From: Mark Friedenbach <mark@friedenbach•org>
To: Johnson Lau <jl2012@xbt•hk>
Cc: bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Merkle branch verification & tail-call semantics for generalized MAST
Date: Tue, 12 Sep 2017 12:57:10 -0700 [thread overview]
Message-ID: <61D84B62-0F3F-48E1-B749-F628AD91BC12@friedenbach.org> (raw)
In-Reply-To: <DA22C531-2FAE-4332-B158-A3F96BF34002@xbt.hk>
On Sep 12, 2017, at 1:55 AM, Johnson Lau <jl2012@xbt•hk> wrote:
> This is ugly and actually broken, as different script path may
> require different number of stack items, so you don't know how many
> OP_TOALTSTACK do you need. Easier to just use a new witness version
DEPTH makes this relatively easy to do. Just repeat the following for
the maximum number of stack elements that might be used:
DEPTH 1SUB IF SWAP TOALTSTACK ENDIF
There are probably more compact alternatives.
Using a new script version is easier, but not faster. There's a number
of things that might be fixed in a v1 upgrade, and various design
decisions to sort out regarding specification of a witness version
(version in the witness rather than the scriptPubKey).
Tree signatures and MAST are immediately useful to many services,
however, and I would hate to delay usage by six months to a year or
more by serializing dependencies instead of doing them in parallel.
> Otherwise, one could attack relay and mining nodes by sending many
> small size txs with many sigops, forcing them to validate, and
> discard due to insufficient fees.
>
> Technically it might be ok if we commit the total validation cost
> (sigop + hashop + whatever) as the first witness stack item
That is what I'm suggesting. And yes, there are changes that would
have to be made to the p2p layer and transaction processing to handle
this safely. I'm arguing that the cost of doing so is worth it, and a
better path forward.
> Without the limit I think we would be DoS-ed to dead
4MB of secp256k1 signatures takes 10s to validate on my 5 year old
laptop (125,000 signatures, ignoring public keys and other things that
would consume space). That's much less than bad blocks that can be
constructed using other vulnerabilities.
> So to make it functionally comparable with your proposal, the
> IsMSV0Stack() function is not needed. The new 249-254 lines in
> interpreter.cpp could be removed. The new 1480-1519 lines could be
> replaced by a few lines copied from the existing P2WSH code. I can
> make a minimal version if you want to see how it looks like
That's alright, I don't think it's necessary to purposefully restrict
one to compare them head to head with the same features. They are
different proposals with different pros and cons.
Kind regards,
Mark Friedenbach
next prev parent reply other threads:[~2017-09-12 19:57 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-07 0:38 Mark Friedenbach
2017-09-08 9:21 ` Johnson Lau
2017-09-12 2:03 ` Mark Friedenbach
2017-09-12 2:13 ` Bryan Bishop
2017-09-12 8:55 ` Johnson Lau
2017-09-12 19:57 ` Mark Friedenbach [this message]
2017-09-12 23:27 ` Karl Johan Alm
2017-09-13 9:41 ` Peter Todd
2017-09-11 20:37 ` Adán Sánchez de Pedro Crespo
2017-09-19 0:46 ` Mark Friedenbach
2017-09-19 3:09 ` [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST) Luke Dashjr
2017-09-19 7:33 ` Mark Friedenbach
2017-09-22 20:32 ` Sergio Demian Lerner
2017-09-22 21:11 ` Mark Friedenbach
2017-09-22 21:32 ` Sergio Demian Lerner
2017-09-22 21:39 ` Mark Friedenbach
2017-09-22 21:54 ` Sergio Demian Lerner
2017-09-22 22:07 ` Mark Friedenbach
2017-09-22 22:09 ` Pieter Wuille
2021-04-09 8:15 ` [bitcoin-dev] maximum block height on transaction Erik Aronesty
2021-04-09 11:39 ` Russell O'Connor
2021-04-09 15:54 ` Jeremy
2021-04-12 20:04 ` Billy Tetrud
2021-04-16 4:24 ` ZmnSCPxj
2021-05-03 2:30 ` ZmnSCPxj
2017-09-20 5:13 ` [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST) Johnson Lau
2017-09-20 19:29 ` Mark Friedenbach
2017-09-21 3:58 ` Johnson Lau
2017-09-21 4:11 ` Luke Dashjr
2017-09-21 8:02 ` Johnson Lau
2017-09-21 16:33 ` Luke Dashjr
2017-09-21 17:38 ` Johnson Lau
2017-09-30 23:23 ` [bitcoin-dev] Merkle branch verification & tail-call semantics for generalized MAST Luke Dashjr
2017-09-30 23:51 ` Mark Friedenbach
2017-10-02 17:15 ` Russell O'Connor
2017-10-28 4:40 ` Mark Friedenbach
2017-11-01 8:43 ` Luke Dashjr
2017-11-01 15:08 ` Mark Friedenbach
2017-11-04 7:59 ` Luke Dashjr
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=61D84B62-0F3F-48E1-B749-F628AD91BC12@friedenbach.org \
--to=mark@friedenbach$(echo .)org \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=jl2012@xbt$(echo .)hk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox