public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Mark Friedenbach <mark@friedenbach•org>
To: Luke Dashjr <luke@dashjr•org>
Cc: bitcoin-dev@lists•linuxfoundation.org
Subject: Re: [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST)
Date: Tue, 19 Sep 2017 00:33:54 -0700	[thread overview]
Message-ID: <CAA2B000-6C54-4AD7-B931-43C99D615A61@friedenbach.org> (raw)
In-Reply-To: <201709190309.08669.luke@dashjr.org>


> On Sep 18, 2017, at 8:09 PM, Luke Dashjr <luke@dashjr•org> wrote:
> 
> On Tuesday 19 September 2017 12:46:30 AM Mark Friedenbach via bitcoin-dev 
> wrote:
>> After the main discussion session it was observed that tail-call semantics
>> could still be maintained if the alt stack is used for transferring
>> arguments to the policy script.
> 
> Isn't this a bug in the cleanstack rule?

Well in the sense that "cleanstack" doesn't do what it says, sure.

However cleanstack was introduced as a consensus rule to prevent a
possible denial of service vulnerability where a third party could
intercept any* transaction broadcast and arbitrarily add data to the
witness stack, since witness data is not covered by a checksig.

Cleanstack as-is accomplishes this because any extra items on the
stack would pass through all realistic scripts, remaining on the stack
and thereby violating the rule. There is no reason to prohibit extra
items on the altstack as those items can only arrive there
purposefully as an action of the script itself, not a third party
malleation of witness data. You could of course use DEPTH to write a
script that takes a variable number of parameters and sends them to
the altstack. Such a script would be malleable if those extra
parameters are not used. But that is predicated on the script being
specifically written in such a way as to be vulnerable; why protect
against that?

There are other solutions to this problem that could have been taken
instead, such as committing to the number of items or maximum size of
the stack as part of the sighash data, but cleanstack was the approach
taken. Arguably for a future script version upgrade one of these other
approaches should be taken to allow for shorter tail-call scripts.

Mark

* Well, almost any. You could end the script with DEPTH EQUAL and that
  is a compact way of ensuring the stack is clean (assuming the script
  finished with just "true" on the stack). Nobody does this however
  and burning two witness bytes of every redeem script going forward
  as a protective measure seems like an unnecessary ask.


  reply	other threads:[~2017-09-19  7:33 UTC|newest]

Thread overview: 39+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-07  0:38 [bitcoin-dev] Merkle branch verification & tail-call semantics for generalized MAST Mark Friedenbach
2017-09-08  9:21 ` Johnson Lau
2017-09-12  2:03   ` Mark Friedenbach
2017-09-12  2:13     ` Bryan Bishop
2017-09-12  8:55     ` Johnson Lau
2017-09-12 19:57       ` Mark Friedenbach
2017-09-12 23:27         ` Karl Johan Alm
2017-09-13  9:41           ` Peter Todd
2017-09-11 20:37 ` Adán Sánchez de Pedro Crespo
2017-09-19  0:46 ` Mark Friedenbach
2017-09-19  3:09   ` [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST) Luke Dashjr
2017-09-19  7:33     ` Mark Friedenbach [this message]
2017-09-22 20:32       ` Sergio Demian Lerner
2017-09-22 21:11         ` Mark Friedenbach
2017-09-22 21:32           ` Sergio Demian Lerner
2017-09-22 21:39             ` Mark Friedenbach
2017-09-22 21:54               ` Sergio Demian Lerner
2017-09-22 22:07                 ` Mark Friedenbach
2017-09-22 22:09                 ` Pieter Wuille
2021-04-09  8:15                   ` [bitcoin-dev] maximum block height on transaction Erik Aronesty
2021-04-09 11:39                     ` Russell O'Connor
2021-04-09 15:54                       ` Jeremy
2021-04-12 20:04                         ` Billy Tetrud
2021-04-16  4:24                           ` ZmnSCPxj
2021-05-03  2:30                             ` ZmnSCPxj
2017-09-20  5:13     ` [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST) Johnson Lau
2017-09-20 19:29       ` Mark Friedenbach
2017-09-21  3:58         ` Johnson Lau
2017-09-21  4:11       ` Luke Dashjr
2017-09-21  8:02         ` Johnson Lau
2017-09-21 16:33           ` Luke Dashjr
2017-09-21 17:38             ` Johnson Lau
2017-09-30 23:23 ` [bitcoin-dev] Merkle branch verification & tail-call semantics for generalized MAST Luke Dashjr
2017-09-30 23:51   ` Mark Friedenbach
2017-10-02 17:15     ` Russell O'Connor
2017-10-28  4:40 ` Mark Friedenbach
2017-11-01  8:43   ` Luke Dashjr
2017-11-01 15:08     ` Mark Friedenbach
2017-11-04  7:59       ` Luke Dashjr

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAA2B000-6C54-4AD7-B931-43C99D615A61@friedenbach.org \
    --to=mark@friedenbach$(echo .)org \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=luke@dashjr$(echo .)org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox