Should Address maintain validity invariants?

[Kixunil]

Address currently neither promises to hold any validity properties nor it denies them (and in fact it seems it does currently check whatever is in FromStr impl).

As a result, code using it should repeat (some) validity checks to avoid problems but such code duplication can actually cause problems (WET code). Some people could even rely on Address being valid.

We should either:

• Guarantee validity, document it test it and make whatever other measures necessary to make it reliable
• Document that there's no guarantee so that people don't accidentally rely on them

I'm personally in favor of promising guarantees but if there are good arguments against it I want to hear them. If we do guarantee them should we do unsafe guarantee? (That means if unsafe code assumes them and they are broken are we the ones to blame?) I guess not upholding them despite promise is pretty bad already so we may as well allow unsafe to rely on it.

See https://github.com/rust-bitcoin/rust-bitcoin/pull/563/files#r705268082

[dr-orlovsky]

I am up to provide such guarantees, however not sure are they possible. We may try to draft one

[apoelstra]

Will conflict with #643 which makes the Address type much more public

[Kixunil]

I believe that one only affects encoding, not consistency of data stored within address?

[sanket1729]

Agreed, we should uphold these guarantees. In rust-bitcoin, or rust in general whenever we create an object it should be valid.

I think the problem here is that we are conflating two uses of address.

• We want to support sending to addresses that are UnsupportedWitnessVersion,
• But we want to be sure that we are not receiving an address type that we do not support.

Maybe two different types make sense, but that might be even more confusing.

In any case, we can improve the current API with checks for witness program len (2 <= len <= 40).

[Kixunil]

Yes, unsupported version should be considered valid Address. I think we could commit to keeping certain validity checks. Thus code using Address can safely skip those checks but if it relies on something outside them it must check (e.g. witness version).
Also if hypothetically there's a new encoding of addresses (like was base58 vs bech32) then it can become a valid address. This implies that AddressType should be #[non_exhaustive] but we put the attribute only in next MSRV.

[dr-orlovsky]

I started implementing address guarantees and found a lot of ambiguity around this question, which probably better to discuss first and decide on the way we'd like the API to look.

Overall, there are four options:

1. We can construct scriptPubkey which can't be represented as a valid address at all (for instance OP_RETURN or bare script), i.e. the Address or AddressPayload are not always constructable from a Script object.
2. We can create an unspendable address string and construct corresponding unspendable scriptPubkey. Example: Witness V0 address with non-standard program length. Should our Address data type support such cases, and do not fail on parsing corresponding strings and scriptPubkey representation?
3. We can create anyone-can-spend address with some future witness version (>1) or witness v1 with non-standard length, which may change spending consensus rule with future softforks. Again, should Address support this?
4. Finally, we have normal addresses.

[Kixunil]

1. Yes, this is expected and should stay as-is, Address implies Script, Script doesn't imply address. (There could be impl From<Address> for Script, impl TryFrom<Script> for Address)
2. I don't think v0 with non-standard length is unspendable but anyone can spend? Anyway a simple unspendable string is just public key nobody knows private key to. This can not ever be detected and thus Address can not guarantee that script created from it is satisfiable.
3. I strongly believe it should. bech32 addresses were specifically designed to be forward-compatible to avoid the hell we had in the past (speaking as someone who helped onboarding hundreds of people, this is huge). Removing this support would be an awful step back.

I think the validity invariants should be:

• Each address can be displayed
• If parsed from a string the string was in currently-known widely-accepted format (base58, bech32, bech32m)
• Whatever checksum the format had, it was valid
• All restrictions on address defined by standards were obeyed
• Script-pubkey can always be constructed from Address and can not cause the resulting transaction to be invalid unless future soft fork bans it.

In relation to public API:

• Removing any of the restrictions is considered breaking change
• Starting to parse strings that were previously considered invalid (because of a new standard) is minor change
• Returning errors in case of previously-valid strings is breaking change unless it fixes a vulnerability (dropping base58 would be breaking, rejecting bech32 for witness version > 0 would be minor)

In other words, all code can safely rely on checks being performed by Address and does not have to repeat them.

For related but distinct type AddressType:

• The enum is considered non_exhaustive (and will have the attribute in next MSRV)
• Unknown variant may or may not contain additional information about address, no guarantees given, there may be a stable method for displaying it in English.
• If a non-Unknown variant of AddressType was returned for an Address it will continue to be returned for same address unless it was buggy in the first place.

In other words, AddressType may change from Unknown to something else but no other change is permitted.

[dr-orlovsky]

2. I don't think v0 with non-standard length is unspendable but anyone can spend?

 If the version byte is 0, but the witness program is neither 20 nor 32 bytes, the script must fail.[1] 

— a quote from BIP-141

Anyway a simple unspendable string is just public key nobody knows private key to.

I was meaning "deterministivally unspendable" outputs, which can be proven to be unspendable from the onchain data - OP_RETURN, non-standard length of witness v0 all falls into this category. And we already have functions to detect them: https://github.com/rust-bitcoin/rust-bitcoin/blob/master/src/blockdata/script.rs#L409-L413 (but its incomplete and its equivalent is not present in address)

On the rest of this I do agree. Just would like to highlight that we probably need to forms of "address type" types: one which will have a Display/FromStr representation (in form of P2PKH strings) - and the more general one which supports future, custom and non-standard variants (corresponding to the cases I numbered) which do not have a string representation. Here how I see it:

/// Detailed address information returned by [`Address:address_info`]
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum AddressInfo {
    /// Witness versions recognized by the current consensus
    Known(AddressType),

    /// Future witness versions (>1)
    Future(WitnessVersion, /** witness program length */ usize),

    /// Witness version is known to the consensus rules, but has custom
    /// witness program length (currently supported only by V1 witness)
    Custom(WitnessVersion, /** witness program length */ usize),

    /// Witness version is known to the consensus rules, but has non-standard
    /// witness program length not supported by BIP (and not spendable)
    NonStandard(WitnessVersion, usize),
}


/// The different types of addresses representable with string and currently supported by the 
/// current consensus rules to be spendable only with a valid signature
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub enum AddressType {
    /// pay-to-pubkey-hash
    P2pkh,
    /// pay-to-script-hash
    P2sh,
    /// pay-to-witness-pubkey-hash
    P2wpkh,
    /// pay-to-witness-script-hash
    P2wsh,
    /// pay-to-taproot
    P2tr,
}

I drafted a PR covering this proposal: #668

[Kixunil]

Hmm, I think v0 addresses specifically must have one of those lengths then? Thus Address should guarantee it.

[dr-orlovsky]

Hmm, I think v0 addresses specifically must have one of those lengths then? Thus Address should guarantee it.

which implies that Bech32 string with witness v0 of non-standard length will not be parsable as Address

[Kixunil]

Exactly.

[dr-orlovsky]

@Kixunil ok, implemented in last commit (2fc8197f140440764078bbe420cf51acfee09108) in #668