Hi Antoine, Could you please clearly describe the "attack" with a clear threat model? I don't think what you describe is an issue under any realistic threat model, much less how it would only materialize with BIP54's sigop limit but not with the existing sigop limit.
> Anyway, the current BIP54 says the following nothing about legacy inputs: The BIP54 specifications are written from the perspective of an implementer and clearly states "count the number of [sigops] in the input scriptSig and previous output's scriptPubKey". Signature operations in these fields preceded Segwit (which requires the scriptSig to be empty and the prevout's scriptPubKey to be pushonly). > I think there are some implications about all of this for some use-cases > designers, > e.g for massive Coinjoin Any remotely sane transaction would run into the standardness size limit before running into this limit. Only a pathological transaction which tries to increase its validation cost may run into this limit while being standard according to today's Core policy. See https://github.com/bitcoin/bips/blob/master/bip-0054.md#user-content-fn-7-21829941cd04259d86862ad3baa11d05. Best, Antoine On Saturday, July 12th, 2025 at 8:46 PM, Antoine Riard <antoine.ri...@gmail.com> wrote: > Hi Poinsot, > > Not necessarily, if you go to multi-sign the first input of your second-stage > txn with > SIGHASH_SINGLE | ANYONECANPAY, the hashPrevouts and the hashSequence are not > commited. > The second input can be a legacy input, even if it's altered in-flight (e.g > flipping > the S component of the ECDSA sig), it's breaking your sig hash for the second > input, > but not the sighash for the "contract" multi-signed input. Very practical for > doing > unilateral fee-bumping. > > It's a problem if you do multi-stage for an off-chain construction, as the > third order > tx, even with SIGHASH_SINGLE would commit to `outpoint` field, and implicitly > the > parent txid of the malleable second input. > > ... > > Anyway, the current BIP54 says the following nothing about legacy inputs: > > "A limit is set on the number of potentially executed signature operations in > validating > a transaction. It applies to all transactions in the block except the > coinbase transaction. > For each input in the transaction, count the number of CHECKSIG and > CHECKMULTISIG in the > input scriptSig and previous output's scriptPubKey, including the P2SH > redeemScript". > > I do think it would be clearer to say that Segwit spends are logically > excluded due > to a) a Segwit spend's scriptSig must be always empty (`scriptSig.size() != 0 > in > `VerifyScript()`) and b) a witness program must be a data push and as such > it's > never a scriptCode that can contain a CHECKSIG ops. Accounting is implicitly > always > 0 for Segwit spends. > > There is no definition of what make a spend a "legacy" input, other than it's > not > a Segwit spend. Technically, the CHECKSIG operations are committed in the > witness > program, which is itself part of the scriptPubkey... While indeed, currently > the code > is properly dissociating the verifcation of the legacy spends from the > witness program, > it's hard to say the limit is correctly implemented in the complete lack of > available code. > > The limit could be implemented in EvalScript(), but I'm not sure it's exactly > what > you have in mind. Thanks by advance if there is code and specification > defining > more precisly what is understood as a legacy input under this BIP proposal. > > ... > > I think there are some implications about all of this for some use-cases > designers, > e.g for massive Coinjoin, if in the collaborative transaction construction > any party > proposes a scriptpubkey with a huge number of sigs to reach the limit, now if > you > don't verify the script sanity against this new rule, you might have > contributed > an input in a transaction that is never going to be valid. Some kind of > denial-of-service, > and the reason initially opt-in rbf was proposed to be remove. > > While this is not a concern for lightning (bc the dual funding spec explictly > requests segwit input at `tx_add_input` reception), I'm not sure for any > coinjoin > or multi-party tx construction stuff that might be affected by a new DoS > vector > as soon as this starts to be a policy rule spread substantially on the > network. > > It's not to say that this limit shouldn't be deployed, but in my opinion it's > wise to advertise more towards multi-party use-cases maintainers and devs the > potential implications of the deployment of this rule, as soon as it's policy. > > Best, > Riard > OTS hash: c236ba440e27f6bf89db9d21f1650d945c92fc941bb9177dbf06bbbac2afc902 > > Le lundi 7 juillet 2025 à 23:25:02 UTC+1, Antoine Poinsot a écrit : > >> This limit only concerns legacy signature operations. Off-chain >> constructions use Segwit inputs, as they would be trivially broken by txid >> malleability otherwise. >> >> On Friday, July 4th, 2025 at 10:38 AM, Antoine Riard <antoin...@gmail.com> >> wrote: >> >>> Hi Poinsot, >>> >>> Thanks for the collection of historical txn hitting the proposed new limit. >>> >>> The only long-term downside coming immediately out of mind, if the rule >>> becomes consensus >>> in the future, it's the implicit limitation it would make on the >>> multi-party dimensions >>> of off-chain constructions. In the past, I made really rough math for >>> 1000-sized participants >>> payments pools, where for the funding_tx, you have the 1000 participants >>> contributing >>> one input with one sig for each [0]. >>> >>> In my understanding the new limit of 2500 signatures operation would make a >>> hard-limit >>> for the number of participants entering in such construction, without other >>> tricks that >>> are consuming more block space. One can note the downside on funding tx of >>> high-order >>> off-chain construction, if a max tx size consensus limit is introduced in >>> the future. >>> >>> Of course, I do not deny the DoS rational of introducing the 2500 sig limit >>> and it's >>> very needed. At the same time, we should be careful of not closing too much >>> doors for >>> future off-chain constructions and long-term tx throughput scalability. >>> >>> I do believe, it's always technically possible in the future to introduce >>> new opcode >>> or segwit versions scripts (e.g grafroot or entroot-based pool >>> construction), which >>> wouldn't be subject to the new limit, and as such more scalable. If I'm >>> correct, I >>> think it's all about how the limit is implemented to parse current scripts >>> to be >>> spent. >>> >>> But it's hard to say without code available to review and reason. May I >>> kindly note >>> there is no reference implementation attached in the current BIP54 document >>> [1]. Even, >>> if it's often updated, it's always fruitful to have code under the eyes for >>> review. >>> >>> This might be the kind of concern (very) far down the line...but preserving >>> the >>> evolvability of the consensus rules is a good property to care about, in my >>> humble >>> opinion. >>> >>> Best, >>> Riard >>> OTS hash: a2bb9a1faf79309b039d8ae7e0b951644ca0adb2 >>> >>> [0] >>> [https://gnusha.org/pi/bitcoindev/calzpt+e+ekktoxd-8a6othw-...@mail.gmail.com/](https://gnusha.org/pi/bitcoindev/calzpt+e+ekktoxd-8a6othw-1i5cj4h12tug8tnwswqbfan...@mail.gmail.com/) >>> [1] https://github.com/bitcoin/bips/blob/master/bip-0054.md >>> >>> Le mercredi 2 juillet 2025 à 09:54:33 UTC+1, Antoine Poinsot a écrit : >>> >>>> Hi everyone, >>>> >>>> To mitigate high block validation time, BIP54 proposes to make >>>> transactions which require more than >>>> 2500 legacy signature operations invalid by consensus. The 2500 figure was >>>> chosen as the tightest >>>> value that did not make any non-pathological currently standard >>>> transaction invalid. >>>> >>>> No transaction in Bitcoin's history would have both hit the BIP54 sigop >>>> limit and been standard >>>> according to today's Bitcoin Core policy[^0]. But what happened in the >>>> past doesn't matter as much >>>> as the fact that it is possible today to create a pathological standard >>>> transaction that is >>>> BIP54-invalid. >>>> >>>> This opens up a major DoS vector against unupgraded miners if BIP54 ever >>>> gets activated in these >>>> conditions. Therefore i propose to make such transactions non-standard and >>>> hold off activation of >>>> BIP54 until we have good reasons to believe that the vast majority of the >>>> hashrate won't create a >>>> block containing such a transaction. >>>> >>>> Doing so gives better guarantees in case BIP54 is ever considered for >>>> activation, and comes at >>>> virtually no cost since these pathological transactions have never been >>>> used and serve no purpose >>>> beyond increasing the cost of validation. Bitcoin Core PR #32521 >>>> implements this change, which i >>>> hope to get into the upcoming 30.0 release as well as backported to >>>> previous versions. >>>> >>>> Best, >>>> Antoine Poinsot >>>> >>>> [^0]: Here the full list of historical transactions that would have hit >>>> the BIP54 sigops limit: >>>> - 659135664894e50040830edb516a76f704fd2be409ecd8d1ea9916c002ab28a2 >>>> - bea1c2b87fee95a203c5b5d9f3e5d0f472385c34cb5af02d0560aab973169683 >>>> - 24b16a13c972522241b65fbb83d09d4bc02ceb33487f41d1f2f620b047307179 >>>> - 53666009e036171b1aee099bc9cd3cb551969a53315410d13ad5390b8b4f3bd0 >>>> - ffc178be118bc2f9eaf016d1c942aec18441a6c5ec17c9d92d1da7962f0479f6 >>>> - 2f1654561297114e434c4aea5ca715e4e3f10be0be8c1c9db2b6f68ea76dae09 >>>> - 62fc8d091a7c597783981f00b889d72d24ad5e3e224dbe1c2a317aabef89217e >>>> - d939315b180d3d73b5e316eb57a18f8137a3f5943aef21a811660d25f1080a3f >>>> - 8a6bfaa78828a81147e4848372d491aa4e9048631982a670ad3a61402a4ec327 >>>> - 02cc78789cc070125817189ec378daa750355c8b22bbce982ed96aa549facb1f >>>> - b97a16ae2e8ae2a804ed7965373b42055f811653f4628e4bef999145d4b593bc >>>> - c51ffaf08188859669571f897f119b6d39ea48a9334212f554bf4927401b71f3 >>>> - 33ccdda65abdda8025adb03841410dda5fa8948bd38b7fbaf3fed521daf5c4d3 >>>> - bb41a757f405890fb0f5856228e23b715702d714d59bf2b1feb70d8b2b4e3e08 >>>> - ba588134ecc93fdbfa06f795c9bf7a05b09ca9ca9095659e401325d501a90363 >>>> - ba6c6d2389f765f7873f5a9a7c11bf806afd784d15b0b8dff011fe95d1d5e841 >>>> - dd49dc50b54b4bc1232e4b68cfdd3d349e49d3d7fe817d1041fff6dd583a6eaf >>>> - 3d724f03e8bcc9e2e3ea79ebe4c6cffca86d85e510742cd6d3ac29d420787a34 >>>> - 8bcf8e8d8265922956bda9b651d2a0e993072c9dca306f3a132dcdb95c7cee6e >>>> - ba31c8833b7417fec9a84536f32fcb52d432acb66d99b9be6f3899686a269b2b >>>> - 9cc0a350d50fa252264636e62d586c7121d0a5656bc7e6b27354325684bec007 >>>> - dd5e32971010ef0c9f4cda8977830d727a6828165c69005a3fab67415c755b7d >>>> - 66be4e766df2c23e08f4cf8c3e6cfa202b20967616ace38e1cbc1f20ee78db2e >>>> - e229a83deafec5f49e4990dba914fd815d05809f5eefbd979d55fb64f93827a3 >>>> - 901e3695838925dd020a085e8f078c393e64179dcf0a43134a1547d21acab49a >>>> - 49ab4d05adbc3294fbbd63d3b876fb97a87a3f5090aa6b1d87f31ab1c4564235 >>>> - c4f4357657ba403455167b2897acfcb922c2a0973c34e58733ca352394e6c629 >>>> - 6c3ee29a9b584fbeae60169f0abce573a7b768bf21398d4dfad9011aa7132530 >>>> - 5dc2bdc5ce29c52840f10203fd93ffed82da4cf49eddf93437dd1329baa9ade5 >>>> - f40fd92f5e8cecf956caec4b6abe0b88decafde0ae71d16a72c41cb1a3da0d60 >>>> - 92b68e4a19ef47c0dd022727a9c4b8ceb9466ce752ad8995ffbc5948bdfabf57 >>>> - 1b604a075075197c82d33555ea48ae27e3d2724bc4c3f31650eff79692971fb7 >>>> - 5d8875ed1707cfee2221741b3144e575aec4e0d6412eeffe1e0fa07335f61311 >>>> - 14dd70e399f1d88efdb1c1ed799da731e3250d318bfdadc18073092aa7fd02c2 >>>> - bb75a8d10cfbe88bb6aba7b28be497ea83f41767f4ee26217e311c615ea0132f >>>> - a684223716324923178a55737db81383c28f055b844d8196c988c70ee7075a9a >>>> - fa9120afe1bb09b7154ba82a022cbdcc29fc5be2699b346ebb7ffdc46807b2f7 >>>> - 5e640a7861695fa660343abde52cfe10b5a97dd8fc6ad3c5e4b2b4bb1c8c3dd9 >>>> - 7e7e69b4de5ef05750d27a863bdcb2d9dbc4a732c2a719f435ae5a9a4690b30f >>>> - d85ce71f583095a76fb17b5bb2a1cbf369e2a2867ca38103aa310cbb2aaf2921 >>>> - 905df97982a2904d6d1b3dfc272435a24d705f4c7e1fc4052798b9904ad5e597 >>>> - 5b0a05f12f33d2dc1507e5c18ceea6bb368afc51f00890965efcc3cb4025997d >>>> - cb550c9a1c63498f7ecb7bafc6f915318f16bb54069ff6257b4e069b97b367c8 >>>> - 66b614e736c884c1a064f7b0d6a9b0abd97e7bb73ac7e4b1b92b493d558a0711 >>>> - 9fdbcf0ef9d8d00f66e47917f67cc5d78aec1ac786e2abb8d2facb4e4790aad6 >>>> - 9c667c64fcbb484b44dcce638f69130bbf1a4dd0fbb4423f58ceff92af4219ec >>>> - 2e7c454cfc348aa220f53b5ba21a55efa3d36353265f085e34053c4efa575fda >>>> - 484c8f9d1adf16a576bce52721a5e4edd5239df346d94fd730f6d7b681ab3652 >>>> - e3d3d1ecec5d6b57792c793c413fc9b19189f5b932db8887d46f06abc101d24e >>>> - b23c99c30339cb93eb04790bc5213f7732365488fe2549802bb472084b6ec508 >>>> - 92f217ec13ab309240adc0798804b3418666344a5cbfff73fb7be8192dad5261 >>>> - 22e861ee83c3d23a4823a3786460119425d8183783068f7ec519646592fac8c2 >>>> - fa5a58f787f569f5b8fab9dadb2447161fac45b36fb6c2c0f548ed0209b60663 >>>> - 767885bc144bdc0414217547f0169352a065083750371cabe5acbd0e0dd60436 >>>> - 461308024d89ea4231911df4ef24e65e60af2a9204c8282a6b67f4214c1714e7 >>>> - 9db4e0838c55ef20c5eff271fc3bf09a404fff68f9cdad7df8eae732500b983d >>>> - 6e278c0ca05bf8e0317f991dae8a9efa141b5a310a4c18838b4e082e356ef649 >>>> - 9c972a02db30f9ee91cc02b30733d70d4e2d759b5d3c73b240e5026a8a2640c4 >>>> - d38417fcc27d3422fe05f76f6e658202d7fa394d0c9f5b419fef97610c3c49f1 >>>> - e32477636e47e1da5fb49090a3a87a3b8ff637d069a70cd5b41595da225e65b4 >>>> - a7e0a86944e9750a3fe372dd318da7b81c4f4c4ab228741ba0cf7fb6d56d6640 >>>> - f62f2c6a16b5da61eaae36d30d43bb8dd8932cd89b40d83623fa185b671c67f9 >>>> - 856a2117b6d81acbe6add60a114307d9572dff027079151d50ee77a7b0c70404 >>>> - 763e13f873afa5f24cd33fc570a178c65e0a79c05c88c147335834fc9e8f837b >>>> - c3f2c2df5388b79949c01d66e83d8bc3b9ccd4f85dbd91465a16fb8e21bf8e1b >>>> - e245f6c3c6b02dc81ea1b6694735565cc535f603708783be027d0e6a94ac3bd5 >>>> - 02313ac62ca8f03930cdc5d2e437fabc05aea60a31ace18a39678c90b45d32bd >>>> - 01d23d32bccc04b8ca5a934be16da08ae6a760ccaad2f62dc2f337eee7643517 >>>> - d985c42bcd704aac88b9152aede1cca9bbb6baee55c8577f84c42d600cfec8e4 >>>> - 6bb39576292c69016d0e0c1fe7871640aab12dd95874d67c46cf3424822f8dfd >>>> - 79e30d460594694231f163dd79a69808904819e2f39bf3e31b7ddc4baa030a04 >>>> - 26ed04bd772c7d3d621329bda8eefec9f81108d46ef0bd3b690000465f5254b3 >>>> - bf40393fedc45a1b347957124ef9bb8ae6a44feecee10ef2cc78064fabf8125f >>>> - 446c0a1d563c93285e93f085192340a82c9aef7a543d41a86b65e215794845ef >>>> - 1cf52f9ef89fa43bb4f042cbd4f80e9f090061e466cbe14c6b7ba525df0e572e >>>> - 54bf51be42ff45cdf8217b07bb233466e18d23fd66483b12449cd9b99c3a0545 >>>> - b5ca68205e6d55e87bd6163b28467da737227c6cbcc91cb9f6dc7b400163a12b >>>> - 9f8cc4496cff3216608c2f2177ab360bd2d4f58cae6490d5bc23312cf30e72e0 >>>> - 4eba5deb2bbf3abf067f524484763287911e8d68fb54fa09e1287cf6cd6d1276 >>>> - e3de81a5817a3c825cf44fbf8185e15d446393615568966a6e3fc22cba609c7d >>>> - 1e700d8ce85b17d713cad1a8cae932d26740e7c8ab09d2201ddfe9d1acb4706c >>>> - b8ba939da1babf863746175b59cbfb3b967354f04db41bd13cb11da58e43d2a8 >>>> - 22df2138a28c9d339813854a38181ffc5ac6f37d171d5b5bd6b0b79bf8d3c641 >>>> - 1d93bfe18bc05b13169837b6bc868a92da3c87938531d6f3b58eee4b8822ecbf >>>> - e0c5e2dc3a39e733cf1bdb1a55bbcb3c2469f283becf2f99a0de771ec48f6278 >>>> - c1e00054cc3fef88c2fdec2967e96fdb4c645bcf3f08b0580b51e47ecbfab71a >>>> - 9a567fde7c65bf85bbc2b109277933431ebc8a35de321a4b6436601d68aa4521 >>>> - 6a9263e48a076bfc37deb93d01bf354305f4ac929be6b0ca05c078381a562c0c >>>> - 0683fb9cfcd4a211c14ef7cd2d03739160ff9ba1cb5396be227e475e932a8e9b >>>> - 2290263dddf8f06f099fcfb130a85f8f00b6cc1e05565a4c028d2187c8592d15 >>>> - d27ca813c97eef5c6e9ed4bd2fe08a7e34aa8ac0c2af353826c73a4e2711a797 >>>> - b28d67131d00bda9dac0da484dd1352c55ec6a869ea04a7e85b71d2ddf2356d9 >> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Bitcoin Development Mailing List" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to bitcoindev+...@googlegroups.com. >>> To view this discussion visit >>> https://groups.google.com/d/msgid/bitcoindev/eb191c75-e245-4c40-8288-1d102477ccfdn%40googlegroups.com. > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to bitcoindev+unsubscr...@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/e27c5b87-3be2-4ed0-9000-84822ca84c23n%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/baUD_4coLcyQ0vkoOaIzl8KFWTo3Mer27YYzDDCbffdbiJyOktRD_Y5u5OkfzSA3m9uJ84EZuEdbybdKTDElD_8_70vbJimDgen252hVRIo%3D%40protonmail.com.
