* [bitcoindev] Consensus Cleanup BIP draft
@ 2025-03-26 17:14 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-03-27 10:46 ` Chris Stewart
0 siblings, 1 reply; 10+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2025-03-26 17:14 UTC (permalink / raw)
To: Bitcoin Development Mailing List
Hi everyone,
About two months ago i shared an update on this list about my (and others', really) work on the
Consensus Cleanup [0]. I am now ready to share a BIP draft for a Consensus Cleanup soft fork.
The BIP draft can be found here: https://github.com/darosior/bips/blob/consensus_cleanup/bip-cc.md
It includes the following fixes:
- a restriction on the timestamp of the first and last blocks of a difficulty adjustment period to
address the Timewarp and Murch-Zawy attacks;
- a limit on the number of legacy signature operations that may be executed in validating a single
transaction to address long block validation times;
- making 64 bytes transactions invalid to address weaknesses in the block Merkle tree construction;
- mandating coinbase transactions be timelocked to their block height to prevent future transaction
duplication without resorting to BIP30 validation.
This BIP draws on the 2019 Great Consensus Cleanup proposal from Matt Corallo [1]. A number of
people contributed ideas, testing, data or useful discussions. This includes Ava Chow, Matt Corallo,
Mark Erhardt, Brian Groll, David A. Harding, Sjors Provoost, Anthony Towns, Greg Sanders, Chris
Stewart, Eric Voskuil, @0xb10c and others.
Antoine Poinsot
[0] https://gnusha.org/pi/bitcoindev/jiyMlvTX8BnG71f75SqChQZxyhZDQ65kldcugeIDJVJsvK4hadCO3GT46xFc7_cUlWdmOCG0B_WIz0HAO5ZugqYTuX5qxnNLRBn3MopuATI=@protonmail.com
[1] https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197d3eabe661050c2/bip-XXXX.mediawiki
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/uDAujRxk4oWnEGYX9lBD3e0V7a4V4Pd-c4-2QVybSZNcfJj5a6IbO6fCM_xEQEpBvQeOT8eIi1r91iKFIveeLIxfNMzDys77HUcbl7Zne4g%3D%40protonmail.com.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-26 17:14 [bitcoindev] Consensus Cleanup BIP draft 'Antoine Poinsot' via Bitcoin Development Mailing List
@ 2025-03-27 10:46 ` Chris Stewart
2025-03-27 19:05 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
0 siblings, 1 reply; 10+ messages in thread
From: Chris Stewart @ 2025-03-27 10:46 UTC (permalink / raw)
To: Antoine Poinsot; +Cc: Bitcoin Development Mailing List
[-- Attachment #1: Type: text/plain, Size: 4545 bytes --]
Hi Antoine,
First off, concept ACK. My concerns are procedural rather than objections
to the individual security fixes themselves.
The "Great Consensus Cleanup" is a fantastic brand for communicating these
protocol changes to non-technical users. However, since this is a technical
forum and we are producing BIPs intended for technical audiences, I believe
we should document these changes in separate BIPs.
The proposed security fixes are largely unrelated from a technical
standpoint:
1.
Timewarp attack mitigation
2.
Worst-case block validation constraints
3.
Disallowing 64-byte transactions
4.
Avoiding duplicate transactions
We should absolutely retain the "Great Consensus Cleanup" branding while
independently documenting each security enhancement.
A common concern I’ve heard about splitting this BIP is that deploying soft
forks is difficult, so all changes should be bundled together. While soft
fork deployment is indeed challenging, we've successfully activated
multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143
in Segwit, as well as BIP341, BIP342, and BIP343 in Taproot. If the
community reaches consensus, we can still deploy all these changes
together, even if they are documented separately.
This approach also provides flexibility: if one of the proposed changes
turns out to be controversial, we could remove it without holding up the
rest of the improvements. Additionally, once these fixes are deployed,
there will likely be significant research and documentation to incorporate,
and maintaining independent BIPs will make it easier to manage that growth.
I do see merit in implementing all the security fixes in a single PR for
Bitcoin Core. More active contributors to the project may have stronger
opinions on the best approach there.
-Chris
------------------------------
On Wed, Mar 26, 2025 at 1:23 PM 'Antoine Poinsot' via Bitcoin Development
Mailing List <bitcoindev@googlegroups.com> wrote:
> Hi everyone,
>
> About two months ago i shared an update on this list about my (and
> others', really) work on the
> Consensus Cleanup [0]. I am now ready to share a BIP draft for a Consensus
> Cleanup soft fork.
>
> The BIP draft can be found here:
> https://github.com/darosior/bips/blob/consensus_cleanup/bip-cc.md
>
> It includes the following fixes:
> - a restriction on the timestamp of the first and last blocks of a
> difficulty adjustment period to
> address the Timewarp and Murch-Zawy attacks;
> - a limit on the number of legacy signature operations that may be
> executed in validating a single
> transaction to address long block validation times;
> - making 64 bytes transactions invalid to address weaknesses in the block
> Merkle tree construction;
> - mandating coinbase transactions be timelocked to their block height to
> prevent future transaction
> duplication without resorting to BIP30 validation.
>
> This BIP draws on the 2019 Great Consensus Cleanup proposal from Matt
> Corallo [1]. A number of
> people contributed ideas, testing, data or useful discussions. This
> includes Ava Chow, Matt Corallo,
> Mark Erhardt, Brian Groll, David A. Harding, Sjors Provoost, Anthony
> Towns, Greg Sanders, Chris
> Stewart, Eric Voskuil, @0xb10c and others.
>
> Antoine Poinsot
>
> [0]
> https://gnusha.org/pi/bitcoindev/jiyMlvTX8BnG71f75SqChQZxyhZDQ65kldcugeIDJVJsvK4hadCO3GT46xFc7_cUlWdmOCG0B_WIz0HAO5ZugqYTuX5qxnNLRBn3MopuATI=@protonmail.com
> [1]
> https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197d3eabe661050c2/bip-XXXX.mediawiki
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups•com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/uDAujRxk4oWnEGYX9lBD3e0V7a4V4Pd-c4-2QVybSZNcfJj5a6IbO6fCM_xEQEpBvQeOT8eIi1r91iKFIveeLIxfNMzDys77HUcbl7Zne4g%3D%40protonmail.com
> .
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAGL6%2BmFQqTS21cQZ_aU%3DhXtMaKkw5ygAk2PT9hQpdB4THz9X_A%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 6218 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-27 10:46 ` Chris Stewart
@ 2025-03-27 19:05 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-03-27 20:45 ` jeremy
0 siblings, 1 reply; 10+ messages in thread
From: 'Antoine Poinsot' via Bitcoin Development Mailing List @ 2025-03-27 19:05 UTC (permalink / raw)
To: Chris Stewart; +Cc: Bitcoin Development Mailing List
[-- Attachment #1: Type: text/plain, Size: 6445 bytes --]
Hi Chris,
As i already explained on this very list 2 months ago [0], i don't find the argument for splitting my BIP convincing. On the contrary i think it would be counterproductive as it would create more churn, invite bikeshedding and overall impede progress on this proposal.
> we've successfully activated multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143 in Segwit, as well as BIP341, BIP342, and BIP343 in Taproot.
Those BIPs had much more content to them. The specifications of the Consensus Cleanup is trivial in comparison: they fit in less than a dozen lines of text when described in details. Splitting them in 4 different BIPs with a single or a couple lines of specifications would just introduce unnecessary overhead.
> if one of the proposed changes turns out to be controversial, we could remove it without holding up the rest of the improvements.
First of all, i do not expect to remove any of the mitigations from the BIP at this stage. The fact that each of these mitigations was researched and discussed at length by multiple people over the past year gives me confidence to move forward with every single one of those. Otherwise i would not have proposed this BIP in the first place.
Now, even if somehow we should drop one of the mitigations from the proposal, having them in separate BIPs does not make that any easier.
> More active contributors to the project may have stronger opinions on the best approach there.
Yes.
Best,
Antoine
[0] https://gnusha.org/pi/bitcoindev/mm_NvE4votqtjm455I3AmdrLOTzwgfFpqbtbFFNy0Zf2PywGt220MXfn76it60q_kbnS9Rw97cv6XzqogNgQMfIXi6-HdOnamw7tUrMtmXc=@protonmail.com
On Thursday, March 27th, 2025 at 6:46 AM, Chris Stewart <stewart.chris1234@gmail•com> wrote:
> Hi Antoine,
>
> First off, concept ACK. My concerns are procedural rather than objections to the individual security fixes themselves.
>
> The "Great Consensus Cleanup" is a fantastic brand for communicating these protocol changes to non-technical users. However, since this is a technical forum and we are producing BIPs intended for technical audiences, I believe we should document these changes in separate BIPs.
>
> The proposed security fixes are largely unrelated from a technical standpoint:
>
> -
>
> Timewarp attack mitigation
>
> -
>
> Worst-case block validation constraints
>
> -
>
> Disallowing 64-byte transactions
>
> -
>
> Avoiding duplicate transactions
>
> We should absolutely retain the "Great Consensus Cleanup" branding while independently documenting each security enhancement.
>
> A common concern I’ve heard about splitting this BIP is that deploying soft forks is difficult, so all changes should be bundled together. While soft fork deployment is indeed challenging, we've successfully activated multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143 in Segwit, as well as BIP341, BIP342, and BIP343 in Taproot. If the community reaches consensus, we can still deploy all these changes together, even if they are documented separately.
>
> This approach also provides flexibility: if one of the proposed changes turns out to be controversial, we could remove it without holding up the rest of the improvements. Additionally, once these fixes are deployed, there will likely be significant research and documentation to incorporate, and maintaining independent BIPs will make it easier to manage that growth.
>
> I do see merit in implementing all the security fixes in a single PR for Bitcoin Core. More active contributors to the project may have stronger opinions on the best approach there.
>
> -Chris
>
> ---------------------------------------------------------------
>
> On Wed, Mar 26, 2025 at 1:23 PM 'Antoine Poinsot' via Bitcoin Development Mailing List <bitcoindev@googlegroups.com> wrote:
>
>> Hi everyone,
>>
>> About two months ago i shared an update on this list about my (and others', really) work on the
>> Consensus Cleanup [0]. I am now ready to share a BIP draft for a Consensus Cleanup soft fork.
>>
>> The BIP draft can be found here: https://github.com/darosior/bips/blob/consensus_cleanup/bip-cc.md
>>
>> It includes the following fixes:
>> - a restriction on the timestamp of the first and last blocks of a difficulty adjustment period to
>> address the Timewarp and Murch-Zawy attacks;
>> - a limit on the number of legacy signature operations that may be executed in validating a single
>> transaction to address long block validation times;
>> - making 64 bytes transactions invalid to address weaknesses in the block Merkle tree construction;
>> - mandating coinbase transactions be timelocked to their block height to prevent future transaction
>> duplication without resorting to BIP30 validation.
>>
>> This BIP draws on the 2019 Great Consensus Cleanup proposal from Matt Corallo [1]. A number of
>> people contributed ideas, testing, data or useful discussions. This includes Ava Chow, Matt Corallo,
>> Mark Erhardt, Brian Groll, David A. Harding, Sjors Provoost, Anthony Towns, Greg Sanders, Chris
>> Stewart, Eric Voskuil, @0xb10c and others.
>>
>> Antoine Poinsot
>>
>> [0] https://gnusha.org/pi/bitcoindev/jiyMlvTX8BnG71f75SqChQZxyhZDQ65kldcugeIDJVJsvK4hadCO3GT46xFc7_cUlWdmOCG0B_WIz0HAO5ZugqYTuX5qxnNLRBn3MopuATI=@protonmail.com
>> [1] https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197d3eabe661050c2/bip-XXXX.mediawiki
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [bitcoindev+unsubscribe@googlegroups.com](mailto:bitcoindev%2Bunsubscribe@googlegroups•com).
>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/uDAujRxk4oWnEGYX9lBD3e0V7a4V4Pd-c4-2QVybSZNcfJj5a6IbO6fCM_xEQEpBvQeOT8eIi1r91iKFIveeLIxfNMzDys77HUcbl7Zne4g%3D%40protonmail.com.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/TD8gP8PKw3th-0DrZznBXrXFILRkwr66wVRoiPC2di_e-NivCRKVjooVZIh7JJSV_C9rJEkKTvudWSG8CJsq16jPhQBjM0eVmPe8rir50Y4%3D%40protonmail.com.
[-- Attachment #2: Type: text/html, Size: 10448 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-27 19:05 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
@ 2025-03-27 20:45 ` jeremy
2025-03-28 9:23 ` Sjors Provoost
2025-03-28 19:53 ` eric
0 siblings, 2 replies; 10+ messages in thread
From: jeremy @ 2025-03-27 20:45 UTC (permalink / raw)
To: Bitcoin Development Mailing List
[-- Attachment #1.1: Type: text/plain, Size: 8039 bytes --]
> First of all, i do not expect to remove any of the mitigations from the
BIP at this stage. The fact that each of these mitigations was researched
and discussed at length by multiple people over the past year gives me
confidence to move forward with every single one of those. Otherwise i
would not have proposed this BIP in the first place.
I'd recommend taking a much more flexible mindset at this stage. The set of
eyeballs you get at a pre-BIP and BIP stage, and the level of attention are
very different, and this type of messaging is very discouraging for someone
with expertise to care to put review in v.s. disregarding the effort as
non-constructive.
Critically:
In your "discussed at length" proposal, you failed to realize that there
were indeed 64 byte transactions on-chain until it was pointed out to you 7
days ago.
You also include a hack using coinbase nSequence -- have you bothered to
talk to anyone in the mining business how they feel about that? Are you
sure no ASIC in the wild don't hardcode a field that never needed to be set
before?
I'm also personally strongly against removing 64-byte transactions. It's a
wart in how transactions work, and future upgrades (especially around tx
programmability) might integrate very poorly with this kind of edge
condition.
regards,
Jeremy
On Thursday, March 27, 2025 at 3:36:13 PM UTC-4 Antoine Poinsot wrote:
> Hi Chris,
>
> As i already explained on this very list 2 months ago [0], i don't find
> the argument for splitting my BIP convincing. On the contrary i think it
> would be counterproductive as it would create more churn, invite
> bikeshedding and overall impede progress on this proposal.
>
> we've successfully activated multiple BIPs within a single soft fork in
> the past—e.g., BIP141 and BIP143 in Segwit, as well as BIP341, BIP342, and
> BIP343 in Taproot.
>
>
> Those BIPs had much more content to them. The specifications of the
> Consensus Cleanup is trivial in comparison: they fit in less than a dozen
> lines of text when described in details. Splitting them in 4 different BIPs
> with a single or a couple lines of specifications would just introduce
> unnecessary overhead.
>
> if one of the proposed changes turns out to be controversial, we could
> remove it without holding up the rest of the improvements.
>
>
> First of all, i do not expect to remove any of the mitigations from the
> BIP at this stage. The fact that each of these mitigations was researched
> and discussed at length by multiple people over the past year gives me
> confidence to move forward with every single one of those. Otherwise i
> would not have proposed this BIP in the first place.
>
> Now, even if somehow we should drop one of the mitigations from the
> proposal, having them in separate BIPs does not make that any easier.
>
> More active contributors to the project may have stronger opinions on the
> best approach there.
>
>
> Yes.
>
> Best,
> Antoine
>
> [0]
> https://gnusha.org/pi/bitcoindev/mm_NvE4votqtjm455I3AmdrLOTzwgfFpqbtbFFNy0Zf2PywGt220MXfn76it60q_kbnS9Rw97cv6XzqogNgQMfIXi6-HdOnamw7tUrMtmXc=@protonmail.com
> On Thursday, March 27th, 2025 at 6:46 AM, Chris Stewart <
> stewart....@gmail•com> wrote:
>
> Hi Antoine,
>
> First off, concept ACK. My concerns are procedural rather than objections
> to the individual security fixes themselves.
>
> The "Great Consensus Cleanup" is a fantastic brand for communicating these
> protocol changes to non-technical users. However, since this is a technical
> forum and we are producing BIPs intended for technical audiences, I believe
> we should document these changes in separate BIPs.
>
> The proposed security fixes are largely unrelated from a technical
> standpoint:
>
> 1.
>
> Timewarp attack mitigation
> 2.
>
> Worst-case block validation constraints
> 3.
>
> Disallowing 64-byte transactions
> 4.
>
> Avoiding duplicate transactions
>
> We should absolutely retain the "Great Consensus Cleanup" branding while
> independently documenting each security enhancement.
>
> A common concern I’ve heard about splitting this BIP is that deploying
> soft forks is difficult, so all changes should be bundled together. While
> soft fork deployment is indeed challenging, we've successfully activated
> multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143
> in Segwit, as well as BIP341, BIP342, and BIP343 in Taproot. If the
> community reaches consensus, we can still deploy all these changes
> together, even if they are documented separately.
>
> This approach also provides flexibility: if one of the proposed changes
> turns out to be controversial, we could remove it without holding up the
> rest of the improvements. Additionally, once these fixes are deployed,
> there will likely be significant research and documentation to incorporate,
> and maintaining independent BIPs will make it easier to manage that growth.
>
> I do see merit in implementing all the security fixes in a single PR for
> Bitcoin Core. More active contributors to the project may have stronger
> opinions on the best approach there.
>
> -Chris
> ------------------------------
>
>
>
>
> On Wed, Mar 26, 2025 at 1:23 PM 'Antoine Poinsot' via Bitcoin Development
> Mailing List <bitco...@googlegroups•com> wrote:
>
>> Hi everyone,
>>
>> About two months ago i shared an update on this list about my (and
>> others', really) work on the
>> Consensus Cleanup [0]. I am now ready to share a BIP draft for a
>> Consensus Cleanup soft fork.
>>
>> The BIP draft can be found here:
>> https://github.com/darosior/bips/blob/consensus_cleanup/bip-cc.md
>>
>> It includes the following fixes:
>> - a restriction on the timestamp of the first and last blocks of a
>> difficulty adjustment period to
>> address the Timewarp and Murch-Zawy attacks;
>> - a limit on the number of legacy signature operations that may be
>> executed in validating a single
>> transaction to address long block validation times;
>> - making 64 bytes transactions invalid to address weaknesses in the block
>> Merkle tree construction;
>> - mandating coinbase transactions be timelocked to their block height to
>> prevent future transaction
>> duplication without resorting to BIP30 validation.
>>
>> This BIP draws on the 2019 Great Consensus Cleanup proposal from Matt
>> Corallo [1]. A number of
>> people contributed ideas, testing, data or useful discussions. This
>> includes Ava Chow, Matt Corallo,
>> Mark Erhardt, Brian Groll, David A. Harding, Sjors Provoost, Anthony
>> Towns, Greg Sanders, Chris
>> Stewart, Eric Voskuil, @0xb10c and others.
>>
>> Antoine Poinsot
>>
>> [0]
>> https://gnusha.org/pi/bitcoindev/jiyMlvTX8BnG71f75SqChQZxyhZDQ65kldcugeIDJVJsvK4hadCO3GT46xFc7_cUlWdmOCG0B_WIz0HAO5ZugqYTuX5qxnNLRBn3MopuATI=@protonmail.com
>> [1]
>> https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197d3eabe661050c2/bip-XXXX.mediawiki
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Bitcoin Development Mailing List" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to bitcoindev+...@googlegroups•com.
>> To view this discussion visit
>> https://groups.google.com/d/msgid/bitcoindev/uDAujRxk4oWnEGYX9lBD3e0V7a4V4Pd-c4-2QVybSZNcfJj5a6IbO6fCM_xEQEpBvQeOT8eIi1r91iKFIveeLIxfNMzDys77HUcbl7Zne4g%3D%40protonmail.com
>> .
>>
>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/afedbc69-8042-4fe8-99c2-279173a440f3n%40googlegroups.com.
[-- Attachment #1.2: Type: text/html, Size: 13928 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-27 20:45 ` jeremy
@ 2025-03-28 9:23 ` Sjors Provoost
2025-03-28 11:02 ` Chris Stewart
2025-03-28 19:53 ` eric
1 sibling, 1 reply; 10+ messages in thread
From: Sjors Provoost @ 2025-03-28 9:23 UTC (permalink / raw)
To: Bitcoin Development Mailing List; +Cc: jeremy
> Op 27 mrt 2025, om 21:45 heeft jeremy <jeremy.l.rubin@gmail•com> het volgende geschreven:
>
> I'm also personally strongly against removing 64-byte transactions. It's a wart in how transactions work, and future upgrades (especially around tx programmability) might integrate very poorly with this kind of edge condition.
Do you have an example in mind where a 64-byte transaction could appear in such a system?
Given the limited space, in particular no room for a public key or signature, I could imagine a burn or anyone-can-spend clause. Those don't have to be exactly 64 bytes. Even if 64 byte transactions are generated by accident, I believe they can be tweaked after the fact (though that claim could use more scrutiny):
https://bitcoin.stackexchange.com/q/125971/4948
If we grant that any smart contract system has to engineer around this "ward", we should also consider how much engineering effort is saved in other smart contract systems by having simpler SPV proofs.
Imo the real ward is the originally broken Merkle tree design. That has required a bunch of engineering all over the place to compensate. Afaik it can only be truly fixed with a hard fork. This seems to be as good as it gets with a soft fork.
- Sjors
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/17A67D4A-3EF4-4676-8356-B1DE6B0C2D8D%40sprovoost.nl.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-28 9:23 ` Sjors Provoost
@ 2025-03-28 11:02 ` Chris Stewart
2025-03-28 12:48 ` Sjors Provoost
0 siblings, 1 reply; 10+ messages in thread
From: Chris Stewart @ 2025-03-28 11:02 UTC (permalink / raw)
To: Sjors Provoost; +Cc: Bitcoin Development Mailing List, jeremy
[-- Attachment #1: Type: text/plain, Size: 2997 bytes --]
Hi Sjors,
An example is any segwit transaction that 1 input 1 output that pays to a 2
byte witness program. Since witness data doesn't count towards the 64 byte
limit, the witness could be of arbitrary size. This was pointed out
<https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/74?u=chris_stewart_5>
by garlonicon <https://delvingbitcoin.org/u/garlonicon> on delvingbitcoin.
This type of witness program is used for pay-to-anchor outputs currently -
although I don't believe anchor outputs make sense in a 1 input 1 output
transaction? The author of pay to anchor outputs is aware of this issue
<https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/78?u=chris_stewart_5>,
but I haven't heard of any further updates since his post on delving.
-Chris
On Fri, Mar 28, 2025 at 4:25 AM Sjors Provoost <sjors@sprovoost•nl> wrote:
>
> > Op 27 mrt 2025, om 21:45 heeft jeremy <jeremy.l.rubin@gmail•com> het
> volgende geschreven:
> >
> > I'm also personally strongly against removing 64-byte transactions. It's
> a wart in how transactions work, and future upgrades (especially around tx
> programmability) might integrate very poorly with this kind of edge
> condition.
>
> Do you have an example in mind where a 64-byte transaction could appear in
> such a system?
>
> Given the limited space, in particular no room for a public key or
> signature, I could imagine a burn or anyone-can-spend clause. Those don't
> have to be exactly 64 bytes. Even if 64 byte transactions are generated by
> accident, I believe they can be tweaked after the fact (though that claim
> could use more scrutiny):
>
> https://bitcoin.stackexchange.com/q/125971/4948
>
> If we grant that any smart contract system has to engineer around this
> "ward", we should also consider how much engineering effort is saved in
> other smart contract systems by having simpler SPV proofs.
>
> Imo the real ward is the originally broken Merkle tree design. That has
> required a bunch of engineering all over the place to compensate. Afaik it
> can only be truly fixed with a hard fork. This seems to be as good as it
> gets with a soft fork.
>
> - Sjors
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups•com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/17A67D4A-3EF4-4676-8356-B1DE6B0C2D8D%40sprovoost.nl
> .
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAGL6%2BmE8JQGJErgJH03sz8Nzo%2Bwkgx74jgFWp7hFT0MuHiPg_g%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 4240 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-28 11:02 ` Chris Stewart
@ 2025-03-28 12:48 ` Sjors Provoost
2025-03-28 13:54 ` Chris Stewart
0 siblings, 1 reply; 10+ messages in thread
From: Sjors Provoost @ 2025-03-28 12:48 UTC (permalink / raw)
To: Chris Stewart; +Cc: Bitcoin Development Mailing List, jeremy
[-- Attachment #1: Type: text/plain, Size: 2892 bytes --]
Hi Chris,
Thanks for that example.
I also realised that there indeed can exist 64 byte transactions that can't be malleated into a different size (see Stack Exchange link below). The example uses SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, so as long as our hypothetical smart contracting system uses those flags for its burn-all / giveaway-all clauses, then if it produces a 64 byte transaction by mistake, it's recoverable.
But a SIGHASH_ALL could get stuck (can't be confirmed, can't be modified). And IIUC with OP_CTV even a SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, once committed inside a CTV tree, can't be modified.
- Sjors
> Op 28 mrt 2025, om 12:02 heeft Chris Stewart <stewart.chris1234@gmail•com> het volgende geschreven:
>
> Hi Sjors,
>
> An example is any segwit transaction that 1 input 1 output that pays to a 2 byte witness program. Since witness data doesn't count towards the 64 byte limit, the witness could be of arbitrary size. This was pointed out <https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/74?u=chris_stewart_5> by garlonicon <https://delvingbitcoin.org/u/garlonicon> on delvingbitcoin. This type of witness program is used for pay-to-anchor outputs currently - although I don't believe anchor outputs make sense in a 1 input 1 output transaction? The author of pay to anchor outputs is aware of this issue <https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/78?u=chris_stewart_5>, but I haven't heard of any further updates since his post on delving.
>
> -Chris
>
> On Fri, Mar 28, 2025 at 4:25 AM Sjors Provoost <sjors@sprovoost•nl <mailto:sjors@sprovoost•nl>> wrote:
>>
>> > Op 27 mrt 2025, om 21:45 heeft jeremy <jeremy.l.rubin@gmail•com <mailto:jeremy.l.rubin@gmail•com>> het volgende geschreven:
>> >
>> > I'm also personally strongly against removing 64-byte transactions. It's a wart in how transactions work, and future upgrades (especially around tx programmability) might integrate very poorly with this kind of edge condition.
>>
>> Do you have an example in mind where a 64-byte transaction could appear in such a system?
>>
>> Given the limited space, in particular no room for a public key or signature, I could imagine a burn or anyone-can-spend clause. Those don't have to be exactly 64 bytes. Even if 64 byte transactions are generated by accident, I believe they can be tweaked after the fact (though that claim could use more scrutiny):
>>
>> https://bitcoin.stackexchange.com/q/125971/4948
>>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/80010585-E209-4042-B6F6-5B7DC6675247%40sprovoost.nl.
[-- Attachment #2: Type: text/html, Size: 4209 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-28 12:48 ` Sjors Provoost
@ 2025-03-28 13:54 ` Chris Stewart
2025-03-28 14:07 ` Sjors Provoost
0 siblings, 1 reply; 10+ messages in thread
From: Chris Stewart @ 2025-03-28 13:54 UTC (permalink / raw)
To: Sjors Provoost; +Cc: Bitcoin Development Mailing List, jeremy
[-- Attachment #1: Type: text/plain, Size: 4179 bytes --]
*Hi Sjors,*
Sorry to be a bit pedantic here, but I think this distinction is important.
Are you referring to a pre-SegWit transaction or a SegWit transaction? It’s
crucial to analyze these separately, as SegWit was designed to solve
transaction malleability, which affects how we assess backward
compatibility concerns when disallowing 64-byte transactions.
In the future, it would be helpful to explicitly specify “pre-segwit” or
“segwit” when discussing potential transactions. In my draft BIP
<https://github.com/bitcoin/bips/blob/a3d12410d3e3361932e44f34f8420331cf5f9b59/bip-XXXX.mediawiki#backward-compatibility>,
I differentiate between these two types when evaluating the backward
compatibility risks of disallowing 64-byte transactions. Additionally, as I
mentioned earlier (and as I believe Jeremy has also raised concerns about),
there are potential *future* compatibility issues with segwit transactions.
I'll take a closer look at the Stack Exchange examples and share my
thoughts there when I have a bit of time.
Thanks for diving into this in detail—I really appreciate it.
*- Chris*
On Fri, Mar 28, 2025 at 7:48 AM Sjors Provoost <sjors@sprovoost•nl> wrote:
> Hi Chris,
>
> Thanks for that example.
>
> I also realised that there indeed can exist 64 byte transactions that
> can't be malleated into a different size (see Stack Exchange link below).
> The example uses SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, so as long as our
> hypothetical smart contracting system uses those flags for its burn-all /
> giveaway-all clauses, then if it produces a 64 byte transaction by mistake,
> it's recoverable.
>
> But a SIGHASH_ALL could get stuck (can't be confirmed, can't be modified).
> And IIUC with OP_CTV even a SIGHASH_SINGLE | SIGHASH_ANYONECANPAY, once
> committed inside a CTV tree, can't be modified.
>
> - Sjors
>
> Op 28 mrt 2025, om 12:02 heeft Chris Stewart <stewart.chris1234@gmail•com>
> het volgende geschreven:
>
> Hi Sjors,
>
> An example is any segwit transaction that 1 input 1 output that pays to a
> 2 byte witness program. Since witness data doesn't count towards the 64
> byte limit, the witness could be of arbitrary size. This was pointed out
> <https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/74?u=chris_stewart_5>
> by garlonicon <https://delvingbitcoin.org/u/garlonicon> on
> delvingbitcoin. This type of witness program is used for pay-to-anchor
> outputs currently - although I don't believe anchor outputs make sense in a
> 1 input 1 output transaction? The author of pay to anchor outputs is aware
> of this issue
> <https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/78?u=chris_stewart_5>,
> but I haven't heard of any further updates since his post on delving.
>
> -Chris
>
> On Fri, Mar 28, 2025 at 4:25 AM Sjors Provoost <sjors@sprovoost•nl> wrote:
>
>>
>> > Op 27 mrt 2025, om 21:45 heeft jeremy <jeremy.l.rubin@gmail•com> het
>> volgende geschreven:
>> >
>> > I'm also personally strongly against removing 64-byte transactions.
>> It's a wart in how transactions work, and future upgrades (especially
>> around tx programmability) might integrate very poorly with this kind of
>> edge condition.
>>
>> Do you have an example in mind where a 64-byte transaction could appear
>> in such a system?
>>
>> Given the limited space, in particular no room for a public key or
>> signature, I could imagine a burn or anyone-can-spend clause. Those don't
>> have to be exactly 64 bytes. Even if 64 byte transactions are generated by
>> accident, I believe they can be tweaked after the fact (though that claim
>> could use more scrutiny):
>>
>> https://bitcoin.stackexchange.com/q/125971/4948
>>
>>
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAGL6%2BmHuVgWc9ATjRnBz%2Bb7SJyz84La8q9jeM%3Dyiw-Anh%3Da3ag%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 5742 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [bitcoindev] Consensus Cleanup BIP draft
2025-03-28 13:54 ` Chris Stewart
@ 2025-03-28 14:07 ` Sjors Provoost
0 siblings, 0 replies; 10+ messages in thread
From: Sjors Provoost @ 2025-03-28 14:07 UTC (permalink / raw)
To: Chris Stewart; +Cc: Bitcoin Development Mailing List, jeremy
Hi Chris,
Sorry for the confusion. I meant SegWit.
I believe that 64 byte pre-SegWit transactions are always malleable, because there's no space for a signature in the scriptSig. But with SegWit the scriptSig is empty, there could a SIGHASH_ALL signature in the witness.
- Sjors
> Op 28 mrt 2025, om 14:54 heeft Chris Stewart <stewart.chris1234@gmail•com> het volgende geschreven:
>
> Hi Sjors,
> Sorry to be a bit pedantic here, but I think this distinction is important. Are you referring to a pre-SegWit transaction or a SegWit transaction? It’s crucial to analyze these separately, as SegWit was designed to solve transaction malleability, which affects how we assess backward compatibility concerns when disallowing 64-byte transactions.
> In the future, it would be helpful to explicitly specify “pre-segwit” or “segwit” when discussing potential transactions. In my draft BIP, I differentiate between these two types when evaluating the backward compatibility risks of disallowing 64-byte transactions. Additionally, as I mentioned earlier (and as I believe Jeremy has also raised concerns about), there are potential future compatibility issues with segwit transactions.
> I'll take a closer look at the Stack Exchange examples and share my thoughts there when I have a bit of time.
>
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/8DCD4B60-F1BA-46C4-8594-5CAFB9540128%40sprovoost.nl.
^ permalink raw reply [flat|nested] 10+ messages in thread
* RE: [bitcoindev] Consensus Cleanup BIP draft
2025-03-27 20:45 ` jeremy
2025-03-28 9:23 ` Sjors Provoost
@ 2025-03-28 19:53 ` eric
1 sibling, 0 replies; 10+ messages in thread
From: eric @ 2025-03-28 19:53 UTC (permalink / raw)
To: 'jeremy', 'Bitcoin Development Mailing List'
Hi Jeremy,
> I'm also personally strongly against removing 64-byte transactions. It's a wart
> in how transactions work, and future upgrades (especially around tx
> programmability) might integrate very poorly with this kind of edge condition.
I tend to agree. This kind of discontinuity always comes back to bite eventually. That concern should not be dismissed so casually.
But more to the point, it does not solve any of the problems that were originally provided as justification, apart from making it slightly simpler to implement an SPV wallet (no need to get the coinbase tx). This was discussed at very great length here and on delving by myself and others, and I believe that it was fully accepted that the only justification is this SPV question. There are no issues of security or performance for any code, and not even a code simplification for a node. It's a new consensus rule that creates this discontinuity - only to make an SPV wallet very slightly easier to implement. There is no other benefit whatsoever. I want to emphasize this because in the discussion it still seems that people may be holding on to the idea that it provides some other benefit - it doesn't. If people agree that this is a worthwhile trade, I'm not going to lose any sleep over it. But I don't like seeing arguments about consensus being based on implementation details - especially when they are flawed. It feels very much to me that this is what got this issue going (the several rejected arguments about node performance and simplification), and may be in part what's still driving it.
I ACK the single activation concept, but don't accept that a rule should be deployed that would not stand on its own justification.
Also, I do appreciate the work that Antoine and others have done on the set of issues overall.
Best,
Eric
> On Thursday, March 27, 2025 at 3:36:13 PM UTC-4 Antoine Poinsot wrote:
>
>
> Hi Chris,
>
> As i already explained on this very list 2 months ago [0], i don't find
> the argument for splitting my BIP convincing. On the contrary i think it would
> be counterproductive as it would create more churn, invite bikeshedding and
> overall impede progress on this proposal.
>
>
> we've successfully activated multiple BIPs within a single soft
> fork in the past—e.g., BIP141 and BIP143 in Segwit, as well as BIP341,
> BIP342, and BIP343 in Taproot.
>
>
>
> Those BIPs had much more content to them. The specifications of the
> Consensus Cleanup is trivial in comparison: they fit in less than a dozen lines of
> text when described in details. Splitting them in 4 different BIPs with a single or
> a couple lines of specifications would just introduce unnecessary overhead.
>
>
> if one of the proposed changes turns out to be controversial,
> we could remove it without holding up the rest of the improvements.
>
>
>
> First of all, i do not expect to remove any of the mitigations from the
> BIP at this stage. The fact that each of these mitigations was researched and
> discussed at length by multiple people over the past year gives me confidence
> to move forward with every single one of those. Otherwise i would not have
> proposed this BIP in the first place.
>
> Now, even if somehow we should drop one of the mitigations from
> the proposal, having them in separate BIPs does not make that any easier.
>
>
> More active contributors to the project may have stronger
> opinions on the best approach there.
>
>
>
> Yes.
>
> Best,
> Antoine
>
>
> [0]
> https://gnusha.org/pi/bitcoindev/mm_NvE4votqtjm455I3AmdrLOTzwgfFpq
> btbFFNy0Zf2PywGt220MXfn76it60q_kbnS9Rw97cv6XzqogNgQMfIXi6-
> HdOnamw7tUrMtmXc=@protonmail•com
>
> On Thursday, March 27th, 2025 at 6:46 AM, Chris Stewart
> <stewart....@gmail•com> wrote:
>
>
> Hi Antoine,
>
> First off, concept ACK. My concerns are procedural rather than
> objections to the individual security fixes themselves.
>
> The "Great Consensus Cleanup" is a fantastic brand for
> communicating these protocol changes to non-technical users. However, since
> this is a technical forum and we are producing BIPs intended for technical
> audiences, I believe we should document these changes in separate BIPs.
>
> The proposed security fixes are largely unrelated from a
> technical standpoint:
>
> 1. Timewarp attack mitigation
>
> 2. Worst-case block validation constraints
>
> 3. Disallowing 64-byte transactions
>
> 4. Avoiding duplicate transactions
>
> We should absolutely retain the "Great Consensus Cleanup"
> branding while independently documenting each security enhancement.
>
> A common concern I’ve heard about splitting this BIP is that
> deploying soft forks is difficult, so all changes should be bundled together.
> While soft fork deployment is indeed challenging, we've successfully activated
> multiple BIPs within a single soft fork in the past—e.g., BIP141 and BIP143 in
> Segwit, as well as BIP341, BIP342, and BIP343 in Taproot. If the community
> reaches consensus, we can still deploy all these changes together, even if they
> are documented separately.
>
> This approach also provides flexibility: if one of the proposed
> changes turns out to be controversial, we could remove it without holding up
> the rest of the improvements. Additionally, once these fixes are deployed,
> there will likely be significant research and documentation to incorporate, and
> maintaining independent BIPs will make it easier to manage that growth.
>
> I do see merit in implementing all the security fixes in a single
> PR for Bitcoin Core. More active contributors to the project may have stronger
> opinions on the best approach there.
>
>
>
> -Chris
>
>
> ________________________________
>
>
>
>
>
> On Wed, Mar 26, 2025 at 1:23 PM 'Antoine Poinsot' via
> Bitcoin Development Mailing List <bitco...@googlegroups•com> wrote:
>
>
> Hi everyone,
>
> About two months ago i shared an update on this list
> about my (and others', really) work on the
> Consensus Cleanup [0]. I am now ready to share a BIP
> draft for a Consensus Cleanup soft fork.
>
> The BIP draft can be found here:
> https://github.com/darosior/bips/blob/consensus_cleanup/bip-cc.md
>
> It includes the following fixes:
> - a restriction on the timestamp of the first and last
> blocks of a difficulty adjustment period to
> address the Timewarp and Murch-Zawy attacks;
> - a limit on the number of legacy signature operations
> that may be executed in validating a single
> transaction to address long block validation times;
> - making 64 bytes transactions invalid to address
> weaknesses in the block Merkle tree construction;
> - mandating coinbase transactions be timelocked to
> their block height to prevent future transaction
> duplication without resorting to BIP30 validation.
>
> This BIP draws on the 2019 Great Consensus Cleanup
> proposal from Matt Corallo [1]. A number of
> people contributed ideas, testing, data or useful
> discussions. This includes Ava Chow, Matt Corallo,
> Mark Erhardt, Brian Groll, David A. Harding, Sjors
> Provoost, Anthony Towns, Greg Sanders, Chris
> Stewart, Eric Voskuil, @0xb10c and others.
>
> Antoine Poinsot
>
> [0]
> https://gnusha.org/pi/bitcoindev/jiyMlvTX8BnG71f75SqChQZxyhZDQ65kldc
> ugeIDJVJsvK4hadCO3GT46xFc7_cUlWdmOCG0B_WIz0HAO5ZugqYTuX5qxnN
> LRBn3MopuATI=@protonmail•com
> [1]
> https://github.com/TheBlueMatt/bips/blob/7f9670b643b7c943a0cc6d2197
> d3eabe661050c2/bip-XXXX.mediawiki
>
> --
> You received this message because you are subscribed
> to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving
> emails from it, send an email to bitcoindev+...@googlegroups•com.
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/uDAujRxk4oWnEGYX9lBD3e
> 0V7a4V4Pd-c4-
> 2QVybSZNcfJj5a6IbO6fCM_xEQEpBvQeOT8eIi1r91iKFIveeLIxfNMzDys77HUc
> bl7Zne4g%3D%40protonmail.com.
>
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to bitcoindev+unsubscribe@googlegroups•com
> <mailto:bitcoindev+unsubscribe@googlegroups•com> .
> To view this discussion visit
> https://groups.google.com/d/msgid/bitcoindev/afedbc69-8042-4fe8-99c2-
> 279173a440f3n%40googlegroups.com
> <https://groups.google.com/d/msgid/bitcoindev/afedbc69-8042-4fe8-99c2-
> 279173a440f3n%40googlegroups.com?utm_medium=email&utm_source=fo
> oter> .
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/065901dba01b%242164fff0%24642effd0%24%40voskuil.org.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2025-03-29 0:03 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-03-26 17:14 [bitcoindev] Consensus Cleanup BIP draft 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-03-27 10:46 ` Chris Stewart
2025-03-27 19:05 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-03-27 20:45 ` jeremy
2025-03-28 9:23 ` Sjors Provoost
2025-03-28 11:02 ` Chris Stewart
2025-03-28 12:48 ` Sjors Provoost
2025-03-28 13:54 ` Chris Stewart
2025-03-28 14:07 ` Sjors Provoost
2025-03-28 19:53 ` eric
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox