📅 Original date posted:2015-12-13
📝 Original message:-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Pieter Wuille 2015-12-13 13:07 :
> The use of a NOP opcode to indicate a witness script was something I
> considered at first too, but it's not really needed. You wouldn't be
> able to use that opcode in any place a normal opcode could occur, as
> it needs to be able to inspect the full scriptSig (rather than just
> its resulting stack) anyway. So both in practice and conceptually it
> is only really working as a template that gets assigned a special
> meaning (like P2SH did). We don't need an opcode for that, and instead
> we could say that any scriptPubKey (or redeemscript) that consists of
> a single push is a witness program.
>
>> 5. The most significant byte of serialized script is the version byte,
>> an
>> unsigned number
>> 6. If the version byte is 0x00, the script must fail
>
> What is that good for?
Just to make sure a script like OP_0 OP_SEGWIT will fail.
Anyway, your design may be better so forget it
>> 7. If the version byte is 0x02 to 0xff, the rest of the serialized
>> script is
>> ignored and the output is spendable with any form of witness (even if
>> the
>> witness contains something invalid in the current script system, e.g.
>> OP_RETURN)
>
> Do you mean the scriptPubKey itself, or the script that follows after
> the version byte?
> * The scriptPubKey itself: that's in contradiction with your rule 4,
> as segwit scripts are by definition only a push (+ opcode), so they
> can't be an OP_RETURN.
> * The script after the version byte: agree - though it doesn't
> actually need to be a script at all even (see further).
I am not referring to the serialized script, but the witness. Basically,
it doesn't care what the content look like.
> It is useful however to allow segwit inside P2SH
Agree
> So let me summarize by giving an equivalent to your list above,
> reflecting how my current prototype works:
> A) A scriptPubKey or P2SH redeemscript that consists of a single push
> of 2 to 41 bytes gets a new special meaning, and the byte vector
> pushed by it is called the witness program.
Why 41 bytes? Do you expect all witness program to be P2SH-like?
> The program
> must not fail and result in a single TRUE on the stack, and nothing
> else (to prevent stuffing the witness with pointless data during relay
> of transactions).
Could we just implement this as standardness rule? It is always possible
to stuff the scriptSig with pointless data so I don't think it's a new
attack vector. What if we want to include the height and tx index of
the input for compact fraud proof? Such fraud proof should not be an
opt-in function and not be dependent on the version byte
For the same reason, we should also allow traditional tx to have data
in the witness field, for any potential softfork upgrade
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJWbbugAAoJEO6eVSA0viTSD8oMAKFvd/+KZgH13tErEA+iXzF5
pwT4/eoQWSTvxIDVrFN+9wV79ogO4/aiCDEdmNF2IZD3QqmhKl7iOPw2SEseRTbe
e1r5z67yuudXyEQocZvy5+NOUp3N978b8weuRsHWG1HXgxTRmgZTrEeNtbEUs0X2
n5l6e0scnZAu70svBXr8X9HnOm2P/QLxtAqyNW19caCi+Dg/4Curx48tXQ/I9IxT
SYFVzB++FIoua49Cf1RJN+dUfywg67wT5l9NX4uWAX0qNB+p6BPP8df/72G/u564
NIaJs3IFiUaNktXz9aDM4s7pSzR6PlCK6LFKjE52sBY5uREHGU4PnfX9YqtwiEXA
Hr3YoFiepxAwl6icJi3wHKa6i0NGvj1fR1h6xuJ7ulzNv5mwuzXPOgvTDK4wpejl
ee8wsQZwmzchAfgyfPsgSaPh/jjBwm2S+WDMbL4HDmnWqVDl8dG3I/b3XP0aegY9
4RxPhLOA1qToNDGhnm+JNqT60OKgatpDN/4bRgRscA==
=4B1D
-----END PGP SIGNATURE-----
jl2012 at xbt.hk [ARCHIVE] /
npub1kc…wjfw4
2023-06-07 17:46:09
in reply to nevent1q…sgzj
Author Public Key
npub1kc0zulxt7j4a0ayhzhrz7jk84y7tm4026qcky7w97hlfkxxap24qnwjfw4Published at
2023-06-07 17:46:09Event JSON
{
"id": "e15daeedd36b56973133ecad8ccf7fc64c9abe6c8652372e3d589485baf07235",
"pubkey": "b61e2e7ccbf4abd7f49715c62f4ac7a93cbdd5ead0316279c5f5fe9b18dd0aaa",
"created_at": 1686159969,
"kind": 1,
"tags": [
[
"e",
"12a84dc161497f5ec3fbb3e9fb726708fb1bb0268a8834c07e1f631c1bbca295",
"",
"root"
],
[
"e",
"261875f76141f3862500142b1e9de1444331a1718f384cdc242ae1871d4488c1",
"",
"reply"
],
[
"p",
"5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6"
]
],
"content": "📅 Original date posted:2015-12-13\n📝 Original message:-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nPieter Wuille 2015-12-13 13:07 :\n\n\u003e The use of a NOP opcode to indicate a witness script was something I\n\u003e considered at first too, but it's not really needed. You wouldn't be\n\u003e able to use that opcode in any place a normal opcode could occur, as\n\u003e it needs to be able to inspect the full scriptSig (rather than just\n\u003e its resulting stack) anyway. So both in practice and conceptually it\n\u003e is only really working as a template that gets assigned a special\n\u003e meaning (like P2SH did). We don't need an opcode for that, and instead\n\u003e we could say that any scriptPubKey (or redeemscript) that consists of\n\u003e a single push is a witness program.\n\u003e \n\u003e\u003e 5. The most significant byte of serialized script is the version byte, \n\u003e\u003e an\n\u003e\u003e unsigned number\n\u003e\u003e 6. If the version byte is 0x00, the script must fail\n\u003e \n\u003e What is that good for?\n\nJust to make sure a script like OP_0 OP_SEGWIT will fail.\n\nAnyway, your design may be better so forget it\n\n\u003e\u003e 7. If the version byte is 0x02 to 0xff, the rest of the serialized \n\u003e\u003e script is\n\u003e\u003e ignored and the output is spendable with any form of witness (even if \n\u003e\u003e the\n\u003e\u003e witness contains something invalid in the current script system, e.g.\n\u003e\u003e OP_RETURN)\n\u003e \n\u003e Do you mean the scriptPubKey itself, or the script that follows after\n\u003e the version byte?\n\u003e * The scriptPubKey itself: that's in contradiction with your rule 4,\n\u003e as segwit scripts are by definition only a push (+ opcode), so they\n\u003e can't be an OP_RETURN.\n\u003e * The script after the version byte: agree - though it doesn't\n\u003e actually need to be a script at all even (see further).\n\nI am not referring to the serialized script, but the witness. Basically,\nit doesn't care what the content look like.\n\n\n\u003e It is useful however to allow segwit inside P2SH\n\nAgree\n\n\u003e So let me summarize by giving an equivalent to your list above,\n\u003e reflecting how my current prototype works:\n\u003e A) A scriptPubKey or P2SH redeemscript that consists of a single push\n\u003e of 2 to 41 bytes gets a new special meaning, and the byte vector\n\u003e pushed by it is called the witness program.\n\nWhy 41 bytes? Do you expect all witness program to be P2SH-like?\n\n\u003e The program\n\u003e must not fail and result in a single TRUE on the stack, and nothing\n\u003e else (to prevent stuffing the witness with pointless data during relay\n\u003e of transactions).\n\nCould we just implement this as standardness rule? It is always possible\nto stuff the scriptSig with pointless data so I don't think it's a new\nattack vector. What if we want to include the height and tx index of\nthe input for compact fraud proof? Such fraud proof should not be an\nopt-in function and not be dependent on the version byte\n\nFor the same reason, we should also allow traditional tx to have data\nin the witness field, for any potential softfork upgrade\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v2\n\niQGcBAEBCAAGBQJWbbugAAoJEO6eVSA0viTSD8oMAKFvd/+KZgH13tErEA+iXzF5\npwT4/eoQWSTvxIDVrFN+9wV79ogO4/aiCDEdmNF2IZD3QqmhKl7iOPw2SEseRTbe\ne1r5z67yuudXyEQocZvy5+NOUp3N978b8weuRsHWG1HXgxTRmgZTrEeNtbEUs0X2\nn5l6e0scnZAu70svBXr8X9HnOm2P/QLxtAqyNW19caCi+Dg/4Curx48tXQ/I9IxT\nSYFVzB++FIoua49Cf1RJN+dUfywg67wT5l9NX4uWAX0qNB+p6BPP8df/72G/u564\nNIaJs3IFiUaNktXz9aDM4s7pSzR6PlCK6LFKjE52sBY5uREHGU4PnfX9YqtwiEXA\nHr3YoFiepxAwl6icJi3wHKa6i0NGvj1fR1h6xuJ7ulzNv5mwuzXPOgvTDK4wpejl\nee8wsQZwmzchAfgyfPsgSaPh/jjBwm2S+WDMbL4HDmnWqVDl8dG3I/b3XP0aegY9\n4RxPhLOA1qToNDGhnm+JNqT60OKgatpDN/4bRgRscA==\n=4B1D\n-----END PGP SIGNATURE-----",
"sig": "083faaf938d2e9b68e109a00fc5a6c21ecdf008aef7f0292b7fffc2161bfe2d77d2013fc13cd3b6edc122d0e1c2fd6da7a4141f8df10ad006492748a080410ef"
}