Rusty Russell [ARCHIVE] on Nostr: 📅 Original date posted:2018-01-15 📝 Original message:"Russell O'Connor" ...
📅 Original date posted:2018-01-15
📝 Original message:"Russell O'Connor" <roconnor at blockstream.io> writes:
> However, if I understand correctly, the situation for BIP 117 is entirely
> different. As far as I understand there is currently no restrictions about
> terminating a v0 witness program with a non-empty alt-stack, and there are
> no restrictions on leaving non-canonical boolean values on the main stack.
BIP-141: "The script must not fail, and result in exactly a single TRUE
on the stack." And it has long been non-standard for P2SH scripts to
not do the same (don't know exactly when).
> There could already be commitments to V0 witness programs that, when
> executed in some reasonable context, leave a non-empty alt-stack and/or
> leave a non-canonical true value on the main stack. Unlike the P2SH or
> Segwit soft-forks, these existing commitments could be real outputs that
> currently confer non-trivial ownership over their associated funds. If BIP
> 117 were activated, these commitments would be subject to a new set of
> rules that didn't exist when the commitments were made. In particular,
> these funds could be rendered unspendable. Because segwit commitments are
> hashes of segwit programs, there is no way to even analyze the blockchain
> to determine if these commitments currently exist (and even if we could it
> probably woudln't be adequate protection).
The rule AFAICT is "standard transactions must still work". This was
violated with low-S, but the transformation was arguably trivial.
OTOH, use of altstack is completely standard, though in practice it's
unused and so only a theoretical concern.
My concern remains unanswered: I want hard numbers on the worst-case
time taken by sigops with the limit removed. It's about 120 usec per
sigop (from [1]), so how bad could it be? I think Russell had an
estimate like 1 in 3 ops, so 160 seconds to validate a block?
Thanks,
Rusty.
[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-December/015346.html
📝 Original message:"Russell O'Connor" <roconnor at blockstream.io> writes:
> However, if I understand correctly, the situation for BIP 117 is entirely
> different. As far as I understand there is currently no restrictions about
> terminating a v0 witness program with a non-empty alt-stack, and there are
> no restrictions on leaving non-canonical boolean values on the main stack.
BIP-141: "The script must not fail, and result in exactly a single TRUE
on the stack." And it has long been non-standard for P2SH scripts to
not do the same (don't know exactly when).
> There could already be commitments to V0 witness programs that, when
> executed in some reasonable context, leave a non-empty alt-stack and/or
> leave a non-canonical true value on the main stack. Unlike the P2SH or
> Segwit soft-forks, these existing commitments could be real outputs that
> currently confer non-trivial ownership over their associated funds. If BIP
> 117 were activated, these commitments would be subject to a new set of
> rules that didn't exist when the commitments were made. In particular,
> these funds could be rendered unspendable. Because segwit commitments are
> hashes of segwit programs, there is no way to even analyze the blockchain
> to determine if these commitments currently exist (and even if we could it
> probably woudln't be adequate protection).
The rule AFAICT is "standard transactions must still work". This was
violated with low-S, but the transformation was arguably trivial.
OTOH, use of altstack is completely standard, though in practice it's
unused and so only a theoretical concern.
My concern remains unanswered: I want hard numbers on the worst-case
time taken by sigops with the limit removed. It's about 120 usec per
sigop (from [1]), so how bad could it be? I think Russell had an
estimate like 1 in 3 ops, so 160 seconds to validate a block?
Thanks,
Rusty.
[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-December/015346.html