[Bitcoin-ml] Proposal to deploy cashaddr January, 14

[Jason Dreyzehner]

Thanks for the explanation. That answers all of my initial objections
– excellent idea and fantastic work. Just to summarize what changed my view:

---

*User Recognition:*

Purely from a UX standpoint, I agree that this format is much better.
Here’s how BitPay’s support personnel currently describe a bitcoin address
when asking for support case information:

> A bitcoin address is a set of around 34 mixed case (upper/lower)
alphanumeric characters (0-9, a-z, A-Z) which starts with a “1” or a “3”.

Outside of a more technically inclined group of users, I’ve talked with
plenty of bitcoin users who can’t describe the difference between a bitcoin
address and a random string. For the next billion users, I can see how this
description would be a lot better:

> a bitcoin cash address begins with the letters `bitcoincash:`, followed
by a long series of letters and numbers.

And I would definitely recommend that implementors use and display the
prefix in all interfaces for recognizability (if addresses are displayed at
all). Even at the cost of addresses “not fitting” in current UIs. We’ll
just have to get more creative. (We were going to have that problem with
256-bit P2SH addresses anyways.)

*Prefix Length*:

I also now agree with you that the few extra characters for mainnet (vs a
shorter prefix, like `bch:`) are worth it to reduce ambiguity. In fact,
this address format is even comprehensible to humans who have never heard
of Bitcoin Cash. I can’t think of any other crypto address formats which
accomplish that goal. (What were we thinking before?)

Besides, alphanumeric mode QR codes already give this proposal slightly
better compression vs. the Copay address format. With
(backwards-compatible) Payment Protocol support, this advantage becomes
even larger.

*Double-click selection*:

To summarize the issue of double-click selection (and existing crypto users
expecting a format without a prefix-colon-hash format) – I’m also now
convinced this is a non-issue.

With this spec, users can mistakenly leave off the `bitcoincash:` when
copying the address, and software which expects to receive a cashaddr can
reliably add it back.

E.g. when a user pastes an address into Copay, the address is already
checked against a growing list of formats. It’s equally easy and safe to
accept this new format with or without the prefix.

One additional note – I just realized that Google’s Chrome browser selects
through `:` when double-clicked. For our purposes, that’s a nice bonus.

*Unknown version byte*:

So implementations probably want to check the checksum first – if it’s
valid, but the version byte is unrecognized, just let the user know
somehow, e.g. ”This [PREFIX] address uses an unrecognized version number
(X). Please ask the recipient for help using this address.”

---

This is great – you have my full support on format.

A few remaining notes/questions:

*Error correction example*: Yes, please – if you’d be willing to make that
code available, it would be great to have some safely-written reference
implementations. (Personally, I’d love to port it to JS for use in the
browser.)

*(version, hash) output*: just to make sure I’m following – do you mean TX
outputs? As in a protocol change to begin versioning Bitcoin Script and
paying to script hashes?

*256-bit P2SH*: at least for the business users I know, this is the 10x
reason to switch to cashaddr (from the Copay format). If we can get this
part ironed out, it will be much easier to get full ecosystem support.
Could you describe your vision for how it works?
Jason

On Thu, Nov 16, 2017 at 3:30 PM Amaury Séchet <deadalnix at gmail.com> wrote:

> Hi,
>
> The use of ":" is due to the fact that it is what's used in link and/or QR
> codes already. Choosing something else means that you need to double
> prefix. Because the prefix is checksumed, it can actually be implicit in
> most cases and only be specified when there is an ambiguity. Let me
> explicit. In a QR code, you would encode:
>
> bitcoincash:abcdefwhateverchecksum
>
> From the bitcoincash prefix, your QR code reader determine that it needs
> to be open with your bch wallet. The bch wallet receive the address
> "abcdefwhateverchecksum" . If that address is not a bitcoincash address,
> then the checksum will be invalid and the wallet can reject it. That means
> that in most cases, the prefix is just implicit.
>
> Because the prefix is implicit, there is no need to make it especially
> short. in fact, because it need to designate bitcoin cash in some global
> namespace, it needs to be long enough to avoid name clashes.
>
> So we get to a) it doesn't matter if the prefix get dropped and b) it
> doesn't matter if the prefix gets dropped :) In both cases, the prefix is
> implied in the checksum. Only put the prefix in case you need to
> deambiguate, or when embedding in a link/QR code.
>
> For unknown version byte, the wallet should reject. Longer term it is
> desirable to move to a (version, hash) output, and I hope to convince
> people this is the right thing to do - that'd make the protocol much more
> upgradable. But we'll see how that one goes.
>
> For error correction, I have code for it in C++ that I used to research
> what's the best BCH codes to be used given the criterion. It rathe raw but
> I can put it in shape if this is something people want. However, I would
> advice against trying to do error correction on addresses. While you can
> detect 6 errors with the chosen code, you can only correct 3. If you have
> more than 3, you will correct incorrectly, sending the funds in a black
> hole. The basic idea is that you compute the checksum for a vector of 0
> (without starting and ending with a 1 in the buffer as it is done for the
> checksum) except for one character. The checksum that you get is what the
> final checksum will be xored with if the character you changed is invalid
> by the value you changed. Once you compute all the checksums for all the
> possible errors, you can use gaussian elimination to find out what set of
> errors can be applied to get a valid address. It sounds complicated, but
> for 1 or 2 errors, it is really easy. For 3 it's a bit more tricky, but
> nothing extraordinary.
>
> For the birthday solution, this is indeed an option to solve it. Or going
> with version, hash as an output. Whichever gets traction.
>
>
>
>
> 2017-11-16 6:13 GMT+01:00 Jason Dreyzehner <jason at dreyzehner.com>:
>
>> Thanks for your work on this Amaury! I’m excited about this format and
>> definitely think it’s a step forward. I also appreciate the goal of
>> committing to a rollout schedule, at least for the most actively-developed
>> implementations.
>>
>>
>> *Questions on the spec*:
>>
>> *Design considerations*: could you provide your reasoning where this
>> spec differs from BIP 173? I’m most interested in: a) the use of `:` rather
>> than `1`, and b) your reasoning for choosing slightly longer standard
>> prefixes (`bitcoincash`, `xbctest`).
>>
>> For (a), this eliminates the double-click select-ability on most OSes.
>> Not essential, but if the design goal is clear separation, did you consider
>> the use of the period character (`.`)? Still not selectable on Windows, but
>> works for macOS and some Linux users. (I see that both are also within the
>> alphanumeric mode character set for the QR Code standard.) BIP 173 uses a
>> `1`, which guarantees select-ability across all environments, and probably
>> also would reduce the chance of humans mistakenly copying only the hash and
>> checksum. (Esp. those humans already accustomed to other crypto addresses.)
>>
>> For (b) – the test vector
>> `bitcoincash:qpzry9x8gf2tvdw0s3jn54khce6mua7lcw20ayyn` is 52 characters, 11
>> of which indicate the network. This is fairly expensive, and completely
>> precludes the use of Version 2 L QR Codes (max 47 Alphanumeric). In this
>> case, with a prefix of 6 characters or shorter, we can save a level of QR
>> complexity.
>>
>> *Future compatibility*: can this spec provide guidance on how
>> implementations should handle unknown version bytes?
>>
>> *Error correction*: is there a sample implementation which
>> properly/safely demonstrates error correction?
>>
>> *P2SH birthday attack resistance*: is there a proposed implementation
>> for this? In your vision, does this expand the current BIP 16 P2SH
>> mechanism to include a new script template? (e.g. `OP_HASH256
>> [32-byte-hash-value] OP_EQUAL`) Or does it rely on a new mechanism? [1]
>>
>>
>> *On the rollout schedule*:
>>
>> It seems like a great goal to have ecosystem-wide support by Jan 14.
>>
>> It’s probably also worthwhile to derive some lessons from the rollout of
>> BIPs 70-73: until we have almost universal support, the support/development
>> costs of making a new address format “default” for any consumer product is
>> seems to be quite high.
>>
>> For example, in a limited rollout of “on-by-default” BIP 73 support,
>> BitPay found that a surprising percentage of users contacted BitPay’s
>> support when their outdated wallets weren’t able to parse the simpler QR
>> code. (Logically, since the users had used their wallet before, they
