* [bitcoindev] Relax OP_RETURN standardness restrictions
@ 2025-04-17 18:52 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-04-18 12:03 ` Sjors Provoost
` (2 more replies)
0 siblings, 3 replies; 12+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2025-04-17 18:52 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1: Type: text/plain, Size: 1877 bytes --]
Hi,
Standardness rules exist for 3 mains reasons: mitigate DoS vectors, provide upgrade hooks, or as a nudge to deter some usages.
Bitcoin Core will by default only relay and mine transactions with at most a single OP_RETURN output, with a scriptPubKey no larger than 83 bytes. This standardness rule falls into the third category: it aims to mildly deter data storage while still allowing a less harmful alternative than using non-provably-unspendable outputs.
Developers are now designing constructions that work around these limitations. An example is Clementine, the recently-announced Citrea bridge, which uses unspendable Taproot outputs to store data in its "WatchtowerChallenge" transaction due to the standardness restrictions on the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years that the nudge is ineffective to deter storing data onchain.
Since the restrictions on the usage of OP_RETURN outputs encourage harmful practices while being ineffective in deterring unwanted usage, i propose to drop them. I suggest to start by lifting the restriction on the size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to stop encouraging harmful behaviour, and to then proceed to lift the restriction on the number of OP_RETURN outputs per transactions.
Antoine Poinsot
[^0]: See section 6.1 of their whitepaper here https://citrea.xyz/clementine_whitepaper.pdf
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/rhfyCHr4RfaEalbfGejVdolYCVWIyf84PT2062DQbs5-eU8BPYty5sGyvI3hKeRZQtVC7rn_ugjUWFnWCymz9e9Chbn7FjWJePllFhZRKYk%3D%40protonmail.com.
[-- Attachment #2: Type: text/html, Size: 3508 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-17 18:52 [bitcoindev] Relax OP_RETURN standardness restrictions 'Antoine Poinsot' via Bitcoin Development Mailing List
@ 2025-04-18 12:03 ` Sjors Provoost
2025-04-18 12:54 ` Greg Sanders
2025-04-20 8:43 ` Peter Todd
2025-04-26 9:50 ` Luke Dashjr
2 siblings, 1 reply; 12+ messages in thread
From: Sjors Provoost @ 2025-04-18 12:03 UTC (permalink / raw)
To: Antoine Poinsot, Bitcoin Development Mailing List
> Op 17 apr 2025, om 20:52 heeft 'Antoine Poinsot' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> het volgende geschreven:
> Developers are now designing constructions that work around these limitations. An example is Clementine, the recently-announced Citrea bridge, which uses unspendable Taproot outputs to store data in its "WatchtowerChallenge" transaction due to the standardness restrictions on the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years that the nudge is ineffective to deter storing data onchain.
>
> Since the restrictions on the usage of OP_RETURN outputs encourage harmful practices while being ineffective in deterring unwanted usage, i propose to drop them. I suggest to start by lifting the restriction on the size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to stop encouraging harmful behaviour, and to then proceed to lift the restriction on the number of OP_RETURN outputs per transactions.
It might be better to do both, if only to avoid repeating the discussion in a year.
From perusing the Citrea paper (page 18) it seems a single output is enough, and they only need 144 bytes.
1. Regarding size
The current ~80 byte limit was based on Counterparty needing it [0], and otherwise using bare multisig. A similar argument would apply here. At the time there was discussion about how much space Counterparty really needed if their protocol was well implemented.
The 144 bytes consist of a Groth16 proof and the total chain work. Along similar lines we could pick a number based on various cryptographic commitment schemes, and then only raise the limit by that much.
But that just guarantees repeating the argument in a year when some protocol needs a slightly higher limit. In a post-inscription world that seems pointless. My preference is to drop the size limit entirely.
2. Regarding count
IIUC there's no consensus limit on the size of an OP_RETURN [1] and there's also no standardness rule on the size of a scriptPubKey. The size of a single OP_RETURN is limited only by the maximum transaction size, i.e. 100 kvB.
Without a size restriction on individual OP_RETURN outputs, there's no point in limiting their number.
That said, it would be interesting to know if any protocols are thinking of using multiple OP_RETURN outputs.
3. Reminder why we didn't do this earlier
In the August 2023 discussion [2] Murch wrote, in response to John Light:
>> is there ever a case where using OP_RETURN to embed data actually results in fewer bytes onchain than embedding the same data using the segwit/taproot witness space
>
> Yes, a back-of-the-envelope calculation has me thinking that only payloads of 135 bytes would be cheaper with transcriptions than with nulldata outputs. In detail:
[...]
> we learn that nulldata outputs are cheaper up to a payload size of 134 bytes, only above that inscriptions become a more blockspace efficient data carrier.
Since we're discussing raising the limit to at least 144 bytes, the above argument would no longer be relevant.
And from what I recall at the time that was the only remaining reason to keep the OP_RETURN restrictions around a bit longer, despite heavy use of inscriptions.
4. PS - on liveliness assumptions
The paper [3] states the following assumption:
> We consider a secure ledger, i.e., a ledger that is safe and live. Safety and liveness are defined as follows:
>
> ...
>
> Definition 2 (Liveness). A distributed ledger protocol is live with liveness parameter u if all transactions written by any correct party at round r, appear in the ledgers of all correct parties by round r + u.
For standard transactions this already not trivially true. See all of Lightning pinning discussions.
For non-standard transactions, does BitVM2 keep all its transactions under 100 kvB?
Otherwise your liveness assumption requires a direct connection to at least one miner / pool that is trusted to not censor (though you can shop around until the deadline).
Conversely, having actively used protocols that frequently require going over some standardises limit puts pressure on that limit for the reasons Antoine outlined. So for anyone working on such protocols, please let this list know, since these discussions can take a while.
- Sjors
[0] https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/?rdt=53592
[1] https://bitcoin.stackexchange.com/a/117595/4948
[2] https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607-e95a-8ec671cbb9f3@murch.one/#t (click on the html attachment)
[3] https://citrea.xyz/clementine_whitepaper.pdf
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/C7E2D805-E70A-455C-BDA1-224024BE93B3%40sprovoost.nl.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-18 12:03 ` Sjors Provoost
@ 2025-04-18 12:54 ` Greg Sanders
2025-04-18 13:06 ` Vojtěch Strnad
2025-04-18 13:29 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
0 siblings, 2 replies; 12+ messages in thread
From: Greg Sanders @ 2025-04-18 12:54 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 6305 bytes --]
> From perusing the Citrea paper (page 18) it seems a single output is
enough, and they only need 144 bytes.
