What is Nostr?
Matt Corallo [ARCHIVE] /
npub1e46…xmcu
2023-06-07 18:16:45
in reply to nevent1q…t6uz

Matt Corallo [ARCHIVE] on Nostr: 📅 Original date posted:2019-03-08 📝 Original message:Replies inline. On 3/8/19 ...

📅 Original date posted:2019-03-08
📝 Original message:Replies inline.

On 3/8/19 3:57 PM, Russell O'Connor wrote:
> On Thu, Mar 7, 2019 at 2:50 PM Matt Corallo <lf-lists at mattcorallo.com
> <mailto:lf-lists at mattcorallo.com>> wrote:
> It's very easy to construct a practical script using OP_CODESEPARATOR.
>
> IF <2> <ALICEPUBKEY> <BOBPUBKEY> <2> CHECKMULTISIGVERIFY ELSE
> CODESEPARATOR <ALICEPUBKEY> CHECKSIGVERFY ENDIF
>
> Now when someone hands Alice, the CFO of XYZ corp., some transaction,
> she has the option of either signing it unilaterally herself, or
> creating a partial signature such that the transaction additionally
> needs Bob, the CEOs signature as well, and Alice's choice is committed
> to the blockchain for auditing purposes later.
>
> Now, there are many things you might object about this scheme, but my
> point is that (A) regardless of what you think about this scheme, it, or
> similar schemes, may have been devised by users, and (B) users may have
> already committed funds to such schemes, and due to P2SH you cannot know
> that this is not the case.

The common way to set that up is to have a separate key, but, ok, fair
enough. That said, the argument that "it may be hidden by P2SH!" isn't
sufficient here. It has to *both* be hidden by P2SH and have never been
spent from (either on mainnet or testnet) or be lock-timed a year in the
future. I'm seriously skeptical that someone is using a highly esoteric
scheme and has just been pouring money into it without ever having
tested it or having withdrawn any money from it whatsoever. This is just
a weird argument.


> Please don't strawman my position.  I am not suggesting we don't fix a
> vulnerability in Bitcoin.  I am suggesting we find another way.  One
> that limits the of risk destroying other people's money.
>
> Here is a more concrete proposal:  No matter how bad OP_CODESEPARATOR
> is, it cannot be worse than instead including another input that spends
> another identically sized UTXO.  So how about we soft-fork in a rule
> that says that an input's weight is increased by an amount equal to the
> number of OP_CODESEPARATORs executed times the sum of weight of the UTXO
> being spent and 40 bytes, the weight of a stripped input. The risk of
> destroying other people's money is limited and AFAIU it would completely
> address the vulnerabilities caused by OP_CODESEPARATOR.

You're already arguing that someone has such an esoteric use of script,
suggesting they aren't *also* creating pre-signed, long-locktimed
transactions with many inputs isn't much of a further stretch
(especially since this may result in the fee being non-standardly low if
you artificially increase its weight).

Note that "just limit number of OP_CODESEPARATOR calls" results in a ton
of complexity and reduces the simple analysis that fees (almost) have
today vs just removing it allows us to also remove a ton of code.

Further note that if you don't remove it getting the efficiency wins
right is even harder because instead of being able to cache sighashes
you now have to (at a minimum) wipe the cache between each
OP_CODESEPARATOR call, which results in a ton of additional
implementation complexity.

>
> > I suggest an alternative whereby the execution of OP_CODESEPARATOR
> > increases the transactions weight suitably as to temper the
> > vulnerability caused by it.  Alternatively there could be some
> sort of
> > limit (maybe 1) on the maximum number of OP_CODESEPARATORs
> allowed to be
> > executed per script, but that would require an argument as to why
> > exceeding that limit isn't reasonable.
>
> You could equally argue, however, that any such limit could render some
> moderately-large transaction unspendable, so I'm somewhat skeptical of
> this argument. Note that OP_CODESEPARATOR is non-standard, so getting
> them mined is rather difficult in any case.
>
>
> I already know of people who's funds are tied up due to in other changes
> to Bitcoin Core's default relay policy.  Non-standardness is not an
> excuse to take other people's tied up funds and destroy them permanently.

Huh?! The whole point of non-standardness in this context is to (a) make
soft-forking something out safer by derisking miners not upgrading right
away and (b) signal something that may be a candidate for soft-forking
out so that we get feedback. Who is getting things disabled who isn't
bothering to *tell* people that their use-case is being hurt?!
Author Public Key
npub1e46n428mcyfwznl7nlsf6d3s7rhlwm9x3cmkuqzt3emmdpadmkaqqjxmcu