[bitcoin-dev] Progress on bech32 for future Segwit Versions (BIP-173)

Rusty Russell rusty at rustcorp.com.au
Thu Oct 8 00:21:10 UTC 2020

Hi all,

        I propose an alternative to length restrictions suggested by
Russell in https://github.com/bitcoin/bips/pull/945: use the
https://gist.github.com/sipa/a9845b37c1b298a7301c33a04090b2eb variant,
unless the first byte is 0.

Here's a summary of each proposal:

Length restrictions (future segwits must be 10, 13, 16, 20, 23, 26, 29,
32, 36, or 40 bytes)
  1. Backwards compatible for v1 etc; old code it still works.
  2. Restricts future segwit versions, may require new encoding if we
     want a diff length (or waste chainspace if we need to have a padded
     version for compat).
Checksum change based on first byte:
  1. Backwards incompatible for v1 etc; only succeeds 1 in a billion.
  2. Weakens guarantees against typos in first two data-part letters to
     1 in a billion.[1]

I prefer the second because it forces upgrades, since it breaks so
clearly.  And unfortunately we do need to upgrade, because the length
extension bug means it's unwise to accept non-v0 addresses.

(Note non-v0 segwit didn't relay before v0.19.0 anyway, so many places
may already be restricting to v0 segwit).

The sooner a decision is reached on this, the sooner we can begin
upgrading software for a taproot world.

PS. Lightning uses bech32 over longer lengths, but the checksum is less critical; we'd prefer to follow whatever
bitcoin chooses.

[1] Technically less for non-v0: you have a 1 in 8 chance of a typo in the second letter changing the checksum
     algorithm, so it's 1 in 8 billion. 

More information about the bitcoin-dev mailing list