Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
Standard Unstructured Annex
253 views
Skip to first unread message
Peter Todd
Mar 19, 2025, 9:02:10 PMMar 19
to bitco...@googlegroups.com
I'm working on adding support for the taproot annex to Libre Relay:
https://github.com/petertodd/bitcoin/commit/04c8e449a34e74e048bf5751d13592a22763ff7e
I'm basing this on Joost Jager's pull-req: https://github.com/bitcoin/bitcoin/pull/27926
Specifically, transactions containing taproot annexes will be standard
if:
1) All non-empty annexes start with the byte 0x00, to distinguish them
from consensus-relevant annexes. This ensures that any use of the
annex will not conflict with future soft-forks that may assign
meaning to the annex.
2) All inputs have an annex. This ensures that use of the annex is
opt-in, preventing transaction pinning attacks in multi-party
protocols. This requirement may be relaxed in the future, eg to allow
spends of keyless outputs, and/or if RBF for witness-only
replacements is implemented.
An example of a transaction meeting these requirements is:
010000000001011a559447098aaa14dec0c62ea55f43f9ce6bda07d1759f11b634334ab9da939b0000000000ffffffff010000000000000000076a05616e6e657802406840b6fa27a00ba001cc92797ce4f3ab7b7a32c21d1fce49e893b42e506bd92e8db187966a84ef799915cf671334cc59779915b192bfb66b2afcf384bb61d0f422500049276d20616e20616e6e6578212041726520796f7520616e20616e6e65783f0000000000
--
https://petertodd.org 'peter'[:-1]@petertodd.org
https://github.com/petertodd/bitcoin/commit/04c8e449a34e74e048bf5751d13592a22763ff7e
I'm basing this on Joost Jager's pull-req: https://github.com/bitcoin/bitcoin/pull/27926
Specifically, transactions containing taproot annexes will be standard
if:
1) All non-empty annexes start with the byte 0x00, to distinguish them
from consensus-relevant annexes. This ensures that any use of the
annex will not conflict with future soft-forks that may assign
meaning to the annex.
2) All inputs have an annex. This ensures that use of the annex is
opt-in, preventing transaction pinning attacks in multi-party
protocols. This requirement may be relaxed in the future, eg to allow
spends of keyless outputs, and/or if RBF for witness-only
replacements is implemented.
An example of a transaction meeting these requirements is:
010000000001011a559447098aaa14dec0c62ea55f43f9ce6bda07d1759f11b634334ab9da939b0000000000ffffffff010000000000000000076a05616e6e657802406840b6fa27a00ba001cc92797ce4f3ab7b7a32c21d1fce49e893b42e506bd92e8db187966a84ef799915cf671334cc59779915b192bfb66b2afcf384bb61d0f422500049276d20616e20616e6e6578212041726520796f7520616e20616e6e65783f0000000000
--
https://petertodd.org 'peter'[:-1]@petertodd.org
Antoine Riard
Mar 23, 2025, 9:30:10 PMMar 23
to Bitcoin Development Mailing List
Hi Peter,
See also that can be relevant for taproot annex support:
https://github.com/bitcoin/bips/pull/1381
> 1) All non-empty annexes start with the byte 0x00, to distinguish them
> from consensus-relevant annexes. This ensures that any use of the
> annex will not conflict with future soft-forks that may assign
> meaning to the annex.
So IIUC, it would be 1-byte: 0x00 | <random_data payload>.
> 2) All inputs have an annex. This ensures that use of the annex is
> opt-in, preventing transaction pinning attacks in multi-party
> protocols. This requirement may be relaxed in the future, eg to allow
> spends of keyless outputs, and/or if RBF for witness-only
> replacements is implemented.
I think it's good to start with all inputs have an annex. It avoids
the kind of issue, like what if the annex size is inflated to downgrade
the feerate of the multi-party transaction (e.g to have a coinjoin
stucking in network mempools).
One thing that might be missed, without having looked to the code, is
potentially a policy transaction-relay rule to limit the max size of the
annex, to avoid the same concern than above. There shouldn't be max
limit for now, as normally the annex is not standard at all as a taproot
data field.
Best,
Antoine
OTS hash: 5b620c444896f05d05fe00542a4ac04c44f21684
See also that can be relevant for taproot annex support:
https://github.com/bitcoin/bips/pull/1381
> 1) All non-empty annexes start with the byte 0x00, to distinguish them
> from consensus-relevant annexes. This ensures that any use of the
> annex will not conflict with future soft-forks that may assign
> meaning to the annex.
> 2) All inputs have an annex. This ensures that use of the annex is
> opt-in, preventing transaction pinning attacks in multi-party
> protocols. This requirement may be relaxed in the future, eg to allow
> spends of keyless outputs, and/or if RBF for witness-only
> replacements is implemented.
the kind of issue, like what if the annex size is inflated to downgrade
the feerate of the multi-party transaction (e.g to have a coinjoin
stucking in network mempools).
One thing that might be missed, without having looked to the code, is
potentially a policy transaction-relay rule to limit the max size of the
annex, to avoid the same concern than above. There shouldn't be max
limit for now, as normally the annex is not standard at all as a taproot
data field.
Best,
Antoine
OTS hash: 5b620c444896f05d05fe00542a4ac04c44f21684
Peter Todd
Mar 24, 2025, 6:00:51 PMMar 24
to Antoine Riard, Bitcoin Development Mailing List
On Thu, Mar 20, 2025 at 03:47:16PM -0700, Antoine Riard wrote:
> Hi Peter,
>
> See also that can be relevant for taproot annex support:
> https://github.com/bitcoin/bips/pull/1381
> > 1) All non-empty annexes start with the byte 0x00, to distinguish them
> > from consensus-relevant annexes. This ensures that any use of the
> > annex will not conflict with future soft-forks that may assign
> > meaning to the annex.
>
> So IIUC, it would be 1-byte: 0x00 | <random_data payload>.
When annex data finally does get a consensus meaning any encoding scheme
starting with a non-zero byte will be compatible. Most likely we'll get
some tag-length-value encoding scheme.
Applications already using annexes who want to also take advantage of
new consensus features will of course have to upgrade their encoding
schemes to match. But I think that's fine.
> > 2) All inputs have an annex. This ensures that use of the annex is
> > opt-in, preventing transaction pinning attacks in multi-party
> > protocols. This requirement may be relaxed in the future, eg to allow
> > spends of keyless outputs, and/or if RBF for witness-only
> > replacements is implemented.
>
> I think it's good to start with all inputs have an annex. It avoids
> the kind of issue, like what if the annex size is inflated to downgrade
> the feerate of the multi-party transaction (e.g to have a coinjoin
> stucking in network mempools).
> One thing that might be missed, without having looked to the code, is
> potentially a policy transaction-relay rule to limit the max size of the
> annex, to avoid the same concern than above. There shouldn't be max
> limit for now, as normally the annex is not standard at all as a taproot
> data field.
artificially limit annex usage either. The requirement to opt-in to
annex usage should be sufficient.
There is a possibility of a multi-party, annex-using, protocol where
someone does a pinning attack by re-signing their transaction with a
bigger annex. But witness-RBF in combination with replace-by-fee-rate
will fix this, so I'm not concerned. No such protocols actually exist
yet anyway, so we can figure that out later.
Antoine Riard
Apr 9, 2025, 7:24:35 PM (11 days ago) Apr 9
to Bitcoin Development Mailing List
Hi Peter,
> Applications already using annexes who want to also take advantage of
> new consensus features will of course have to upgrade their encoding
> schemes to match. But I think that's fine.
Yes, I agree. I believe there is one more thing to falicitate any future
potential encoding scheme transition for application.
I.e you have the 1-byte : 0x00 | <random_payload_data>, and you could
have a an application-only versioning of the <random_payload_data> with
one more 1-byte, to give the evolvability to application to experiment
with multiple parsing format.
So you would have "1-byte" 0x00 | "random_payload_data" where "random_payload_data"
is defined as 1-byte: <version_number> | "random_payload_data". That
version number shall only have application meaning, no consensus, it's
just some kind of clear domain separation. AFAICT, the version number
could be always retrofitted for a non-0x00 tag-length-value consensus
meaning.
If it can be useful in any way, an old annex branch with a try of TLV:
https://github.com/ariard/bitcoin/commit/84a897feb20c7df813e236d6bf98b69e241a4530
IMHO, this was a very positive thing for taproot to have a lot of
versioning and upgradeability paths (e.g leaves version, pubkey type, etc).
> There is a possibility of a multi-party, annex-using, protocol where
> someone does a pinning attack by re-signing their transaction with a
> bigger annex. But witness-RBF in combination with replace-by-fee-rate
> will fix this, so I'm not concerned. No such protocols actually exist
> yet anyway, so we can figure that out later.
Correct given it's opt-in and that there will be witness-RBF support.
Note, for witness support, where IIUC you have wtxidB allowed to
replace wtxidB if wtxidA's feerate > wtxidB and if annex size is
unbounded, I think it works for multi-party protocols.
For witness re-composition problems, see:
https://github.com/bitcoin/bitcoin/pull/19645#issuecomment-677955391
Best,
Antoine
OTS hash: 30c270434ccb4b50a4a65b40bcdc014b8ef863df8e5e425732c1b385e71b680c
> Applications already using annexes who want to also take advantage of
> new consensus features will of course have to upgrade their encoding
> schemes to match. But I think that's fine.
potential encoding scheme transition for application.
I.e you have the 1-byte : 0x00 | <random_payload_data>, and you could
have a an application-only versioning of the <random_payload_data> with
one more 1-byte, to give the evolvability to application to experiment
with multiple parsing format.
So you would have "1-byte" 0x00 | "random_payload_data" where "random_payload_data"
is defined as 1-byte: <version_number> | "random_payload_data". That
version number shall only have application meaning, no consensus, it's
just some kind of clear domain separation. AFAICT, the version number
could be always retrofitted for a non-0x00 tag-length-value consensus
meaning.
If it can be useful in any way, an old annex branch with a try of TLV:
https://github.com/ariard/bitcoin/commit/84a897feb20c7df813e236d6bf98b69e241a4530
IMHO, this was a very positive thing for taproot to have a lot of
versioning and upgradeability paths (e.g leaves version, pubkey type, etc).
> There is a possibility of a multi-party, annex-using, protocol where
> someone does a pinning attack by re-signing their transaction with a
> bigger annex. But witness-RBF in combination with replace-by-fee-rate
> will fix this, so I'm not concerned. No such protocols actually exist
> yet anyway, so we can figure that out later.
Note, for witness support, where IIUC you have wtxidB allowed to
replace wtxidB if wtxidA's feerate > wtxidB and if annex size is
unbounded, I think it works for multi-party protocols.
For witness re-composition problems, see:
https://github.com/bitcoin/bitcoin/pull/19645#issuecomment-677955391
Best,
Antoine
OTS hash: 30c270434ccb4b50a4a65b40bcdc014b8ef863df8e5e425732c1b385e71b680c
Reply all
Reply to author
Forward
0 new messages