Relax OP_RETURN standardness restrictions

It might be better to do both, if only to avoid repeating the discussion in a year.

From perusing the Citrea paper (page 18) it seems a single output is enough, and they only need 144 bytes.

1. Regarding size

The current ~80 byte limit was based on Counterparty needing it [0], and otherwise using bare multisig. A similar argument would apply here. At the time there was discussion about how much space Counterparty really needed if their protocol was well implemented.

The 144 bytes consist of a Groth16 proof and the total chain work. Along similar lines we could pick a number based on various cryptographic commitment schemes, and then only raise the limit by that much.

But that just guarantees repeating the argument in a year when some protocol needs a slightly higher limit. In a post-inscription world that seems pointless. My preference is to drop the size limit entirely.

2. Regarding count

IIUC there's no consensus limit on the size of an OP_RETURN [1] and there's also no standardness rule on the size of a scriptPubKey. The size of a single OP_RETURN is limited only by the maximum transaction size, i.e. 100 kvB.

Without a size restriction on individual OP_RETURN outputs, there's no point in limiting their number.

That said, it would be interesting to know if any protocols are thinking of using multiple OP_RETURN outputs.

3. Reminder why we didn't do this earlier

In the August 2023 discussion [2] Murch wrote, in response to John Light:

>> is there ever a case where using OP_RETURN to embed data actually results in fewer bytes onchain than embedding the same data using the segwit/taproot witness space
>
> Yes, a back-of-the-envelope calculation has me thinking that only payloads of 135 bytes would be cheaper with transcriptions than with nulldata outputs. In detail:
[...]
> we learn that nulldata outputs are cheaper up to a payload size of 134 bytes, only above that inscriptions become a more blockspace efficient data carrier.

Since we're discussing raising the limit to at least 144 bytes, the above argument would no longer be relevant.

And from what I recall at the time that was the only remaining reason to keep the OP_RETURN restrictions around a bit longer, despite heavy use of inscriptions.

4. PS - on liveliness assumptions

The paper [3] states the following assumption:

> We consider a secure ledger, i.e., a ledger that is safe and live. Safety and liveness are defined as follows:
>
> ...
>
> Definition 2 (Liveness). A distributed ledger protocol is live with liveness parameter u if all transactions written by any correct party at round r, appear in the ledgers of all correct parties by round r + u.

For standard transactions this already not trivially true. See all of Lightning pinning discussions.

For non-standard transactions, does BitVM2 keep all its transactions under 100 kvB?

Otherwise your liveness assumption requires a direct connection to at least one miner / pool that is trusted to not censor (though you can shop around until the deadline).

Conversely, having actively used protocols that frequently require going over some standardises limit puts pressure on that limit for the reasons Antoine outlined. So for anyone working on such protocols, please let this list know, since these discussions can take a while.

- Sjors

[0] https://www.reddit.com/r/btc/comments/80ycim/a_few_months_after_the_counterparty_developers/?rdt=53592
[1] https://bitcoin.stackexchange.com/a/117595/4948
[2] https://gnusha.org/pi/bitcoindev/[email protected]/#t (click on the html attachment)
[3] https://citrea.xyz/clementine_whitepaper.pdf

IIUC [..] The size of a single OP_RETURN is limited only by the maximum transaction size, i.e. 100 kvB.

we *could have* reserved multi-output as some sort of signaling mechanism [..] though I can't imagine what that would be. Additional OP_RETURNs would be an expensive signal.

I would suggest removing both limits at the same time.

While multiple OP_Return outputs are more expensive than a single one
for the same amount of total data. In some cases they're necessary for
technical reasons, e.g. if signing with SIGHASH_SINGLE.

--
https://petertodd.org 'peter'[:-1]@petertodd.org

Hello Darosior,

Generally, I'm +1 on relaxing OP_RETURN standardness restrictions.

Few links that can be relevant for the discussions:
- https://github.com/petertodd/bitcoin/pull/6
- https://github.com/ordinals/ord/issues/2405

For adding a `-datacarrierenum`, this might be re-considered, e.g if you're
running a bitcoin full-node with an extended number of op_return outputs, and
you have callback action when you're seeing said snarg proofs is in the op_return.

This is assuming that of course additional software is running on top of
the full-node, e.g a custom block explorer, though it could be a source of
DoS, if callbacks are triggered before inclusion in op_return outputs (--
and some might do before inclusion, just for latency gains in their use-cases).

I think there is one downside I can see of relaxing OP_RETURN standardness
restrictions, namely that a single transaction output "exogeneous" value
might be worth more than the block reward yields in fees (`blockReward`).

That could be an issue where a single transaction output owner with an
"exogeneous" value braodcast a tx for a double-spend where this condition
can only be included if the block is reorged-out (e.g a bridge where 2
withdrawal are valid at the same time to different owners). Somehow
linearity of chain advances is a good property to have.

One can have a look on the ordinals markets at the last halving blocks,
to see it's already can be a concern, as something like ordinals mined
by the coinbase pubkey was trading for a high price.

This is not a problem for now with multi-party transactiosn or contracting
protocols (e.g coinjoins or lightning), as it's always a coin exchanged, or
fees that must be committed to settle an off-chain state.

Best,
Antoine
OTS hash: a3264eaedf79b15d5e9cd32a20d1d82c6981f49a34256d6c961fd39c976ff2c2

Scripts, of course, not specific keys. Just like we had early on. But
that is only necessary if the simpler filter steps are insufficient,
which is unlikely.
Only during flood relay. They don't need to be included in blocks. Even
a softfork, should it become necessary, could potentially get away with
pruning them after being buried a certain depth.
It's sufficient to make spam unwelcome and costly. No spam filtration
solution needs to be perfect. Every little bit helps.
That's nonsense. They were and continue to be very effective, even with
only a small amount of adoption. Further, mining centralization and
pools denying miners options has been the biggest barrier to that
adoption. There is no significant financial impact either, that's just
FUD; miners using the fixed and improved spam filters have in fact
earned significantly more than miners using Core.
It would be a pain, but it is definitely viable. Thankfully, policy
works just fine for spam filtration, and can be adapted much quicker.
The entire reason compact blocks were acceptable, is that miners are
incentivized to conform to non-miner node policies. Now you're trying to
bait-and-switch it to nodes conforming to malicious miner policies instead.
>    b) centralisation
No, this is more FUD.

I'll reply to your arguments when Ocean Pool reorgs a competitor block with inscriptions in it.

- Sjors

Standardness rules have definitely been effective in the past, if we go far enough back in time. But back then:

* There were far less financial incentives to bypass them. Standardness adds inconvenience to people developing infrastructure on top, which can nudge in another direction. But I don't see how million-dollar (or more) business incentives would be thwarted by the need to communicate with miners directly (see below). These incentives will only increase as the subsidy dwindles.

* There was far more reason for rules of this kind; the network was small and far less valuable, and there were significant concerns about increased node operation cost with a quickly-growing blockchain. With blocks consistently full for most of the time for years now, even at times without so-called "spam", that concern just does not exist; nodes will be processing the same amount of transaction data anyway. I think I share Luke's feelings around non-financially-relevant transactions on-chain, but given sufficient demand for block space anyway, there just is no need to discriminate.
I am doubtful of this claim, and would like to see evidence of it.
Nobody is required to adopt policy, and I think you're burying your head in the sand if you believe even in a world with more decentralized hashpower, miners/hashers would voluntarily choose to disregard transactions that pay a significant fee, if the potential gains from accepting them exceed the cost of building infrastructure to bypass whatever policy exists.

Bitcoin users do have a means to deny usage of the chain to truly damaging use: consensus changes. Those are not optional, apply to everyone equally, do not create incentives for bypass, and - and I believe that is a good thing - can only be adopted with very wide agreement.
The **entire** reason why Bitcoin uses PoW, as opposed to using a traditional consensus system with a federation of block-builders, is to avoid censorship. If anyone dislikes the choices current miners make in what transactions they accept, they can - without asking anyone for permission - join the set of miners, and earn a proportional piece of the pie. While it is the case that today mining power is quite concentrated in a number of businesses, the set of such businesses can, and has, changed over time. This is a very valuable property.

Part of the puzzle to make that permissionlessness of mining work is access to fee-paying transactions from the public. If sufficient economic demand exist for transactions that the public network denies, miners and creators of such transaction will develop transaction rails that bypass that network.

If it comes to a point where that economic demand is so high that miners need to rely on private transaction rails to realistically compete, I feel we'd be giving up on one of the most valuable properties the network has. I realize this is a slipstreamery-slope argument, but it is already happening, and once the rails are ubiquitous, it will be very hard to go back to a public network.

---

Because of all these reasons, Concept ACK on relaxing the OP_RETURN limits, including removing them entirely. I have been a strong proponent of these limits in the past, and I'm not happy with seeing the demand for those transactions. But I also recognize the reality that that demand exists, and the alternative of pushing that demand to bypass the public network is far more damaging.

I will add that I am not in favor of relaxing many other standardness rules in Bitcoin Core, such as transaction sizes and other resource limitations. These have significant impact on the public's ability to verify and relay transactions, and reason about incentive compatibility while doing so. Significant and sustained economic demand for such transactions may at some point too mean the policy needs to be revised to avoid an even worse outcome, but I'm hopeful that is not the case. However, these arguments do not apply to OP_RETURN limits, which don't serve an objective harm reduction beyond a subjective "that isn't what you should be using the chain for".

--
Pieter

I was asked to take my comments to the mailing list, so here we go.

First, see my comments on Github PR #32359:
- https://github.com/bitcoin/bitcoin/pull/32359#issuecomment-2835467933
- https://github.com/bitcoin/bitcoin/pull/32359#issuecomment-2835638919
- https://github.com/bitcoin/bitcoin/pull/32359#issuecomment-2834012756

Next, I'll once again point out relevant history for those just tuning in:

OP_RETURN was only made standard in a limited size to encourage less harmful data carrying in Bitcoin. Attackers were using harmful methods of data carrying in unspendable UTXOs, and so a way to inject a small amount of data was TOLERABLE over this harmful UTXO bloat that.  That mostly worked, and such practices were quickly minimized. This remained the case for about a decade without significant issue. Bitcoin is not file storage, and this was known to developers at that time.  Sadly, eventually an exploit called 'inscriptions' happened which blew the cap off of the size limitation of arbitrary data storage... and to make matters worse, developers refused to patch the exploit or otherwise enforce the decade old limit on arbitrary data size. If that wasn't bad enough, exploiters get a 75% discount on transaction fees.

Hi Jason,
That's correct.
If you look at the actual pull requests that implement such patches you'll discover the various reasons why they were rejected. This mailinglist thread has also re-iterated the futility of this cat-and-mouse game. It contains the relevant links, so I'm not going to repeat them here.
At the time SegWit was proposed it was clear that the worst case block size would increase to 4 MB. It took a few years for people to figure out how to take advantage of that. Somewhere between 2015 and early 2017 would have been good time to object to the SegWit discount, but removing it now would be a hard fork. Fwiw I think the discount was a good idea.
What you call "nonstandard" is actually standard. Inscriptions follow standardness rules.

In general you're reasoning the wrong around imo. There is no point in restricting transactions that are 4x more expensive than the alternative. And as was explained earlier in this thread by me and others, if we don't drop this limit then the UTXO set will get bloated. Just as you point out was the historical issue.

Bitcoin Core used to have a whitelist model where only a few transaction blessed by Satoshi were standard. I think it's good that we moved away from that to where you typically don't have to lobby for your transaction type to be included. But others disagree, e.g. Luke Dashr in this thread proposed going back to that model.
The issue of consecutive byte sequences stored on disk is intestering. But imo it has been fully addressed on the Github PR now: https://github.com/bitcoin/bitcoin/pull/32359#issuecomment-2838068278

In summary:

1. The mempool is encrypted at rest
2. The blockchain is encrypted at rest for (relatively) new users, but not for everyone. However, it is already trivial to inject arbitrary data into the blockchain.

This change does not make the problem worse.
It's irrelevant because this PR does not change the threats you are worried about.
If you don't have confidence in the Bitcoin Core developers, instead of insulting them, you could also just (help) maintain a fork of the project. Working on Knots seems the easiest way to do that. I obviously think you're misguided here, but at least it's better to channel this distrust into something constructive. Given the number of people who share your sentiment, such a project should be perfectly viable.

- Sjors

Can you elaborate on why removing the SegWit discount now would be a
hard fork, please? This would be a tightening of consensus rules -
blocks that are valid under the current rules become invalid under new
rules, but not vice versa.

(I'm not proposing this, just a technical question.)

--
Best regards,
Boris Nagaev

Fees are under 3sat/vb; there's no attack. Excess block space is being
filled by low-value spam, but that's expected and, in a permissionless
system, unavoidable.
They subside when the people creating the spam realise they're wasting
money paying for fees.

Acting tough about it at best has zero effect, and at worst generates
publicity for the spammers as media and influencers gather around the
drame, making the activity more profitable.
Encoding data into random protocols is a standard exercise, and doing
so in ways that are undetectable to third parties is also standard,
albeit more complicated. In a permissionless system, attempting to
filter encoded data is a losing proposition.

Well, I guess if you can convince someone to pay you by the hour to write
the filters, you've got yourself a job that will never be finished,
so really it's only a losing proposition if you ever hope to actually
succeed at it.
Not every form of transaction spam is about jpegs or altcoins. There
were significant spam attacks on the network in 2015, see

https://en.bitcoin.it/wiki/July_2015_flood_attack
https://www.ibtimes.co.uk/coinwallet-plans-bitcoin-dust-attack-september-create-30-day-transaction-backlog-1515981
https://nyuscholars.nyu.edu/en/publications/stressing-out-bitcoin-stress-testing

eg. The spam during that time was particularly harmful, because most
wallets failed to calculate fees on a per-vbyte basis and replace-by-fee
was rarely supported, leading to many transactions getting stuck in the
mempool for weeks or months as a result.

The only sustainable way to avoid low value spam appearing on the
blockchain (whatever form that spam might take) is to prevent low value
*transactions* from appearing on the blockchain. I don't think that's
particularly desirable at this time; but it's something that could be
achieved (even on a temporary basis) by lowering the block size.

Cheers,
aj

Good point. It might indeed be a soft fork: https://bitcoin.stackexchange.com/a/121185/4948

It just has to be combined with a block size decrease.

I think it would boil down to reducing MAX_BLOCK_WEIGHT from 4 million to 1 million, while at the same time reducing WITNESS_SCALE_FACTOR from 4 to 1.

So it undoes the block size increase created by SegWit. From the perspective of pre-segwit nodes, they would see that typical blocks got smaller, because they don't see the witness data.

I also can't think of a vice-versa example. One could start by adjusting all the tests in Bitcoin Core to verify if there really isn't one.

It would however be a confiscatory soft fork. E.g. if you have a pre-signed 1.1 MB transaction, it won't fit in a block. Similarly, though less severe, a 101 KB pre-signed transaction would no longer be standard, so you'd have to find a miner or accelerator.

Those transactions may sound silly, but soft fork proposals have been criticised for far less likely confiscatory surface. See e.g. the original Great Consensus Cleanup thread from 2010.

Note that a similar, albeit temporary, block size decrease has been proposed before, see [0].

> The initial size limit upon activation depends on when it is activated: for example, if in 2018 January, it would begin at ~356k; or if in 2024 June, it would begin at just over 1 MB.

It kept the SegWit discount intact, though it added a byte based ceiling:

> The weight of a block may not exceed double the size limit in bytes.

It was never assigned a BIP number, so I'm not sure how serious this proposal was. In any case, it got no traction, nor did any other block size decrease proposal.

So even if there was support for removing the witness discount, since you can't do that without also decreasing the block size, I don't think this avenue is worth exploring.

- Sjors

[0] https://github.com/luke-jr/bips/blob/bip-blksize/bip-blksize.mediawiki

As far as I can tell, the claim is mostly justified by FPPS pools not
distributing all the fee component from block rewards (eg, [0]). This
reportedly reduces miner income by a larger factor than the occassional
block that collects significantly less fees (eg, [1]). I haven't seen
any hard evidence to back those claims up, but I also haven't tried
creating any accounts with FPPS mining pools to get access to any of
their APIs. Ocean/Datum also currently sets a 1% pool fee, compared to
some FPPS pools setting a 4% pool fee, so that would also be a bigger
impact on earnings than tx selection policy per se.

Ocean's block template page [2] usually seems to have core templates
gathering the most fees, followed by core-antispam, followed by ocean,
followed by datafree, as far as I can see. The differences are usually
pretty trivial though. Those differences would probably increase
substantially if a more significant proportion of hashpower adopted
filtering policies though.

[0] https://x.com/MarkArtymko/status/1826970076605481367

[1] https://mempool.space/block/0000000000000000000055167ff46b33e39e25510a096360a185d7e757595b0e
forgoing 530k sats, or ~0.27% of the block reward

[2] https://ocean.xyz/blocktemplate

Cheers,
aj

--

FWIW I've written a tool to xor your blocks dir without having to resync. https://github.com/andrewtoth/blocks-xor/

If they use OP_RETURN instead of putting data into the witness, they
will exhaust their funds four times faster and store four times less
data on the blockchain. Maybe the removal of OP_RETURN constraints in
policy is a Trojan horse against spammers?

I mean, the definition of a cease-fire is that no one attacks during it.
The point of eliminating OP_RETURN restrictions is to avoid people
encoding data in more harmful ways.
Yes, spammers can and will continue filling up block space if they're
willing to pay more for that block space than non-spammers.
> > drama, making the activity more profitable.
I don't agree with that claim. (To be specific: I think it had zero
technical/economic effect (though maybe some propaganda value), and that
Ethereum was launched as its own chain for the same class of reasons
that Algorand and Solana launched their own chains, rather than using
data commitments on top of Ethereum)
It's almost always true that writing something shorter is better.
Ultimately, that's not true: you can always encode data in ways that would
otherwise look like a normal financial transaction, or a set of normal
financial transactions, and if necessary, encrypt it in a way that it's
only identifiable as a data encoding after it's already been published.

I don't particularly want to give practical examples of how to do that,
of course.

> And of course, smaller blocks don't help with *high*-value (high-fee) spam,
Ordinals/runes only managed to have fees-per-block rise above the block
subsidy (ie 313sat/vb or 625sat/vb) for a handful of blocks, so I wouldn't
call it particularly "high value" in general. At 3sat/vb and $100k/BTC
we're still at the "sure, I can afford 25c for an on-chain tx to buy a
coffee" level.
That's the exact opposite concern: if there's that much high value
transaction volume, then that valuation will justify paying for both
engineering talent to avoid whatever filtering efforts you come up with
(if nothing else, by spammers mining blocks directly), and mining fees to
price your transactions out of the available block space. The solution to
that scenario is to increase the block size, until there's enough capacity
for all the high value transactions as well as your lower value ones.

I don't share that concern, personally. Data storage is far more
efficiently done outside of a blockchain (or more cheaply done on
non-Bitcoin blockchains), and for any legitimate use case, avoiding
wasting money on inefficient designs or unnecessary engineering projects
lets you capture more of that value as profit. For scams and frauds,
that doesn't apply, but scams and frauds only last until your pool of
victims grows wise to your shenanigans.

Cheers,
aj

On Thu, May 01, 2025 at 11:29:35PM -0700, Greg Maxwell wrote:

(Yay!)
Hmm, I don't actually think this is a good rule -- if followed strictly,
it prevents ever making relay rules more restrictive, even for cases
which are provably harmful for the network.
Alternatively, if it's a rule with exceptions, then it's those exceptions
that are the important factor and should be figured out.

For example, the reason mining a "quadratic hashing bloat txn" is bad
because it causes delayed block validation on its own, potentially in
ways that aren't even sufficiently mitigated by running your node on
extremely high end hardware. Transactions like that should really be
removed from consensus validity not just prevented at the relay level,
and BIP 54's consensus cleanup hopefully does that.

Miners have accepted out-of-band relay of spends of unknown
segwit versions (which I presume is similar enough to the "unused
opcode/successcode/version number or whatever" case), in particular
txid b10c007c60e14f9d087e0291d4d0c7869697c6681d979c6639dbd960792b4d41
in block 692261 (the taproot exception block). Even though that was not
done by mistake or out of technical ignorance, I think doing such things
extremely rarely through out of band mechanisms is pretty much fine.
(Even if miners do it for profit, rather than as a 0-fee tx where the
outputs are a donation to a developer funding group)
If adopted, a policy like that would be fairly easy to use to hold the
network hostage: find a miner who doesn't much care and has perhaps
0.1% of total hashrate, get them to mine txs spending segwit versions 2
through 16, and forward a handful of such transactions to them every day.
The transactions are getting mined regularly and reliably (at a rate
of about once a week), the transactions aren't immediately damaging the
network, the miner is making excess profits, and by your relay argument,
the miner is gaining a slight advantage in being able to potentially
mine two blocks in a row due to the block relay delays caused by not
relaying spends of future segwit versions.

The LibreRelay project has already followed pretty much that script for
pushing fullrbf relay onto the network, and is proposing to do the same
approach for data storage in the annex, so I don't think this is just
a hypothetical concern.

I'd describe that class of policy as something of a "popularity contest"
approach -- it's a policy that says that anything that's sufficiently
popular is good/permissable. I think that makes sense as a check/balance
approach -- "this think is popular, is there really a good reason why
it's not permitted?" -- but not as the first thing we think about.
As a check/balance, I think that argument holds water, and should cause
us to ask if your existing policies make sense. I think it's fair to
say Bitcoin Core's existing policies (as expressed by its code, and not
necessarily matching the policies of various forks of Core) are (in no
particular order):

1 limit utxo growth (via block weight constraints, and by avoiding
creation of utxos that would be uneconomic to spend)

2 prefer that transaction data be prunable rather than potentially
permanent (eg, better to have a 20-32 byte hash in the utxo set and
a 160 byte x-of-5 multisig script in the scriptSig or witness, than
to have the 160 byte x-of-5 multisig directly in the utxo set; this
is the main justification for why witness data should be discounted
vs output data)

3 limit block validation time to the ~1s range (on a block whose txs have
not been seen before, on reasonable hardware)

4 limit maximum block size growth to ~4GB/week (ie, the worst case from
having a 4M weight limit)

5 optimise validation and relay of blocks with txs that we have seen before
as much as possible

6 allow anyone to create any sort of scripts they like (via p2sh, p2wsh, p2tr),
within the limits of what you can conceivably do with script opcodes, and
without causing excessive validation costs

7 encourage people who want to use the blockchain as an anchor for their data
to store commitments in the blockchain rather than the actual data

8 allow miners to occassionally generate excess profits by mining non-standard
transactions that violate relay rules but comply with consensus rules

(There are obviously many other policies, eg the 21M coin limit, but I
think the above are the ones most relevant to this discussion)

I think all of those policies can be justified (or criticised) on their
own merits, independent of their popularity per se, and I think doing
that is a better approach than starting with what's popular or not.

I think there's perhaps four conclusions you could reasonably draw about
the policies above, wrt what's been discussed on this topic:

* encouraging data storage people to use commitments (7) didn't really
work, and given that could be done via documentation or blog posts
where we could provide reasoning, examples and alternatives rather than
just a "transaction rejected" which might be more effective anyway.
the citrea design also suggests that that policy is interfering with
the goal of limiting utxo growth (1). as a result, it probably doesn't
make a lot of sense to maintain that policy in code. There's already
the obvious incentive pushing people towards commitments instead of
raw data, in that doing so reduces the on-chain fees you need to pay.

* for (non-commitment) data storage use cases, OP_RETURN limits are
probably largely irrelevant in limiting blockchain usage; while
OP_RETURN is also prunable, it's not discounted (2), so including
data in the witness will still be preferable to the people who wish
to publish data in large volumes

* people with legitimate concerns about their node being overloaded
should probably be concerned more by the "limit maximum block size
growth to ~4GB/week" policy (4), rather than commitments vs data (7),
complicated scripts (6) or prefering prunable data (2): it doesn't
really make much difference if your node is overloaded by spam or by
real transactions, either way it's overloaded. I haven't seen any
evidence of it being difficult to keep a node operating for that
reason, however.

* there are two aspects to the "miners generate excess profits from non-standard
transactions":

* one is that for that to only be "occassional" means that even
vaguely legitimate use cases should have a supported way of
being exercised via standard transactions without being much more
expensive: eg, instead of consolidating 4000 transactions in a
270kvB transaction, you might use consolidate 1333 transactions
in each of three 91kvB transactions. That limits the amount of
excess profits the miner can generate, in this example the 3kvB
of savings would only justify paying about 1.1% higher than the
going feerate for standard transactions, eg.

* the other is that if you want to disallow this from happening
even occassionally, then you want to have relay and consensus rules
be the same; but that effectively means that any functionality
upgrade needs to be done as a hard fork, which in turn likely has
highly centralising effects around the developer team, as running
old versions of the software becomes infeasible
I don't agree with that at all: giving people what they ask for, even
if it's literally a punch in the face, isn't disrespectful, it's the
opposite. (Respecting other people isn't always the highest virtue,
of course)
Core's mempool/standardness policy covers both relay and mining
acceptability. I don't think it makes very much sense to separate them
-- beyond making the code more complex, accepting txs into your mempool
that you'll still relay but won't mine might block you from accepting
other (conflicting) txs that you would mine, eg.

About 11 years ago, you wrote:

] [...] Right now I've seen a lot of people
] promoting data storage as a virtuous use, and gearing up to directly
] store data when a commitment would work.
]
] If it turns out that encouraging people to use hashes is a lost cause
] it can always be further relaxed in the future, going the other way is
] much harder.

-- https://gnusha.org/pi/bitcoindev/[email protected]/

Even if they're fundamentally wrong, I think it's respectful to people who
haven't yet given that up as a lost cause to leave them with a knob that
gives them at least a chance to continue the fight for sometime longer.

Let me offer a principle that will never need any exceptions: people
who are a mere 10-15 years behind the thinking of the bitcointalk.org
class of 2012 are still the brightest 1% of humanity.

Cheers,
aj

I think this debate is missing one important part: a communication link between the developers and the users. The developers are speaking with the developers, the users are speaking with the users, and no one is really trying to understand where the other side is coming from. It's been a lot of aggressive, unproductive back-and-forth, with both sides accusing each other of bad intentions and completely dismissing each other's points.

This is a technical mailing list aimed at devs, so I'll try to summarize what I've seen in normal_users_land, and the general feeling out there right now. Obviously, I'm not trying to suggest that users *feelings* should be dictate the technical direction of Bitcoin. However, it is important that there is mutual respect and trust between users and devs.

Right now, trust is pretty broken. It can be regained, but not without understanding what went wrong in the first place.

I saw on IRC some devs suggesting they spend time on podcasts and social media to explain the motivations behind this proposal *before* merging it, instead of merging now and hoping people just accept it. I think that’s a fantastic idea, and the way to go. I particularly liked jonatack's message - “if Core shows humility and patience, it would surprise people and improve things.”

Now, about the proposal itself and what it *feels* like: It’s a big change that came out of nowhere, especially at a time when spam doesn’t seem like a big issue. It’s a bit… shocking? Normally Bitcoin changes are discussed for ages, PRs take so long to get merged, because of all the care that devs put into considering the pros and the cons, but here? We get a mailing list post (that no user is reading, let’s be honest) and a PR with a lot of contributors saying “yeah, let’s do this!”. There should be a bit more research. (Maybe there was, but behind closed doors?). We want to know about all the protocols that are bloating the UTXO set and that could be using OP_RETURN instead. We want to know how many transactions like these are in each block, and how many there will be once the new protocols start getting deployed. We want to see that you did your homework for weeks before trying to change the policies.

It feels weird—like some sort of attack or a bribe. One protocol is mentioned that would benefit from this change, and then an investor ACKs the PR. Someone points out a potential conflict of interest, and their comment gets hidden. That’s shady, no denying it.

And then, it feels that users have no say. It's a ""technocracy"", where devs have all the power in their hands and can decide where the protocol goes, while completely dismissing users' concerns.

Users do have concerns—lots of them. And I encourage devs to step out and talk to "regular" Bitcoin users. It’s not just a “loud minority”—there are many people genuinely worried: “Can we trust Core devs anymore? Is there even another option?”. But their concerns are dismissed, their comments deleted or hidden, they're treated like "bullies" that devs should ignore, devs should "merge Todd's PR and call it a day".

Without understanding all the technical details, I'd say there's a pretty good chance that the very smart people that work on Core are right once again. Statistically, it's very likely. Communicate to users, explain your motivations, and show that you want to listen to our concerns.

Lastly, as irritating as that might be, users freaking out and holding core developers accountable and flooding Github is a feature, not a bug. Devs aren't the Bitcoin gods, they are humans, and humans can be bribed,  can be coerced, can have conflict of interest, can fck up.

Users care and want to protect Bitcoin. Be grateful.

Respectfully,
A Bitcoin Dev

This is a misunderstanding. One that probably should have been better communicated, because I can see why it creates a bad impression.

The Citrea protocol does not benefit from this change at all! We're just asking them nicely to please use OP_RETURN and not bloat the UTXO set.

The cost difference between OP_RETURN and fake public keys is negligible for them. I try to explain this in more detail here:

https://bitcoin.stackexchange.com/questions/126208/why-would-anyone-use-op-return-over-inscriptions-aside-from-fees

We can only hope they do so, but why would they? They already wrote the code, and now they have to spend engineering hours to deviate from their whitepaper design. For what, just to be a good citizen? Their developers are getting attacked for agreeing with this change. And since the proposal is controversial, they can't even count on this actually going through in time for whenever they want to launch.

As someone once said: we don't have the cards here.

- Sjors

"Spam is annoying but it always runs it course if you ignore it"
and
"When relay policy shouldn't be more restrictive than what is actually being mined"

are contradictory statements by gmaxwell. Btw, 99.9% of transactions rn are standard, nothing has changed. People are pre-emptively making accomodation for a startup with a whitepaper. No one is making relay policy more restrictive, they're talking about making it more flexible "pre-emptively".
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/1B78AC90-E698-421F-AECD-32DBCDD8669A%40sprovoost.nl.

Hi Greg,

I agree with the linked write-up: the quality of debate has been
atrocious. We've had a bunch of people who should know better, making
points that don't make technical sense, and a bunch of passerby's
repeating that nonsense (as well as even more nonsensical arguments).

With that in mind, I thought it'd be worthwhile to Devil's Advocate the
change, and go through some technically valid arguments against it:


# _Uninterrupted_ Illicit Data

Credit where credit is due, this was the only reasonable argument
against that was actually brought up on GitHub. In short, OP_Return,
unlike other standard ways of embedding data in Bitcoin transactions,
allows for long uninterrupted, arbitrary, messages to be embedded
verbatim.

The claimed risk is that this data could then end up peoples' hard
drives, complicating forensics analysis in the future and potentially
falsely incriminating people. (if you can encode your illicit data such
that the right bytes happen to match Bitcoin opcodes, you can already
embed it verbatim, uninterrupted, as seen by how inscriptions embed data
in witnesses; Martin Habovštiak already brought this up on this very
list).

We already have this issue with dumb virus detection software. Which is
why a few years ago code was added to XOR "encrypt" the block*.dat files
by default (chainstate is also XOR "encrypted").

The only remaining argument here is if we should go to the trouble of
adding code to Bitcoin Core to convert existing block*.dat files to the
XOR scheme, without re-downloading.


# Setting Policy Expectations For a Consensus Change

While it is clearly infeasible to prevent people from publishing data
with Bitcoin's existing consensus rules, it _is_ hypothetically possible
to make data publication somewhat more expensive with consensus changes.
Gregory Maxwell outlined how to do so on this mailing list years ago
(I'm not going to dig up the reference). Basically his approach works as
follows:

1) Limit all data in the chain to be either hash digests, signatures,
pubkeys, or trivial values like true and false.

2) Require transactions to *prove* that every item of data is what it
claims to be with, e.g. a hash digest pre-image, a valid signature (for
a pubkey), or the fact that a signature was valid. I may be wrong. But I
*believe* that with protocol changes it is possible for Lightning and
Ark to work in this model.

3) Phase out non-compliant transactions, e.g. applying a block-weight
multiplier that increases over time to eventually make them entirely
unaffordable.

Note that such a scheme *will* require massive ecosystem wide change:
even existing address standards will need to be modified (and made
larger) to prove that you are paying to a real address rather than
something encoding data.

Also note that *even this* consensus change *still* won't entirely
prevent people from publishing data! No-matter what we do you can always
grind pubkeys and hashes to set the first 4-6 bytes of them to the value
that you want. Thus if you're pushing 32 bytes of data, encoded as 33
bytes including the serialized length, and get 5 bytes per push, you
have an overhead of about 6.6x. Existing data encoders have been happy
to pay even more money than that in terms of increased fees during fee
spikes; the difference in cost between witness space and txout space is
already 4x, and some are happy to publish data that way anyway.

A tricky thing here is upgrade paths. If we make these rules apply to
all transactions, with any version number, we've radically limited our
ability to upgrade the Bitcoin protocol in the future. We probably can
make this *not* apply to transactions and taproot script types with
unknown version numbers. However we'd have to do something like ensure
it only applies to insecure transactions without signatures. And even
then some miners will bypass this by mining that stuff anyway for a fee.
That's pretty ugly. _Maybe_ we can make a mechanism where miners signal
support to allow new version numbers first, prior to an upgrade. But
that also adds plenty of complexity.

That said, if the Luke's of the world want to make a reasonable
technical argument, come up with a reasonable scheme like the above and
show that it has a chance of actually getting implemented.

--
https://petertodd.org 'peter'[:-1]@petertodd.org

The `mempoolfullrbf` option was a good example of how keeping an option
to reject otherwise standard transactions is just wasted effort. Having
the option didn't stop full-rbf replacements from getting mined; user's
refusing to relay a transaction type that a significant % of miners are
mining acomplishes nothing.

In that *specific* case there were a tiny number of users, Wasabi's
Coordinator being an example, where for technical reasons full-rbf
replacements caused problems until that code was fixed; giving those
users an option to temporarily disable those replacements was sort of
useful. But there's no reason to think that will be true with OP_Return
outputs, and in any case, you can just delaying upgrading your node
while you fix your broken code.

At the moment the OpenTimestamps calendars I run are getting about 2.1
timestamp requests per second according to my logs (I keep two weeks
worth). In the past, people who *genuinely* needed mere timestamping
were inefficiently using OP_Return for it. A bit of education - and an
alternative that actually worked - has almost entirely eliminated that
usage and replaced it with something drastically more efficient.

The problem is, only a subset of use-cases can get away with mere
commitments. Citrea itself is an example: they genuinely need
proof-of-publication. A commitment is not enough. No amount of
"education" is going to convince them otherwise.

Keep in mind that Lightning also uses proof-of-publication: if an HTLC
goes on chain, spending it via the pre-image ensures that the pre-image
is published, ensuring the next party in the route also learns the
pre-image. It's a basic building block of lots of consensus algorithms.

I need to point out that Citrea, and plenty of other projects similar to
it, is not using Bitcoin as a data storage mechanism. It's using Bitcoin
as a data *publication* mechanism. What's important is by putting data
in the Bitcoin chain, we've proven that the data has been widely
published to a well defined audience of participants who would need to
see that data.

Even Lightning does this: HTLCs work because they ensure that data is
published in a way that allows others in the HTLC chain to be guaranteed
to see that data in a timely manner.

Lightning network already has existing users, why should they agree with relaxing the limits for the other protocols like the one in question for whatever new use cases that aren't even interested in or aren't even monetary use-cases?

Most of them pitch that adding something equivalent to EVM to Bitcoin will help gain Bitcoin more market cap because it doesn't have enough market cap in the crypto. Nice pitch to their investors may be, but not so much to *existing* users of Bitcoin network and lightning.

Additionally, I would like to understand as a user - what will be the quantification for success of this change? If there's increased oversized op_return usage, you can claim - see that worked. If there's none, you can claim - see filters were indeed ineffective. It might not be starightforward to quantify if there are multiple startups trying to insert variety of data(data and commitments of data) in different ways and sizes.

Also, it is being said users who want to retain these options can transition to Knots but what it is not said is that users who don't want these can also transition to Libre Relay. You can then see overtime if usage of Libre Relay is growing or not to take some hint.
> as a data publication mechanism. What's important is by putting data
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aBUPFvXVhR3WoyPC%40petertodd.org.

It can't be a serious proposal therefore I didn't answer it.
Bitcoiners run node software without that prospective bug so they
already decided against the change. I also care about Bitcoin's
survival and I agree with you. Thank you for Bitcoin Knots which is
more powerful and less buggy Bitcoin node software implementation,
superior to Bitcoin Core..

On Sat, Apr 26, 2025 at 11:53 AM Luke Dashjr <[email protected]> wrote:
>
> It should be needless to say, but this idea is utter insanity. Disappointing to see positive responses, and not one sensible reply calling it out yet. The bugs should be fixed, not the abuse embraced. If attackers continue to bypass filters, we can go back to a full whitelist approach. We're now 2+ years into this wave of attacks, and the damage it has already done should be more than enough to prove the hands-off attitude is not viable. Am I the only one left on this list who actually cares about Bitcoin's survival?
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/rhfyCHr4RfaEalbfGejVdolYCVWIyf84PT2062DQbs5-eU8BPYty5sGyvI3hKeRZQtVC7rn_ugjUWFnWCymz9e9Chbn7FjWJePllFhZRKYk%3D%40protonmail.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/03be4934-f0ff-4b58-880d-861d63a4f970%40dashjr.org.

Err, the text/plain alternative in your email apparently doesn't include
quote markers for the things you're quoting. :( I guess this is some
Google Groups innovation? I'll fix it manually in the other things where
I'm quoting you quoting me below.

