📅 Original date posted:2015-04-09
📝 Original message:Regarding the re-hashing the transaction data once per input being a
bottleneck, I was mistakenly only thinking about this from the point of
view of the signer. Full nodes have to check all transactions' inputs,
which is much more costly, as the link Gavin posted shows.
On Thu, Apr 9, 2015 at 10:45 AM, Mike Hearn <mike at plan99.net> wrote:
>
> Right, good point. I wonder if this sort of auto forwarding could even be
> a useful feature. I can't think of one right now.
>
I can think of a few convoluted use cases, but not any good ones. People
have definitely looked for this feature before, though, just look at this
Bitcoin SE post
<http://bitcoin.stackexchange.com/questions/1495/is-there-a-way-to-automatically-send-bitcoins-from-one-wallet-to-another>;.
I think there are better ways to handle key management than
auto-forwarding, though. Anyone looking for this feature probably just
wasn't aware that there are better solutions.
On Thu, Apr 9, 2015 at 10:45 AM, Mike Hearn <mike at plan99.net> wrote:
>
> Yes but is that fundamental or is there a way to avoid it? That's what I'm
> getting at.
>
In the bitcointalk article referenced, Sergio actually gave us the answer:
> Hash(Tx,previn-index) = Hash ( Hash(outputs) || Hash
(Inputs-with-script-cleared) || <previn-index> )
> (for SIGHASH_ALL)
> This way the values "Hash(outputs)" and
"Hash(Inputs-with-script-cleared)" can be cached and reused.
Basically, just re-order the way stuff is serialized. Put the stuff that is
nearly always signed at the beginning, and vice versa. I'll see if I can
update the proposal to make this optimization possible. What I suspect,
though, is that with all the new controls, blocks with ordinary
transactions will verify faster, but an attacker could still create a very
CPU intensive block by signing inputs with a wide variety of nHashTypes and
then signing the last one with the equivalent of SIGHASH_ALL. I don't think
that's a big limitation, though, the attack is already somewhat possible,
and would be very hard to do, and doesn't really gain the attacker anything
(other than infamy).
On Thu, Apr 9, 2015 at 1:28 PM, Peter Todd <pete at petertodd.org> wrote:
> For the OP: Have you looked at how CODESEPARATOR allows the signature to
> sign code to run as part of verifying the signature? E.g. my signature
> can say "valid if you run these additional opcodes and they return true"
> where those additional opcodes take the transaction, hash it in the
> defined way, and verify that the ECC signature correctly signs that
> hash and the hash of the additional opcodes. For instance in this case
> making a signature that's only valid if the tx fee is less than the
> defined amount would be a matter of GET_FEE <max fee + 1> LESSTHAN VERIFY
>
I've never been able to really see a good use case for OP_CODESEPARATOR,
and I'm not sure I completely have my head wrapped around what you're
proposing. From this
<http://bitcoin.stackexchange.com/questions/34013/what-is-op-codeseparator-used-for>;
and this
<https://bitcointalk.org/index.php?topic=52949.msg631255#msg631255>;,
though, it seems like OP_CODESEPARATOR cannot really be made useful unless
you already have a way to sign without hashing the TXIDs referenced by your
input, in which case you need to modify the nHashType.
