Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)

2019-06-03 Thread Russell O'Connor via bitcoin-dev
On Sat, Jun 1, 2019 at 12:47 PM Jeremy via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hi All,
>
> OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBAG*.
> OP_SECURETHEBAG does more or less the same thing, but fixes malleability
> issues and lifts the single output restriction to a known number of inputs
> restriction.
>
> OP_CHECKOUTPUTSVERIFY had some issues with malleability of version and
> locktime. OP_SECURETHEBAG commits to both of these values.
>

Can you elaborate a bit more on what the issues were?


> OP_SECURETHEBAG also lifts the restriction that OP_CHECKOUTPUTSVERIFY had
> to be spent as only a single input, and instead just commits to the number
> of inputs. This allows for more flexibility, but keeps it easy to get the
> same single output restriction.
>
> BIP:
> https://github.com/JeremyRubin/bips/blob/op-secure-the-bag/bip-secure-the-bag.mediawiki
> Implementation: https://github.com/JeremyRubin/bitcoin/tree/secure_the_bag
>
> A particularly useful topic of discussion is how best to eliminate the
> PUSHDATA and treat OP_SECURETHEBAG like a pushdata directly. I thought
> about how the interpreter works and is implemented and couldn't come up
> with something noninvasive.
>

I'm not a Core developer, but from what I understand, I'd be inclined to
treat OP_SECURETHEBAG as having an immediate 32-byte parameter by modifying
GetScriptOp to return the 32-byte parameter through pvchRet.

bool GetScriptOp(CScriptBase::const_iterator& pc,
                 CScriptBase::const_iterator end, opcodetype& opcodeRet,
                 std::vector<unsigned char>* pvchRet)
{
    opcodeRet = OP_INVALIDOPCODE;
    if (pvchRet)
        pvchRet->clear();
    if (pc >= end)
        return false;

    // Read instruction
    if (end - pc < 1)
        return false;
    unsigned int opcode = *pc++;

    // Immediate operand
    if (opcode <= OP_PUSHDATA4)
    {
        // ...
    }

    // OP_SECURETHEBAG carries a fixed 32-byte immediate operand
    if (opcode == OP_SECURETHEBAG) {
        if (end - pc < 0 || (unsigned int)(end - pc) < 32)
            return false;
        if (pvchRet)
            pvchRet->assign(pc, pc + 32);
        pc += 32;
    }

    opcodeRet = static_cast<opcodetype>(opcode);
    return true;
}

and go from there.

> Thank you for your review and discussion,
>
> Jeremy
>
> * Plus the name is better
>
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
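
Added example (not part of the original post or of Bitcoin Core): a minimal script tokenizer showing what the immediate-operand treatment suggested for GetScriptOp changes, including the truncated-operand check. The byte value 0xb3 for OP_SECURETHEBAG and the names `Tokenize`, `SampleScript` and `OP_STB_ASSUMED` are assumptions; the sample script is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

constexpr uint8_t OP_PUSHDATA1 = 0x4c;    // real Bitcoin opcode value
constexpr uint8_t OP_DROP = 0x75;         // real Bitcoin opcode value
constexpr uint8_t OP_STB_ASSUMED = 0xb3;  // placeholder: the post gives no byte value

struct Op { uint8_t opcode; std::vector<uint8_t> data; };

// Split a script into (opcode, operand) pairs. Handles direct pushes
// (0x01..0x4b) and OP_PUSHDATA1; with stbImmediate set, OP_STB_ASSUMED also
// consumes a fixed 32-byte operand, as the post proposes for GetScriptOp.
// Returns false when an operand runs past the end of the script.
bool Tokenize(const std::vector<uint8_t>& s, bool stbImmediate, std::vector<Op>& out) {
    out.clear();
    size_t pc = 0;
    while (pc < s.size()) {
        const uint8_t opcode = s[pc++];
        size_t n = 0;
        if (opcode >= 0x01 && opcode < OP_PUSHDATA1) {
            n = opcode;
        } else if (opcode == OP_PUSHDATA1) {
            if (pc == s.size()) return false;  // missing length byte
            n = s[pc++];
        } else if (opcode == OP_STB_ASSUMED && stbImmediate) {
            n = 32;
        }
        if (s.size() - pc < n) return false;   // truncated operand
        out.push_back(Op{opcode, std::vector<uint8_t>(s.begin() + pc, s.begin() + pc + n)});
        pc += n;
    }
    return true;
}

// Constructed sample: OP_STB_ASSUMED, a 32-byte operand whose bytes all equal
// OP_PUSHDATA1, then OP_DROP.
std::vector<uint8_t> SampleScript() {
    std::vector<uint8_t> s{OP_STB_ASSUMED};
    s.insert(s.end(), 32, OP_PUSHDATA1);
    s.push_back(OP_DROP);
    return s;
}
```

With `stbImmediate` unset the same bytes are read as a stream of OP_PUSHDATA1 instructions and the parse fails, so the two parsers disagree on the identical script.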


Re: [bitcoin-dev] [PROPOSAL] Emergency RBF (BIP 125)

2019-06-03 Thread Russell O'Connor via bitcoin-dev
Hi Rusty,

On Sun, Jun 2, 2019 at 9:21 AM Rusty Russell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> The new "emergency RBF" rule:
>
>  6. If the original transaction was not in the first 4,000,000 weight
> units of the fee-ordered mempool and the replacement transaction is,
> rules 3, 4 and 5 do not apply.
>
> This means:
>
> 3. This proposal does not open any significant new ability to RBF spam,
>    since it can (usually) only be used once.  IIUC bitcoind won't
>    accept more than 100 descendants of an unconfirmed tx anyway.
>

Is it not possible for Alice to grief Bob's node by alternating RBFing two
transactions, each one placing itself at the bottom of Bob's top 4,000,000
weight mempool which pushes the other one below the top 4,000,000 weight,
and then repeating with the other transaction?  It might be possible to
amend this proposal to partially mitigate this.


Re: [bitcoin-dev] [PROPOSAL] Emergency RBF (BIP 125)

2019-06-03 Thread Ryan Havar via bitcoin-dev
+1

From an incentive-compatible point of view, miners should be accepting
transactions that increase the amount of fees that can be achieved with 4M weight
of transactions, so it seems like a pretty sane plan.

One common problem I've run into with RBF is since you're using RBF you 
probably want to low ball fees. With good coin selection (*cough* coinsayer.com 
*cough*), it'll use that opportunity to consolidate inputs. But now let's say 
fees suddenly spike (pretty common), you might want to fee bump your now stuck 
transaction. But now that fees are high, it doesn't make sense to be 
consolidating so ideally you'd just replace it with a much smaller transaction 
(that pays higher fee rate).


So if anything, I think your proposal doesn't go far enough. I think even in 
"non-emergency" cases, we could get away with removing the requirement to 
increase the absolute fee (as long as the fee rate is increased); which also 
makes it incentive compatible if you assume a reasonable fee-market.

I realize it does open potential DoS vectors, but they seem reasonably small.

-Ryan

‐‐‐ Original Message ‐‐‐
On Saturday, June 1, 2019 9:41 PM, Rusty Russell via bitcoin-dev wrote:

> Hi all,
>
> I want to propose a modification to rules 3, 4 and 5 of BIP 125:
>
> To remind you of BIP 125:
> 3. The replacement transaction pays an absolute fee of at least the sum
> paid by the original transactions.
>
> 4. The replacement transaction must also pay for its own bandwidth at
> or above the rate set by the node's minimum relay fee setting.
>
> 5. The number of original transactions to be replaced and their
> descendant transactions which will be evicted from the mempool must not
> exceed a total of 100 transactions.
>
> The new "emergency RBF" rule:
>
> 6. If the original transaction was not in the first 4,000,000 weight
> units of the fee-ordered mempool and the replacement transaction is,
> rules 3, 4 and 5 do not apply.
>
> This means:
>
> 1.  RBF can be used in adversarial conditions, such as lightning
> unilateral closes where the adversary has another valid transaction
> and can use it to block yours. This is a problem when we allow
> differential fees between the two current lightning transactions
> (aka "Bring Your Own Fees").
>
> 2.  RBF can be used without knowing about miner's mempools, or that the
> above problem is occurring. One simply gets close to the required
> maximum height for lightning timeout, and bids to get into the next
> block.
>
> 3.  This proposal does not open any significant new ability to RBF spam,
> since it can (usually) only be used once. IIUC bitcoind won't
> accept more than 100 descendants of an unconfirmed tx anyway.
>
> 4.  This proposal makes RBF miner-incentive compatible. Currently the
> protocol tells miners they shouldn't accept the highest bidding tx
> for the good of the network. This conflict is particularly sharp
> in the case where the replacement tx would be immediately minable,
> which this proposal addresses.
>
> Unfortunately I haven't found time to code this up in bitcoin, but if
> there's positive response I can try.
>
> Thanks for reading!
> Rusty.


Re: [bitcoin-dev] [PROPOSAL] Emergency RBF (BIP 125)

2019-06-03 Thread Matt Corallo via bitcoin-dev
I think this needs significantly improved motivation/description. A few areas 
I'd like to see calculated out:

1) wrt rule 3, for this to be 
obviously-incentive-compatible-for-the-next-miner, I'd think no evicted 
transactions would be allowed to be in the next block range. This would 
probably require some significant additional tracking in today's mempool logic.

2) wrt rule 4, I'd like to see a calculation of worst-case free relay. I think 
we're already not in a great place, but maybe it's worth it or maybe there is 
some other way to reduce this cost (intuitively it looks like this proposal 
could make things very, very, very bad).

3) wrt rule 5, I'd like to see benchmarks, it's probably a pretty nasty DoS 
attack, but it may also be the case that it is (a) not worse than other 
fundamental issues or (b) sufficiently expensive.

4) As I've indicated before, I'm generally not a fan of such vague protections 
for time-critical transactions such as payment channel punishment transactions. 
At a high-level, in this context your counterparty's transactions (not to 
mention every other transaction in everyone's mempool) are still involved in 
the decision about whether to accept an RBF, in contrast to previous proposals, 
which makes it much harder to reason about. As a specific example, if an 
attacker exploits mempool policy differences they may cause your concept of 
"top 4M weight" to be bogus for a subset of nodes, causing propagation to be 
limited.

Obviously there is also a ton more client-side knowledge required and 
complexity to RBF decisions here than other previous, more narrowly-targeted 
proposals.

(I don't think this one use-case being not optimal should prevent such a 
proposal, I agree it's quite nice for some other cases).

Matt

> On Jun 2, 2019, at 06:41, Rusty Russell wrote:
> 
> Hi all,
> 
>   I want to propose a modification to rules 3, 4 and 5 of BIP 125:
> 
> To remind you of BIP 125:
> 3. The replacement transaction pays an absolute fee of at least the sum
>   paid by the original transactions.
> 
> 4. The replacement transaction must also pay for its own bandwidth at
>   or above the rate set by the node's minimum relay fee setting.
> 
> 5. The number of original transactions to be replaced and their
>   descendant transactions which will be evicted from the mempool must not
>   exceed a total of 100 transactions.
> 
> The new "emergency RBF" rule:
> 
> 6. If the original transaction was not in the first 4,000,000 weight
>   units of the fee-ordered mempool and the replacement transaction is,
>   rules 3, 4 and 5 do not apply.
> 
> This means:
> 
> 1. RBF can be used in adversarial conditions, such as lightning
>  unilateral closes where the adversary has another valid transaction
>  and can use it to block yours.  This is a problem when we allow
>  differential fees between the two current lightning transactions
>  (aka "Bring Your Own Fees").
> 
> 2. RBF can be used without knowing about miner's mempools, or that the
>  above problem is occurring.  One simply gets close to the required
>  maximum height for lightning timeout, and bids to get into the next
>  block.
> 
> 3. This proposal does not open any significant new ability to RBF spam,
>  since it can (usually) only be used once.  IIUC bitcoind won't
>  accept more than 100 descendants of an unconfirmed tx anyway.
> 
> 4. This proposal makes RBF miner-incentive compatible.  Currently the
>  protocol tells miners they shouldn't accept the highest bidding tx
>  for the good of the network.  This conflict is particularly sharp
>  in the case where the replacement tx would be immediately minable,
>  which this proposal addresses.
> 
> Unfortunately I haven't found time to code this up in bitcoin, but if
> there's positive response I can try.
> 
> Thanks for reading!
> Rusty.
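
Added example (not from the thread or from bitcoind): a simplified model of the proposed rule 6, showing the concern raised in point 4 of this message, that nodes holding different mempool contents can disagree on whether a replacement is in the top 4,000,000 weight units. All transactions, ids and the `InTop`, `AcceptReplacement`, `NodeA`, `NodeB` and `Replacement` names are constructed for illustration; only rule 3 is modelled next to rule 6, and ancestor packages are ignored.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

struct Tx { int id; uint64_t fee; uint64_t weight; };
constexpr uint64_t TOP_WEIGHT = 4000000;  // "first 4,000,000 weight units"

// True if tx `id` fits inside the first TOP_WEIGHT units of the pool when
// ordered by feerate, highest first (simplified prefix model).
bool InTop(std::vector<Tx> pool, int id) {
    std::sort(pool.begin(), pool.end(), [](const Tx& a, const Tx& b) {
        return a.fee * b.weight > b.fee * a.weight;  // compare fee/weight exactly
    });
    uint64_t used = 0;
    for (const Tx& t : pool) {
        used += t.weight;
        if (used > TOP_WEIGHT) return false;  // boundary reached before `id` fit
        if (t.id == id) return true;
    }
    return false;
}

// Rule 6 as quoted: if the original is outside the top range and the
// replacement is inside it, rule 3 is waived. Otherwise rule 3 applies
// (replacement fee >= original fee). Rules 4 and 5 are not modelled.
bool AcceptReplacement(const std::vector<Tx>& pool, int origId, const Tx& repl) {
    uint64_t origFee = 0;
    std::vector<Tx> after{repl};
    for (const Tx& t : pool) {
        if (t.id == origId) origFee = t.fee; else after.push_back(t);
    }
    const bool rule6 = !InTop(pool, origId) && InTop(after, repl.id);
    return rule6 || repl.fee >= origFee;
}

// Constructed mempools. Node B additionally holds tx 101, which node A's
// policy is assumed to have rejected.
std::vector<Tx> NodeA() { return {{100, 40000000, 3999000}, {1, 3000, 2000}}; }
std::vector<Tx> NodeB() {
    std::vector<Tx> p = NodeA();
    p.push_back({101, 60000, 6000});
    return p;
}
// Smaller replacement for tx 1: higher feerate, lower absolute fee.
Tx Replacement() { return {2, 2000, 400}; }
```

Node A accepts the replacement through rule 6, while node B sees it below the 4,000,000 boundary, falls back to rule 3 and rejects it, so the replacement does not propagate through node B.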



Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)

2019-06-03 Thread Jeremy via bitcoin-dev
Hi Russell,

Thanks for the response. I double checked my work in drafting my response
and realized I didn't address all the malleability concerns; I believe I
have now (fingers crossed) addressed all points of malleability.

*The malleability concerns are as follows:*

A TXID is computed as:

def txid(self):
 r = b""
 r += struct.pack("