Author

Topic: What's the reason for not being strict about Taproot witness program size? (Read 303 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
I am new to the forum and this thread is 6 months old, but that's *still* a month younger than my own brief experiment making a single inscription using the Ord code -- A small (<1KB) text poem to my Mom for Mother's day to put her on the Chain (see https://ordinals.com/preview/51b2b0ca885149b342a2c80420f57f4fb86e3abd6ad4f17b618fb33b8b0e436bi0 for context). 

SO I'm still trying to sort through whether I played myself (and my dear old mum, and the world?) into the hands of some obscure and nefarious "attack" conspiracy? Directed by shadowy bad actors who are suing luminaries here on this board? for billions of dollars or something... sounds hideous! 

Welcome to Bitcointalk forum. Don't worry about speculation written by other member. And while it's discouraged, some people already include text to Bitcoin blockchain using OP_RETURN, public key (which then converted into address) and other means.

Meanwhile my specific questions for this thread are:  
Is it true that there used to be a 10000 byte limit on scripts which Taproot actually removed?

Yes, Although it's more accurate to say limit for Taproot script never exist.

If so, why was 10KB of space before Taproot, not enough for Witness scripts and  that an unlimited amount of space was required?

Pieter Wuille on https://bitcoin.stackexchange.com/a/114912 partially answer your question.
newbie
Activity: 1
Merit: 0
I am new to the forum and this thread is 6 months old, but that's *still* a month younger than my own brief experiment making a single inscription using the Ord code -- A small (<1KB) text poem to my Mom for Mother's day to put her on the Chain (see https://ordinals.com/preview/51b2b0ca885149b342a2c80420f57f4fb86e3abd6ad4f17b618fb33b8b0e436bi0 for context).  

SO I'm still trying to sort through whether I played myself (and my dear old mum, and the world?) into the hands of some obscure and nefarious "attack" conspiracy? Directed by shadowy bad actors who are suing luminaries here on this board? for billions of dollars or something... sounds hideous!  

Meanwhile my specific questions for this thread are:  
Is it true that there used to be a 10000 byte limit on scripts which Taproot actually removed?  
If so, why was 10KB of space before Taproot, not enough for Witness scripts and  that an unlimited amount of space was required?
Lastly, if this thread was answered, can someone summarize the answer to the thread question "What's the reason(s) for not being strict about Taproot witness program size?"
I always thought standards were good, and that without limits (or proportions) the only options are "All" or "Nothing."

My instincts are for compromise, proportion and ratio as the basis of Harmony.  Why cannot an appropriate amount of space for Marginalia (and Witness Scripts) be set that does not crowd out the space needed for actual ledger entries.  

Maybe my instincts are wrong -- If Answers have already been given and I lost them in the read-through, perhaps they can be re-summarized more succinctly and my sincere thanks in advance to anyone who does so.
staff
Activity: 4284
Merit: 8808

I've been away from development for a long time, so it's likely I'm out of sync and it's possible I'm confused--- I only looked into the discussions around this stuff when I learned about who's been funding the BRC-20 floods, and my interest is mostly limited to figuring how it plans into the overall attacks on Bitcoin developers by these parties.  That said, XKCD-386 applies Tongue and I can at least offer some historical context.

Funny how they almost completely left me out of the drama considering that Luke was replying to my message. Roll Eyes
I don't think that's an accident.  Luke (like a dozen other current&former developers; including me) is being sued for billions of dollars with an allegation that we specifically and no one else control the Bitcoin network, and so we're obligated to institute a backdoor for Wright wright to "recover" billions of dollars worth of Bitcoin where he claims to have lost the keys.  You're not (currently!) on the list of defendants, and so bringing up you would actually undermine their argument that having opinions on blocking the spam was evidence of that control.

Quote
if we close off this vector, these nutcases will just find another vector to continue their spam such as OP_RETURN or Segwit v1 witness data compacted properly in binary, scriptsigs in legacy addresses which have a dummy P2PKH script followed by compact BRC-20 OP_PUSHDATAs and so on. We can't possibly disable all such vectors as some require a hardfork.

Not just a hardfork, it seems to be fundamentally *impossible* even with a hardfork: because attackers could just burn capacity with chains of transactions that look nearly indistinguishable (as they actually did in 2016/2017-- some of the flooding attacks are only obvious with retrospective blockchain analysis).

I'm mindful of the point pooya87 has made in another thread here that part of the attack is enlisting idiots to participate, which can actually be dampened by standardness rules to inhibit specific forms of spam.  I think he's right but I don't think it matters, the enlistment is only a small constant factor on the attack cost.  Sure-- the attacker will use enlistment to lower their costs and/or prolong their attack some if they can, but if they can't enlist they'll still attack.

There has been some more blatant attempted enlistment on reddit that the r/bitcoin mods have been pretty good about nuking.  E.g. posts claiming that "taproot" has an inflation bug that user can exploit by making a lot of transactions... their inability to get away with *that* kind of enlistment hasn't stopped the attack.  The attackers are just going to use whatever is available to attack, but removing those things won't stop the attack unless the things being removed are the only ways to accomplish it.   And to the extent that the attack is *specifically* to drive fees up, the actual structure of how they do it is completely irrelevant to the attacker, so blocking any particular one won't work.

I think its also absolutely guaranteed that anyone that successfully deploys standardness rules to inhibit this attack is going to be saddled with hundreds of thousands of dollars in legal fees defending lawsuits--- either because they get sucked into the "you must backdoor bitcoin for me" litigation somehow or because proxy entities will claim that blocking their spam destroyed their oh-so-legitimate business which was goona make billions.  It's happened before, see "United American Corp vs Amaury Sechet, Shamma Chancellor, and Jason Cox"-- bcash developers were sued by some shell company because they added a checkpoint that blocked a reorg attack Wright was threatening to perform on social media.  They defeated the lawsuit and the shell just declared bankruptcy and vanished, but even though they won they took on large costs that can't be recovered (cause the entity just vanished).

It's also the case that any specific spam filtering can't really stop enlistment..  like these BRC-20 transactions could be encoded in a way that makes it extremely difficult to filter them (as they only embed <90 bytes or so), they aren't now but that's because the attack is just really lazy.  It would at best be a bunch of wack-a-mole, and particularly hard to the extent that there exists any earnest usage at all (even if it's just a tiny fraction of a percent)-- since those earnest users will be useful fools for the attackers in opposing the bandaids.

If it was clear that it would work then the costs of trying it might be justifiable, but if it'll just delay or shift the form of the attack? ::meh::  I mean, feel free to put your own neck out, but I think that would be a pyrrhic victory.  I'm sure that in some attacks people would expose themselves to personal bankruptcy to defend even a non-guaranteed defense, but "an attacker is bankrupting themselves making fees elevated" is probably just not one of them.  Though anyone who disagrees is free to try!

All that said, I do think that the overall trend ... really since 2013 or 2014 has been to avoid having standardness restrictions except where it's needed to preserve the ability to introduce new features or protect hard-to-fix soft spots (like script opcodes that took too much time to execute relative to their weight usage).  Part of the motivation behind that trend is that filtering this or that structure doesn't actually prevent attacks since attackers will do whatever works, but part of it was also that additional standardness rules could be deployed as needed.  That's made harder by attackers pretending to be legitimate usage in enlistment attacks, which I think was probably expected in the past but perhaps under estimated-- what wasn't anticipated is that they could use any action in defense as a viable way to attack the defenders with lawsuits.  So in that sense you could say there may have been some oversight, but I don't know if the loss of "fix the spam with policy" as a tool is all that meaningful, given the broader point that the attack can just change shape.

I haven't even gone into the fact that standardness is a really weak protection since it doesn't apply to miners, who absolutely are known to mine non-standard txn for pay... the whole ethereum MEV dark forest with an endless supply of incentive incompatible smart contracts has also made dishonest conduct (in the sense of violating the unenforced protocol to maximize income) a norm for any part of that industry that has touched the ethereum ecosystem.

Enlistment can also be combated with communication and, in fact, communication is both necessary and sufficient since you can't deploy or preserve a stanardness rule against an attack without justifying it.  The tricky part is that if people make a big deal arguing against something they validate it as something important and give it free press so you have to be careful that you don't help it, but actually acting against with technical measures is probably a zillion times worse.