I meant to mention this last email, but had forgotten where to find
the link. Personally, I think Greg's "relay extra transactions via weak
blocks" idea [0] from a year ago is an approach that should be considered
here. The TLDR is that if there are miners out there with different
relay policies than your node that are accepting transactions you'll
reject (eg, lower fee, new tx versions, more complicated dependencies,
...) then once they find a relatively high PoW share, have the network
relay that as a weak compact block, with full round-trips to gather
any transactions that weren't in your mempool and add those txs to your
extra pool to help with block reconstruction in the near future.

[0] https://delvingbitcoin.org/t/second-look-at-weak-blocks/805/1

That approach would also help improve block relay where standardness
policies are made less restrictive, for things like pay2anchor, package
rbf, or soft forks, when many nodes haven't upgraded to support the
new feature.
I believe the Great Consensus Cleanup invalidates some transactions
that would currently be standard: the 2500 executed sig operations
limit is only claimed to avoid making **non-pathalogical** transactions
non-standard; I believe there are some pathalogical transactions that
would be standard today that will be invalid when/if BIP 54 is enforced
on chain.
I believe PR#1718 (0 value outputs are non-standard), PR#2577 (dust
outputs are non-standard) and PR#5000 (execution of undefined NOP opcodes
is non-standard) are examples of doing that. (There might be others,
I didn't look very hard)

https://github.com/bitcoin/bitcoin/pull/1718
https://github.com/bitcoin/bitcoin/pull/2577
https://github.com/bitcoin/bitcoin/pull/5000

(The high-S vs low-S example you gave is a case where an even better
solution was available; but that isn't always possible, obviously)
I don't think promoting general principles where you need to be a top-tier
expert to figure out the exceptions is very helpful: there are plenty
of non-experts with an interest in bitcoin and who wish to be involved
in protecting bitcoin's functionality as decentralised money, who'll
simply be misled by that sort of principle.

I think it is probably sufficient to phrase the principle backwards:
"relay/standardness rules can be made more restrictive, but there better
be a damn good reason for it".

I think that still gets the right message across, without having to
go through a "you're breaking the rules", "the rules have exceptions",
"that's dumb, they shouldn't", "yes they should", cycle.
Yeah; I think we should be aware that there's a fair number of otherwise
well intentioned bitcoiners out who'll mistake these things for edicts,
however.
Anything that you can do as a one-off, you can automate and repeat. If
you're going to react in some predictable way as soon as someone sets
up the automation, you might as well do it for the one-offs as well.
Just to note: if everyone else was in agreement, a 0.1% hashrate miner
would not block a soft fork activation (which usually requires something
like 90%-95% hashrate), and would not cause any meaningful risk of a
chain split even for light clients after activation. So I think under
traditional analysis you wouldn't expect such a miner to be able to
block the introduction of a new segwit version, given everyone else on
the network thinks it's a good idea.
I don't believe that's true for segwit versions. Any such spends will take
the form of someone sending some funds to an undefined segwit address,
followed by someone spending from that address in an unverified way,
moving whatever funds were there to someone else. Because the spend is
unverified, whoever mines that transaction can steal those funds if they
choose, so will either be doing that and sending the funds to somewhere
they choose (eg the Brink donation address), or will, in general, have
been paid even more in fees (whether in-band or out-of-band) to send
the funds to somewhere specific, purely as theatre.

Adding verification rules on top of such spend attempts doesn't cause any
additional harm -- people wanting to fund miners can already do so more
efficiently by just paying fees, and people wanting to spam the utxo set
if everyone else doesn't comply to their demands can also already do so.

AntPool currently has about 20% hashrate, even ignoring the pools that
mine the same block templates. If its operators want to prevent future
soft forks, do we really want to establish that regularly mining garbage
transactions is a perfectly effective way of doing so?
If they continue to make such transactions, despite it no longer
transferring value to miners the way it did before, then that probably
serves to spam the utxo set, but if that's their goal, then there are
already plenty of ways to do that. I don't think preventing one particular
way of doing that is worth allowing them to hold upgrade paths hostage
at almost zero cost.

The same argument doesn't necessarily apply to every upgrade method --
segwit versions and OP_SUCCESS are essentially explicit "pay to miner"
in ways other upgrade methods aren't. But I don't think we should be any
more concerned with people losing access to funds they've encumbered via
undefined upgrade methods, any more than we were concerned with people
accepting unconfirmed transactions getting double spent.
> > approach -- "this thing is popular, is there really a good reason why
That's a fine attitude if you're willing to just follow the current
fashion, and defer to others as to what that fashion is and how it will
change in the future. Given the complaints and lawsuits that can result
from trying to set a direction from Bitocin, I can certainly understand
the appeal of that attitude.

But there are plenty of people around who will attempt to influence what's
considered acceptable; the people making the complaints and filing the
lawsuits, in particular. More concretely, both Knots and Libre Relay
are putting themselves out there as taste makers and trend setters in
exactly that way, and are both happy to defend their respective views
on the merits.
Again, the distinction I'm making here is on how the judgement is made; whether
it's:

* "well, this is popular, so we should give up and just accept it", or
* "huh, this is popular, we should reconsider it on its merits"

If we're settling on the former (with the constraint that we only make
rules less restrictive) then I think we're very quickly going to move
to the "relay rules = consensus rules" approach [1], and from there to
"whoops, we can't make standardness rules more restrictive (because
that would likely be confiscatory), therefore can't make consensus rules
more strict via a soft fork, but we want to do an upgrade, so time for
a hard fork".

[1] eg, as advocated at https://x.com/0x_orkun/status/1918744573251121575

If we're settling on the latter, then the fundamental thing we're judging
our rules on is still their underlying merits, not their popularity,
and that should be the main thing we spend time discussing/evaluating.
At least some of those consensus rules were previously enforced
differently by policy, and could be again. For example the current
4GB/week limit was formerly 1GB/week by consensus, but prior to that was
250MB, 350MB and 750MB by miners sticking with core's default mining
policy.

I don't think core changing the default alone would have any effect there,
but if there were good reasons to reduce that number, then discussing
those reasons with miners, including how they would benefit as a result,
seems to me like it would have a good chance of working out, even without
consensus changes. (At present, I don't think there are good reasons
for such a reduction)
Not every policy needs 100% enforcement to have a meaningful effect. For
example, if 99.9% of miners mine 250kB blocks, and 0.1% of miners mine
4MB blocks, that still limits the block size to 256kB on average.

This might be a rational/incentive-compatible policy for all of those
miners, if fees are a large component of block reward, and the capacity
constraint pushes the average fee paid by transactions up by more than 4x,
and the majority of miners are either taking a long term view themselves
or are in a large pool with signficant constraints on exit.
The lowS rule was part of BIP 62 (dealing with malleability) which was
withdrawn around the time segwit was proposed. Part of it was re-proposed
by Matt as part of the Great Consensus Cleanup (push-only scriptSig),
but that wasn't one of them. I wasn't aware there was any particular
interest/need in upgrading lowS to a consensus rule, for instance.

In any event, the "general dysfunction in updating consensus rules"
largely takes the form of "I don't have confidence that we'll be able to
get consensus to agree to this change, which after all, isn't strictly
necessary". That's why the current BIP 54 doesn't include a restriction
on push-only scriptSig, eg -- disabling it isn't strictly necessary to
avoid the DoS attacks that we know about.

But if we aren't able to have the confidence to make standardness rules
more restrictive, I don't see why we should have any expectation of ever
cleaning things up in consensus: if a standardness change is adopted
by the network, it's still possible to get exceptions through in cases
where someone would have lost funds even if it requires paying exhorbitant
fees to a miner to special case your transaction; for a consensus change,
even that's not possible.
(If you prefer, replace "didn't really work" with "worked for a time,
but that time has passed")

The key argument against using bitcoin for "magical free file storage"
is that it isn't free, or even as cheap as just paying for storage on
S3, not that you have to do ridiculous encoding tricks when your file
size passes various thresholds. In any event, those encoding tricks
have already been standardised and publicised, so I'd expect that the
normal response today to "it doesn't provide that" is "actually it does,
see <url>".

Alternatively, if you believe there's still some potential there, we
could perhaps resurrect ideas like restricting the OP_RETURN pushdata
[2], perhaps to at most 80-bytes (same as now, just allow more of them),
256-bytes (ie, anything that only needs PUSHDATA1), 520-bytes (matching
inscription chunking forced by MAX_SCRIPT_ELEMENT_SIZE), or 4096-bytes
(matching how much data you could stuff contiguously in a taproot control
block via fake merkle leaves).

[2] https://github.com/bitcoin/bitcoin/pull/5286#issuecomment-65671770
> > growth to ~4GB/week" policy (6)
That's because you somehow tore up my quote and dropped the "rather
> > complicated scripts (6) or prefering prunable data (2):

that is, "they should be concerned with [the capacity limit], rather
than being concerned with [the witness discount and other things]". So
I don't think we're disagreeing.
I think a lot of people won't be convinced something's stupid until
they've actually tried doing the stupid things themselves, and found it
really doesn't work. For that example, if getting punched in the face now
lets them go get tested to prove/disprove their theory, and, assuming the
punch in the face didn't work, go move on to a real treatment ASAP, then
if it was someone I cared even slightly about, I'd probably be willing
to deal with some hand pain, yes. Hopefully the youtube conspiracy allows
you to wear a boxing glove, though.
For me, saying "sorry, this has reached a threshold of popularity, you
have to give up and accept it now" makes me want to oppose it just as a
knee-jerk reaction, even things I otherwise think of as a good idea. I
expect the contrapositive "sorry, your idea isn't popular enough,
you have to give up on it" likewise gets a knee jerk rejection from
many bitcoiners.

For me, arguments of the form "this is actually good for bitcoin because
..." are much more helpful than "sorry, a minority of miners have already
decided this is okay, therefore your opinions just don't matter".

Cheers,
aj

If I understand correctly, the Wasabi bug is described in this issue:
https://github.com/WalletWasabi/WalletWasabi/issues/10648
It was opened in May 2023. If the option hadn't been available at that
time, it would have been much harder for Wasabi coordinators to
mitigate the issue — they would have had to patch Bitcoin Core or use
an alternative node implementation, rather than just toggling a
setting.

Also note that the bug in Wasabi was discovered after mempoolfullrbf
was added in July 2022. The first Bitcoin Core release to include this
change was v24.0.1, in December 2022. It took several months after
that release for the Wasabi team to realize that mempoolfullrbf=1
created problems for their use case. If the feature had been released
without a flag (enabled by default with no way to disable it) it would
have made things significantly harder for them.

There may also be users today who rely on datacarrier
behaviour/options without yet realizing they're scheduled for removal.
If the options are simply relaxed in the next release, users could
still set the values they need and have time to adjust their
infrastructure. It would give them a chance to move away from relying
on those settings before they're removed entirely in a future version.
Otherwise, they may be forced to either switch to another node
implementation or remain on version 29.

No, in this hypothetical case (see below) they could have just
downgraded to the earlier version. There's no rush to adopt new Bitcoin
Core versions.
Nope. Wasabi was actually running Bitcoin Knots, which had full-rbf
enabled by default long before Bitcoin Core did. In *their* case, IIRC
they just turned it off, fixed their code, and turned it back on.
It is *very* hard to imagine removing datacarrier causing issues given
that oversized OP_Returns regularly show up in blocks. We don't need to
put unlimited effort into hypotheticals. The only way this would be an
actual issue if it you had mempool-specific code that was so broken that
it broke on an oversized OP_Return (or more than one), and yet somehow
you desperately needed to use a *new* version of Bitcoin Core.

Weak blocks give an advantage to large miners. Small miners, who rarely
find blocks, are also going to rarely find weak blocks, making the
feature mostly useless for them in terms of their choice of
transactions, while simultaneously increasing bandwidth consumption
somewhat. Meanwhile large miners do find weak blocks often, making the
feature useful for them and making it even easier for them to profit by
including non-standard transactions. Which again, is something that
small miners can't do.

When you originally proposed the scheme that may have been true. But
these days you could probably use zero-knowledge-proofs to prove that
hash digests are in fact hash digests, without having to include the
actual pre-images of those hash digests.
But Amazon doesn't offer a service to store data on S3 forever. Not even
indefinitely. The best you can do is pre-pay costs:

https://aws.amazon.com/about-aws/whats-new/2021/06/aws-now-allows-customers-to-pay-for-their-usage-in-advance-/

But even *that* service doesn't actually work in a lot of cases from
what I've heard. For example, I've heard that even if you have two
different AWS accounts, Amazon will use pre-paid funds from one to pay
the bills of another if they believe the accounts are the same
underlying entity (this is quite relevant to me as one of the ways I
backup the OpenTimestamps calendars I run is snapshots saved to S3
Glacier Deep Archive). There's also the issue that for Amazon's cheap
storage (S3 Glacier), it's quite hard for the general public to get
access to the data even if the person storing it wants to make it
available.

Comparing Bitcoin data storage/publication to centralized services like
AWS just isn't a good comparison. Like it or not, but public blockchains
are genuinely a unique service that aren't provided elsewhere.


Also of course, S3 only offers storage. Not publication. Things like
Citrea (and Lightning) specifically need data publication.
No, they do. As fees increased the hype around these tradable assets
moved from heavy-weight inscriptions (full-on JPGs) to absurd,
lightweight, memecoins that could be "registered" with much smaller
inscriptions. Costs do matter, even to the scammy vibe trading industry.

My point is that it's hard to foresee every possible use case. We
don't know how everyone's infrastructure is set up. Some users might
only realize this change affects them after it's already released. And
if they do need to adjust something in their workflow, it's a lot
easier if they can temporarily restore the previous behavior. Right
now, those users aren't speaking up, because they don't yet know
they'll be affected.

For example, someone might be running a device with very limited
resources that can't afford to store the full mempool, but also can't
disable it entirely. If they're only monitoring certain types of
transactions that never use OP_RETURN, filtering those out is a simple
and practical optimization.

Or consider a system that pulls mempool transactions via RPC from
Bitcoin Core. It might assume certain things about OP_RETURN outputs,
maybe it allocates a static buffer for them, and crashes if one turns
out to be unexpectedly large. Fixing that kind of issue may take time.
Keeping the option available gives operators the flexibility to update
their systems without breaking things in the meantime.

This isn't about defending every edge case as critical. It's just
about recognizing that once an option is removed, anyone who runs into
a problem is stuck. Leaving the setting in place for one more release,
even in a relaxed or discouraged state, gives people a fair chance to
adjust before it disappears.

[...]
[..]
On the one hand it allows big miners to get these non-standard transactions propagated early, so that their actual blocks don't get delayed.

On the other hand, as soon as they do that, any other miner can run off with the on chain fees. But that would then encourage out-of-band fees (even more).

There's an attribution problem, but although the weak blocks don't end up in the blockchain, they're still pretty good proof that a miner performed the requested service of (at least) spreading the transaction.

Perhaps weak blocks are only a good thing if they're linked in a chain, like in p2pool. They might work for individual pools internally (small, well connected?), but not for the global system.

- Sjors

On block propagation:
If I'm reading this correctly (and there's every chance I'm not):

1. When a node receives a compact block, it completely checks the
block's validity before relying it.
2. If the block includes txs which aren't in the node's mempool, it
needs to request those txs from peers before it can validate (and
subsequently relay) it.
3. This can slow down propagation of blocks significantly (as this cost
can, in the worst case, be incurred 'per hop').

