On Fri, Jan 8, 2016 at 2:54 AM, Gavin Andresen via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> I'm saying we can eliminate one somewhat unlikely attack (that there is a
> bug in the code or test cases, today or some future version, that has to
> decide what to do with "version 0" versus "version 1" witness programs) by
> accepting the risk of another insanely, extremely unlikely attack.

Ok, just having one witness program version now is a somewhat different proposal. It would be simpler for sure. The reasoning was that you'd need this to not add significant overhead to small scripts, but that may not be the case anymore. I wouldn't mind seeing numbers.

> My proposal would be to just do a version 0 witness program now, that is
> RIPEMD160(SHA256(script)).

I don't think that is wise. Bitcoin has a 128-bit security target for everything else. We did not know that P2SH and similar constructs were vulnerable to a collision attack at the time, but now we do, so the obvious choice is to pick a size that is sufficiently large to maintain the 128-bit security target. This is a no brainer to me; we're not proposing switching to a 160-bit EC curve either, right?

> I'm really disappointed with the "Here's the spec, take it or leave it"
> attitude. What's the point of having a BIP process if the discussion just
> comes down to "We think more is better. We don't care what you think."

It is a proposal and we are discussing it. You first brought up some criticisms in private, and I agreed with several things you said.

But it remains the proposal of a few people including me, and I do not agree with the specific suggestion of reducing the security target for witness scripts to 80 bits.

We are not deciding what the system will be. We're making a proposal, and hope that due to its technical merit, the ecosystem will adopt it. You're free to participate in that discussion.

--
Pieter