But here I don't know that a lot of communication is needed because I've seen very little evidence of significant enlistment, the enlistment mostly seems to be a cover.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
I think it's a reasonable guess that since we know the congestion is almost entirely being performed by three Calvin Ayre funded companies that the goals are some mixture of congesting Bitcoin to reduce its utility and trick people into using his centralized and controlled fork of a fork of Bitcoin, BSV... and trying to get some engineers to push for controversial changes to filter their specific attack-- of course they instantly fanned the controversy as soon as Luke posted saying it should be blocked-- in order to attach lawsuits to even more technical experts and try to generate some substantiation for their existing multi-billion dollar backdoor demands.

Funny how they almost completely left me out of the drama considering that Luke was replying to my message. Roll Eyes

But I think Michael Folkson said it best in his reply on the mailing list, if we close off this vector, these nutcases will just find another vector to continue their spam such as OP_RETURN or Segwit v1 witness data compacted properly in binary, scriptsigs in legacy addresses which have a dummy P2PKH script followed by compact BRC-20 OP_PUSHDATAs and so on. We can't possibly disable all such vectors as some require a hardfork.

The protocol is rife for exploit pretty much everywhere - our job (well those of us still working on Bitcoin that is) is to make Layer 2's that mitigate these effects for the users. Ark is a good example of something that was invented as a result of this controversy.
staff
Activity: 4284
Merit: 8808
I don't agree.

The exact same transactions were valid *before* (e.g. if taproot had never been proposed) and are also valid as witness versions 2 to 16, and the same congestion can be caused regardless of *any* limitation (just use more transactions or inputs).  I think people are being duped by a consensus cracking diversion intended to cause users to blame the congestion on "a bug" instead pretty the obvious flooding attack that is spending millions per day to congest the network-- flooding attacks were also being performed back in 2016.   There is a proven and robust way to inhibit flooding attacks, and as far as I know it's the only way to inhibit them: competition for space makes them eye wateringly expensive.  Unfortunately, it also makes ordinary transactions expensive (but far less so:  a normal transaction has to pay a high fee just once, while a flooder has to pay the fee of every transaction they block in each block they block it in) and inhibiting doesn't prevent them completely.  Sometimes attackers are willing to spend tens or hundreds of millions of dollars in a short lived attack--- though you have to wonder what they think they're going to get out of it.

I think it's a reasonable guess that since we know the congestion is almost entirely being performed by three Calvin Ayre funded companies that the goals are some mixture of congesting Bitcoin to reduce its utility and trick people into using his centralized and controlled fork of a fork of Bitcoin, BSV... and trying to get some engineers to push for controversial changes to filter their specific attack-- of course they instantly fanned the controversy as soon as Luke posted saying it should be blocked-- in order to attach lawsuits to even more technical experts and try to generate some substantiation for their existing multi-billion dollar backdoor demands.
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
These days we are witnessing my concerns from 2 years ago materialize in form of a mess called Ordinals. It is a good example of the downsides of leaving consensus rules this loose for extensibility purposes.
staff
Activity: 4284
Merit: 8808
It just leaves more of the witness V1 space open for other usages that have different sizes.  No need to needlessly close off extensibility.
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
But isn't that about the "spending" script put in the witness not the pubkey script where the program is?
full member
Activity: 206
Merit: 447

Taproot is upgradable itself. From the announcement https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016914.html

Quote
* Extensibility through leaf versions, OP_SUCCESS opcodes, and upgradable pubkey types.

legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
Witness version 0 is strict and will fail if the program size is not 20 or 32 bytes but witness version 1 will simply assume the program is undefined and passes on verification. What's the rational for keeping this loose?
https://github.com/bitcoin/bitcoin/blob/55a156fca08713b020aafef91f40df8ce4bc3cae/src/script/interpreter.cpp#L1878
Code:
if (witversion == 0) 
{
  if (program.size() == WITNESS_V0_SCRIPTHASH_SIZE){}
  else if (program.size() == WITNESS_V0_KEYHASH_SIZE){}
  else { set_error (...) }
}
else if (witversion == 1 && program.size() == WITNESS_V1_TAPROOT_SIZE && !is_p2sh)
{...}
else
   return true;
Jump to: