[bitcoin-dev] [BIP Draft] Allow zero value OP

Discussion:

[bitcoin-dev] [BIP Draft] Allow zero value OP_RETURN in Payment Protocol

Luke Dashjr via bitcoin-dev

2016-01-26 02:24:16 UTC

This is a bad idea. OP_RETURN attachments are tolerated (not encouraged!) for
the sake of the network, since the spam cannot be outright stopped. If it
could be outright stopped, it would not be reasonable to allow OP_RETURN. When
it comes to the payment protocol, however, changing the current behaviour has
literally no benefit to the network at all, and the changes proposed herein
are clearly detrimental since it would both encourage spam, and potentially
make users unwilling (maybe even unaware) participants in it. For these
reasons, *I highly advise against publishing or implementing this BIP, even if
the later mentioned issues are fixed.*

An example might be a merchant that adds the hash of a plain text invoice
to the checkout transaction. The merchant could construct the
PaymentRequest with the invoice hash in an OP_RETURN and pass it to the
customer's wallet. The wallet could then submit the transaction, including
the invoice hash from the PaymentRequest. The wallet will have encoded a
proof of purchase to the blockchain without the wallet developer having to
coordinate with the merchant software or add features beyond this BIP.

Such a "proof" is useless without wallet support. Even if you argue it could
be implemented later on, it stands to reason that a scammer will simply encode
garbage if the wallet is not checking the proof-of-purchase upfront. To check
it, you would also need further protocol extensions which are not included in
this draft.

Merchants and Bitcoin application developers benefit from this BIP because
they can now construct transactions that include OP_RETURN data in a
keyless environment. Again, prior to this BIP, transactions that used
OP_RETURN (with zero value) needed to be constructed and executed in the
same software. By separating the two concerns, this BIP allows merchant
software to create transactions with OP_RETURN metadata on a server without
storing public or private Bitcoin keys. This greatly enhances security
where OP_RETURN applications currently need access to a private key to sign
transactions.

I don't see how this has any relevance to keys at all...

## Specification
The specification for this BIP is straightforward. BIP70 should be fully
1. Outputs where the script is an OP_RETURN and the value is zero should be
accepted by the wallet.
2. Outputs where the script is an OP_RETURN and the value is greater than
zero should be rejected.
This is a change from the BIP70 requirement that all zero value outputs be
ignored.

This does not appear to be backward nor even forward compatible. Old clients
will continue to use the previous behaviour and transparently omit any
commitments. New clients on the other hand will fail to include commitments
produced by old servers. In other words, it is impossible to produce software
compatible with both BIP 70 and this draft, and implementing either would
result in severe consequences.

As it exists today, BIP70 allows for OP_RETURN data storage at the expense
of permanently destroyed Bitcoin.

It is better for the spammers to lose burned bitcoins, than have a way to
avoid them.

Luke

Toby Padilla via bitcoin-dev

2016-01-26 02:54:16 UTC

Permalink

It looks like my draft hasn't been approved by the mailing list so if
anyone would like to read it it's also on Gist:

https://gist.github.com/toby/9e71811d387923a71a53

Luke - As stated in the Github thread, I totally understand where you're
coming from but the fact is people *will* encode data on the blockchain
using worse methods. For all of the reasons that OP_RETURN was a good idea
in the first place, it's a good idea to support it in PaymentRequests.

As for keyless - there's no way (that I know of) to construct a transaction
with a zero value OP_RETURN in an environment without keys since the
Payment Protocol is what defines the method for getting a transaction from
a server to a wallet. You can make a custom transaction and execute it in
the same application but without Payments there's no way to move
transactions between two applications. You need to build the transaction
where you execute it and thus need a key.

Post by Luke Dashjr via bitcoin-dev
This is a bad idea. OP_RETURN attachments are tolerated (not encouraged!) for
the sake of the network, since the spam cannot be outright stopped. If it
could be outright stopped, it would not be reasonable to allow OP_RETURN. When
it comes to the payment protocol, however, changing the current behaviour has
literally no benefit to the network at all, and the changes proposed herein
are clearly detrimental since it would both encourage spam, and potentially
make users unwilling (maybe even unaware) participants in it. For these
reasons, *I highly advise against publishing or implementing this BIP, even if
the later mentioned issues are fixed.*

including

the invoice hash from the PaymentRequest. The wallet will have encoded a
proof of purchase to the blockchain without the wallet developer having

coordinate with the merchant software or add features beyond this BIP.

