📅 Original date posted:2018-12-12
📝 Original message:On Tue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-dev wrote:
> On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau <jl2012 at xbt.hk> wrote:
> The current proposal is that a 64-byte signature will be used for the
> default “signing all” sighash, and 65-byte for other sighash types. The
> space saved will allow a few more txs in a block, so I think it worths
> doing. However, this also makes witness weight estimation more difficult in
> multisig cases.
This seems strange to me -- why wouldn't you just assume every signature
is 65 witness bytes, and just be grateful for the prioritisation benefit
if someone chooses a shorter signature? Your error margin is just 0.25
vbytes per signature.
> I tend to think in opposite terms. Is there a proof that any script can be
> transformed into an equivalent one that avoids witness weight malleability?
An alternative generalisation: is there a proof that all valid witnesses
will have a weight within some small range?
> Moreover, even if witness weight malleability is entirely avoidable, it always
> seems to come at a cost. Taking as an example libwally's proposed "
> csv_2of3_then_2" Script, it begins with "OP_DEPTH OP_1SUB OP_1SUB"
(DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 18:15:34
in reply to nevent1q…76ja
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 18:15:34Event JSON
{
"id": "65a8102dfa85c12af5b8fa9d64cae2e406545cd8c8e5fdb9040d902cd9f34eb1",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686161734,
"kind": 1,
"tags": [
[
"e",
"77c824d861e497590991b7dc940a75787db11a7b2eab6adcf5563d0847a4df18",
"",
"root"
],
[
"e",
"469d855075e1ea2b9f06d4d511522fa5cf46893a1c09db2c82b1b4d68bbe9cc7",
"",
"reply"
],
[
"p",
"6b8e77368804013d7126ba4b77c7963bcfeff909135791531097d7a0f03ca85d"
]
],
"content": "📅 Original date posted:2018-12-12\n📝 Original message:On Tue, Dec 11, 2018 at 05:50:24PM -0500, Russell O'Connor via bitcoin-dev wrote:\n\u003e On Sun, Dec 9, 2018 at 2:13 PM Johnson Lau \u003cjl2012 at xbt.hk\u003e wrote:\n\u003e The current proposal is that a 64-byte signature will be used for the\n\u003e default “signing all” sighash, and 65-byte for other sighash types. The\n\u003e space saved will allow a few more txs in a block, so I think it worths\n\u003e doing. However, this also makes witness weight estimation more difficult in\n\u003e multisig cases.\n\nThis seems strange to me -- why wouldn't you just assume every signature\nis 65 witness bytes, and just be grateful for the prioritisation benefit\nif someone chooses a shorter signature? Your error margin is just 0.25\nvbytes per signature.\n\n\u003e I tend to think in opposite terms. Is there a proof that any script can be\n\u003e transformed into an equivalent one that avoids witness weight malleability?\n\nAn alternative generalisation: is there a proof that all valid witnesses\nwill have a weight within some small range?\n\n\u003e Moreover, even if witness weight malleability is entirely avoidable, it always\n\u003e seems to come at a cost. Taking as an example libwally's proposed \"\n\u003e csv_2of3_then_2\" Script, it begins with \"OP_DEPTH OP_1SUB OP_1SUB\"\n\n(DEPTH 2 NUMNOTEQUAL seems like it would have been more obvious...)\n\nCheers,\naj",
"sig": "6c16e650e377c996cc2049e5bae2f18c943efdbc832011a8ac4263222fdc72756d48c35a6e34bd23f12c321e56e5f315fd3b5e85e1de7477156505cc6794f642"
}