public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash()
@ 2015-12-29  5:35 Peter Todd
  2015-12-29  7:47 ` jl2012
  0 siblings, 1 reply; 5+ messages in thread
From: Peter Todd @ 2015-12-29  5:35 UTC (permalink / raw)
  To: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 1050 bytes --]

Occured to me that this hasn't been mentioned before...

We can trivially fix the quadratic CHECK(MULTI)SIG execution time issue
by soft-forking in a limitation on just SignatureHash() to only return
true if the tx size is <100KB. (or whatever limit makes sense)

This fix has the advantage over schemes that limit all txs, or try to
count sigops, of being trivial to implement, while still allowing for a
future CHECKSIG2 soft-fork that properly fixes the quadratic hashing
issue; >100KB txs would still be technically allowed, it's just that
(for now) there'd be no way for them to spend coins that are
cryptographically secured.

For example, if we had an issue with a major miner exploiting
slow-to-propagate blocks(1) to harm their competitors, this simple fix
could be deployed as a soft-fork in a matter of days, stopping the
attack quickly.

1) www.mail-archive.com/bitcoin-development@lists•sourceforge.net/msg03200.html

-- 
'peter'[:-1]@petertodd.org
0000000000000000094afcbbad10aa6c82ddd8aad102020e553d50a60b6c678f

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 650 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash()
  2015-12-29  5:35 [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash() Peter Todd
@ 2015-12-29  7:47 ` jl2012
  2015-12-29 12:42   ` Jonathan Toomim
  0 siblings, 1 reply; 5+ messages in thread
From: jl2012 @ 2015-12-29  7:47 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Dev

Do we need to consider that someone may have a timelocked big tx, with 
private key lost?

I think we need to tell people not to do this. Related discussion:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-November/011656.html


Peter Todd via bitcoin-dev 於 2015-12-29 00:35 寫到:
> Occured to me that this hasn't been mentioned before...
> 
> We can trivially fix the quadratic CHECK(MULTI)SIG execution time issue
> by soft-forking in a limitation on just SignatureHash() to only return
> true if the tx size is <100KB. (or whatever limit makes sense)
> 
> This fix has the advantage over schemes that limit all txs, or try to
> count sigops, of being trivial to implement, while still allowing for a
> future CHECKSIG2 soft-fork that properly fixes the quadratic hashing
> issue; >100KB txs would still be technically allowed, it's just that
> (for now) there'd be no way for them to spend coins that are
> cryptographically secured.
> 
> For example, if we had an issue with a major miner exploiting
> slow-to-propagate blocks(1) to harm their competitors, this simple fix
> could be deployed as a soft-fork in a matter of days, stopping the
> attack quickly.
> 
> 1) 
> www.mail-archive.com/bitcoin-development@lists•sourceforge.net/msg03200.html
> 
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash()
  2015-12-29  7:47 ` jl2012
@ 2015-12-29 12:42   ` Jonathan Toomim
  2015-12-29 12:55     ` jl2012
  0 siblings, 1 reply; 5+ messages in thread
From: Jonathan Toomim @ 2015-12-29 12:42 UTC (permalink / raw)
  To: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 593 bytes --]

That sounds like a rather unlikely scenario. Unless you have a specific reason to suspect that might be the case, I think we don't need to worry about it too much. If we announce the intention to perform such a soft fork a couple of months before the soft fork becomes active, and if nobody complains about it destroying their secret stash, then I think that's fair enough and we could proceed.

On Dec 28, 2015, at 11:47 PM, jl2012 via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:

> Do we need to consider that someone may have a timelocked big tx, with private key lost?

[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 496 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash()
  2015-12-29 12:42   ` Jonathan Toomim
@ 2015-12-29 12:55     ` jl2012
  2015-12-29 13:00       ` Jonathan Toomim
  0 siblings, 1 reply; 5+ messages in thread
From: jl2012 @ 2015-12-29 12:55 UTC (permalink / raw)
  To: Jonathan Toomim; +Cc: Bitcoin Dev

What if someone complains? We can't even tell whether a complaint is 
legit or just trolling. That's why I think we need some general 
consensus rules which is not written in code, but as a social contract. 
Breaking those rules would be considered as a hardfork and is allowed 
only in exceptional situation.

Jonathan Toomim via bitcoin-dev 於 2015-12-29 07:42 寫到:
> That sounds like a rather unlikely scenario. Unless you have a
> specific reason to suspect that might be the case, I think we don't
> need to worry about it too much. If we announce the intention to
> perform such a soft fork a couple of months before the soft fork
> becomes active, and if nobody complains about it destroying their
> secret stash, then I think that's fair enough and we could proceed.
> 
> On Dec 28, 2015, at 11:47 PM, jl2012 via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org> wrote:
> 
>> Do we need to consider that someone may have a timelocked big tx, with 
>> private key lost?
> 
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists•linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev



^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash()
  2015-12-29 12:55     ` jl2012
@ 2015-12-29 13:00       ` Jonathan Toomim
  0 siblings, 0 replies; 5+ messages in thread
From: Jonathan Toomim @ 2015-12-29 13:00 UTC (permalink / raw)
  To: jl2012; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 1607 bytes --]

I suggest we use short-circuit evaluation. If someone complains, we figure it out as we go, maybe depending on the nature of the complaint. If nobody complains, we get it done faster.

We're humans. We have the ability to respond to novel conditions without relying on predetermined rules and algorithms. I suggest we use that ability sometimes.

On Dec 29, 2015, at 4:55 AM, jl2012 <jl2012@xbt•hk> wrote:

> What if someone complains? We can't even tell whether a complaint is legit or just trolling. That's why I think we need some general consensus rules which is not written in code, but as a social contract. Breaking those rules would be considered as a hardfork and is allowed only in exceptional situation.
> 
> Jonathan Toomim via bitcoin-dev 於 2015-12-29 07:42 寫到:
>> That sounds like a rather unlikely scenario. Unless you have a
>> specific reason to suspect that might be the case, I think we don't
>> need to worry about it too much. If we announce the intention to
>> perform such a soft fork a couple of months before the soft fork
>> becomes active, and if nobody complains about it destroying their
>> secret stash, then I think that's fair enough and we could proceed.
>> On Dec 28, 2015, at 11:47 PM, jl2012 via bitcoin-dev
>> <bitcoin-dev@lists•linuxfoundation.org> wrote:
>>> Do we need to consider that someone may have a timelocked big tx, with private key lost?
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists•linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> 


[-- Attachment #2: Message signed with OpenPGP using GPGMail --]
[-- Type: application/pgp-signature, Size: 496 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2015-12-29 12:59 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-12-29  5:35 [bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash() Peter Todd
2015-12-29  7:47 ` jl2012
2015-12-29 12:42   ` Jonathan Toomim
2015-12-29 12:55     ` jl2012
2015-12-29 13:00       ` Jonathan Toomim

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox