Author: Gregory Maxwell 2017-04-06 00:17:17
Published on: 2017-04-06T00:17:17+00:00
A serious security flaw has been identified in Bitcoin. There is a proposal for a soft fork to be included in Bitcoin Core as soon as 0.14.1, with a trigger 3-6 months from release. The speed of adoption depends on the level of support from the community. It is proposed that the user's choice of segwit commitment or a modified form should be used to lower technical complexity and risk. The default behavior as of 0.13.2 is for SegWit-ready miners to always produce a commitment even when optional according to BIP 141, but this has not been measured yet.Many protocol upgrades beyond segwit could run into the same incompatibility, including UTXO commitments, committed Bloom filters, committed address indexes, STXO commitments, weak blocks, most kinds of fraud proofs, among others. Adding any commitment to data dependent on the right-hand side of the hash tree in the left-hand side can lead to a massive increase in the computation required for covert boosting, which can nullify the ASICBOOST advantage. The proposal aims at severely handicapping the covert form of it and eliminating the differential advantage for boosting miners related to the use of transaction-dependent commitments. Use of the segwit-style commitment even in non-segwit blocks is sufficient because the segwit commitment commits to all transactions except the coinbase. This was designed so that lite clients that needed witness data could work with just one tree.
Updated on: 2023-05-20T01:51:59.586858+00:00