Best,
Stephen
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150409/f55fb600/attachment.html>;
Stephen Morse [ARCHIVE] /
npub1ja…q0j2u
2023-06-07 15:32:25
in reply to nevent1q…tn9v
Author Public Key
npub1ja0fa5k6j04r2h7jp33lvdy2kzpv5yj60ce4wvcca7fvxe99hw5qqq0j2uPublished at
2023-06-07 15:32:25Event JSON
{
"id": "41dccbeb0e26140a93d355e7267735dd00093a935ef5f52aab5eeb0fada7e2c5",
"pubkey": "975e9ed2da93ea355fd20c63f6348ab082ca125a7e33573318ef92c364a5bba8",
"created_at": 1686151945,
"kind": 1,
"tags": [
[
"e",
"5206ce2c8620dd8f1134d6ac01a117c32a073608bbe0cb98c349a3703407d0c0",
"",
"root"
],
[
"e",
"44b887d539ee1d75658e7370992e671feb1c7841f7e9873a958c584891907918",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "📅 Original date posted:2015-04-09\n📝 Original message:Regarding the re-hashing the transaction data once per input being a\nbottleneck, I was mistakenly only thinking about this from the point of\nview of the signer. Full nodes have to check all transactions' inputs,\nwhich is much more costly, as the link Gavin posted shows.\n\nOn Thu, Apr 9, 2015 at 10:45 AM, Mike Hearn \u003cmike at plan99.net\u003e wrote:\n\u003e\n\u003e Right, good point. I wonder if this sort of auto forwarding could even be\n\u003e a useful feature. I can't think of one right now.\n\u003e\n\nI can think of a few convoluted use cases, but not any good ones. People\nhave definitely looked for this feature before, though, just look at this\nBitcoin SE post\n\u003chttp://bitcoin.stackexchange.com/questions/1495/is-there-a-way-to-automatically-send-bitcoins-from-one-wallet-to-another\u003e.\nI think there are better ways to handle key management than\nauto-forwarding, though. Anyone looking for this feature probably just\nwasn't aware that there are better solutions.\n\nOn Thu, Apr 9, 2015 at 10:45 AM, Mike Hearn \u003cmike at plan99.net\u003e wrote:\n\u003e\n\u003e Yes but is that fundamental or is there a way to avoid it? That's what I'm\n\u003e getting at.\n\u003e\n\nIn the bitcointalk article referenced, Sergio actually gave us the answer:\n\n\u003e Hash(Tx,previn-index) = Hash ( Hash(outputs) || Hash\n(Inputs-with-script-cleared) || \u003cprevin-index\u003e )\n\u003e (for SIGHASH_ALL)\n\u003e This way the values \"Hash(outputs)\" and\n\"Hash(Inputs-with-script-cleared)\" can be cached and reused.\n\nBasically, just re-order the way stuff is serialized. Put the stuff that is\nnearly always signed at the beginning, and vice versa. I'll see if I can\nupdate the proposal to make this optimization possible. What I suspect,\nthough, is that with all the new controls, blocks with ordinary\ntransactions will verify faster, but an attacker could still create a very\nCPU intensive block by signing inputs with a wide variety of nHashTypes and\nthen signing the last one with the equivalent of SIGHASH_ALL. I don't think\nthat's a big limitation, though, the attack is already somewhat possible,\nand would be very hard to do, and doesn't really gain the attacker anything\n(other than infamy).\n\nOn Thu, Apr 9, 2015 at 1:28 PM, Peter Todd \u003cpete at petertodd.org\u003e wrote:\n\n\u003e For the OP: Have you looked at how CODESEPARATOR allows the signature to\n\u003e sign code to run as part of verifying the signature? E.g. my signature\n\u003e can say \"valid if you run these additional opcodes and they return true\"\n\u003e where those additional opcodes take the transaction, hash it in the\n\u003e defined way, and verify that the ECC signature correctly signs that\n\u003e hash and the hash of the additional opcodes. For instance in this case\n\u003e making a signature that's only valid if the tx fee is less than the\n\u003e defined amount would be a matter of GET_FEE \u003cmax fee + 1\u003e LESSTHAN VERIFY\n\u003e\n\nI've never been able to really see a good use case for OP_CODESEPARATOR,\nand I'm not sure I completely have my head wrapped around what you're\nproposing. From this\n\u003chttp://bitcoin.stackexchange.com/questions/34013/what-is-op-codeseparator-used-for\u003e\n and this\n\u003chttps://bitcointalk.org/index.php?topic=52949.msg631255#msg631255\u003e,\nthough, it seems like OP_CODESEPARATOR cannot really be made useful unless\nyou already have a way to sign without hashing the TXIDs referenced by your\ninput, in which case you need to modify the nHashType.\n\nBest,\nStephen\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20150409/f55fb600/attachment.html\u003e",
"sig": "088ab65fb529b77437c3e80272569d10a4fb3a8d8d6db40cb94bf0c4ef689f142dbba91395946f1d5b5c5efab849afb0ae4ac04f478c91b0c25ce7c4628f04a3"
}