>> perceive the problem to be with the receiving QR code.) Even with further
>> development (including an adjacent, primary call to action of “QR code not
>> scanning?” and other attempts at educating users), it simply wasn’t worth a
>> wider rollout.
>>
>> *Rollout phases*: To avoid that unnecessary cost, I’d recommend we break
>> rollout into two phases: “implementation” in January (assuming implementors
>> agree on this spec), and a later rollout date for “on-by-default support”
>> (like March or April). This lowers the stakes for companies with competing
>> priorities, since they’ll have a number of weeks to verify adequate
>> ecosystem support before completely committing.
>>
>> *In the meantime*, it would also be a good idea for implementations
>> still using the old `1` and `3` address formats to upgrade to the address
>> format adopted by Copay (https://bitpay.github.io/address-translator/).
>> I know it’s easy for many of us to believe that users can keep old-format
>> addresses straight between the networks, but please keep in mind – there’s
>> an astoundingly large group of users who believe BCH and BTC are
>> interchangeable because “it let me send it”…
>>
>>
>> [1]: My preference would be to implement this using Bitcoin Script by
>> defining one of the extensible OP_NOPs to “OP_CHECKREDEEMSCRIPT”. (Rather
>> than another BIP 16-style “magic template”.)
>>
>>
>> Jason
>> On Tue, Nov 14, 2017 at 7:26 PM Amaury Séchet via bitcoin-ml <
>> bitcoin-ml at lists.linuxfoundation.org> wrote:
>>
>>> Dear Bitcoin Cash community,
>>>
>>> Bitcoin Cash has been in need for a new address format for quite some
>>> time. There is an immediate problem as people mistakenly send BCH to BTC
>>> address and vice versa, which is made worse by the fact that segwit on the
>>> BTC chain had the brilliant idea to leverage outputs that anyone can spend,
>>> which make the recovery of the funds delicate on the Bitcoin Cash chain.
>>>
>>> Because this need is pressing, companies like Bitpay started using
>>> incompatible addresses format and this is causing fragmentation in the
>>> Bitcoin Cash ecosystem. I do not wish to blame Bitpay, they took action to
>>> solve the problem their business faces, this is good business from their
>>> part.
>>>
>>> However, while the problem of funds sent on the wrong chain is pressing,
>>> there are other reasons we need to update the address format. It is
>>> imperative that the chosen standard for Bitcoin Cash address the various
>>> issues present with the current address format as we cannot change
>>> addresses every other tuesday. The most important one being that current
>>> outputs are using 160 bits hashes for multiparty contracts such as
>>> multisig, which is really playing with the limit of what can be considered
>>> secure. It is also desirable that the format chosen can accommodate new
>>> features we wish to deploy, or, in other terms, be extensible.
>>>
>>> As a result, I propose to upgrade to the cashaddr format. This format (
>>> https://github.com/Bitcoin-UAHF/spec/blob/master/cashaddr.md ) is based
>>> on work from Rusty Russel ( https://rusty.ozlabs.org/?p=578 ) and uses
>>> BCH codes in order to ensure error detection as suggested by Pieter Wuille
>>> for bech32.
>>>
>>> Using a new format will prevent users from mistakenly sending money on
>>> the wrong chain. It also accept payloads up to 512 bits which ensures we
>>> can deploy more secure way of doing multiparty smart contract in the
>>> future. Finally, it uses a version field ensuring we can encode new
>>> features in these addresses in the future without having to use a new
>>> format.
>>>
>>> In addition of these must have features, cashaddr improve on several
>>> aspects of current address format in a way that may not justify in itself
>>> to use a new format, but are nevertheless really nice to have.
>>>  - It uses a very strong checksum which ensure detection of up to 6
>>> errors in an address and 8 in ‘burst’. Larger number of errors have one
>>> chance over a thousand billion to lead to a valid address.
>>>  - It encode more compactly in QR codes as it allows the use of the
>>> alphanumeric mode.
>>>  - It is much faster to encode and decode than the previous format,
>>> which is important for system having to handle a large number of addresses.
>>>
>>> In order to reduce confusion for users with the use of different
>>> addresses, I think it is important to deploy this shortly and stop the
>>> fragmentation of the ecosystem. Deploying such a change on the network will
>>> take some time for all wallet, exchanges and merchant to upgrade. Christmas
>>> and new year is coming soon and nobody want to do such an upgrade during
>>> this time. As a result, I propose we aim for a deployment around Jan, 14 .
>>> This leaves 2 month for everybody to get ready which I think is reasonable.
>>> Delaying further would push us into the Chinese new year territory, which
>>> is also undesirable.
>>>
>>> The next version of Bitcoin ABC will include support for cashaddr,
>>> hidden behind a configuration at first, so people can experiment with it. I
>>> would like to invite via this message various participants in the ecosystem
>>> to do the same.
>>>
>>> Let's do it ?
>>>
>>> Amaury Séchet
>>> _______________________________________________
>>> bitcoin-ml mailing list
>>> bitcoin-ml at lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-ml
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-ml/attachments/20171118/cb377892/attachment-0001.html>