Discussion:
[bitcoin-dev] We can trivially fix quadratic CHECKSIG with a simple soft-fork modifying just SignatureHash()
Peter Todd via bitcoin-dev
2015-12-29 05:35:59 UTC
Permalink
Occured to me that this hasn't been mentioned before...

We can trivially fix the quadratic CHECK(MULTI)SIG execution time issue
by soft-forking in a limitation on just SignatureHash() to only return
true if the tx size is <100KB. (or whatever limit makes sense)

This fix has the advantage over schemes that limit all txs, or try to
count sigops, of being trivial to implement, while still allowing for a
future CHECKSIG2 soft-fork that properly fixes the quadratic hashing
issue; >100KB txs would still be technically allowed, it's just that
(for now) there'd be no way for them to spend coins that are
cryptographically secured.

For example, if we had an issue with a major miner exploiting
slow-to-propagate blocks(1) to harm their competitors, this simple fix
could be deployed as a soft-fork in a matter of days, stopping the
attack quickly.

1) www.mail-archive.com/bitcoin-***@lists.sourceforge.net/msg03200.html
--
'peter'[:-1]@petertodd.org
0000000000000000094afcbbad10aa6c82ddd8aad102020e553d50a60b6c678f
jl2012 via bitcoin-dev
2015-12-29 07:47:22 UTC
Permalink
Do we need to consider that someone may have a timelocked big tx, with
private key lost?

I think we need to tell people not to do this. Related discussion:
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-November/011656.html
Post by Peter Todd via bitcoin-dev
Occured to me that this hasn't been mentioned before...
We can trivially fix the quadratic CHECK(MULTI)SIG execution time issue
by soft-forking in a limitation on just SignatureHash() to only return
true if the tx size is <100KB. (or whatever limit makes sense)
This fix has the advantage over schemes that limit all txs, or try to
count sigops, of being trivial to implement, while still allowing for a
future CHECKSIG2 soft-fork that properly fixes the quadratic hashing
issue; >100KB txs would still be technically allowed, it's just that
(for now) there'd be no way for them to spend coins that are
cryptographically secured.
For example, if we had an issue with a major miner exploiting
slow-to-propagate blocks(1) to harm their competitors, this simple fix
could be deployed as a soft-fork in a matter of days, stopping the
attack quickly.
1)
_______________________________________________
bitcoin-dev mailing list
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Jonathan Toomim via bitcoin-dev
2015-12-29 12:42:55 UTC
Permalink
That sounds like a rather unlikely scenario. Unless you have a specific reason to suspect that might be the case, I think we don't need to worry about it too much. If we announce the intention to perform such a soft fork a couple of months before the soft fork becomes active, and if nobody complains about it destroying their secret stash, then I think that's fair enough and we could proceed.
Do we need to consider that someone may have a timelocked big tx, with private key lost?
jl2012 via bitcoin-dev
2015-12-29 12:55:28 UTC
Permalink
What if someone complains? We can't even tell whether a complaint is
legit or just trolling. That's why I think we need some general
consensus rules which is not written in code, but as a social contract.
Breaking those rules would be considered as a hardfork and is allowed
only in exceptional situation.
Post by Jonathan Toomim via bitcoin-dev
That sounds like a rather unlikely scenario. Unless you have a
specific reason to suspect that might be the case, I think we don't
need to worry about it too much. If we announce the intention to
perform such a soft fork a couple of months before the soft fork
becomes active, and if nobody complains about it destroying their
secret stash, then I think that's fair enough and we could proceed.
On Dec 28, 2015, at 11:47 PM, jl2012 via bitcoin-dev
Do we need to consider that someone may have a timelocked big tx, with private key lost?
_______________________________________________
bitcoin-dev mailing list
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Jonathan Toomim via bitcoin-dev
2015-12-29 13:00:45 UTC
Permalink
I suggest we use short-circuit evaluation. If someone complains, we figure it out as we go, maybe depending on the nature of the complaint. If nobody complains, we get it done faster.

We're humans. We have the ability to respond to novel conditions without relying on predetermined rules and algorithms. I suggest we use that ability sometimes.
What if someone complains? We can't even tell whether a complaint is legit or just trolling. That's why I think we need some general consensus rules which is not written in code, but as a social contract. Breaking those rules would be considered as a hardfork and is allowed only in exceptional situation.
Post by Jonathan Toomim via bitcoin-dev
That sounds like a rather unlikely scenario. Unless you have a
specific reason to suspect that might be the case, I think we don't
need to worry about it too much. If we announce the intention to
perform such a soft fork a couple of months before the soft fork
becomes active, and if nobody complains about it destroying their
secret stash, then I think that's fair enough and we could proceed.
On Dec 28, 2015, at 11:47 PM, jl2012 via bitcoin-dev
Do we need to consider that someone may have a timelocked big tx, with private key lost?
_______________________________________________
bitcoin-dev mailing list
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
Loading...