On Tue, Sep 12, 2017 at 3:57 PM, Mark Friedenbach via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>
> 4MB of secp256k1 signatures takes 10s to validate on my 5 year old
> laptop (125,000 signatures, ignoring public keys and other things that
> would consume space). That's much less than bad blocks that can be
> constructed using other vulnerabilities.


If there were no sigops limits, I believe the worst case block could have
closer to 1,000,000 CHECKSIG operations.  Signature checks are cached so
while repeating the sequence "2DUP CHECKSIGVERIFY" does create a lot of
checksig operations, the cached values prevent a lot of work being done.

To defeat the cache one can repeat the sequence "2DUP CHECKSIG DROP
CODESEPARATOR", which will create unique signature validation requests
every 4 bytes.