original date posted:2011-12-29\nšļø Summary of this message: Gavin Andresen discusses the proposed alternative to OP_EVAL and suggests amending BIP 12 to make it less subject to abuse.\nš Original message:First, thanks very much to Russell for looking more closely at both\nBIP 12 and the patch than anybody else-- he's found two bugs and two\nthings the BIP isn't clear enough on (so far).\n\nAnd I've got to say, I'm very sympathetic to the \"OP_EVAL starts down\nthe code-as-data path, and There Be Dragons\" argument.\n\nBut:\n\nI don't think the proposed alternative would be, in practice, any\nbetter. I see two main disadvantages over OP_EVAL:\n\n about 20-bytes larger\n\n it means going back to where we were two months ago, writing more\ncode, reviewing it, finding bugs in it, backporting it so miners\nrunning old software can support it, etc.\n\n... and some other minor disadvantages:\n\n 'standard' scripts will need to be slightly different in the\nscriptSig and the scriptPubKey\n (e.g. \u003csignature\u003e CHECKSIG becomes \u003csignature\u003e CHECKSIGVERIFY\nwith OP_CODEHASH)\n\n OP_EVALs are not executed, and so the code associated with them does\nnot have to be part of the transaction, if they are in the\nnon-executed branch of an OP_IF. That could be good for privacy, and\ncould be good for reducing block-chain size.\n\n----------------------\n\nIn discussions in IRC yesterday, we talked a little about possible\nchanges to the OP_EVAL BIP to make it less subject to abuse. In\nparticular, the big can of worms is allowing arithmetic or bit\noperations on the serialized script that will be EVAL'ed:\n \u003cserialized script\u003e \u003cother_data\u003e OP_ADD OP_EVAL \u003c-- Look! Dragons!\n\nIf \u003cserialized script\u003e is more than 4 bytes, that is actually illegal\nright now (all of the arithmetic operations are limited to operating\non numbers that are 4 bytes of less, and I believe we could prove that\nno series of operations will ever produce a value more than 5 bytes\nbig given the current limitations).\n\nWhich leads me to suggest that BIP 12 be amended to state that:\n OP_EVAL shall cause script validation to fail if the top item on the\nstack is less than 8 bytes long.\n\nI'm tempted to propose a rule:\n OP_EVAL shall fail if the top item on the stack is the result of any\ncalculation\n\n... but I don't think the extra code it would take to implement that\n(keep track of which items on the stack were the results of\nOP_ADD/etc) is worth it.\n\n\nOn the \"you can't tell how many CHECKSIG operations will be performed\nbefore executing the script\" issue:\n\nThat is already true, because the parameters to CHECKMULTISIG that\ndetermine how many signatures it checks might be computed.\n\nFinally, I would echo theymos' observation that I think we'll\neventually do something very much like OP_EVAL in the future-- maybe\nto support (in a backwards-compatible way) a\nquantum-computing-resistant signature algorithm or SHA3. When that is\ndone, I think it might make sense to do a bottom-up redesign of Script\nbased on what we've learned.\n\n-- \n--\nGavin Andresen",
"sig": "7a55a29e9139c23c38e9b03a23b6cc648e753bca8aa66a05b82dc18b29ff3a09106b5c9e348bfeea8ef08b34c68d341a166bb476eeb06a59d5b5916f518f17df"
}