Fix InputWeightPrediction::P2WPKH_MAX constant DER sig length #2213
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This method computes the weight an InputWeightPrediction would to a transaction, not including witness flag bytes.
The P2WPKH_MAX constant assumed DER signatures in the witness have a max length of 73. However, their maximum length in practice is 72, because BIP62 forbids nodes from relaying transactions whose ECDSA signatures are not canonical (i.e. all sigs must have an s value of less than n/2). This means s is never encoded with a leading zero byte, and the signature as a whole never exceeds 72 bytes in total encoded length. The ground_p2wpkh function was already correct; only the constant needed to be corrected.
Sanity checks the InputWeightPrediction against a transaction which uses P2WPKH inputs.
conduition
force-pushed
the
fix-p2wpkh-input-max-weight
branch
from
d2727de
to
f41ebc2
Compare
tcharding
approved these changes
Nov 22, 2023
apoelstra
approved these changes
Nov 22, 2023
|
Concept ACK: |
Kixunil
reviewed
Dec 1, 2023
|
|
||
| /// Tallies the total weight added to a transaction by an input with this weight prediction, | ||
| /// not counting potential witness flag bytes or the witness count varint. | ||
| pub const fn weight(&self) -> Weight { |
There was a problem hiding this comment.
Shit, I only noticed this now. I kinda worry that people might misuse this but the documentation is pretty good so maybe not a big deal.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The$s$ value of less than $\frac{n}{2}$ ).
P2WPKH_MAXconstant assumed DER signatures in the witness have a max length of 73. In practice, their maximum length is 72, because BIP62 forbids nodes from relaying transactions which contain non-canonical ECDSA signatures (i.e. TX sigs must have anThis means$s$ is never encoded with a leading zero byte, and the signature as a whole never exceeds 72 bytes in total encoded length. The
ground_p2wpkhfunction was already correct; only the constant needed to be corrected.Technically 73 bytes is the upper limit for signatures, as nothing forbids miners from including such non-standard transaction signatures in blocks, but for the purposes of fee estimation and input weight prediction, 72 is the number which 99.9% of implementations should use as their ceiling. We already use it as the ceiling for the
ground_p2wpkhfunction -ground_p2wpkh(0)returns a prediction which uses a witness signature of length 72.Reference:
To enable testing, I added a
weight()method toInputWeightPredictionand made it public but i'm not sure whether it has a use-case. Let me know if I should make it private instead.