If my above understanding is correct, then as far as I can tell, this
problem has nothing to do with mempool tx relay policy, and can be
solved by tweaking block relay policy.

On receiving a block:
1. Check whether the block meets the POW target.
2. If it does, relay it.
3. Validate the contents of the block.
4. Apply it.

This removes the 'per hop' block propagation delay caused by retrieving
missing transactions, and the only threat, so far as I can tell, is
that someone might waste a lot of money mining an invalid block to get
nodes to relay it (but then quickly discard it), which doesn't seem
particularly worth it.

Of course, if a miner doesn't have an included transaction locally,
they still need to go get it before they can safely include txs in
their next block, but the propagation delay is removed, and that miner
can always make sure to run, and connect to peers running permissive
relay policy, such as librerelay, to decrease the odds of that
happening.

A miner can already do this to all of their direct peers. The only
difference is whether it gets passed along. What's the functional
difference between this, and a miner delaying broadcast of a block
entirely, besides the fact withholding transactions is network-visible?
It relays once it has all of the transactions, and has done preliminary
validation up to BLOCK_VALID_TRANSACTIONS.

To finish validating the block, nodes of course will need to have all
the transactions. But relay of the compact block doesn't need to be
slowed down by nodes who don't have all transactions yet. Minimal
validation (POW, header, merkleroot) should be sufficient for relay.
Which is the block propagation part.

Right now, your miner won't receive the compact block until every node
along whichever path reaches them first has all the transactions
locally. Every node who was missing some of those transactions will
slow down propagation. The miner could already have all the
transactions locally, and still, they could be delayed. If they don't,
it takes longer for them to even know that they're missing transactions.

If we relay compact blocks before we have all the transactions locally,
the miner gets the compact block without any missing TX delay. If they
already have all transactions, they can finish validation and get to
work no questions asked. If they don't, the only delay in building on
the new block is because transactions were missing *from their own
mempool*.

Whether miners choose to start mining an empty block on top of this new
block, which they haven't yet fully validated, or continue with existing
work until validation completes is up to them. A decision they already
have to make.
As full-RBF demonstrated, transaction relay doesn't require every node
to have the same mempool policy. A small percentage of nodes running
permissive policy can get transactions to miners.

You don't need to try to force people to all use the same relay policy.
Never mind that it's impossible. The transaction can, and will be able
to reach miners via mempool relay by simply giving users more control
over their own node's policy, and lobbying enough of them to choose
more permissive relay policy.

The reason for limiting OP_RETURNs to 80 bytes of data is to encourage
developers to store hashes on the chain, rather than the actual
data. Why store 1GB when you can commit to it with a 32B hash, and save
99.9999968% in fees? In all this debate I haven't seen an analysis of
other alternatives Citrea/Clementine might use, rather than storing 144
bytes of data on chain.

As I understand it, the context in which they're using the data is the
following protocol:

* we have three known groups: Operators, Watchtowers and Signers
* we also have: Users and Challengers (who can be anyone)
* we assume that there is at least 1 honest Operator, 1 honest Watchtower,
1 honest Signer, and 1 honest Challenger, and >50% honest hashrate

When things go wrong, and one of the Operators tries to cheat, one way
they can do so is by publishing a claim that they posted a transaction
in a Bitcoin block that's not actually in the Bitcoin block chain. At
that point, an honest Watchtower observers the claim, and produces a
Groth16 proof that he has a more-work chain that does not contain the
block claimed by the Operator.

* but what if the Operator was honest and the Watchtower was trying to cheat?

* in that case, the claimed Groth16 proof can be evaluated via a sequence of
transactions following the BitVM and will be found to be invalid

The Groth16 proof/evaluator here is acting as a light client (doing
header only evaluation), but with even less data than a traditional
light client -- it only needs the Groth16 proof, not the ~40MB of data
from all the block headers. While 40MB of data isn't much for a phone
or raspberry pi or similar, it is a lot if you need to manually provide
it to a BitVM program.

Because the Watchtower here may be dishonest, they can't just be expected
to publish a hash of their proof -- nobody else can generate the exact
same proof they would without their random inputs, and publishing their
random inputs as well as a commitment would also be more than 80 bytes.

Possibly a protocol like the following could work, however:

* Operator claims block X with work W had the relevant tx
* Watchtower observes block Y with work W+A does not include X in its history,
waits until Y has 6 confirmations, and publishes Y's block hash and W+A
* Challenger:
- observes block Y, generates their own Groth16 proof that X is
not in Y's ancestor set, and verifies this via BitVM, penalising
the operator
- observes block Z with work W+2*A with X in its ancestry but not
Y, generates their own Groth16 proof for that, verifies this via
BitVM, penalising the watchtower
- observes block Z with work W+2*A with neither X nor Y in its
ancestry, generates their own Groth16 proof for that, verifies
this via BitVM, penalising the watchtower

This process is only triggered if either the Operator or Watchtower is
dishonest, and in that case it's likely the full BitVM protocol will
also be triggered, so the potential for a ~100 byte saving is probably
just lost in the noise.



However the point of all this is just to find a way of ensuring that the Operator
publishes a block hash that's actually in the block chain. But knowing what block
hashes are in the block chain is something bitcoind is already pretty good at,
so we could do that pretty differently. eg, Consider the hex string

50 01 24 030c3500 00000000000000000002a7c4c1e48d76c5a37902165a270156b7a8d72728a054

A string like that could be interpreted as:

* this is an annex entry
* of type 1, "per-input height lock"
* data length 36 bytes
* 3-byte int, value 800,000
* 32-byte hash, the block hash of block 800,000

And a consensus rule could be added that the presence of a type 1 annex
entry means a transaction is invalid unless the given block height
has been reached, and the hash of the block at that height (ends with)
the provided bytes.

That would ensure that the Operator's transaction does provide a real block
hash, which I believe is all that the Groth16 proof in question achieves.

I think that's probably sufficient for this use case -- you'd pull the
Operator's tx from the blockchain, then provide it to a BitVM program,
which would verify the witness was signed by the Operator, that the annex
data is of the appropriate length, and then go on to use the block hash
for further computation, presumably establishing some transaction is
included in the block by evaluating a merkle path. So that would remove
both the need to include the 144B groth16 proof, but would also avoid
an entire BitVM evaluation.

Having an annex entry acting as a per-input height lock seems somewhat
useful in general, and might, eg, allow multiple lightning payments to be
timed out in a single transaction, which might be nice. Being able to
commit to the block hash of your height lock is potentially useful when
dealing with controversial soft forks, hard forks, chain splits, or large
reorgs; as you can use the commitment to make a spend only valid on one
chain or the other yourself, rather than needing to try a double spend
race against yourself or collaborate with a miner to mix a new coinbase
output with your coins.

I think doing that via structuring the annex should be pretty feasible,
as a small number of unconditional contextual assertions from a well known
location in the traction should be easy to extract and operate on, in
the same way we treat tx's nVersion, nSequence and nLockTime time today.
In particular that sort of assertion can be validated independently of
executing scripts, which should make working out if a tx can remain in
the mempool after a reorg more straightforward.

Embedding it via an opcode in script seems somewhat more dangerous in two
ways -- you don't know which block hashes a script might reference until
you run the script (so have to give the script interpreter access to all
the blocks), and to cater for reorgs will need to track the most recent
block hash a script references and store that in the tx's mempool entry.
Those aren't impossible to deal with, but it seems better to me to have
keep the information that scripts can use as computation inputs very
local to the transaction being processed.

References:
- https://citrea.xyz/clementine_whitepaper.pdf
- https://x.com/0x_orkun/status/1918009290326950147
- https://gnusha.org/pi/bitcoindev/[email protected]/

Cheers,
aj