Block Signature Overflow and Moving CHECKTEMPLATEVERIFY as an OP_SUCCESS

[ariard]

In its current version, CHECKTEMPLATEVERIFY proposes to refurbish OP_NOP4 (0xb3)
with newer template commitment semantics. In my understanding, this soft fork
proposed changes allows to build pre-committed chain of transactions that are
committed by hash, and therefore immutable in some layout as soon as the root
of the chain of the transactions hits the chain.

The refurbished opcode is expected to behave in the following fashion:

• There is at least one element on the stack (stack.size() < 1), fail otherwise
• The element on the stack is 32 bytes long, NOP otherwise (stack.back().size())
• The DefaultCheckTemplateVerifyHash of the transaction at the current input index is equal to the element on the stack (checker.CheckTemplateVerifyHash(hash))

The DefaultCheckTemplateVerifyHash commits to the serialized version, locktime,
scriptSigs hash (if any non-null scriptSigs), number of inputs, sequences hash,
number of outputs, outputs hash, and currently executing input index
(GetDefaultCheckTemplateVerifyHashEmptyScript() and GetDefaultCheckTemplateVerifyHashWithScript()).

Block Signatures Overflow Attacks

Per-block signature operation limit were introduced by Satoshi with commit
f1e1fb4bde, see GetSigOpCount() > MAX_BLOCK_SIGOPS in the main.cpp.
This limit has been activated with block 79400 and made a consensus rule
by Satoshi with commit 172f0060.

This per-block signature operation limit was originally set to MAX_BLOCK_SIZE / 50,
i.e 20_000 signatures operations per-block. BIP141 bumped this size limit to
80_000 signatures which was implemented in core by commit 2b1f6f9 and this
new consensus rule limit became activated with block 481,824.

This per-block consensus limit opens the door to some cross-layer attacks to
target off-chain protocols with competing interests (e.g alice_sig OR bob_sig+timelock)
where one of the counterparty fulfills the blocks with junk signatures until
some timelock is reached. This has been tested and it's feasible, especially
if you use empty CHECKMULTISIGs for reaching the MAX_BLOCK_SIGOPS_COST.

This limit applies to all the spends of a SegWit V0 scriptpubkey (WitnessSigOps).

See ariard@b85a426

This attack comes with a significative advantage, as if a lamba block construction
algorithm is picked up, the blocks can be busied up to prevent a counterparty
transaction to be included in the chain, as such paralyzing the semantics of
the off-chain protocols. By targetting multiple off-chain protocols instances
at the same time, an adversary can gain an economic advantage on the targetted
counterparties. Indeed the block is a public structure, while each targeted
off-chain protocol is private, and with no easy means for the counterparties
to coordinate themselves for reaction.

The Problem for Signature Ops Consuming Scripts

While this is not a problem with the core design of CHECKTEMPLATEVERIFY, it
is a problem affecting any future CTV scripts using at the same time a CTV
lock and a signature lock (e.g CHECKSIGVERIFY) in the same script path
(i.e a redeemscript or in a witness script). Indeed, by refurbishing OP_NOP4
as a CHECKTEMPLATEVERIFY opcode, this makes implicitly the usage of CTV in
a redeem script subject to the signature ops accounting limit (GetTransactionSigOpCost)
and lead to exposure by block signature exhaustion attack for a subset of
use cases.

The subset of use cases that would be affected would be of the following form,
as one layout example:

   OP_IF 
       <vault_hash> OP_CHECKTEMPLATEVERIFY 
   OP_ELSE 
       <alice_bob_aggregated_pubkey> OP_CHECKSIG 
   OP_ENDIF

The Fix : Deploying CHECKTEMPLATEVERIFY as an OP_SUCCESS

The fix is pretty straightforward to reduce the exposure of future CTV
use-cases, by migrating CTV in another upgradable path, e.g as a tapscript.

One simple way is just to move CTV as an OP_SUCCESS refurbishing the available
slot for the opcode of value 254 (OP_CHECKTEMPLATEVERIFY = 254) that this pull
request is proposing.

[average-gary]

If I am understanding this correctly, the assertion is that future CTV upgrades, via the case OP_CHECKTEMPLATEVERIFY statement in src/script/interpreter.cpp, could add functionality that impacts the SigOps calculation in such a way that the Block Signature Overflow Attacks are a concern?

[jamesob]

Hi @ariard, thanks for the write-up and pull request.

Since this issue applies to all witness v0 coins, which are the bulk of current bitcoin traffic, I don't think this is something that should be addressed specifically with the BIP-119 implementation.

I also think it's important that OP_CHECKTEMPLATEVERIFY be available in a witness v0 (segwit) context, as there are many potential users who may not be willing or able to upgrade to Taproot, but still want to make use of CTV.

If users are worried about the issue you're highlighting - which is very expensive to successfully exploit, and results in a relatively minor, time-bound denial or service - then they can opt to use Taproot.

[ariard]

@average-gary

could add functionality that impacts the SigOps calculation in such a way

No this is not the concern -- iiuc your comment.

The concern is in the case of let's call "mixed script" (e.g CHECKTEMPLATEVERIFY + CHECKSIG) used
by a second layer (e.g a high-value vault), an adversary can launch a block sig overflow attack on
the spend of one of the coins encumbered by the vault, even if it's the CTV path that is used.

Indeed, the script analysis for signature ops within a witnessScript is done statically on all
the opcodes elements revealed in the script (see WitnessSigOps and GetSigOpCount).

E.g, if the coins are locked with either CTV (go to Alice) or CHECKSIG+timelock=10 (go to Bob),
Bob can overflow all the blocks between the inclusion of the parent coin until the block at
which the timelock is final, and as such spending the coins which where under the "vault semantic"
locked for Alice.

My recommendation would be to make CTV taproot-only (no hard per-block limit sigops for P2TR),
or alternatively change BIP119 to document the vector of exposure for segwit script using CTV.

[ariard]

@jamesob

Given the ML warms up again on this subject, coming back to the issue with block sig
overflow attacks affecting "mixed script" (hash + signature), I understand the opposite
concern with a vast majority of today coins traffic being segwit, and as such of the economical
rational to allow CTV within segwit scripts.

On the other hand, I still think the issue can be serious enough that the best is for CTV
use cases designers and developers, to not use "mixed script" in segwit ones or if all the
paths go back to the same party (with not competing interest).

Indeed, the density of signature ops per virtual bytes can be quite high by leveraging
CHECKMULTISIG signature ops counting value, and one can generate a pack of 20 transactions
per block to overflow the inclusion of a "legit" "alice" transaction. Transaction size total
is something like 5000k-10k virtual bytes (very rough estimation). So as of today with a median
fee of 1 sat / vbyte, it's like ~10_000 satoshis per block. There is the segwit discount to take
measure of, though we're in the order of $1000 per block Dosed (-- I did the math initially for
LN and given the default timelocks I was landing around something like $10k to $20k to target
some channel). Anyway, if you're using CTV to lock $$$ vaults, I think this is no a good surface
asymmetry to expose.

While this is for most of use-case a time-bound denial of service, for some off-chain design
this can be also a vector of loss of funds (though it's very specific to the in concreto design
of the use-case).

Assuming I'm correct, and please pointed out if there are flaws in my reasoning about block
sig overflow attacks, I do think there could be a footnote in BIP119 to make that aware to
CTV use cases designers and developers.

Something like the following, IMHO:

In case of time-sensitive use-cases with competing counterparties, one should be careful to
not have mixed witnessScript with both signatures opcodes elements and CHECKTEMPLATE operations
in the same script, as otherwise this is opening exposure to block signature overflow attack,
where a malicious counterparty could fulfill all the blocks for one chain time interval.

If BIP119 is upgraded to be Taproot-only, I'll also go to review it, though I'm aware it's
more engineering work, and the trade-off with constraining all the well functional segwit
software not being able to use a future CHECKTEMPLATEVERIFY. Here me thinking.