Merchants and Bitcoin application developers benefit from this BIP

because

they can now construct transactions that include OP_RETURN data in a
keyless environment. Again, prior to this BIP, transactions that used
OP_RETURN (with zero value) needed to be constructed and executed in the
same software. By separating the two concerns, this BIP allows merchant
software to create transactions with OP_RETURN metadata on a server

without

storing public or private Bitcoin keys. This greatly enhances security
where OP_RETURN applications currently need access to a private key to

sign

transactions.

I don't see how this has any relevance to keys at all...

## Specification
The specification for this BIP is straightforward. BIP70 should be fully
1. Outputs where the script is an OP_RETURN and the value is zero should

accepted by the wallet.
2. Outputs where the script is an OP_RETURN and the value is greater than
zero should be rejected.
This is a change from the BIP70 requirement that all zero value outputs

ignored.

As it exists today, BIP70 allows for OP_RETURN data storage at the

expense

of permanently destroyed Bitcoin.

It is better for the spammers to lose burned bitcoins, than have a way to
avoid them.
Luke

Luke Dashjr via bitcoin-dev

2016-01-26 02:56:54 UTC

Permalink

Post by Toby Padilla via bitcoin-dev
Luke - As stated in the Github thread, I totally understand where you're
coming from but the fact is people *will* encode data on the blockchain
using worse methods. For all of the reasons that OP_RETURN was a good idea
in the first place, it's a good idea to support it in PaymentRequests.

As I explained, none of those reasons apply to PaymentRequests.

I have no idea what you are trying to say here.

Luke

Luke Dashjr via bitcoin-dev

2016-01-26 03:04:33 UTC

Permalink

Post by Luke Dashjr via bitcoin-dev
As I explained, none of those reasons apply to PaymentRequests.

As they exist today PaymentRequests allow for essentially the same types of
transactions as non-PaymentRequest based transactions with the limitation
that OP_RETURN values must be greater. In that sense they're basically a
pre-OP_RETURN environment. OP_RETURN serves a purpose and it can't be used
with PaymentRequest transactions.

OP_RETURN can be used, but you need to burn coins. I don't see any benefit to
changing that. It is better that coins are burned.

Post by Luke Dashjr via bitcoin-dev
I have no idea what you are trying to say here.

I think if you think through how you would create an OP_RETURN transaction
today without this BIP you'll see you need a key at some point if you want
a zero value.

You *always* need a key, to redeem inputs... regardless of values.

Luke

Luke Dashjr via bitcoin-dev

2016-01-26 03:12:24 UTC

Permalink

I don't see any benefit to changing that. It is better that coins are
burned.

I think this is our fundamental disagreement. People will burn coins to
encode data, why allow this when there's a better alternative?

My point is that there isn't a better alternative. The coins being burned, is
strictly better than it being gratis.

You *always* need a key, to redeem inputs... regardless of values.

Correct, but with BIP70 that key is in the user's wallet and you can
construct transactions on another machine (thus not needing a key during
construction). Right now there's no way to do the transaction construction
on another machine with zero value OP_RETURNs.

This is also a good thing. Spam should not be made easier or cheaper.

Luke

Luke Dashjr via bitcoin-dev

2016-01-26 03:23:13 UTC

Permalink

I don't think every application of OP_RETURN could be classified as "spam".

Perhaps not, but in this context I cannot think of any non-spam use cases.
Use cases should come before changes to support them.

I also don't think burning the value is going to dissuade anyone from going
down that route. I don't think lost value is better for anyone.

Lost value is better because it has a cost to the spammer, and deflates the
rest of the bitcoins.

Luke

Toby Padilla via bitcoin-dev

2016-01-26 03:30:38 UTC

Permalink

There are already valid use cases for OP_RETURN, it only makes sense to
fully support the feature. The only reason it's not supported now is
because the Payments protocol came before OP_RETURN.

I give one example use case in the BIP. I agree that special wallet support
would make the feature even better, but if someone tried to use Core the
transaction would at least not be rejected.

I've also been exploring this area with key.run (
https://git.playgrub.com/toby/keyrun) and want the functionality for voting
based on aggregate OP_RETURN value. *Not* to store data on the blockchain,
but to associate content pointers with transactions.

I think that since OP_RETURN has already been approved and supported it
doesn't make much sense for me to have to re-defend it from scratch here.

I don't think every application of OP_RETURN could be classified as

"spam".
Perhaps not, but in this context I cannot think of any non-spam use cases.
Use cases should come before changes to support them.

I also don't think burning the value is going to dissuade anyone from

going

down that route. I don't think lost value is better for anyone.

Lost value is better because it has a cost to the spammer, and deflates the
rest of the bitcoins.
Luke

Thomas Kerin via bitcoin-dev

2016-01-26 16:19:18 UTC

Permalink

Post by Toby Padilla via bitcoin-dev
There are already valid use cases for OP_RETURN, it only makes sense
to fully support the feature. The only reason it's not supported now
is because the Payments protocol came before OP_RETURN.

You keep saying OP_RETURN is new, but it has been there from day one.
It's purpose is causing script execution to end if encountered.

Since then, we have tolerated putting pushdata's after it, and even
raised the limit for the size of this data. It still doesn't mean every
proposal has to be rewritten to cater for a new allowance we give
OP_RETURN.

Post by Toby Padilla via bitcoin-dev
I've also been exploring this area with key.run
(https://git.playgrub.com/toby/keyrun) and want the functionality for
voting based on aggregate OP_RETURN value. *Not* to store data on the
blockchain, but to associate content pointers with transactions.
I think that since OP_RETURN has already been approved and supported
it doesn't make much sense for me to have to re-defend it from scratch
here.

Toby Padilla via bitcoin-dev

2016-01-26 17:44:48 UTC

Permalink

OP_RETURN was not part of isStandard? from day one. Once it was supported
by Core it became necessary to actually support it, not try to support it
in one part of the software and not in others. The whole reason it was
supported is because without it people will use more heinous methods to
encode data on the blockchain. There's no way to stop people from doing
that, so this compromise seemed best for everyone.

I think we should actually define "spam". To me a valid transaction someone
willing pays for is never spam. Also PaymentRequests would be a very
inefficient way to spam. It would be much easier to write a script to
automatically create and submit transactions yourself. With PaymentRequests
customers have to initiate the transaction and submit/pay for it one by
one.

What is actually the worst case scenario that those opposed to this are
concerned about? That this takes off like wild fire and all of the sudden
millions of people are using PaymentRequests and creating small
transactions? That seems like a win for Bitcoin. It will help spread
support for the Payment protocol and IF it becomes a problem it's because
so many people are using it. In which case there's a very valid use case
for Bitcoin that people are obviously excited about.

I really don't like the idea of policing other people's use of the
protocol. If a transaction pays its fee and has a greater than dust value,
it makes no sense to object to it.

On Tue, Jan 26, 2016 at 8:19 AM, Thomas Kerin via bitcoin-dev <

Post by Thomas Kerin via bitcoin-dev

You keep saying OP_RETURN is new, but it has been there from day one.
It's purpose is causing script execution to end if encountered.
Since then, we have tolerated putting pushdata's after it, and even
raised the limit for the size of this data. It still doesn't mean every
proposal has to be rewritten to cater for a new allowance we give
OP_RETURN.

I'd generally agree with Luke. Removing the cost of this hurts bitcoin,
and ironically, your application to a certain degree. Just because you
can do a thing one way, it doesn't mean you should. Especially if your
applications success depends on people spamming OP_RETURN hashes of
every torrent they like.
_______________________________________________
bitcoin-dev mailing list
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Peter Todd via bitcoin-dev

2016-02-02 17:03:57 UTC

Permalink

Post by Toby Padilla via bitcoin-dev
I really don't like the idea of policing other people's use of the
protocol. If a transaction pays its fee and has a greater than dust value,
it makes no sense to object to it.

I'll point out that getting a BIP for a feature is *not* a hard
requirement for deployment. I'd encourage you to go write up your BIP
document, give it a non-numerical name for ease of reference, and lobby
wallet vendors to implement it.

While I'll refrain from commenting on whether or not I think the feature
itself is a good idea, I really don't want people to get the impression
that we're gatekeepers for how people choose use Bitcoin.

--
https://petertodd.org 'peter'[:-1]@petertodd.org
000000000000000008320874843f282f554aa2436290642fcfa81e5a01d78698

Pieter Wuille via bitcoin-dev

2016-02-02 17:16:30 UTC

Permalink

On Feb 2, 2016 18:04, "Peter Todd via bitcoin-dev" <

Post by Peter Todd via bitcoin-dev

I'll point out that getting a BIP for a feature is *not* a hard
requirement for deployment. I'd encourage you to go write up your BIP
document, give it a non-numerical name for ease of reference, and lobby
wallet vendors to implement it.
While I'll refrain from commenting on whether or not I think the feature
itself is a good idea, I really don't want people to get the impression
that we're gatekeepers for how people choose use Bitcoin.

I'll go further: whatever people have commented here and elsewhere about
this feature (myself included) are personal opinions on the feature itself,
in the hope you take the concerns into account.

These comments are not a judgement on whether this should be accepted as a
BIP. Specifically, the BIP editor should accept a BIP even if he personally
dislikes the ideas in it, when the criteria are satisfied.

Beyond that, having a BIP accepted does not mean wallets have to implement
it. That's up to the individual wallet authors/maintainers.

--
Pieter

Toby Padilla via bitcoin-dev

2016-02-02 17:27:58 UTC

Permalink

My BIP was ultimately accepted, it's number 74

https://github.com/bitcoin/bips/blob/master/bip-0074.mediawiki

The editor did not agree with it, and I suspect would comment against it
with his new proposed BIP :)

I really appreciated that despite his vehement disagreement, he assigned
the BIP. It seems like the process worked great. There was deep vetting,
lots of back and forth and the editor put aside his personal opinions to
accept the BIP.

That being said...

The mailing list is a problem. I'm still on moderation only. I have no idea
if this message will go through and when it will go through. I totally
understand the desire to keep the conversation level high, but when people
who *are* whitelisted can quickly post multiple heated arguments against
you (publicly) and you can't respond, then that starts to look very
centralized and discouraging.

I would agree with Gavin on the other thread about the proposed BIP
commenting BIP. Putting more decision power behind a moderated mailing list
and wiki doesn't seem like a good idea.

Post by Pieter Wuille via bitcoin-dev
On Feb 2, 2016 18:04, "Peter Todd via bitcoin-dev" <

On Tue, Jan 26, 2016 at 09:44:48AM -0800, Toby Padilla via bitcoin-dev

Post by Toby Padilla via bitcoin-dev
I really don't like the idea of policing other people's use of the
protocol. If a transaction pays its fee and has a greater than dust

value,

Post by Toby Padilla via bitcoin-dev
it makes no sense to object to it.

I'll point out that getting a BIP for a feature is *not* a hard
requirement for deployment. I'd encourage you to go write up your BIP
document, give it a non-numerical name for ease of reference, and lobby
wallet vendors to implement it.
While I'll refrain from commenting on whether or not I think the feature
itself is a good idea, I really don't want people to get the impression
that we're gatekeepers for how people choose use Bitcoin.

I'll go further: whatever people have commented here and elsewhere about
this feature (myself included) are personal opinions on the feature itself,
in the hope you take the concerns into account.
These comments are not a judgement on whether this should be accepted as a
BIP. Specifically, the BIP editor should accept a BIP even if he personally
dislikes the ideas in it, when the criteria are satisfied.
Beyond that, having a BIP accepted does not mean wallets have to implement
it. That's up to the individual wallet authors/maintainers.
--
Pieter

Peter Todd via bitcoin-dev

2016-02-02 17:38:49 UTC

Permalink

Post by Toby Padilla via bitcoin-dev
The mailing list is a problem. I'm still on moderation only. I have no idea
if this message will go through and when it will go through. I totally
understand the desire to keep the conversation level high, but when people
who *are* whitelisted can quickly post multiple heated arguments against
you (publicly) and you can't respond, then that starts to look very
centralized and discouraging.

Everyone is on moderation only in this mailing list, myself included.

--
https://petertodd.org 'peter'[:-1]@petertodd.org
000000000000000008320874843f282f554aa2436290642fcfa81e5a01d78698

Toby Padilla via bitcoin-dev

2016-02-02 17:41:35 UTC

Permalink

Then the moderation is being unevenly applied. Luke commented against my
BIP multiple times right after it was published but it took hours for my
responses to go through and I had to track people down on IRC to ask about
it:

http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-January/thread.html