From discussion in person it seems as though they could adapt their use to
batch publish these transactions as SIGHASH_SINGLE|ACP transactions, with
each output being a 144-byte OP_RETURN. It's a less pressing issue perhaps,
but if we can derive additional efficiency and don't want to revisit this
conversation again later, may be worth doing.
The only drawback I can see to the second step would be that we *could
have* reserved multi-output as some sort of signaling mechanism since it's
previously not relayable on Bitcoin Core, even with knob fiddling, though I
can't imagine what that would be. Additional OP_RETURNs would be an
expensive signal.
Greg
On Friday, April 18, 2025 at 8:16:00 AM UTC-4 Sjors Provoost wrote:
>
> > Op 17 apr 2025, om 20:52 heeft 'Antoine Poinsot' via Bitcoin Development
> Mailing List <bitco...@googlegroups•com> het volgende geschreven:
>
> > Developers are now designing constructions that work around these
> limitations. An example is Clementine, the recently-announced Citrea
> bridge, which uses unspendable Taproot outputs to store data in its
> "WatchtowerChallenge" transaction due to the standardness restrictions on
> the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years
> that the nudge is ineffective to deter storing data onchain.
> >
> > Since the restrictions on the usage of OP_RETURN outputs encourage
> harmful practices while being ineffective in deterring unwanted usage, i
> propose to drop them. I suggest to start by lifting the restriction on the
> size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to
> stop encouraging harmful behaviour, and to then proceed to lift the
> restriction on the number of OP_RETURN outputs per transactions.
>
> It might be better to do both, if only to avoid repeating the discussion
> in a year.
>
> From perusing the Citrea paper (page 18) it seems a single output is
> enough, and they only need 144 bytes.
>
> 1. Regarding size
>
> The current ~80 byte limit was based on Counterparty needing it [0], and
> otherwise using bare multisig. A similar argument would apply here. At the
> time there was discussion about how much space Counterparty really needed
> if their protocol was well implemented.
>
> The 144 bytes consist of a Groth16 proof and the total chain work. Along
> similar lines we could pick a number based on various cryptographic
> commitment schemes, and then only raise the limit by that much.
>
> But that just guarantees repeating the argument in a year when some
> protocol needs a slightly higher limit. In a post-inscription world that
> seems pointless. My preference is to drop the size limit entirely.
>
> 2. Regarding count
>
> IIUC there's no consensus limit on the size of an OP_RETURN [1] and
> there's also no standardness rule on the size of a scriptPubKey. The size
> of a single OP_RETURN is limited only by the maximum transaction size, i.e.
> 100 kvB.
>
> Without a size restriction on individual OP_RETURN outputs, there's no
> point in limiting their number.
>
> That said, it would be interesting to know if any protocols are thinking
> of using multiple OP_RETURN outputs.
>
> 3. Reminder why we didn't do this earlier
>
> In the August 2023 discussion [2] Murch wrote, in response to John Light:
>
> >> is there ever a case where using OP_RETURN to embed data actually
> results in fewer bytes onchain than embedding the same data using the
> segwit/taproot witness space
> >
> > Yes, a back-of-the-envelope calculation has me thinking that only
> payloads of 135 bytes would be cheaper with transcriptions than with
> nulldata outputs. In detail:
> [...]
> > we learn that nulldata outputs are cheaper up to a payload size of 134
> bytes, only above that inscriptions become a more blockspace efficient data
> carrier.
>
> Since we're discussing raising the limit to at least 144 bytes, the above
> argument would no longer be relevant.
>
> And from what I recall at the time that was the only remaining reason to
> keep the OP_RETURN restrictions around a bit longer, despite heavy use of
> inscriptions.
>
> 4. PS - on liveliness assumptions
>
> The paper [3] states the following assumption:
>
> > We consider a secure ledger, i.e., a ledger that is safe and live.
> Safety and liveness are defined as follows:
> >
> > ...
> >
> > Definition 2 (Liveness). A distributed ledger protocol is live with
> liveness parameter u if all transactions written by any correct party at
> round r, appear in the ledgers of all correct parties by round r + u.
>
> For standard transactions this already not trivially true. See all of
> Lightning pinning discussions.
>
> For non-standard transactions, does BitVM2 keep all its transactions under
> 100 kvB?
>
> Otherwise your liveness assumption requires a direct connection to at
> least one miner / pool that is trusted to not censor (though you can shop
> around until the deadline).
>
> Conversely, having actively used protocols that frequently require going
> over some standardises limit puts pressure on that limit for the reasons
> Antoine outlined. So for anyone working on such protocols, please let this
> list know, since these discussions can take a while.
>
> - Sjors
>
> [0]
> https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/?rdt=53592
> [1] https://bitcoin.stackexchange.com/a/117595/4948
> [2] https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607...@murch.one/#t
> <https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607-e95a-8ec671cbb9f3@murch.one/#t>
> (click on the html attachment)
> [3] https://citrea.xyz/clementine_whitepaper.pdf
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/b51b952c-b8ba-4f13-a216-c29095c39d00n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 8152 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-18 12:54 ` Greg Sanders
@ 2025-04-18 13:06 ` Vojtěch Strnad
2025-04-18 13:29 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
1 sibling, 0 replies; 12+ messages in thread
From: Vojtěch Strnad @ 2025-04-18 13:06 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1: Type: text/plain, Size: 7797 bytes --]
Hi all,
Regarding the size of an OP_RETURN output, I made a calculation [0] a while
ago to compare it to the all too commonly used "inscription envelope"
(<pubkey> OP_CHECKSIG OF_FALSE OP_IF <data> OP_ENDIF). The result was that
OP_RETURN is cheaper for data smaller than 143 bytes or 158 bytes,
depending on whether you count the overhead of the transaction revealing
the inscription.
Personally, I've never been a fan of the OP_RETURN standardness rules. They
could always be easily bypassed in more or less harmful ways with only a
small loss of data encoding efficiency (the most harmful being adding many
unspendable outputs to a transaction, which some protocols do even today).
[0] https://bitcoin.stackexchange.com/q/122321/121614
On Fri, Apr 18, 2025 at 2:58 PM Greg Sanders <gsanders87@gmail•com> wrote:
> > From perusing the Citrea paper (page 18) it seems a single output is
> enough, and they only need 144 bytes.
>
> From discussion in person it seems as though they could adapt their use to
> batch publish these transactions as SIGHASH_SINGLE|ACP transactions, with
> each output being a 144-byte OP_RETURN. It's a less pressing issue perhaps,
> but if we can derive additional efficiency and don't want to revisit this
> conversation again later, may be worth doing.
>
> The only drawback I can see to the second step would be that we *could
> have* reserved multi-output as some sort of signaling mechanism since it's
> previously not relayable on Bitcoin Core, even with knob fiddling, though I
> can't imagine what that would be. Additional OP_RETURNs would be an
> expensive signal.
>
> Greg
>
> On Friday, April 18, 2025 at 8:16:00 AM UTC-4 Sjors Provoost wrote:
>
>>
>> > Op 17 apr 2025, om 20:52 heeft 'Antoine Poinsot' via Bitcoin
>> Development Mailing List <bitco...@googlegroups•com> het volgende
>> geschreven:
>>
>> > Developers are now designing constructions that work around these
>> limitations. An example is Clementine, the recently-announced Citrea
>> bridge, which uses unspendable Taproot outputs to store data in its
>> "WatchtowerChallenge" transaction due to the standardness restrictions on
>> the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years
>> that the nudge is ineffective to deter storing data onchain.
>> >
>> > Since the restrictions on the usage of OP_RETURN outputs encourage
>> harmful practices while being ineffective in deterring unwanted usage, i
>> propose to drop them. I suggest to start by lifting the restriction on the
>> size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to
>> stop encouraging harmful behaviour, and to then proceed to lift the
>> restriction on the number of OP_RETURN outputs per transactions.
>>
>> It might be better to do both, if only to avoid repeating the discussion
>> in a year.
>>
>> From perusing the Citrea paper (page 18) it seems a single output is
>> enough, and they only need 144 bytes.
>>
>> 1. Regarding size
>>
>> The current ~80 byte limit was based on Counterparty needing it [0], and
>> otherwise using bare multisig. A similar argument would apply here. At the
>> time there was discussion about how much space Counterparty really needed
>> if their protocol was well implemented.
>>
>> The 144 bytes consist of a Groth16 proof and the total chain work. Along
>> similar lines we could pick a number based on various cryptographic
>> commitment schemes, and then only raise the limit by that much.
>>
>> But that just guarantees repeating the argument in a year when some
>> protocol needs a slightly higher limit. In a post-inscription world that
>> seems pointless. My preference is to drop the size limit entirely.
>>
>> 2. Regarding count
>>
>> IIUC there's no consensus limit on the size of an OP_RETURN [1] and
>> there's also no standardness rule on the size of a scriptPubKey. The size
>> of a single OP_RETURN is limited only by the maximum transaction size, i.e.
>> 100 kvB.
>>
>> Without a size restriction on individual OP_RETURN outputs, there's no
>> point in limiting their number.
>>
>> That said, it would be interesting to know if any protocols are thinking
>> of using multiple OP_RETURN outputs.
>>
>> 3. Reminder why we didn't do this earlier
>>
>> In the August 2023 discussion [2] Murch wrote, in response to John Light:
>>
>> >> is there ever a case where using OP_RETURN to embed data actually
>> results in fewer bytes onchain than embedding the same data using the
>> segwit/taproot witness space
>> >
>> > Yes, a back-of-the-envelope calculation has me thinking that only
>> payloads of 135 bytes would be cheaper with transcriptions than with
>> nulldata outputs. In detail:
>> [...]
>> > we learn that nulldata outputs are cheaper up to a payload size of 134
>> bytes, only above that inscriptions become a more blockspace efficient data
>> carrier.
>>
>> Since we're discussing raising the limit to at least 144 bytes, the above
>> argument would no longer be relevant.
>>
>> And from what I recall at the time that was the only remaining reason to
>> keep the OP_RETURN restrictions around a bit longer, despite heavy use of
>> inscriptions.
>>
>> 4. PS - on liveliness assumptions
>>
>> The paper [3] states the following assumption:
>>
>> > We consider a secure ledger, i.e., a ledger that is safe and live.
>> Safety and liveness are defined as follows:
>> >
>> > ...
>> >
>> > Definition 2 (Liveness). A distributed ledger protocol is live with
>> liveness parameter u if all transactions written by any correct party at
>> round r, appear in the ledgers of all correct parties by round r + u.
>>
>> For standard transactions this already not trivially true. See all of
>> Lightning pinning discussions.
>>
>> For non-standard transactions, does BitVM2 keep all its transactions
>> under 100 kvB?
>>
>> Otherwise your liveness assumption requires a direct connection to at
>> least one miner / pool that is trusted to not censor (though you can shop
>> around until the deadline).
>>
>> Conversely, having actively used protocols that frequently require going
>> over some standardises limit puts pressure on that limit for the reasons
>> Antoine outlined. So for anyone working on such protocols, please let this
>> list know, since these discussions can take a while.
>>
>> - Sjors
>>
>> [0]
>> https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/?rdt=53592
>> [1] https://bitcoin.stackexchange.com/a/117595/4948
>> [2] https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607...@murch.one/#t
>> <https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607-e95a-8ec671cbb9f3@murch.one/#t>
>> (click on the html attachment)
>> [3] https://citrea.xyz/clementine_whitepaper.pdf
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups•com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/b51b952c-b8ba-4f13-a216-c29095c39d00n%40googlegroups.com
> <https://groups.google.com/d/msgid/bitcoindev/b51b952c-b8ba-4f13-a216-c29095c39d00n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CADnN-1U1JcbgeWAyMJ7zzbMzYRVy_Gd6fTrRu3wPVg%2Bgxo4Vvw%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 9326 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-18 12:54 ` Greg Sanders
2025-04-18 13:06 ` Vojtěch Strnad
@ 2025-04-18 13:29 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-04-18 21:34 ` Antoine Riard
1 sibling, 1 reply; 12+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2025-04-18 13:29 UTC (permalink / raw)
To: Greg Sanders, Sjors Provoost; +Cc: Bitcoin Development Mailing List
[-- Attachment #1: Type: text/plain, Size: 7676 bytes --]
> IIUC [..] The size of a single OP_RETURN is limited only by the maximum transaction size, i.e. 100 kvB.
Yes.
>>> is there ever a case where using OP_RETURN to embed data actually results in fewer bytes onchain than embedding the same data using the segwit/taproot witness space> Yes, a back-of-the-envelope calculation [..]
>
For reference Vojtěch Strnad also has a good StackExchange answer with details about this here: https://bitcoin.stackexchange.com/a/122322/101498. TL;DR: OP_RETURN is cheaper for data smaller than 143 bytes. I don't think this is sufficient reason not to drop the limit.
> we *could have* reserved multi-output as some sort of signaling mechanism [..] though I can't imagine what that would be. Additional OP_RETURNs would be an expensive signal.
Exactly, and it's not like we would be running out of upgrade hooks anytime soon.
On Friday, April 18th, 2025 at 8:54 AM, Greg Sanders <gsanders87@gmail•com> wrote:
>> From perusing the Citrea paper (page 18) it seems a single output is enough, and they only need 144 bytes.
>
> From discussion in person it seems as though they could adapt their use to batch publish these transactions as SIGHASH_SINGLE|ACP transactions, with each output being a 144-byte OP_RETURN. It's a less pressing issue perhaps, but if we can derive additional efficiency and don't want to revisit this conversation again later, may be worth doing.
>
> The only drawback I can see to the second step would be that we *could have* reserved multi-output as some sort of signaling mechanism since it's previously not relayable on Bitcoin Core, even with knob fiddling, though I can't imagine what that would be. Additional OP_RETURNs would be an expensive signal.
>
> Greg
> On Friday, April 18, 2025 at 8:16:00 AM UTC-4 Sjors Provoost wrote:
>
>>> Op 17 apr 2025, om 20:52 heeft 'Antoine Poinsot' via Bitcoin Development Mailing List <bitco...@googlegroups•com> het volgende geschreven:
>>
>>> Developers are now designing constructions that work around these limitations. An example is Clementine, the recently-announced Citrea bridge, which uses unspendable Taproot outputs to store data in its "WatchtowerChallenge" transaction due to the standardness restrictions on the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years that the nudge is ineffective to deter storing data onchain.
>>>
>>> Since the restrictions on the usage of OP_RETURN outputs encourage harmful practices while being ineffective in deterring unwanted usage, i propose to drop them. I suggest to start by lifting the restriction on the size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to stop encouraging harmful behaviour, and to then proceed to lift the restriction on the number of OP_RETURN outputs per transactions.
>>
>> It might be better to do both, if only to avoid repeating the discussion in a year.
>>
>> From perusing the Citrea paper (page 18) it seems a single output is enough, and they only need 144 bytes.
>>
>> 1. Regarding size
>>
>> The current ~80 byte limit was based on Counterparty needing it [0], and otherwise using bare multisig. A similar argument would apply here. At the time there was discussion about how much space Counterparty really needed if their protocol was well implemented.
>>
>> The 144 bytes consist of a Groth16 proof and the total chain work. Along similar lines we could pick a number based on various cryptographic commitment schemes, and then only raise the limit by that much.
>>
>> But that just guarantees repeating the argument in a year when some protocol needs a slightly higher limit. In a post-inscription world that seems pointless. My preference is to drop the size limit entirely.
>>
>> 2. Regarding count
>>
>> IIUC there's no consensus limit on the size of an OP_RETURN [1] and there's also no standardness rule on the size of a scriptPubKey. The size of a single OP_RETURN is limited only by the maximum transaction size, i.e. 100 kvB.
>>
>> Without a size restriction on individual OP_RETURN outputs, there's no point in limiting their number.
>>
>> That said, it would be interesting to know if any protocols are thinking of using multiple OP_RETURN outputs.
>>
>> 3. Reminder why we didn't do this earlier
>>
>> In the August 2023 discussion [2] Murch wrote, in response to John Light:
>>
>>>> is there ever a case where using OP_RETURN to embed data actually results in fewer bytes onchain than embedding the same data using the segwit/taproot witness space
>>>
>>> Yes, a back-of-the-envelope calculation has me thinking that only payloads of 135 bytes would be cheaper with transcriptions than with nulldata outputs. In detail:
>> [...]
>>> we learn that nulldata outputs are cheaper up to a payload size of 134 bytes, only above that inscriptions become a more blockspace efficient data carrier.
>>
>> Since we're discussing raising the limit to at least 144 bytes, the above argument would no longer be relevant.
>>
>> And from what I recall at the time that was the only remaining reason to keep the OP_RETURN restrictions around a bit longer, despite heavy use of inscriptions.
>>
>> 4. PS - on liveliness assumptions
>>
>> The paper [3] states the following assumption:
>>
>>> We consider a secure ledger, i.e., a ledger that is safe and live. Safety and liveness are defined as follows:
>>>
>>> ...
>>>
>>> Definition 2 (Liveness). A distributed ledger protocol is live with liveness parameter u if all transactions written by any correct party at round r, appear in the ledgers of all correct parties by round r + u.
>>
>> For standard transactions this already not trivially true. See all of Lightning pinning discussions.
>>
>> For non-standard transactions, does BitVM2 keep all its transactions under 100 kvB?
>>
>> Otherwise your liveness assumption requires a direct connection to at least one miner / pool that is trusted to not censor (though you can shop around until the deadline).
>>
>> Conversely, having actively used protocols that frequently require going over some standardises limit puts pressure on that limit for the reasons Antoine outlined. So for anyone working on such protocols, please let this list know, since these discussions can take a while.
>>
>> - Sjors
>>
>> [0] [https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/?rdt=53592](https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/)
>> [1] https://bitcoin.stackexchange.com/a/117595/4948
>> [2] [https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607...@murch.one/#t](https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607-e95a-8ec671cbb9f3@murch.one/#t) (click on the html attachment)
>> [3] https://citrea.xyz/clementine_whitepaper.pdf
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/b51b952c-b8ba-4f13-a216-c29095c39d00n%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/8nHXu-p_oewEJ1P95eVG57v_qugup8KrgFCQ5sSM88TKMumrjwIdk9cRs3cPon6cEwxSgSiE2OWnoU2xCfa6DtrnT2SSWRsJmT1wkpWh9k0%3D%40protonmail.com.
[-- Attachment #2: Type: text/html, Size: 11815 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-18 13:29 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
@ 2025-04-18 21:34 ` Antoine Riard
0 siblings, 0 replies; 12+ messages in thread
From: Antoine Riard @ 2025-04-18 21:34 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 9971 bytes --]
Hello Darosior,
Generally, I'm +1 on relaxing OP_RETURN standardness restrictions.
Few links that can be relevant for the discussions:
- https://github.com/petertodd/bitcoin/pull/6
- https://github.com/ordinals/ord/issues/2405
For adding a `-datacarrierenum`, this might be re-considered, e.g if you're
running a bitcoin full-node with an extended number of op_return outputs,
and
you have callback action when you're seeing said snarg proofs is in the
op_return.
This is assuming that of course additional software is running on top of
the full-node, e.g a custom block explorer, though it could be a source of
DoS, if callbacks are triggered before inclusion in op_return outputs (--
and some might do before inclusion, just for latency gains in their
use-cases).
I think there is one downside I can see of relaxing OP_RETURN standardness
restrictions, namely that a single transaction output "exogeneous" value
might be worth more than the block reward yields in fees (`blockReward`).
That could be an issue where a single transaction output owner with an
"exogeneous" value braodcast a tx for a double-spend where this condition
can only be included if the block is reorged-out (e.g a bridge where 2
withdrawal are valid at the same time to different owners). Somehow
linearity of chain advances is a good property to have.
One can have a look on the ordinals markets at the last halving blocks,
to see it's already can be a concern, as something like ordinals mined
by the coinbase pubkey was trading for a high price.
This is not a problem for now with multi-party transactiosn or contracting
protocols (e.g coinjoins or lightning), as it's always a coin exchanged, or
fees that must be committed to settle an off-chain state.
Best,
Antoine
OTS hash: a3264eaedf79b15d5e9cd32a20d1d82c6981f49a34256d6c961fd39c976ff2c2
Le vendredi 18 avril 2025 à 14:52:03 UTC+1, Antoine Poinsot a écrit :
> IIUC [..] The size of a single OP_RETURN is limited only by the maximum
> transaction size, i.e. 100 kvB.
>
> Yes.
>
> >> is there ever a case where using OP_RETURN to embed data actually
> results in fewer bytes onchain than embedding the same data using the
> segwit/taproot witness space
>
> > Yes, a back-of-the-envelope calculation [..]
>
> For reference Vojtěch Strnad also has a good StackExchange answer with
> details about this here: https://bitcoin.stackexchange.com/a/122322/101498.
> TL;DR: OP_RETURN is cheaper for data smaller than 143 bytes. I don't think
> this is sufficient reason not to drop the limit.
>
> we *could have* reserved multi-output as some sort of signaling mechanism
> [..] though I can't imagine what that would be. Additional OP_RETURNs would
> be an expensive signal.
>
> Exactly, and it's not like we would be running out of upgrade hooks
> anytime soon.
> On Friday, April 18th, 2025 at 8:54 AM, Greg Sanders <gsand...@gmail•com>
> wrote:
>
> > From perusing the Citrea paper (page 18) it seems a single output is
> enough, and they only need 144 bytes.
>
> From discussion in person it seems as though they could adapt their use to
> batch publish these transactions as SIGHASH_SINGLE|ACP transactions, with
> each output being a 144-byte OP_RETURN. It's a less pressing issue perhaps,
> but if we can derive additional efficiency and don't want to revisit this
> conversation again later, may be worth doing.
>
> The only drawback I can see to the second step would be that we *could
> have* reserved multi-output as some sort of signaling mechanism since it's
> previously not relayable on Bitcoin Core, even with knob fiddling, though I
> can't imagine what that would be. Additional OP_RETURNs would be an
> expensive signal.
>
> Greg
>
> On Friday, April 18, 2025 at 8:16:00 AM UTC-4 Sjors Provoost wrote:
>
>>
>> > Op 17 apr 2025, om 20:52 heeft 'Antoine Poinsot' via Bitcoin
>> Development Mailing List <bitco...@googlegroups•com> het volgende
>> geschreven:
>>
>> > Developers are now designing constructions that work around these
>> limitations. An example is Clementine, the recently-announced Citrea
>> bridge, which uses unspendable Taproot outputs to store data in its
>> "WatchtowerChallenge" transaction due to the standardness restrictions on
>> the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years
>> that the nudge is ineffective to deter storing data onchain.
>> >
>> > Since the restrictions on the usage of OP_RETURN outputs encourage
>> harmful practices while being ineffective in deterring unwanted usage, i
>> propose to drop them. I suggest to start by lifting the restriction on the
>> size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to
>> stop encouraging harmful behaviour, and to then proceed to lift the
>> restriction on the number of OP_RETURN outputs per transactions.
>>
>> It might be better to do both, if only to avoid repeating the discussion
>> in a year.
>>
>> From perusing the Citrea paper (page 18) it seems a single output is
>> enough, and they only need 144 bytes.
>>
>> 1. Regarding size
>>
>> The current ~80 byte limit was based on Counterparty needing it [0], and
>> otherwise using bare multisig. A similar argument would apply here. At the
>> time there was discussion about how much space Counterparty really needed
>> if their protocol was well implemented.
>>
>> The 144 bytes consist of a Groth16 proof and the total chain work. Along
>> similar lines we could pick a number based on various cryptographic
>> commitment schemes, and then only raise the limit by that much.
>>
>> But that just guarantees repeating the argument in a year when some
>> protocol needs a slightly higher limit. In a post-inscription world that
>> seems pointless. My preference is to drop the size limit entirely.
>>
>> 2. Regarding count
>>
>> IIUC there's no consensus limit on the size of an OP_RETURN [1] and
>> there's also no standardness rule on the size of a scriptPubKey. The size
>> of a single OP_RETURN is limited only by the maximum transaction size, i.e.
>> 100 kvB.
>>
>> Without a size restriction on individual OP_RETURN outputs, there's no
>> point in limiting their number.
>>
>> That said, it would be interesting to know if any protocols are thinking
>> of using multiple OP_RETURN outputs.
>>
>> 3. Reminder why we didn't do this earlier
>>
>> In the August 2023 discussion [2] Murch wrote, in response to John Light:
>>
>> >> is there ever a case where using OP_RETURN to embed data actually
>> results in fewer bytes onchain than embedding the same data using the
>> segwit/taproot witness space
>> >
>> > Yes, a back-of-the-envelope calculation has me thinking that only
>> payloads of 135 bytes would be cheaper with transcriptions than with
>> nulldata outputs. In detail:
>> [...]
>> > we learn that nulldata outputs are cheaper up to a payload size of 134
>> bytes, only above that inscriptions become a more blockspace efficient data
>> carrier.
>>
>> Since we're discussing raising the limit to at least 144 bytes, the above
>> argument would no longer be relevant.
>>
>> And from what I recall at the time that was the only remaining reason to
>> keep the OP_RETURN restrictions around a bit longer, despite heavy use of
>> inscriptions.
>>
>> 4. PS - on liveliness assumptions
>>
>> The paper [3] states the following assumption:
>>
>> > We consider a secure ledger, i.e., a ledger that is safe and live.
