BIP 53: Disallow 64-byte transactions #1760

pull Christewart wants to merge 1 commits into bitcoin:master from Christewart:2024-12-20-64bytetxs changing 5 files +178 −0
  1. Christewart commented at 9:29 pm on February 10, 2025: contributor

    This BIP makes 64 byte bitcoin transactions serialized without the witness consensus invalid

    Mailing list post: https://groups.google.com/g/bitcoindev/c/rf3QOlzg230/m/eOOC8pkOAgAJ

    Delving discussion: https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710

    Side note, wasn’t sure how to best handle the 2-Bitcoin-Merkle.pdf as it isn’t hosted anywhere easily accessible AFAICT? For now I just added it into the git repo. Lmk if you have other suggestions

  2. jonatack added the label New BIP on Feb 10, 2025
  3. murchandamus commented at 7:36 pm on February 11, 2025: contributor
    I am a little surprised at this pull request, given the frequent coverage of Antoine’s ongoing research on reviving the Great Consensus Cleanup that includes a similar fix. It seems better to me to package all four fixes in one soft fork. Was it overlooked that this work is being duplicated, or are you disagreeing with the direction of Antoine’s work and want to put forward an alternative? Could you elaborate why you decided to submit this?
  4. Christewart commented at 8:11 pm on February 11, 2025: contributor

    I am a little surprised at this pull request, given the frequent coverage of Antoine’s ongoing research on reviving the Great Consensus Cleanup that includes a similar fix. It seems better to me to package all four fixes in one soft fork. Was it overlooked that this work is being duplicated, or are you disagreeing with the direction of Antoine’s work and want to put forward an alternative? Could you elaborate why you decided to submit this?

    HI Murch!

    Great Consensus Cleanup

    While the GCC is a great name for a disjoint set of bitcoin protocol security fixes, that doesn’t mean they all need to be bundled into one BIP and deployed at the same time.

    It seems better to me to package all four fixes in one soft fork.

    This document takes no opinion on how this enhancement is deployed.

    Previously we have deployed multiple consensus changes in a single soft fork that contained multiple BIPs. The 2017 Segwit soft fork had BIP141, BIP143. The Taproot soft fork had BIP341 and BIP342.

    Was it overlooked that this work is being duplicated,

    I was recommended that this was a piece of work that was easily to peel off from the rest of GCC and propose a fix for. Its relatively simple and straight forward, and has been known about for a long time.

    Antoine’s on going research.

    I think Antoine’s research is great, but just because he is researching the topic doesn’t mean he gets to monopolize the vulnerabilities. The 64 byte transaction vulnerability has been known since at least 2012 - yet no one has taken the time to write up a BIP to fix it 😬 . I’ve put forth the first BIP draft in the 13 years since this vulnerability has been known. I encourage Antoine to write up his proposal (hopefully sooner rather than later) as he doesn’t seem to be interested in working with me.

    Other vulnerabilities in GCC have also been known about for a long time - such as worse case block validation time. Antoine has done a lot of novel research there and I think his work product has been excellent on delving.

    There is plenty of meat left on the GCC bone, this was a small piece I decided to carve off.

  5. in bip-XXXX.mediawiki:20 in b08c7a116a outdated 
    15+We describe the weaknesses to the merkle tree included in bitcoin block headers, various exploits for those weaknesses.
16+
17+==Motivation==
18+
19+Bitcoin block headers include a commitment to the set of transactions in a given
20+block, which is implemented by constructing a Merkle tree of transaction id’s
    murchandamus commented at 10:16 pm on February 11, 2025: 
    0block, which is implemented by constructing a Merkle tree of transaction ids
  6. in bip-XXXX.mediawiki:29 in b08c7a116a outdated 
    24+transaction. However, Bitcoin’s particular construction of the Merkle tree has
25+several security weaknesses, including at least two forms of block malleability
26+that have an impact on the consensus logic of Bitcoin Core, and an attack on
27+light clients, where an invalid transaction could be ”proven” to appear in a block
28+by doing substantially less work than a SHA256 hash collision would require.
29+This has been prevented by relay policy since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR #11423 disallows 64 byte transactions in bitcoin core relay]</ref>
    murchandamus commented at 10:18 pm on February 11, 2025:

    Bitcoin Core is a proper noun:

    0This has been prevented by relay policy since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR [#11423](/bitcoin-bips/11423/) disallows 64-byte transactions in Bitcoin Core relay]</ref>
  7. in bip-XXXX.mediawiki:33 in b08c7a116a outdated 
    28+by doing substantially less work than a SHA256 hash collision would require.
29+This has been prevented by relay policy since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR #11423 disallows 64 byte transactions in bitcoin core relay]</ref>
30+
31+==Specification==
32+
33+This BIP disallows bitcoin transactions that are serialized to 64 bytes in length without it's witness.
    murchandamus commented at 10:18 pm on February 11, 2025: 
    0This BIP disallows bitcoin transactions that are serialized to 64 bytes in length without its witness.
    murchandamus commented at 11:08 pm on February 11, 2025:

    Could you explain the exact semantics of how and where such transactions are disallowed?

    Do you mean e.g., that a block including a 64-byte transaction must be rejected as invalid?

  8. in bip-XXXX.mediawiki:4 in b08c7a116a outdated 
    0@@ -0,0 +1,140 @@
1+<pre>
2+  BIP: ?
3+  Layer: Consensus (soft fork)
4+  Title: Disallow 64 byte transactions
    murchandamus commented at 10:35 pm on February 11, 2025:

    Here and in the following, when used as an adjective, “64-byte” is commonly hyphenated.

    0  Title: Disallow 64-byte transactions
  9. in bip-XXXX.mediawiki:9 in b08c7a116a outdated 
    0@@ -0,0 +1,140 @@
1+<pre>
2+  BIP: ?
3+  Layer: Consensus (soft fork)
4+  Title: Disallow 64 byte transactions
5+  Author: Chris Stewart <stewart.chris1234@gmail.com>
6+  Status: Draft
7+  Type: Specification
8+  License: BSD-3-Clause
9+  Created: ?
    murchandamus commented at 10:35 pm on February 11, 2025: 
    0  Created: ?
1  License: BSD-3-Clause
  10. in bip-XXXX.mediawiki:7 in b08c7a116a outdated 
    0@@ -0,0 +1,140 @@
1+<pre>
2+  BIP: ?
3+  Layer: Consensus (soft fork)
4+  Title: Disallow 64 byte transactions
5+  Author: Chris Stewart <stewart.chris1234@gmail.com>
6+  Status: Draft
7+  Type: Specification
    murchandamus commented at 10:35 pm on February 11, 2025: 
    0  Type: Standards Track
  11. in bip-XXXX.mediawiki:5 in b08c7a116a outdated 
    0@@ -0,0 +1,140 @@
1+<pre>
2+  BIP: ?
3+  Layer: Consensus (soft fork)
4+  Title: Disallow 64 byte transactions
5+  Author: Chris Stewart <stewart.chris1234@gmail.com>
    murchandamus commented at 10:35 pm on February 11, 2025:

    I’m afraid that BIP 2 is still Active, and BIP 3 is not yet:

    0  Author: Chris Stewart <stewart.chris1234@gmail.com>
1  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-?
  12. in bip-XXXX.mediawiki:67 in b08c7a116a outdated 
    62+This attack vector was fixed in 0.6.2<ref>[https://bitcoin.org/en/alert/2012-05-14-dos#risks CVE-2012-2459]</ref>, re-introduced in 0.13.x<ref>[https://github.com/bitcoin/bitcoin/pull/7225 #7225]</ref> and patched again in
63+0.14<ref>[https://github.com/bitcoin/bitcoin/pull/9765 #9765]</ref> of bitcoin core.
64+
65+==== Block malleability with consensus VALID transactions ====
66+
67+Producing a valid bitcoin transaction T<sub>m</sub> that adheres to network consesnsus
    murchandamus commented at 10:46 pm on February 11, 2025: 
    0Producing a valid bitcoin transaction T<sub>m</sub> that adheres to network consensus
  13. in bip-XXXX.mediawiki:90 in b08c7a116a outdated 
    85+with the hash of some other fake, invalid transaction F. The attacker can fool the SPV client into believing that F
86+was included in a bitcoin block rather than T with 81 bits<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf An attacker who can do 81 bits of work (followed by another 40 bits of work, to
87+construct the funding transaction whose coins will be spent by this one) is able
88+to fool an SPV client in this way.]</ref> of work. This also reduces implementation complexity of SPV wallets<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/43 The steps needed to make sure a merkle proof for a transaction is secure.]</ref>.
89+
90+This could be mitigated by knowing the depth of the merkle tree. Requiring SPV clients to request both the coinbase transaction could mitigate this attack.
    murchandamus commented at 11:05 pm on February 11, 2025:
    The area around “both the coinbase transaction” seems to be missing something
  14. in bip-XXXX.mediawiki:96 in b08c7a116a outdated 
    91+To produce a valid coinbase transaction at the same depth that our fake transaction F occurs at would require 224 bits of work.
92+As mentioned above, this is computionally and financially expensive, but theoretically possible.
93+
94+==Backward compatibility==
95+
96+There have been 5 64 byte transactions that have occcurred in the bitcoin blockchain as of this
    murchandamus commented at 11:10 pm on February 11, 2025:
    Could you expand on how you are suggesting that implementers should mitigate this incompatibility? What about the potential existence of a pre-signed transaction that serializes to 64 bytes?
  15. in bip-XXXX.mediawiki:35 in b08c7a116a outdated 
    30+
31+==Specification==
32+
33+This BIP disallows bitcoin transactions that are serialized to 64 bytes in length without it's witness.
34+
35+==Rationale==
    murchandamus commented at 11:15 pm on February 11, 2025:
    A lot of the content of this section would maybe fit better under Motivation. Rationale usually explores the design decisions, alternate designs, and related work. For example you could expand on the approach of tracking the height of the Merkle branch to the coinbase transaction in the Rationale.
  16. murchandamus commented at 11:30 pm on February 11, 2025: contributor

    This does seem like a reasonable start for a BIP. A few parts of the content could perhaps be organized a bit differently, and some sections could be expanded. Especially the Specification could be a bit more precise in what an implementation should do to be compliance with this BIP. I left you a few editorial nits that you could perhaps take a look at.

    It seems likely to me that this submission may be duplicating some effort on all of our ends, assuming that the other anticipated BIP gets submitted near-term, but fair enough, we have not received another BIP on this topic. I guess I can’t fault multiple people for being interested in the same topic.

  17. murchandamus added the label PR Author action required on Feb 12, 2025
  18. jonatack removed the label PR Author action required on Feb 27, 2025
  19. Christewart force-pushed on Mar 1, 2025
  20. Christewart requested review from murchandamus on Mar 1, 2025
  21. Christewart force-pushed on Mar 1, 2025
  22. Christewart commented at 4:39 pm on March 1, 2025: contributor
    I believe the CI failure is unrelated to me?
  23. in bip-XXXX.mediawiki:16 in 8a75ee8f38 outdated 
    11+</pre>
12+
13+==Abstract==
14+
15+This BIP describes the rationale for disallowing transactions that are serialized to 64 bytes without the transaction's witness. 
16+We describe the weaknesses to the merkle tree included in bitcoin block headers, various exploits for those weaknesses.
    jonatack commented at 9:06 pm on March 7, 2025: 
    0We describe the weaknesses to the Merkle tree included in bitcoin block headers, and various exploits for those weaknesses.

    (Suggest using consistent capitalization of “merkle” in this document, here and for the other instances)

  24. in bip-XXXX.mediawiki:20 in 8a75ee8f38 outdated 
    15+This BIP describes the rationale for disallowing transactions that are serialized to 64 bytes without the transaction's witness. 
16+We describe the weaknesses to the merkle tree included in bitcoin block headers, various exploits for those weaknesses.
17+
18+==Specification==
19+
20+This BIP disallows bitcoin transactions that are serialized to 64 bytes in length without its witness.
    jonatack commented at 9:07 pm on March 7, 2025:

    s/its/their/, or “transaction” in the singular form

    0This BIP disallows bitcoin transactions that are serialized to 64 bytes in length without their witness.
  25. in bip-XXXX.mediawiki:34 in 8a75ee8f38 outdated 
    29+transaction. However, Bitcoin’s particular construction of the Merkle tree has
30+several security weaknesses, including at least two forms of block malleability
31+that have an impact on the consensus logic of Bitcoin Core, and an attack on
32+light clients, where an invalid transaction could be ”proven” to appear in a block
33+by doing substantially less work than a SHA256 hash collision would require.
34+This has been prevented by relay policy and RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR #11423 disallows 64-byte transactions in Bitcoin Core relay and RPC interface]</ref>.
    jonatack commented at 9:08 pm on March 7, 2025: 
    0This has been prevented by relay policy and the RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR [#11423](/bitcoin-bips/11423/) disallows 64-byte transactions in Bitcoin Core relay and RPC interface]</ref>.
  26. in bip-XXXX.mediawiki:52 in 8a75ee8f38 outdated 
    47+==== Block malleability with consensus INVALID transactions ====
48+
49+The peer receiving the malicious block marks the block as invalid as T<sub>m</sub> 
50+is not a valid transaction according to network consensus rules.
51+Other peers on the network receive the valid block containing T<sub>0</sub> and T<sub>1</sub>
52+add the block to their blockchain. Peers that receive the invalid block before the valid block
    jonatack commented at 9:11 pm on March 7, 2025:

    IIUC

    0and add the block to their blockchain. Peers that receive the invalid block before the valid block
  27. in bip-XXXX.mediawiki:54 in 8a75ee8f38 outdated 
    49+The peer receiving the malicious block marks the block as invalid as T<sub>m</sub> 
50+is not a valid transaction according to network consensus rules.
51+Other peers on the network receive the valid block containing T<sub>0</sub> and T<sub>1</sub>
52+add the block to their blockchain. Peers that receive the invalid block before the valid block
53+will never come to consensus with their peers due to the malicious user finding a collision
54+within the block's merkle root. Finding this collision approximately 22 bits worth of work<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf to produce a block that has a Merkle
    jonatack commented at 9:15 pm on March 7, 2025:
    “Finding this collision approximately 22 bits worth of work” -> looks like a verb is missing here, or the sentence seems hard to follow
  28. in bip-XXXX.mediawiki:121 in 8a75ee8f38 outdated 
    116+
117+====Segwit 64-byte transactions====
118+
119+This BIP disallows single-input single output segwit transactions that pay to a 2 byte witness program.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73#p-4382-future-segwit-versions-10 BIP141 says witness programs can be 2 bytes in size, which makes the scriptPubKey a total of 4 bytes]</ref>
120+The only known use case<ref>[https://bitcoin.stackexchange.com/a/110664 Why do we have 2 byte witness programs? The original rationale for the lower end of the range of valid witness program lengths is that 2 bytes is enough to guarantee no ambiguity of how the program would be pushed (some 1 byte values can - and according to standardness, must - be pushed with OP_n, and dealing with those would have complicated the matter).]</ref>
121+for this type of transaction is ephemeral anchor outputs<ref>[https://bitcoinops.org/en/topics/ephemeral-anchors/ What are ephemeral anchor outputs? This allows anyone on the network to use that output as the input to a child transaction. This allows anyone to create the fee-paying child, even if they don’t receive any of the other outputs from the parent transaction. This allows ephemeral anchors to function as fee sponsorship but without requiring any consensus changes.]</ref>
    jonatack commented at 9:21 pm on March 7, 2025: 
    0for this type of transaction is ephemeral anchor outputs.<ref>[https://bitcoinops.org/en/topics/ephemeral-anchors/ What are ephemeral anchor outputs? This allows anyone on the network to use that output as the input to a child transaction. This allows anyone to create the fee-paying child, even if they don’t receive any of the other outputs from the parent transaction. This allows ephemeral anchors to function as fee sponsorship but without requiring any consensus changes.]</ref>
  29. in bip-XXXX.mediawiki:113 in 8a75ee8f38 outdated 
    108+The largest scriptSig a 64-byte transaction can have is 4 bytes.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73]</ref>
109+
110+There are 6<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/nonstandard-hashlock-utxos.txt As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 nonstandard hashlock utxos that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]</ref>
111+non standard hashlock utxos in the bitcoin blockchain. None of them have a 0-3 byte pre-image. This means they cannot be spent by a 64-byte transaction.
112+
113+Pre-segwit 64-byte transactions that spend a nonstandard utxo that are inherently malleable<ref>[https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#trust-free-unconfirmed-transaction-dependency-chain Details on how to malleate a pre-segwit transaction]</ref>.
    jonatack commented at 9:27 pm on March 7, 2025: 
    0Pre-segwit 64-byte transactions that spend a nonstandard utxo that are inherently malleable.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#trust-free-unconfirmed-transaction-dependency-chain Details on how to malleate a pre-segwit transaction]</ref>
  30. in bip-XXXX.mediawiki:102 in 8a75ee8f38 outdated 
     97+
 98+==Backward compatibility==
 99+
100+There have been 5 64-byte transactions that have occcurred in the bitcoin blockchain as of this
101+writing <ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/64byte-tx-mainnet.txt 64-byte transactions in the bitcoin blockchain]</ref>
102+With the last transaction 7f2efc6546011ad3227b2da678be0d30c7f4b08e2ce57b5edadd437f9e27a612<ref>[https://mempool.space/tx/7f2efc6546011ad3227b2da678be0d30c7f4b08e2ce57b5edadd437f9e27a612 Last 64-byte transaction in the bitcoin blockchain]</ref>
    jonatack commented at 9:28 pm on March 7, 2025: 
    0with the last transaction 7f2efc6546011ad3227b2da678be0d30c7f4b08e2ce57b5edadd437f9e27a612<ref>[https://mempool.space/tx/7f2efc6546011ad3227b2da678be0d30c7f4b08e2ce57b5edadd437f9e27a612 Last 64-byte transaction in the bitcoin blockchain]</ref>
  31. in bip-XXXX.mediawiki:129 in 8a75ee8f38 outdated 
    124+
125+<source lang="cpp">
126+/**
127+ * We want to enforce certain rules (specifically the 64-byte transaction check)
128+ * before we call CheckBlock to check the merkle root. This allows us to enforce
129+ * malleability checks which may interact with other CheckBlock checks.
    jonatack commented at 9:29 pm on March 7, 2025: 
    0 * malleability checks that may interact with other CheckBlock checks.
    Christewart commented at 3:52 pm on March 10, 2025:
    I’m going to avoid changing these nits unless they change in the reference implementation unless you have a super strong opinion on this.
    jonatack commented at 6:22 pm on March 10, 2025:
    I see. It wasn’t clear to me that this is extracted from the open pull in bitcoin-inquisition.
  32. in bip-XXXX.mediawiki:132 in 8a75ee8f38 outdated 
    127+ * We want to enforce certain rules (specifically the 64-byte transaction check)
128+ * before we call CheckBlock to check the merkle root. This allows us to enforce
129+ * malleability checks which may interact with other CheckBlock checks.
130+ * This is currently called both in AcceptBlock prior to writing the block to
131+ * disk and in ConnectBlock.
132+ * Note that as this is called before merkle-tree checks so must never return a
    jonatack commented at 9:30 pm on March 7, 2025: 
    0 * Note that this is called before merkle-tree checks and so must never return a
    Christewart commented at 3:52 pm on March 10, 2025:
    #1760 (review)
  33. jonatack commented at 9:36 pm on March 7, 2025: member
    Looks quite good. A few minor suggestions follow. Suggest rebasing to current master for a green CI if you repush.
  34. Christewart force-pushed on Mar 10, 2025
  35. Christewart requested review from jonatack on Mar 10, 2025
  36. in bip-XXXX.mediawiki:149 in c6bcc0019d outdated 
    144+
145+    return true;
146+}
147+</source>
148+
149+https://github.com/bitcoin-inquisition/bitcoin/pull/24/files
    jonatack commented at 6:21 pm on March 10, 2025: 
    0+This sample implementation is currently an open pull request here:
1+
2https://github.com/bitcoin-inquisition/bitcoin/pull/24/files
  37. in bip-XXXX.mediawiki:34 in c6bcc0019d outdated 
    29+transaction. However, Bitcoin’s particular construction of the Merkle tree has
30+several security weaknesses, including at least two forms of block malleability
31+that have an impact on the consensus logic of Bitcoin Core, and an attack on
32+light clients, where an invalid transaction could be ”proven” to appear in a block
33+by doing substantially less work than a SHA256 hash collision would require.
34+This has been prevented by Bitcoin Core's relay policy and the RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR #11423 disallows 64-byte transactions in Bitcoin Core relay and RPC interface]</ref>.
    jonatack commented at 6:28 pm on March 10, 2025:

    Now that “Bitcoin Core’s” was added.

    0This has been prevented by Bitcoin Core's relay policy and RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR [#11423](/bitcoin-bips/11423/) disallows 64-byte transactions in Bitcoin Core relay and RPC interface]</ref>.
    jonatack commented at 6:39 pm on March 10, 2025:
    Perhaps also mention https://github.com/bitcoin/bitcoin/commit/8c5b3646b5afe8a61f5c66478d8e11f0d2ce5108 that updated this change
  38. in bip-XXXX.mediawiki:15 in c6bcc0019d outdated 
    10+  License: BSD-3-Clause
11+</pre>
12+
13+==Abstract==
14+
15+This BIP describes the rationale for disallowing transactions that are serialized to 64 bytes without the transaction's witness.
    jonatack commented at 6:40 pm on March 10, 2025:

    nit, extra space at EOL

    0This BIP describes the rationale for disallowing transactions that are serialized to 64 bytes without the transaction's witness.
  39. in bip-XXXX.mediawiki:49 in c6bcc0019d outdated 
    44+Next the malicious user relays the block containing the malicious T<sub>m</sub> rather than the
45+valid bitcoin transactions that correspond with T<sub>0</sub> and T<sub>1</sub>.
46+
47+==== Block malleability with consensus INVALID transactions ====
48+
49+The peer receiving the malicious block marks the block as invalid as T<sub>m</sub>
    jonatack commented at 6:40 pm on March 10, 2025:

    nit, extra space at EOL

    0The peer receiving the malicious block marks the block as invalid as T<sub>m</sub>
  40. bitcoin deleted a comment on Mar 11, 2025
  41. jonatack commented at 9:13 pm on March 12, 2025: member
    Would be good to have some more eyes on this, otherwise seems close to ready as a draft for a number assignment.
  42. vostrnad commented at 8:31 pm on March 26, 2025: contributor

    @Christewart Antoine just opened a pull request for the Consensus Cleanup which includes the 64-byte transaction fix: #1800

    If you don’t feel too strongly about this being a separate BIP, I think it would be better to withdraw it, otherwise it’ll just be duplicating effort with no obvious benefit.

  43. Christewart commented at 10:54 am on March 28, 2025: contributor

    Hi @vostrnad,

    As of this commit, PR #1800 does not provide as much detail as this document in defining the problem with 64-byte transactions, explaining the proposed solution, and demonstrating why it does not pose a confiscatory risk.

    I hope the author of #1800 will consider expanding the BIP with more detail or breaking it into separate proposals for each consensus change. However, based on this email, it seems they believe the current content is sufficient and only requires minor edits.

    At this time, I believe my document is of higher quality. I will not be voluntarily closing my BIP until I feel #1800 reaches parity.

  44. murchandamus commented at 3:40 am on April 12, 2025: contributor
    Let’s call this BIP 53. Please update the table entry preamble and title correspondingly.
  45. murchandamus renamed this:
    BIP Draft: Disallow 64 byte transactions
    BIP 53: Disallow 64 byte transactions
    on Apr 12, 2025
  46. murchandamus added the label PR Author action required on Apr 15, 2025
  47. Christewart commented at 4:26 pm on April 21, 2025: contributor

    Let’s call this BIP 53. Please update the table entry preamble and title correspondingly.

    Done in 23e01bf

  48. in bip-XXXX.mediawiki:34 in 23e01bf187 outdated 
    29+transaction. However, Bitcoin’s particular construction of the Merkle tree has
30+several security weaknesses, including at least two forms of block malleability
31+that have an impact on the consensus logic of Bitcoin Core, and an attack on
32+light clients, where an invalid transaction could be ”proven” to appear in a block
33+by doing substantially less work than a SHA256 hash collision would require.
34+This has been prevented by Bitcoin Core's relay policy and the RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR #11423 disallows transactions that are less than 82 bytes in size from Bitcoin Core relay and RPC interface]</ref><ref>[https://github.com/bitcoin/bitcoin/commit/8c5b3646b5afe8a61f5c66478d8e11f0d2ce5108 Reduces the minimum transaction size required for a transaction to be considered standard from 82 bytes to 65 bytes]</ref>.
    murchandamus commented at 11:29 pm on April 21, 2025:

    Given that such transaction were still valid, just nonstandard, I’m not sure that “prevented” is the right term. How about mitigated?

    0This has been mitigated by Bitcoin Core's relay policy and the RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR [#11423](/bitcoin-bips/11423/) disallows transactions that are less than 82 bytes in size from Bitcoin Core relay and RPC interface]</ref><ref>[https://github.com/bitcoin/bitcoin/commit/8c5b3646b5afe8a61f5c66478d8e11f0d2ce5108 Reduces the minimum transaction size required for a transaction to be considered standard from 82 bytes to 65 bytes]</ref>.
  49. in bip-XXXX.mediawiki:79 in 23e01bf187 outdated 
    74+This is computationally and financially expensive but theoretically possible. This can lead to a persistent chain split on the network.
75+
76+=== Attack on SPV clients ===
77+
78+BIP37<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki BIP37]</ref>provides a partial merkle tree format<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki#user-content-Partial_Merkle_branch_format Partial Merkle Tree Format]</ref>
79+that allows you to verify your bitcoin transaction is included in a merkle root embedded in a bitcoin block header.
    murchandamus commented at 11:33 pm on April 21, 2025: 
    0that allows you to verify that your bitcoin transaction is included in a merkle root embedded in a bitcoin block header.
  50. in bip-XXXX.mediawiki:87 in 23e01bf187 outdated 
    82+Suppose a (valid) 64-byte transaction T is included in a block with the property that the second 32 bytes (which
83+are less constrained than the first 32 bytes) are constructed so that they collide
84+with the hash of some other fake, invalid transaction F. The attacker can fool the SPV client into believing that F
85+was included in a bitcoin block rather than T with 81 bits<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf An attacker who can do 81 bits of work (followed by another 40 bits of work, to
86+construct the funding transaction whose coins will be spent by this one) is able
87+to fool an SPV client in this way.]</ref> of work. This also reduces implementation complexity of SPV wallets<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/43 The steps needed to make sure a merkle proof for a transaction is secure.]</ref>.
    murchandamus commented at 11:35 pm on April 21, 2025: 
    0to fool an SPV client in this way.]</ref> of work. This also reduces implementation complexity for SPV wallets<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/43 The steps needed to make sure a merkle proof for a transaction is secure.]</ref>.
  51. in bip-XXXX.mediawiki:107 in 23e01bf187 outdated 
    102+with the last transaction 7f2efc6546011ad3227b2da678be0d30c7f4b08e2ce57b5edadd437f9e27a612<ref>[https://mempool.space/tx/7f2efc6546011ad3227b2da678be0d30c7f4b08e2ce57b5edadd437f9e27a612 Last 64-byte transaction in the bitcoin blockchain]</ref>
103+occurring at block height 419,606<ref>[https://mempool.space/block/000000000000000000308f1efc24419f34a3bafcc2b53c32dd57e4502865fd84 Block 419,606]</ref>.
104+
105+====Pre segwit 64-byte transactions====
106+
107+64-byte transactions cannot spend a utxo protected by a digital signature.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki After BIP66 was activated on the bitcoin network, bitcoin transactions cannot have a digital signature smaller than 9 bytes.]</ref>
    murchandamus commented at 11:38 pm on April 21, 2025: 
    0Pre-segwit 64-byte transactions cannot spend a utxo protected by a digital signature.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki After BIP66 was activated on the bitcoin network, bitcoin transactions cannot have a digital signature smaller than 9 bytes.]</ref>
  52. in bip-XXXX.mediawiki:108 in 23e01bf187 outdated 
    103+occurring at block height 419,606<ref>[https://mempool.space/block/000000000000000000308f1efc24419f34a3bafcc2b53c32dd57e4502865fd84 Block 419,606]</ref>.
104+
105+====Pre segwit 64-byte transactions====
106+
107+64-byte transactions cannot spend a utxo protected by a digital signature.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki After BIP66 was activated on the bitcoin network, bitcoin transactions cannot have a digital signature smaller than 9 bytes.]</ref>
108+The largest scriptSig a 64-byte transaction can have is 4 bytes.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73]</ref>
    murchandamus commented at 11:38 pm on April 21, 2025: 
    0The largest scriptSig a pre-segwit 64-byte transaction can have is 4 bytes.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73]</ref>
  53. in bip-XXXX.mediawiki:9 in 23e01bf187 outdated 
    0@@ -0,0 +1,162 @@
1+<pre>
2+  BIP: 53
3+  Layer: Consensus (soft fork)
4+  Title: Disallow 64-byte transactions
5+  Author: Chris Stewart <stewart.chris1234@gmail.com>
6+  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-53
7+  Status: Draft
8+  Type: Standards Track
9+  Created: ?
    murchandamus commented at 11:52 pm on April 21, 2025: 
    0  Created: 2025-04-11
  54. in bip-XXXX.mediawiki:153 in 23e01bf187 outdated 
    148+
149+The sample implementation is currently open here:
150+
151+https://github.com/bitcoin-inquisition/bitcoin/pull/24/files
152+
153+== Rationale ==
    murchandamus commented at 11:54 pm on April 21, 2025:
    This document has two “Rationale” sections.
  55. in bip-XXXX.mediawiki:96 in 23e01bf187 outdated 
    91+===SPV clients===
92+
93+Attacks on SPV clients could be mitigated by knowing the depth of the merkle tree. Requiring SPV clients to request both the coinbase and payment transaction could mitigate this attack.
94+To produce a valid coinbase transaction at the same depth that our fake transaction F occurs at would require 224 bits of work.
95+As mentioned above, this is computionally and financially expensive, but theoretically possible. This design would increase the size
96+of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/29?u=chris_stewart_5  Base proof: 80 byte header + 448 byte partial merkle tree = 528 bytes. Proof with coinbase tx, assuming the coinbase tx is in the left half of the tree and the tx to prove is in the right half of the tree: 80 byte header + 416 bytes partial merkle tree for coinbase tx + 416 bytes partial merkle tree for tx = 912 bytes.]</ref>
    murchandamus commented at 11:57 pm on April 21, 2025: 
    0of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/29?u=chris_stewart_5  Base proof: 80-byte header + 448-byte partial merkle tree = 528 bytes. Proof with coinbase tx, assuming the coinbase tx is in the left half of the tree and the tx to prove is in the right half of the tree: 80-byte header + 416 bytes partial merkle tree for coinbase tx + 416 bytes partial merkle tree for tx = 912 bytes.]</ref>
  56. in bip-XXXX.mediawiki:119 in 23e01bf187 outdated 
    114+Policy rules such as CLEANSTACK, MINIMALDATA, PUSHONLY are not consensus rules. If a user has a way to confirm an already non-standard
115+64-byte transaction - they can malleate the transaction by violating policy rules to change the size of the transaction to a size other than 64 bytes.
116+
117+====Segwit 64-byte transactions====
118+
119+This BIP disallows single-input single output segwit transactions that pay to a 2 byte witness program.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73#p-4382-future-segwit-versions-10 BIP141 says witness programs can be 2 bytes in size, which makes the scriptPubKey a total of 4 bytes]</ref>
    murchandamus commented at 11:58 pm on April 21, 2025: 
    0This BIP disallows single-input single-output segwit transactions that pay to a 2-byte witness program.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73#p-4382-future-segwit-versions-10 BIP141 says witness programs can be 2 bytes in size, which makes the scriptPubKey a total of 4 bytes]</ref>
  57. in bip-XXXX.mediawiki:120 in 23e01bf187 outdated 
    115+64-byte transaction - they can malleate the transaction by violating policy rules to change the size of the transaction to a size other than 64 bytes.
116+
117+====Segwit 64-byte transactions====
118+
119+This BIP disallows single-input single output segwit transactions that pay to a 2 byte witness program.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73#p-4382-future-segwit-versions-10 BIP141 says witness programs can be 2 bytes in size, which makes the scriptPubKey a total of 4 bytes]</ref>
120+The only known use case<ref>[https://bitcoin.stackexchange.com/a/110664 Why do we have 2 byte witness programs? The original rationale for the lower end of the range of valid witness program lengths is that 2 bytes is enough to guarantee no ambiguity of how the program would be pushed (some 1 byte values can - and according to standardness, must - be pushed with OP_n, and dealing with those would have complicated the matter).]</ref>
    murchandamus commented at 11:58 pm on April 21, 2025: 
    0The only known use case<ref>[https://bitcoin.stackexchange.com/a/110664 Why do we have 2-byte witness programs? The original rationale for the lower end of the range of valid witness program lengths is that 2 bytes is enough to guarantee no ambiguity of how the program would be pushed (some 1-byte values can — and according to standardness, must — be pushed with OP_n, and dealing with those would have complicated the matter).]</ref>
  58. in bip-XXXX.mediawiki:114 in 23e01bf187 outdated 
    109+
110+There are 6<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/nonstandard-hashlock-utxos.txt As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 nonstandard hashlock utxos that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]</ref>
111+non standard hashlock utxos in the bitcoin blockchain. None of them have a 0-3 byte pre-image. This means they cannot be spent by a 64-byte transaction.
112+
113+Pre-segwit 64-byte transactions that spend a nonstandard utxo that are inherently malleable.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#trust-free-unconfirmed-transaction-dependency-chain Details on how to malleate a pre-segwit transaction]</ref>
114+Policy rules such as CLEANSTACK, MINIMALDATA, PUSHONLY are not consensus rules. If a user has a way to confirm an already non-standard
    murchandamus commented at 0:08 am on April 22, 2025:

    I think “non-standard” is more common in the context of transactions. Could you use either “non-standard” or “nonstandard” throughout the document?

    0There are 6<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/nonstandard-hashlock-utxos.txt As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 non-standard hashlock utxos that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]</ref>
1non-standard hashlock utxos in the bitcoin blockchain. None of them have a 0-3 byte pre-image. This means they cannot be spent by a 64-byte transaction.
2
3Pre-segwit 64-byte transactions that spend a non-standard utxo that are inherently malleable.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0141.mediawiki#trust-free-unconfirmed-transaction-dependency-chain Details on how to malleate a pre-segwit transaction]</ref>
4Policy rules such as CLEANSTACK, MINIMALDATA, PUSHONLY are not consensus rules. If a user has a way to confirm an already non-standard
  59. in bip-XXXX.mediawiki:58 in 23e01bf187 outdated 
    53+will never come to consensus with their peers due to the malicious user finding a collision
54+within the block's merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf to produce a block that has a Merkle
55+root which is a hash of a 64-byte quantity that deserializes validly, it’s enough
56+to just do 8 bits of work to find a workable coinbase (which will hash to the first
57+32 bytes), plus another ≈22 bits of work ((1/5) ∗224, so slightly less) to find
58+a workable second transaction which will hash to the second 32 bytes) – a very
    murchandamus commented at 0:09 am on April 22, 2025: 
    0a workable second transaction which will hash to the second 32 bytes)—a very
  60. in bip-XXXX.mediawiki:78 in 23e01bf187 outdated 
    73+only 16 bytes or so are constrained, so approximately 128 bits of work to find a collision). Of course, any of the rows in the Merkle tree could be used, but it nevertheless seems clear that this should be computationally infeasible.]</ref>.
74+This is computationally and financially expensive but theoretically possible. This can lead to a persistent chain split on the network.
75+
76+=== Attack on SPV clients ===
77+
78+BIP37<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki BIP37]</ref>provides a partial merkle tree format<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki#user-content-Partial_Merkle_branch_format Partial Merkle Tree Format]</ref>
    murchandamus commented at 0:14 am on April 22, 2025:
    Consistency-nit: Please stick either to “Merkle” or to “merkle” throughout the document.
  61. murchandamus commented at 0:27 am on April 22, 2025: contributor

    The document seems fairly complete content-wise, but the presentation could use more attention. Capitalization is a bit random: some acronyms are capitalized (“SPV”), but others are uncapitalized (e.g. “utxos”) and proper nouns are sometimes capitalized (Merkle, Bitcoin Core), sometimes not (merkle, bitcoin). Please either retitle one of the two Rationale sections or combine them.

    It would be good if the proposal got more commentary or review from other contributors, but otherwise seems close to ready for a merge.

  62. murchandamus renamed this:
    BIP 53: Disallow 64 byte transactions
    BIP 53: Disallow 64-byte transactions
    on Apr 22, 2025
  63. murchandamus commented at 0:35 am on April 22, 2025: contributor
    Please also add the table entry to the README.
  64. in bip-0053.mediawiki:9 in 13c98f84c4 outdated 
     5@@ -6,7 +6,7 @@
 6   Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0053
 7   Status: Draft
 8   Type: Standards Track
 9-  Created: ?
10+  Created: 2024-12-20
    murchandamus commented at 5:08 pm on April 22, 2025:

    According to BIP2, the “Created” header records the date a proposal was assigned a number, which is why I suggested 2025-04-11.

    image

  65. murchandamus commented at 5:11 pm on April 22, 2025: contributor
    I assume you are still working on my other suggestions, so I’ll take another look later.
  66. Christewart commented at 5:14 pm on April 22, 2025: contributor

    Yes I am. Child nap time only allows for so many things to get done at 1 time 😅. I’ll try to address the rest later today

    On Tue, Apr 22, 2025 at 12:12 PM murchandamus @.***> wrote:

    @.**** commented on this pull request.

    I assume you are still working on my other suggestions, so I’ll take another look later.

    In bip-0053.mediawiki https://github.com/bitcoin/bips/pull/1760#discussion_r2054517864:

    @@ -6,7 +6,7 @@ Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0053 Status: Draft Type: Standards Track

    • Created: ?
    • Created: 2024-12-20

    According to BIP2 https://github.com/bitcoin/bips/blob/master/bip-0002.mediawiki#bip-header-preamble, the “Created” header records the date a proposal was assigned a number, which is why I suggested 2025-04-11.

    image.png (view on web) https://github.com/user-attachments/assets/5ac62de5-00b6-455e-940f-f22c88d228e1

    — Reply to this email directly, view it on GitHub https://github.com/bitcoin/bips/pull/1760#pullrequestreview-2784772967, or unsubscribe https://github.com/notifications/unsubscribe-auth/AA22ETNRE5UYZ32HHFCPFTD22ZZ6DAVCNFSM6AAAAABW3SF3JSVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDOOBUG43TEOJWG4 . You are receiving this because you were mentioned.Message ID: @.***>

  67. Christewart commented at 7:15 pm on April 22, 2025: contributor

    The document seems fairly complete content-wise, but the presentation could use more attention. Capitalization is a bit random: some acronyms are capitalized (“SPV”), but others are uncapitalized (e.g. “utxos”) and proper nouns are sometimes capitalized (Merkle, Bitcoin Core), sometimes not (merkle, bitcoin).

    Ok think this is addressed in f797b9f, bd815e9, acda401

    Please either retitle one of the two Rationale sections or combine them.

    Sorry this was a bit unclear could you be more specific of what you would like to see?

    Apologies, I see what you are talking about now and this is fixed in 5a89036.

    Also I missed some code review due to github.com collapsing some comments, hopefully everything is addressed now with 5a89036

  68. murchandamus commented at 8:28 pm on April 22, 2025: contributor

    Also I missed some code review due to github.com collapsing some comments, hopefully everything is addressed now with 5a89036

    Yeah, I think I see what happened: when you started by moving the file, it marked all of my review comments as outdated, because they had been left on the old file. ;)

  69. murchandamus commented at 1:13 am on April 23, 2025: contributor

    Reviewed the changes, looks much better, thanks. :)

    What’s your plan for this proposal? Do you see it as a standalone soft fork that can be merged as is on its own, or are you working on additional parts? What is the intended deployment strategy?

  70. Christewart commented at 3:32 pm on April 23, 2025: contributor

    Do you see it as a standalone soft fork that can be merged as is on its own

    This is possible if the community wants to do this.

    or are you working on additional parts?

    I am not at this time.

    What is the intended deployment strategy?

    I don’t have one at this time. Recent precedent with BIP148 and BIP343 details activating the last 2 soft forks that contained a variety of BIPs.

    These activation BIPs were written by a different set of people than the BIP authors for taproot and segwit. I assume something like this will have to happen again as it seems like there isn’t really another realistic path to deploying soft forks IMO.

  71. in bip-0053.mediawiki:160 in 5a890366db outdated 
    155+==Copyright==
156+This BIP is licensed under the [https://opensource.org/license/BSD-3-Clause BSD-3-Clause License].
157+
158+==Acknowledgements==
159+
160+Suhas Daftuar, AJ Towns, Sergio Demian Lerner, Greg Maxwell, Matt Corallo, Antoine Poinsont, Dave Harding and Erik Voskuil
    murchandamus commented at 6:10 pm on April 23, 2025: 
    0Suhas Daftuar, AJ Towns, Sergio Demian Lerner, Greg Maxwell, Matt Corallo, Antoine Poinsot, Dave Harding and Eric Voskuil
  72. murchandamus commented at 6:17 pm on April 23, 2025: contributor
    Okay, is there anything else that is missing from your perspective before this can be merged?
  73. Christewart commented at 6:31 pm on April 23, 2025: contributor

    Okay, is there anything else that is missing from your perspective before this can be merged?

    I thought about this a bit more, there are 2 things that could potentially be addressed. I would like to hear your opinion.

    How BIP3 defines the Rationale section:

    The rationale should record relevant objections or important concerns that were raised and addressed as this proposal was developed.

    One concern that was raised on the mailing list by Jeremy Rubin and agreed by Eric Voskuil was that disallowing 64 byte transaction

    “might integrate very poorly with this kind of edge condition”

    Do you think this is adequately addressed by this section of the BIP? I’m on the fence.

    One other concern shared on the delving thread by Antoine Poinsot was sidechains may be vulnerable to the same merkle tree weakeness that SPV clients are. I haven’t investigated this further, but it could potentially merit a section the Motivation.

    This currently isn’t at the top of my bitcoin research priorities, so if you think these things should be done I’ll address them next week.

  74. jonatack removed the label PR Author action required on Apr 23, 2025
  75. jonatack assigned jonatack on Apr 29, 2025
  76. murchandamus commented at 5:04 pm on May 7, 2025: contributor
    If you feel that they are open points that came up in the evaluation of the idea this proposal is based on, then it would be appropriate to cover them here. If you don’t have the bandwidth to do so now, we can also merge this PR as a draft and you can continue to iterate on it as you move it toward “Proposed”.
  77. Christewart force-pushed on May 9, 2025
  78. Christewart commented at 0:23 am on May 9, 2025: contributor

    we can also merge this PR as a draft and you can continue to iterate on it as you move it toward “Proposed”.

    Lets do that. I rebased the PR to get rid of conflicts. Would you like me to squash everything into 1 commit as well?

  79. murchandamus commented at 0:38 am on May 13, 2025: contributor
    @Christewart: Yeah, I think it would make sense to squash it. Thanks.
  80. in README.mediawiki:310 in d938c295c3 outdated 
    305+| Consensus (soft fork)
306+| Disallow 64-byte transactions
307+| Chris Stewart
308+| Standard
309+| Draft
310+<!-- 50 series reserved for a group of post-mortems -->
    murchandamus commented at 0:41 am on May 13, 2025:

    this line seems outdated and if anywhere, it should be after BIP 50 or after BIP 54.

  81. Christewart force-pushed on May 14, 2025
  82. Christewart commented at 0:09 am on May 14, 2025: contributor

    @Christewart: Yeah, I think it would make sense to squash it. Thanks.

    Done in c07e507

  83. in bip-0053.mediawiki:34 in c07e507da9 outdated 
    29+transaction. However, Bitcoin’s particular construction of the Merkle tree has
30+several security weaknesses, including at least two forms of block malleability
31+that have an impact on the consensus logic of Bitcoin Core, and an attack on
32+light clients, where an invalid transaction could be ”proven” to appear in a block
33+by doing substantially less work than a SHA256 hash collision would require.
34+This has been mitigated by Bitcoin Core's relay policy and the RPC interface since 2018<ref>[https://github.com/bitcoin/bitcoin/pull/11423/commits/7485488e907e236133a016ba7064c89bf9ab6da3 PR #11423 disallows transactions that are less than 82 bytes in size from Bitcoin Core relay and RPC interface]</ref><ref>[https://github.com/bitcoin/bitcoin/commit/8c5b3646b5afe8a61f5c66478d8e11f0d2ce5108 Reduces the minimum transaction size required for a transaction to be considered standard from 82 bytes to 65 bytes]</ref>.
    jonatack commented at 2:23 pm on May 15, 2025:
    I think the second URL should be either https://github.com/bitcoin/bitcoin/pull/26265 (or https://github.com/bitcoin/bitcoin/pull/26265/commits/8c5b3646b5afe8a61f5c66478d8e11f0d2ce5108 but prefer the first one) to be able to readily see the pull request.
    Christewart commented at 7:21 pm on May 20, 2025:
    I don’t think #26265 got merged so it doesn’t really make sense to link to it?
  84. in bip-0053.mediawiki:44 in c07e507da9 outdated 
    39+transactions that have the same serialization as the concatenation of 2 hashes in the Merkle tree.
40+
41+Assume we have a valid Bitcoin block with 2 transactions in it that have transaction ids of T<sub>0</sub> and T<sub>1</sub>.
42+The Merkle root for this block is H(T<sub>0</sub>||T<sub>1</sub>).
43+A user could find a malicious 64-byte transaction T<sub>m</sub> that serializes to T<sub>0</sub>||T<sub>1</sub>.
44+Next the malicious user relays the block containing the malicious T<sub>m</sub> rather than the
    jonatack commented at 2:28 pm on May 15, 2025:
    As written, there is possible ambiguity whether the “A user” and “malicious user” are the same, though the intent looks to be that they are the same. Perhaps “A malicious user” and “that user”.
  85. in bip-0053.mediawiki:49 in c07e507da9 outdated 
    44+Next the malicious user relays the block containing the malicious T<sub>m</sub> rather than the
45+valid Bitcoin transactions that correspond with T<sub>0</sub> and T<sub>1</sub>.
46+
47+==== Block malleability with consensus INVALID transactions ====
48+
49+The peer receiving the malicious block marks the block as invalid as T<sub>m</sub>
    jonatack commented at 2:29 pm on May 15, 2025: 
    0The peer receiving the malicious block marks the block as invalid, as T<sub>m</sub>
  86. in bip-0053.mediawiki:54 in c07e507da9 outdated 
    49+The peer receiving the malicious block marks the block as invalid as T<sub>m</sub>
50+is not a valid transaction according to network consensus rules.
51+Other peers on the network receive the valid block containing T<sub>0</sub> and T<sub>1</sub>
52+and add the block to their blockchain. Peers that receive the invalid block before the valid block
53+will never come to consensus with their peers due to the malicious user finding a collision
54+within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf to produce a block that has a Merkle
    jonatack commented at 2:32 pm on May 15, 2025:
    404, URL needs updating?
  87. in bip-0053.mediawiki:58 in c07e507da9 outdated 
    53+will never come to consensus with their peers due to the malicious user finding a collision
54+within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf to produce a block that has a Merkle
55+root which is a hash of a 64-byte quantity that deserializes validly, it’s enough
56+to just do 8 bits of work to find a workable coinbase (which will hash to the first
57+32 bytes), plus another ≈22 bits of work ((1/5) ∗224, so slightly less) to find
58+a workable second transaction which will hash to the second 32 bytes)– a very
    jonatack commented at 2:33 pm on May 15, 2025: 
    0a workable second transaction that will hash to the second 32 bytes)– a very
  88. in bip-0053.mediawiki:55 in c07e507da9 outdated 
    50+is not a valid transaction according to network consensus rules.
51+Other peers on the network receive the valid block containing T<sub>0</sub> and T<sub>1</sub>
52+and add the block to their blockchain. Peers that receive the invalid block before the valid block
53+will never come to consensus with their peers due to the malicious user finding a collision
54+within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf to produce a block that has a Merkle
55+root which is a hash of a 64-byte quantity that deserializes validly, it’s enough
    jonatack commented at 2:34 pm on May 15, 2025:
    “that has a Merkle root which” -> “having a Merkle root that”
  89. in bip-0053.mediawiki:61 in c07e507da9 outdated 
    56+to just do 8 bits of work to find a workable coinbase (which will hash to the first
57+32 bytes), plus another ≈22 bits of work ((1/5) ∗224, so slightly less) to find
58+a workable second transaction which will hash to the second 32 bytes)– a very
59+small amount of computation.]</ref>
60+
61+This attack vector was fixed in 0.6.2<ref>[https://bitcoin.org/en/alert/2012-05-14-dos#risks CVE-2012-2459]</ref>, re-introduced in 0.13.x<ref>[https://github.com/bitcoin/bitcoin/pull/7225 #7225]</ref> and patched again in
    jonatack commented at 2:35 pm on May 15, 2025:

    nit, suggest moving “Bitcoin Core” from the end of the sentence to before the first reference.

    0This attack vector was fixed in Bitcoin Core 0.6.2<ref>[https://bitcoin.org/en/alert/2012-05-14-dos#risks CVE-2012-2459]</ref>, re-introduced in 0.13.x<ref>[https://github.com/bitcoin/bitcoin/pull/7225 [#7225](/bitcoin-bips/7225/)]</ref> and patched again in
  90. in bip-0053.mediawiki:67 in c07e507da9 outdated 
    62+0.14<ref>[https://github.com/bitcoin/bitcoin/pull/9765 #9765]</ref> of Bitcoin Core.
63+
64+==== Block malleability with consensus VALID transactions ====
65+
66+Producing a valid Bitcoin transaction T<sub>m</sub> that adheres to network consensus
67+rules requires 224 bits of work<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf Note that the first transaction in a block must be a coinbase, and as discussed
    jonatack commented at 2:56 pm on May 15, 2025:
    URL needs updating?
    Christewart commented at 9:02 pm on May 20, 2025:

    How should i be linking these? These are the 2 options I see

    1. Its my understanding I cannot use relative paths inside of mediawiki (i.e. ../bip-0053/2-BitcoinMerkle.pdf
    2. If I link to a commit, the commit will likely be squashed and no longer exist after the rebase.
    Christewart commented at 9:12 pm on May 20, 2025:

    I fixed them by just using this link, seems like the problem occurred when we renamed from bip-xxxx -> bip-0053

    https://github.com/Christewart/bips/tree/2024-12-20-64bytetxs/bip-0053

  91. in bip-0053.mediawiki:78 in c07e507da9 outdated 
    73+only 16 bytes or so are constrained, so approximately 128 bits of work to find a collision). Of course, any of the rows in the Merkle tree could be used, but it nevertheless seems clear that this should be computationally infeasible.]</ref>.
74+This is computationally and financially expensive but theoretically possible. This can lead to a persistent chain split on the network.
75+
76+=== Attack on SPV clients ===
77+
78+BIP37<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki BIP37]</ref>provides a partial Merkle tree format<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki#user-content-Partial_Merkle_branch_format Partial Merkle Tree Format]</ref>
    jonatack commented at 3:00 pm on May 15, 2025:

    unsure if this matters

    0BIP37<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki BIP37]</ref>provides a partial Merkle tree format<ref>[https://github.com/bitcoin/bips/blob/master/bip-0037.mediawiki#partial-merkle-branch-format Partial Merkle Tree Format]</ref>
  92. in bip-0053.mediawiki:85 in c07e507da9 outdated 
    80+Notably this format does not commit to the height of the Merkle tree.
81+
82+Suppose a (valid) 64-byte transaction T is included in a block with the property that the second 32 bytes (which
83+are less constrained than the first 32 bytes) are constructed so that they collide
84+with the hash of some other fake, invalid transaction F. The attacker can fool the SPV client into believing that F
85+was included in a Bitcoin block rather than T with 81 bits<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf An attacker who can do 81 bits of work (followed by another 40 bits of work, to
    jonatack commented at 3:03 pm on May 15, 2025:
    Link is 404
  93. in bip-0053.mediawiki:95 in c07e507da9 outdated 
    90+
91+===SPV clients===
92+
93+Attacks on SPV clients could be mitigated by knowing the depth of the Merkle tree. Requiring SPV clients to request both the coinbase and payment transaction could mitigate this attack.
94+To produce a valid coinbase transaction at the same depth that our fake transaction F occurs at would require 224 bits of work.
95+As mentioned above, this is computionally and financially expensive, but theoretically possible. This design would increase the size
    jonatack commented at 3:06 pm on May 15, 2025:
    computationally
  94. in bip-0053.mediawiki:96 in c07e507da9 outdated 
    91+===SPV clients===
92+
93+Attacks on SPV clients could be mitigated by knowing the depth of the Merkle tree. Requiring SPV clients to request both the coinbase and payment transaction could mitigate this attack.
94+To produce a valid coinbase transaction at the same depth that our fake transaction F occurs at would require 224 bits of work.
95+As mentioned above, this is computionally and financially expensive, but theoretically possible. This design would increase the size
96+of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/29?u=chris_stewart_5  Base proof: 80-byte header + 448-byte partial Merkle tree = 528 bytes. Proof with coinbase tx, assuming the coinbase tx is in the left half of the tree and the tx to prove is in the right half of the tree: 80-byte header + 416 bytes partial Merkle tree for coinbase tx + 416 bytes partial Merkle tree for tx = 912 bytes.]</ref>
    jonatack commented at 3:07 pm on May 15, 2025: 
    0of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/29 Base proof: 80-byte header + 448-byte partial Merkle tree = 528 bytes. Proof with coinbase tx, assuming the coinbase tx is in the left half of the tree and the tx to prove is in the right half of the tree: 80-byte header + 416 bytes partial Merkle tree for coinbase tx + 416 bytes partial Merkle tree for tx = 912 bytes.]</ref>
  95. in bip-0053.mediawiki:100 in c07e507da9 outdated 
     95+As mentioned above, this is computionally and financially expensive, but theoretically possible. This design would increase the size
 96+of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/29?u=chris_stewart_5  Base proof: 80-byte header + 448-byte partial Merkle tree = 528 bytes. Proof with coinbase tx, assuming the coinbase tx is in the left half of the tree and the tx to prove is in the right half of the tree: 80-byte header + 416 bytes partial Merkle tree for coinbase tx + 416 bytes partial Merkle tree for tx = 912 bytes.]</ref>
 97+
 98+==Backward compatibility==
 99+
100+There have been 5 64-byte transactions that have occcurred in the Bitcoin blockchain as of this
    jonatack commented at 3:07 pm on May 15, 2025:
    occurred
  96. in bip-0053.mediawiki:101 in c07e507da9 outdated 
     96+of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/29?u=chris_stewart_5  Base proof: 80-byte header + 448-byte partial Merkle tree = 528 bytes. Proof with coinbase tx, assuming the coinbase tx is in the left half of the tree and the tx to prove is in the right half of the tree: 80-byte header + 416 bytes partial Merkle tree for coinbase tx + 416 bytes partial Merkle tree for tx = 912 bytes.]</ref>
 97+
 98+==Backward compatibility==
 99+
100+There have been 5 64-byte transactions that have occcurred in the Bitcoin blockchain as of this
101+writing <ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/64byte-tx-mainnet.txt 64-byte transactions in the Bitcoin blockchain]</ref>
    jonatack commented at 3:08 pm on May 15, 2025:
    404?
  97. in bip-0053.mediawiki:110 in c07e507da9 outdated 
    105+====Pre-segwit 64-byte transactions====
106+
107+Pre-segwit 64-byte transactions cannot spend a UTXO protected by a digital signature.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki After BIP66 was activated on the Bitcoin network, Bitcoin transactions cannot have a digital signature smaller than 9 bytes.]</ref>
108+The largest scriptSig a pre-segwit 64-byte transaction can have is 4 bytes.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73]</ref>
109+
110+There are 6<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/non-standard-hashlock-utxos.txt As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 non-standard hashlock UTXOs that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]</ref>
    jonatack commented at 3:09 pm on May 15, 2025:
    404
  98. in bip-0053.mediawiki:130 in c07e507da9 outdated 
    125+<source lang="cpp">
126+/**
127+ * We want to enforce certain rules (specifically the 64-byte transaction check)
128+ * before we call CheckBlock to check the Merkle root. This allows us to enforce
129+ * malleability checks which may interact with other CheckBlock checks.
130+ * This is currently called both in AcceptBlock prior to writing the block to
    jonatack commented at 3:12 pm on May 15, 2025:

    • Ambiguous “This” here (perhaps “This function” instead?), following “This” in the preceding sentence that appears to refer to a different subject

    • Suggest specifying the implementation (presumably Bitcoin Core) and version along with “currently”

    Christewart commented at 9:06 pm on May 20, 2025:
    Same response as here: #1760 (review)
  99. in bip-0053.mediawiki:132 in c07e507da9 outdated 
    127+ * We want to enforce certain rules (specifically the 64-byte transaction check)
128+ * before we call CheckBlock to check the Merkle root. This allows us to enforce
129+ * malleability checks which may interact with other CheckBlock checks.
130+ * This is currently called both in AcceptBlock prior to writing the block to
131+ * disk and in ConnectBlock.
132+ * Note that as this is called before merkle-tree checks so must never return a
    jonatack commented at 3:15 pm on May 15, 2025: 
    0 * Note that as this function is called before merkle-tree checks, it must never return a
  100. jonatack commented at 3:25 pm on May 15, 2025: member
    Looks complete, modulo a number of broken links (if I’m not confused) and some fixups and text suggestions.
  101. murchandamus added the label PR Author action required on May 19, 2025
  102. Christewart commented at 9:25 pm on May 20, 2025: contributor
    @jonatack I believe every non-nit comment has been addressed
  103. in bip-0053.mediawiki:67 in 1b75553deb outdated 
    63@@ -64,7 +64,7 @@ This attack vector was fixed in 0.6.2<ref>[https://bitcoin.org/en/alert/2012-05-
64 ==== Block malleability with consensus VALID transactions ====
65 
66 Producing a valid Bitcoin transaction T<sub>m</sub> that adheres to network consensus
67-rules requires 224 bits of work<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf Note that the first transaction in a block must be a coinbase, and as discussed
68+rules requires 224 bits of work<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-0053/2-BitcoinMerkle.pdf Note that the first transaction in a block must be a coinbase, and as discussed
    murchandamus commented at 9:54 pm on May 20, 2025: 
    0rules requires 224 bits of work<ref>[bip-0053/2-BitcoinMerkle.pdf Note that the first transaction in a block must be a coinbase, and as discussed
  104. in bip-0053.mediawiki:54 in 1b75553deb outdated 
    50@@ -51,7 +51,7 @@ is not a valid transaction according to network consensus rules.
51 Other peers on the network receive the valid block containing T<sub>0</sub> and T<sub>1</sub>
52 and add the block to their blockchain. Peers that receive the invalid block before the valid block
53 will never come to consensus with their peers due to the malicious user finding a collision
54-within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-XXXX/2-BitcoinMerkle.pdf to produce a block having a Merkle root that
55+within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-0053/2-BitcoinMerkle.pdf to produce a block having a Merkle root that
    murchandamus commented at 9:54 pm on May 20, 2025:

    While those links work at the time, a relative link would make more sense to me, because it would work now, and still link to the correct document if it gets updated later.

    0within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[bip-0053/2-BitcoinMerkle.pdf to produce a block having a Merkle root that
  105. in bip-0053.mediawiki:101 in 1b75553deb outdated 
     97@@ -98,7 +98,7 @@ of SPV proofs by 70%.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-
 98 ==Backward compatibility==
 99 
100 There have been 5 64-byte transactions that have occurred in the Bitcoin blockchain as of this
101-writing <ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/64byte-tx-mainnet.txt 64-byte transactions in the Bitcoin blockchain]</ref>
102+writing <ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-0053/64byte-tx-mainnet.txt 64-byte transactions in the Bitcoin blockchain]</ref>
    murchandamus commented at 9:56 pm on May 20, 2025: 
    0writing <ref>[[bip-0053/64byte-tx-mainnet.txt|64-byte transactions in the Bitcoin blockchain]]</ref>
  106. in bip-0053.mediawiki:110 in 1b75553deb outdated 
    106@@ -107,7 +107,7 @@ occurring at block height 419,606<ref>[https://mempool.space/block/0000000000000
107 Pre-segwit 64-byte transactions cannot spend a UTXO protected by a digital signature.<ref>[https://github.com/bitcoin/bips/blob/master/bip-0066.mediawiki After BIP66 was activated on the Bitcoin network, Bitcoin transactions cannot have a digital signature smaller than 9 bytes.]</ref>
108 The largest scriptSig a pre-segwit 64-byte transaction can have is 4 bytes.<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/73]</ref>
109 
110-There are 6<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/non-standard-hashlock-utxos.txt As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 non-standard hashlock UTXOs that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]</ref>
111+There are 6<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-0053/non-standard-hashlock-utxos.txt As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 non-standard hashlock UTXOs that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]</ref>
    murchandamus commented at 9:56 pm on May 20, 2025: 
    0There are 6<ref>[[bip-0053/non-standard-hashlock-utxos.txt|As of block `00000000000000000001194ae6be942619bf61aa70822b9643d01c1a441bf2b7` there exist 6 non-standard hashlock UTXOs that could theoretically have a 0-3 byte pre-image. None of them have a 0-3 byte pre-image.]]</ref>
  107. murchandamus commented at 9:57 pm on May 20, 2025: contributor
    Most of these changes look good, but it seems better to use a relative link for the accompanying files than a external link to the current version of the draft.
  108. Christewart commented at 0:21 am on May 21, 2025: contributor

    Most of these changes look good, but it seems better to use a relative link for the accompanying files than a external link to the current version of the draft.

    Unfortunately this doesn’t seem to work? I’ve accepted one of your commits you suggested ( bc9afbc ) and here is the result: https://github.com/bitcoin/bips/blob/bc9afbca79d484970756aa92659d246c049fbb55/bip-0053.mediawiki#cite_note-7

    I think the best path forward may be merging this PR, and immediately submitting a follow up PR correcting the links to the official bips repo? 🤷‍♂️

  109. in bip-0053.mediawiki:73 in bc9afbca79 outdated 
    68+above, that largely constrains the first 32 bytes of the first transaction: only
69+the 4 version bytes are unconstrained. So it would take at least 28*8= 224 bits
70+of work to find the first node in a given row of the tree that would match the
71+first half of a coinbase, in addition to the amount of work required to grind the
72+second half of the transaction to something meaningful (which is much easier –
73+only 16 bytes or so are constrained, so approximately 128 bits of work to find a collision). Of course, any of the rows in the Merkle tree could be used, but it nevertheless seems clear that this should be computationally infeasible.]</ref>.
    murchandamus commented at 10:25 pm on May 21, 2025: 
    0rules requires 224 bits of work<ref>[[bip-0053/2-BitcoinMerkle.pdf|Note that the first transaction in a block must be a coinbase, and as discussed
1above, that largely constrains the first 32 bytes of the first transaction: only
2the 4 version bytes are unconstrained. So it would take at least 28*8= 224 bits
3of work to find the first node in a given row of the tree that would match the
4first half of a coinbase, in addition to the amount of work required to grind the
5second half of the transaction to something meaningful (which is much easier 
6only 16 bytes or so are constrained, so approximately 128 bits of work to find a collision). Of course, any of the rows in the Merkle tree could be used, but it nevertheless seems clear that this should be computationally infeasible.]]</ref>.

    I tested that, and it works: image

    murchandamus commented at 10:45 pm on May 21, 2025:
    I realized that after figuring out the fix, I might as well just commit it. ;) I tested it, it works. :)
  110. in bip-0053.mediawiki:87 in bc9afbca79 outdated 
    82+Suppose a (valid) 64-byte transaction T is included in a block with the property that the second 32 bytes (which
83+are less constrained than the first 32 bytes) are constructed so that they collide
84+with the hash of some other fake, invalid transaction F. The attacker can fool the SPV client into believing that F
85+was included in a Bitcoin block rather than T with 81 bits<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-0053/2-BitcoinMerkle.pdf An attacker who can do 81 bits of work (followed by another 40 bits of work, to
86+construct the funding transaction whose coins will be spent by this one) is able
87+to fool an SPV client in this way.]</ref> of work. This also reduces implementation complexity for SPV wallets<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/43 The steps needed to make sure a Merkle proof for a transaction is secure.]</ref>.
    murchandamus commented at 10:28 pm on May 21, 2025: 
    0was included in a Bitcoin block rather than T with 81 bits<ref>[[bip-0053/2-BitcoinMerkle.pdf|An attacker who can do 81 bits of work (followed by another 40 bits of work, to
1construct the funding transaction whose coins will be spent by this one) is able
2to fool an SPV client in this way.]]</ref> of work. This also reduces implementation complexity for SPV wallets<ref>[https://delvingbitcoin.org/t/great-consensus-cleanup-revival/710/43 The steps needed to make sure a Merkle proof for a transaction is secure.]</ref>.
  111. in bip-0053.mediawiki:59 in bc9afbca79 outdated 
    54+within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[https://github.com/Christewart/bips/blob/2024-12-20-64bytetxs/bip-0053/2-BitcoinMerkle.pdf to produce a block having a Merkle root that
55+is a hash of a 64-byte quantity that deserializes validly, it’s enough
56+to just do 8 bits of work to find a workable coinbase (which will hash to the first
57+32 bytes), plus another ≈22 bits of work ((1/5) ∗224, so slightly less) to find
58+a workable second transaction that will hash to the second 32 bytes)– a very
59+small amount of computation.]</ref>
    murchandamus commented at 10:30 pm on May 21, 2025: 
    0within the block's Merkle root. Finding this collision is approximately 22 bits worth of work.<ref>[[bip-0053/2-BitcoinMerkle.pdf|to produce a block having a Merkle root that
1is a hash of a 64-byte quantity that deserializes validly, it’s enough
2to just do 8 bits of work to find a workable coinbase (which will hash to the first
332 bytes), plus another ≈22 bits of work ((1/5) ∗224, so slightly less) to find
4a workable second transaction that will hash to the second 32 bytes)– a very
5small amount of computation.]]</ref>
  112. murchandamus commented at 10:31 pm on May 21, 2025: contributor
    Sorry, for the incorrect suggestions. You will want to use internal link formatting, which separates link and text with a pipe and encloses in double brackets:
  113. murchandamus force-pushed on May 21, 2025
  114. murchandamus commented at 10:48 pm on May 21, 2025: contributor
    I realized that after figuring out the fix for the links, I might as well commit it. All the links to the documents shipping with the BIP are now internal relative links, and I tested that they work. :)
  115. murchandamus force-pushed on May 21, 2025
  116. murchandamus commented at 11:30 pm on May 21, 2025: contributor
    Squashed per request of @Christewart.
  117. murchandamus force-pushed on May 21, 2025
  118. BIP53: Disallow 64-byte transactions 
    Co-authored-by: Mark "Murch" Erhardt <murch@murch.one>

Co-authored-by: Jon Atack <jon@atack.com>
    4d495ab1a0
  119. Christewart force-pushed on May 22, 2025
  120. Christewart commented at 0:12 am on May 22, 2025: contributor
    Ok @murchandamus @jonatack I believe i’ve incorporated all outstanding review or added a comment on why I’m not taking a suggestion. I squashed everything again into 1 commit
  121. murchandamus removed the label PR Author action required on May 22, 2025
  122. murchandamus commented at 0:58 am on May 22, 2025: contributor
    LGTM, thanks for sticking with it.
  123. murchandamus merged this on May 22, 2025
  124. murchandamus closed this on May 22, 2025


Christewart murchandamus jonatack vostrnad

Labels
New BIP

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-05-23 10:10 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me