Published on: 2016-06-12T14:40:17+00:00
In a Bitcoin-dev mailing list discussion, Luke Dashjr expressed his opinion on the safety and size limitations of the 32 bytes hash. He argued that a witness program larger than 40 bytes would be unnecessary and expensive, taking up more UTXO space. However, he acknowledged the downside of being too strict, which limits the ability to do soft fork upgrades in the future. As a compromise, he suggested raising the limit to 75 bytes.Pieter, who initiated the discussion, disagreed with the need for any changes. He believed that any data that needs to be encoded can be moved to the witness at a cheaper cost and replaced by a 256-bit hash. The only thing not allowed in the hash is metadata to indicate the hashing/rule scheme used, which Pieter thought could be represented by 68 bits (OP_n + 8 bytes).Johnson Lau also expressed concerns about the safety of the 32 bytes hash and its potential impact on the safety of txid. He suggested that if the 32 bytes hash is deemed unsafe in the future, a hard fork might be needed. Additionally, he questioned the usefulness of a witness program larger than 40 bytes, as it would be more expensive and take up more UTXO space.Luke Dashjr and Johnson Lau discussed the possibility of extending the definition for scripts with a 1-byte push followed by a push of 40 bytes. Lau suggested making it even bigger, up to 75 bytes, but Dashjr did not see this as a sufficient answer. However, Pieter explained that a softfork to redefine such scripts would be complicated due to the current limit preventing the use of the witness field.On June 8, 2016, Johnson Lau proposed increasing the size of transaction scripts to 75 bytes. Pieter explained why a size larger than 75 would be inconvenient, but did not provide a satisfactory response to the proposed increase. Luke Dashjr pointed out that scripts with a 1-byte push followed by a push of over 40 bytes remain anyone-can-spend, so they could be redefined with a softfork. However, this would prevent the use of the witness field for such scripts, requiring two different witness commitments or disabling the previous witness transaction format.The segregated witness (BIP141) consensus rule has been updated to extend the definition of a witness program, allowing it to consist of a data push between 2 to 40 bytes, instead of the previous limit of 2 to 32 bytes. This update was necessary as BIP141 only defined version 0 witness programs for P2WPKH and P2WSH, leaving versions 1 to 16 undefined and considered anyone-can-spend scripts. By extending the maximum length by 8 bytes, up to 16 * 2^64 versions are now available for future upgrades. A witness program of 40 bytes allows a 32-byte hash with 8-byte metadata, and any scripts larger than 32 bytes should be recorded in the witness field to reduce transaction cost and impact on the UTXO set.It is unlikely that a larger witness program would be required without a major revamp of the Bitcoin protocol since SHA256 is widely used. Previously, a script with a 1-byte push followed by a data push of 33-40 bytes did not allow witness data, but this is now allowed. Users running segnet nodes or testnet nodes with segwit code are advised to upgrade to the latest version at https://github.com/bitcoin/bitcoin/pull/7910. Alternative implementations should also ensure their consensus code is updated accordingly to avoid forking off the network.
Updated on: 2023-08-01T18:26:18.831867+00:00