>> Safety and liveness are defined as follows:
>> >
>> > ...
>> >
>> > Definition 2 (Liveness). A distributed ledger protocol is live with
>> liveness parameter u if all transactions written by any correct party at
>> round r, appear in the ledgers of all correct parties by round r + u.
>>
>> For standard transactions this already not trivially true. See all of
>> Lightning pinning discussions.
>>
>> For non-standard transactions, does BitVM2 keep all its transactions
>> under 100 kvB?
>>
>> Otherwise your liveness assumption requires a direct connection to at
>> least one miner / pool that is trusted to not censor (though you can shop
>> around until the deadline).
>>
>> Conversely, having actively used protocols that frequently require going
>> over some standardises limit puts pressure on that limit for the reasons
>> Antoine outlined. So for anyone working on such protocols, please let this
>> list know, since these discussions can take a while.
>>
>> - Sjors
>>
>> [0]
>> https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/?rdt=53592
>> <https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/>
>> [1] https://bitcoin.stackexchange.com/a/117595/4948
>> [2] https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607...@murch.one/#t
>> <https://gnusha.org/pi/bitcoindev/03551f0f-272e-2607-e95a-8ec671cbb9f3@murch.one/#t>
>> (click on the html attachment)
>> [3] https://citrea.xyz/clementine_whitepaper.pdf
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+...@googlegroups•com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/b51b952c-b8ba-4f13-a216-c29095c39d00n%40googlegroups.com
> .
>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/0fe3d145-826b-4c0b-a420-fa683a2a34a7n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 14639 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-17 18:52 [bitcoindev] Relax OP_RETURN standardness restrictions 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-04-18 12:03 ` Sjors Provoost
@ 2025-04-20 8:43 ` Peter Todd
2025-04-26 9:50 ` Luke Dashjr
2 siblings, 0 replies; 12+ messages in thread
From: Peter Todd @ 2025-04-20 8:43 UTC (permalink / raw)
To: Antoine Poinsot; +Cc: Bitcoin Development Mailing List
[-- Attachment #1: Type: text/plain, Size: 2108 bytes --]
On Thu, Apr 17, 2025 at 06:52:34PM +0000, 'Antoine Poinsot' via Bitcoin Development Mailing List wrote:
> Hi,
>
> Standardness rules exist for 3 mains reasons: mitigate DoS vectors, provide upgrade hooks, or as a nudge to deter some usages.
>
> Bitcoin Core will by default only relay and mine transactions with at most a single OP_RETURN output, with a scriptPubKey no larger than 83 bytes. This standardness rule falls into the third category: it aims to mildly deter data storage while still allowing a less harmful alternative than using non-provably-unspendable outputs.
>
> Developers are now designing constructions that work around these limitations. An example is Clementine, the recently-announced Citrea bridge, which uses unspendable Taproot outputs to store data in its "WatchtowerChallenge" transaction due to the standardness restrictions on the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent years that the nudge is ineffective to deter storing data onchain.
>
> Since the restrictions on the usage of OP_RETURN outputs encourage harmful practices while being ineffective in deterring unwanted usage, i propose to drop them. I suggest to start by lifting the restriction on the size of the scriptPubKey for OP_RETURN outputs, as a first minimal step to stop encouraging harmful behaviour, and to then proceed to lift the restriction on the number of OP_RETURN outputs per transactions.
I would suggest removing both limits at the same time.
While multiple OP_Return outputs are more expensive than a single one
for the same amount of total data. In some cases they're necessary for
technical reasons, e.g. if signing with SIGHASH_SINGLE.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aASzwkFfGFBYudK_%40petertodd.org.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-17 18:52 [bitcoindev] Relax OP_RETURN standardness restrictions 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-04-18 12:03 ` Sjors Provoost
2025-04-20 8:43 ` Peter Todd
@ 2025-04-26 9:50 ` Luke Dashjr
2025-04-26 10:53 ` Sjors Provoost
2 siblings, 1 reply; 12+ messages in thread
From: Luke Dashjr @ 2025-04-26 9:50 UTC (permalink / raw)
To: bitcoindev
[-- Attachment #1: Type: text/plain, Size: 3142 bytes --]
It should be needless to say, but this idea is utter insanity.
Disappointing to see positive responses, and not one sensible reply
calling it out yet. The bugs should be fixed, not the abuse embraced. If
attackers continue to bypass filters, we can go back to a full whitelist
approach. We're now 2+ years into this wave of attacks, and the damage
it has already done should be more than enough to prove the hands-off
attitude is not viable. Am I the only one left on this list who actually
cares about Bitcoin's survival?
On 4/17/25 14:52, 'Antoine Poinsot' via Bitcoin Development Mailing List
wrote:
> Hi,
>
> Standardness rules exist for 3 mains reasons: mitigate DoS vectors,
> provide upgrade hooks, or as a nudge to deter some usages.
>
> Bitcoin Core will by default only relay and mine transactions with at
> most a single OP_RETURN output, with a scriptPubKey no larger than 83
> bytes. This standardness rule falls into the third category: it aims
> to mildly deter data storage while still allowing a less harmful
> alternative than using non-provably-unspendable outputs.
>
> Developers are now designing constructions that work around these
> limitations. An example is Clementine, the recently-announced Citrea
> bridge, which uses unspendable Taproot outputs to store data in its
> "WatchtowerChallenge" transaction due to the standardness restrictions
> on the size of OP_RETURNs[^0]. Meanwhile, we have witnessed in recent
> years that the nudge is ineffective to deter storing data onchain.
>
> Since the restrictions on the usage of OP_RETURN outputs encourage
> harmful practices while being ineffective in deterring unwanted usage,
> i propose to drop them. I suggest to start by lifting the restriction
> on the size of the scriptPubKey for OP_RETURN outputs, as a first
> minimal step to stop encouraging harmful behaviour, and to then
> proceed to lift the restriction on the number of OP_RETURN outputs per
> transactions.
>
> Antoine Poinsot
>
> [^0]: See section 6.1 of their whitepaper here
> https://citrea.xyz/clementine_whitepaper.pdf
> --
> You received this message because you are subscribed to the Google
> Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to bitcoindev+unsubscribe@googlegroups•com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/rhfyCHr4RfaEalbfGejVdolYCVWIyf84PT2062DQbs5-eU8BPYty5sGyvI3hKeRZQtVC7rn_ugjUWFnWCymz9e9Chbn7FjWJePllFhZRKYk%3D%40protonmail.com
> <https://groups.google.com/d/msgid/bitcoindev/rhfyCHr4RfaEalbfGejVdolYCVWIyf84PT2062DQbs5-eU8BPYty5sGyvI3hKeRZQtVC7rn_ugjUWFnWCymz9e9Chbn7FjWJePllFhZRKYk%3D%40protonmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/03be4934-f0ff-4b58-880d-861d63a4f970%40dashjr.org.
[-- Attachment #2: Type: text/html, Size: 5065 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-26 9:50 ` Luke Dashjr
@ 2025-04-26 10:53 ` Sjors Provoost
2025-04-26 11:35 ` Luke Dashjr
0 siblings, 1 reply; 12+ messages in thread
From: Sjors Provoost @ 2025-04-26 10:53 UTC (permalink / raw)
To: bitcoindev; +Cc: Luke Dashjr
[-- Attachment #1: Type: text/plain, Size: 2810 bytes --]
Op 26 apr 2025, om 11:50 heeft Luke Dashjr <luke@dashjr•org> het volgende geschreven:
> It should be needless to say, but this idea is utter insanity. Disappointing to see positive responses, and not one sensible reply calling it out yet. The bugs should be fixed, not the abuse embraced. If attackers continue to bypass filters, we can go back to a full whitelist approach.
>
Are you proposing a whitelist of authorised public keys? Or a transaction size increase?
Your earlier proposal [0] to whitelist certain script forms is not relevant here, because the Citrea white paper uses unspendable public keys to encode the data that doesn't fit in OP_RETURN.
To stop that, you'd have to introduce a rule that only allows spendable public keys to be put on chain. Afaik, the only way to do that is to require a signature. That would dramatically increase the size of all output scripts.
And that won't fix "spam" either, because you can still grind the first N bits of every public key and/signature, maybe encode things in the nonce, etc.
The cost of that would be trivial for a bridge system. And "art" systems mightly actually like the extra scarcity.
As for your earlier proposals (Ordisrespector, etc), they were not useful in general, because they rely too heavily on having standardness rules go against financial incentives. Only consensus changes can work, but so far you haven't proposed those. Since "spam" is a cat-and-mouse game, and consensus changes take ages to design, implement and roll out, it's also not a viable solution.
Increasing the OP_RETURN limit reduces harm compared to the two alternatives:
1. UTXO set bloating with fake public keys
2. Large scale bypassing of the (default) mempool, which leads to
a) compact block relay failures (mempool fragmentation)
b) centralisation
Custom-but-public relay networks like Libre Relay don't cause (2b), but (likely) do cause (2a). So it's not good if Bitcoin Core default policy heavily incentives such an alternative network. That's one reason why -mempoolfullrbf is now a default.
You're also not specifying what problem you're trying to solve. Nor what "damage" is done. If blocks are too big in your opinion, then why not simply propose a block size decrease (again)? I would not expect meaningful support for that either, but at least it's simple.
- Sjors
[0] https://github.com/bitcoin/bitcoin/issues/29187
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CEB83B34-6C5B-469E-9914-20940F27EEC0%40sprovoost.nl.
[-- Attachment #2: Type: text/html, Size: 3720 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-26 10:53 ` Sjors Provoost
@ 2025-04-26 11:35 ` Luke Dashjr
2025-04-26 11:45 ` Sjors Provoost
2025-04-26 12:48 ` Pieter Wuille
0 siblings, 2 replies; 12+ messages in thread
From: Luke Dashjr @ 2025-04-26 11:35 UTC (permalink / raw)
To: Sjors Provoost, bitcoindev
On 4/26/25 06:53, Sjors Provoost wrote:
>
> Op 26 apr 2025, om 11:50 heeft Luke Dashjr <luke@dashjr•org> het
> volgende geschreven:
>>
>> It should be needless to say, but this idea is utter insanity.
>> Disappointing to see positive responses, and not one sensible reply
>> calling it out yet. The bugs should be fixed, not the abuse embraced.
>> If attackers continue to bypass filters, we can go back to a full
>> whitelist approach.
>>
> Are you proposing a whitelist of authorised public keys?
Scripts, of course, not specific keys. Just like we had early on. But
that is only necessary if the simpler filter steps are insufficient,
which is unlikely.
> Your earlier proposal [0] to whitelist certain script forms is not
> relevant here, because the Citrea white paper uses unspendable public
> keys to encode the data that doesn't fit in OP_RETURN.
>
> To stop that, you'd have to introduce a rule that only allows
> spendable public keys to be put on chain. Afaik, the only way to do
> that is to require a signature. That would dramatically increase the
> size of all output scripts.
Only during flood relay. They don't need to be included in blocks. Even
a softfork, should it become necessary, could potentially get away with
pruning them after being buried a certain depth.
> And that won't fix "spam" either, because you can still grind the
> first N bits of every public key and/signature, maybe encode things in
> the nonce, etc.
It's sufficient to make spam unwelcome and costly. No spam filtration
solution needs to be perfect. Every little bit helps.
> As for your earlier proposals (Ordisrespector, etc), they were not
> useful in general, because they rely too heavily on having
> standardness rules go against financial incentives. Only consensus
> changes can work, but so far you haven't proposed those.
That's nonsense. They were and continue to be very effective, even with
only a small amount of adoption. Further, mining centralization and
pools denying miners options has been the biggest barrier to that
adoption. There is no significant financial impact either, that's just
FUD; miners using the fixed and improved spam filters have in fact
earned significantly more than miners using Core.
> Since "spam" is a cat-and-mouse game, and consensus changes take ages
> to design, implement and roll out, it's also not a viable solution.
It would be a pain, but it is definitely viable. Thankfully, policy
works just fine for spam filtration, and can be adapted much quicker.
> Increasing the OP_RETURN limit reduces harm compared to the two
> alternatives:
> 1. UTXO set bloating with fake public keys
> 2. Large scale bypassing of the (default) mempool, which leads to
> a) compact block relay failures (mempool fragmentation)
The entire reason compact blocks were acceptable, is that miners are
incentivized to conform to non-miner node policies. Now you're trying to
bait-and-switch it to nodes conforming to malicious miner policies instead.
> b) centralisation
No, this is more FUD.
> Custom-but-public relay networks like Libre Relay don't cause (2b),
> but (likely) do cause (2a). So it's not good if Bitcoin Core default
> policy heavily incentives such an alternative network. That's one
> reason why -mempoolfullrbf is now a default.
>
> You're also not specifying what problem you're trying to solve. Nor
> what "damage" is done. If blocks are too big in your opinion, then why
> not simply propose a block size decrease (again)? I would not expect
> meaningful support for that either, but at least it's simple.
>
> - Sjors
>
> [0] https://github.com/bitcoin/bitcoin/issues/29187
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/d18b4149-5523-44bd-8332-2b7962f4b674%40dashjr.org.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-26 11:35 ` Luke Dashjr
@ 2025-04-26 11:45 ` Sjors Provoost
2025-04-26 12:48 ` Pieter Wuille
1 sibling, 0 replies; 12+ messages in thread
From: Sjors Provoost @ 2025-04-26 11:45 UTC (permalink / raw)
To: Luke Dashjr, 'Bitcoin Development Mailing List'
> >> As for your earlier proposals (Ordisrespector, etc), they were not
>> useful in general, because they rely too heavily on having
>> standardness rules go against financial incentives. Only consensus
>> changes can work, but so far you haven't proposed those.
>
> That's nonsense. They were and continue to be very effective, even with
> only a small amount of adoption.
Further, mining centralization and
> pools denying miners options has been the biggest barrier to that
> adoption. There is no significant financial impact either, that's just
> FUD; miners using the fixed and improved spam filters have in fact
> earned significantly more than miners using Core.
I'll reply to your arguments when Ocean Pool reorgs a competitor block with inscriptions in it.
- Sjors
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/f348e4bf-ccc4-48e3-9745-ac72b1b131f5%40app.fastmail.com.
^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: [bitcoindev] Relax OP_RETURN standardness restrictions
2025-04-26 11:35 ` Luke Dashjr
2025-04-26 11:45 ` Sjors Provoost
@ 2025-04-26 12:48 ` Pieter Wuille
1 sibling, 0 replies; 12+ messages in thread
From: Pieter Wuille @ 2025-04-26 12:48 UTC (permalink / raw)
To: Luke Dashjr; +Cc: Sjors Provoost, bitcoindev
On Saturday, April 26th, 2025 at 7:45 AM, Luke Dashjr <luke@dashjr•org> wrote:
> That's nonsense. They were and continue to be very effective, even with
> only a small amount of adoption. Further, mining centralization and
Standardness rules have definitely been effective in the past, if we go far enough back in time. But back then:
* There were far less financial incentives to bypass them. Standardness adds inconvenience to people developing infrastructure on top, which can nudge in another direction. But I don't see how million-dollar (or more) business incentives would be thwarted by the need to communicate with miners directly (see below). These incentives will only increase as the subsidy dwindles.
* There was far more reason for rules of this kind; the network was small and far less valuable, and there were significant concerns about increased node operation cost with a quickly-growing blockchain. With blocks consistently full for most of the time for years now, even at times without so-called "spam", that concern just does not exist; nodes will be processing the same amount of transaction data anyway. I think I share Luke's feelings around non-financially-relevant transactions on-chain, but given sufficient demand for block space anyway, there just is no need to discriminate.
> pools denying miners options has been the biggest barrier to that
> adoption. There is no significant financial impact either, that's just
> FUD; miners using the fixed and improved spam filters have in fact
> earned significantly more than miners using Core.
I am doubtful of this claim, and would like to see evidence of it.
> It would be a pain, but it is definitely viable. Thankfully, policy
> works just fine for spam filtration, and can be adapted much quicker.
Nobody is required to adopt policy, and I think you're burying your head in the sand if you believe even in a world with more decentralized hashpower, miners/hashers would voluntarily choose to disregard transactions that pay a significant fee, if the potential gains from accepting them exceed the cost of building infrastructure to bypass whatever policy exists.
Bitcoin users do have a means to deny usage of the chain to truly damaging use: consensus changes. Those are not optional, apply to everyone equally, do not create incentives for bypass, and - and I believe that is a good thing - can only be adopted with very wide agreement.
> > b) centralisation
>
> No, this is more FUD.
The **entire** reason why Bitcoin uses PoW, as opposed to using a traditional consensus system with a federation of block-builders, is to avoid censorship. If anyone dislikes the choices current miners make in what transactions they accept, they can - without asking anyone for permission - join the set of miners, and earn a proportional piece of the pie. While it is the case that today mining power is quite concentrated in a number of businesses, the set of such businesses can, and has, changed over time. This is a very valuable property.
Part of the puzzle to make that permissionlessness of mining work is access to fee-paying transactions from the public. If sufficient economic demand exist for transactions that the public network denies, miners and creators of such transaction will develop transaction rails that bypass that network.
If it comes to a point where that economic demand is so high that miners need to rely on private transaction rails to realistically compete, I feel we'd be giving up on one of the most valuable properties the network has. I realize this is a slipstreamery-slope argument, but it is already happening, and once the rails are ubiquitous, it will be very hard to go back to a public network.
---
Because of all these reasons, Concept ACK on relaxing the OP_RETURN limits, including removing them entirely. I have been a strong proponent of these limits in the past, and I'm not happy with seeing the demand for those transactions. But I also recognize the reality that that demand exists, and the alternative of pushing that demand to bypass the public network is far more damaging.
I will add that I am not in favor of relaxing many other standardness rules in Bitcoin Core, such as transaction sizes and other resource limitations. These have significant impact on the public's ability to verify and relay transactions, and reason about incentive compatibility while doing so. Significant and sustained economic demand for such transactions may at some point too mean the policy needs to be revised to avoid an even worse outcome, but I'm hopeful that is not the case. However, these arguments do not apply to OP_RETURN limits, which don't serve an objective harm reduction beyond a subjective "that isn't what you should be using the chain for".
--
Pieter
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/QMywWcEgJgWmiQzASR17Dt42oLGgG-t3bkf0vzGemDVNVnvVaD64eM34nOQHlBLv8nDmeBEyTXvBUkM2hZEfjwMTrzzoLl1_62MYPz8ZThs%3D%40wuille.net.
^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2025-04-26 12:51 UTC | newest]
Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-04-17 18:52 [bitcoindev] Relax OP_RETURN standardness restrictions 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-04-18 12:03 ` Sjors Provoost
2025-04-18 12:54 ` Greg Sanders
2025-04-18 13:06 ` Vojtěch Strnad
2025-04-18 13:29 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-04-18 21:34 ` Antoine Riard
2025-04-20 8:43 ` Peter Todd
2025-04-26 9:50 ` Luke Dashjr
2025-04-26 10:53 ` Sjors Provoost
2025-04-26 11:35 ` Luke Dashjr
2025-04-26 11:45 ` Sjors Provoost
2025-04-26 12:48 ` Pieter Wuille
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox