Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0A291C000B for ; Fri, 28 Jan 2022 00:19:10 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id E9B554160F for ; Fri, 28 Jan 2022 00:19:09 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yC1I7rDTxOxG for ; Fri, 28 Jan 2022 00:19:07 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) by smtp4.osuosl.org (Postfix) with ESMTPS id 50554415F4 for ; Fri, 28 Jan 2022 00:19:06 +0000 (UTC) Received: by mail-yb1-xb2f.google.com with SMTP id i10so13622117ybt.10 for ; Thu, 27 Jan 2022 16:19:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=F6TNH+eZZA+fo5l8KRfKHwThuXFRQcj+pkRqI4zuAiA=; b=WwdaCbyIZA1V3dBDZiz4HUrsfK5ov5l1e43j0OHIS1td8p2A6XS6yg9bgfVEHukNAc tSqASjH8q6VygKcS3rS6vUtqUm5chDVUU6Qrcmy8/hksr8/JvRNFcogXH/BnbulSCuO8 HV7VospV8CRCO6Lz/9wiW72OrxB33/CN/popGKfmdncE8z+6bktTMhMU7HzZZhsuBPeu A/sM/Ff1i2O0yd9MXuyr9l++4XuyDQ+1mLogKqhs2DEyWJ0Ckrzv+H6UYwsEhSojGe3J duYI5Qv7yDnWRn7kts2TOIWQAoUmn6YesnQp5fauVspAblxSIH6jHi2fnHk2vgHoGSqo 6U6w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=F6TNH+eZZA+fo5l8KRfKHwThuXFRQcj+pkRqI4zuAiA=; b=1UA+xqqZgVeWGJEofVM5JGSuJUTZBqsw1mi03WjjJItdXtIIKEj6F/8NIUldHVivub jupXejLHzG/9kMC0HZKsGGbJXXRuoLR5qzwfhGFVefeYLtpW4VgbqrvzRvKobop3llVs dyPhPyvmSp8kktw2hiTN91+QlJIwkJqs7/+C419yXgdcyQ2/iGXqnk+SoAbPHIku1Km5 uLhAXBOQVnshCKiH8YahHz4irtGJ6fUysyyderjRiLzVWvbcljIIdieaZT64MdtvYWId 6IrWIg+E6zzSm1SxFsyOSJX5KcvW9Uq9eFIxhDkvQzVYoK+eDI5UUl7mnKkizes1crXm j6uw== X-Gm-Message-State: AOAM533ZIvqpvA47oQoj7yxpXHq0AAcEz5+fL9tiSQM5qSFkKn0rfcGq MHy+0KS4AFU9PGgXV5odUbPvcDONN4JfyYr4etsUwDdmF0M= X-Google-Smtp-Source: ABdhPJzD1GwOHERGOntF2QzO0xZDF6V11A2hJkNr6zNMAXxZcnD9BytdsRf6yZS+kwukwVvat5X2xJRL/GOjW2SVzwU= X-Received: by 2002:a25:2451:: with SMTP id k78mr8619927ybk.511.1643329145648; Thu, 27 Jan 2022 16:19:05 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: "James O'Beirne" Date: Thu, 27 Jan 2022 19:18:54 -0500 Message-ID: To: "Russell O'Connor" , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000f9bbcd05d699614f" X-Mailman-Approved-At: Fri, 28 Jan 2022 08:42:00 +0000 Subject: Re: [bitcoin-dev] TXHASH + CHECKSIGFROMSTACKVERIFY in lieu of CTV and ANYPREVOUT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jan 2022 00:19:10 -0000 --000000000000f9bbcd05d699614f Content-Type: text/plain; charset="UTF-8" > I don't think implementing a CTV opcode that we expect to largely be obsoleted by a TXHASH at a later date is yielding good value from a soft fork process. This presumes the eventual adoption of TXHASH (or something like it). You're presenting a novel idea that, as far as I know, hasn't had much time to bake in public. Like Jeremy, I'm concerned by the combinatorial growth of flags and the implications that has for testing. Caching for something like TXHASH looks to me like a whole different ballgame relative to CTV, which has a single kind of hash. Even if we were to adopt something like TXHASH, how long is it going to take to develop, test, and release? My guess is "a while" - in the meantime, users of Bitcoin are without a vault strategy that doesn't require either presigning transactions with ephemeral keys (operationally difficult) or multisig configurations that would make Rube Goldberg blush (operationally difficult and precarious). The utility of vaulting seems underappreciated among consensus devs and it's something I'd like to write about soon in a separate post. > The strongest argument I can make in favour of CTV would be something like: "We definitely want bare CTV and if we are going to add CTV to legacy script (since we cannot use TXHASH in legacy script), then it is actually easier not to exclude it from tapscript, even if we plan to add TXHASH to tapscript as well." Another argument for CTV (which I find especially persuasive) is its simplicity - it's relatively easy to reason about and, at this point, pretty well understood. It seems like a low-risk change relative to some of the other covenant proposals, nearly all of which elicit a good deal of headscratching (at least from me) and seem to require not only larger on-chain footprints but sizable code changes. > I am sensitive to technical debt and soft fork processes If OP_CTV ends up being the most practical approach for vaulting - among other things - in terms of weight (which it seems to be at the moment) I don't think "technical debt" is an applicable term. On Thu, Jan 27, 2022 at 5:20 PM Russell O'Connor via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > I am sensitive to technical debt and soft fork processes, and I don't > believe I'm unordinary particular about these issues. Once implemented, > opcodes must be supported and maintained indefinitely. Some opcodes are > easier to maintain than others. These particular opcodes involve caching > of hash computations and, for that reason, I would judge them to be of > moderate complexity. > > But more importantly, soft-forks are inherently a risky process, so we > should be getting as much value out of them as we reasonably can. I don't > think implementing a CTV opcode that we expect to largely be obsoleted by a > TXHASH at a later date is yielding good value from a soft fork process. > > The strongest argument I can make in favour of CTV would be something > like: "We definitely want bare CTV and if we are going to add CTV to legacy > script (since we cannot use TXHASH in legacy script), then it is actually > easier not to exclude it from tapscript, even if we plan to add TXHASH to > tapscript as well." > > But that argument basically rests the entire value of CTV on the shoulders > of bare CTV. As I understand, the argument for why we want bare CTV, > instead of just letting people use tapscript, involves the finer details of > weight calculations, and I haven't really reviewed that aspect yet. I > think it would need to be pretty compelling to make it worthwhile to add > CTV for that one use case. > > > Regarding "OP_TXHASH+CSFSV doesn't seem to be the 'full' set of things > needed", I totally agree we will want more things such as CAT, rolling > SHA256 opcodes, wider arithmetic, pushing amounts onto the stack, some kind > of tapleaf manipulation and/or TWEAKVERIFY. For now, I only want to argue > TXHASH+CSFSV is better than CTV+APO because it gives us more value, namely > oracle signature verification. In particular, I want to argue that > TXHASH's push semantics is better that CTV's verify semantics because it > composes better by not needing to carry an extra 32-bytes (per instance) in > the witness data. I expect that in a world of full recursive covenants, > TXHASH would still be useful as a fast and cheap way to verify the > "payload" of these covenants, i.e. that a transaction is paying a certain, > possibly large, set of addresses certain specific amounts of money. And > even if not, TXHASH+CSFSV would still be the way that eltoo would be > implemented under this proposal. > > On Wed, Jan 26, 2022 at 5:16 PM Jeremy wrote: > >> Hi Russell, >> >> Thanks for this email, it's great to see this approach described. >> >> A few preliminary notes of feedback: >> >> 1) a Verify approach can be made to work for OP_TXHASH (even with CTV >> as-is) E.g., suppose a semantic added for a single byte stack[-1] sighash >> flag to read the hash at stack[-2], then the hash can be passed in instead >> of put on the stack. This has the disadvantage of larger witnesses, but the >> advantage of allowing undefined sighash flags to pass for any hash type. >> 2) using the internal key for APO covenants is not an option because it >> makes transaction construction interactive and precludes contracts with a >> NUMS point taproot key. Instead, if you want similar savings, you should >> advocate an OP_GENERATOR which puts G on the stack. Further, an untagged >> APO variant which has split R and S values would permit something like >> OP_GENERATOR OP_GENERATOR CHECKSIGAPO, which would be only 2 more >> bytes than CTV. >> 3) I count something like 20 different flags in your proposal. As long as >> flags are under 40 bytes (and 32 assuming we want it to be easy) without >> upgrading math this should be feasible to manipulate on the stack >> programmatically. This is ignoring some of the more flexible additions you >> mention about picking which outputs/inputs are included. However, 20 flags >> means that for testing we would want comprehensive tests and understanding >> for ~1 million different flag combos and the behaviors they expose. I think >> this necessitates a formal model of scripting and transaction validity >> properties. Are there any combinations that might be undesirable? >> 4) Just hashing or not hashing isn't actually that flexible, because it >> doesn't natively let you do things like (for example) TLUV. You really do >> need tx operations for directly manipulating the data on the stack to >> construct the hash if you want more flexible covenants. This happens to be >> compatible with either a Verify or Push approach, since you either >> destructure a pushed hash or build up a hash for a verify. >> 5) Flexible hashing has the potential for quadratic hashing bugs. The >> fields you propose seem to be within similar range to work you could cause >> with a regular OP_HASH256, although you'd want to be careful with some of >> the proposed extensions that you don't create risk of quadratic hashing, >> which seems possible with an output selecting opcode unless you cache >> properly (which might be tricky to do). Overall for the fields explicitly >> mentioned, seems safe, the "possibles" seem to have some more complex >> interactions. E.g., CTV with the ability to pick a subset of outputs would >> be exposed to quadratic hashing. >> 6) Missing field: covering the annex or some sub-range of the annex >> (quadratic hashing issues on the latter) >> 7) It seems simpler to, for many of these fields, push values directly >> (as in OP_PUSHTXDATA from Johnson Lau) because the combo of flags to push >> the hash of a single output's amount to emulate OP_AMOUNT looks 'general >> but annoying'. It may make more sense to do the OP_PUSHTXDATA style opcode >> instead. This also makes it simpler to think about the combinations of >> flags, since it's really N independent multi-byte opcodes. >> >> >> Ultimately if we had OP_TXHASH available "tomorrow", I would be able to >> build out the use cases I care about for CTV (and more). So I don't have an >> opposition on it with regards to lack of function. >> >> However, if one finds the TXHASH approach acceptable, then you should >> also be relatively fine doing APO, CTV, CSFS, TXHASH acceptable in any >> order (whenever "ready"), unless you are particularly sensitive to >> "technical debt" and "soft fork processes". The only costs of doing >> something for CTV or APO given an eventual TXHASH is perhaps a wasted key >> version or the 32 byte argument of a NOP opcode and some code to maintain. >> >> Are there other costs I am missing? >> >> However, as it pertains to actual rollout: >> >> - OP_TXHASH+CSFSV doesn't seem to be the "full" set of things needed (we >> still need e.g. OP_CAT, Upgraded >=64 bit Math, TLUV or OP_TWEAK >> OP_TAPBRANCH OP_MANIPULATETAPTREE, and more) to full realize covenanting >> power it intends to introduce. >> - What sort of timeline would it take to ready something like TXHASH (and >> desired friends) given greater scope of testing and analysis (standalone + >> compared to CTV)? >> - Is there opposition from the community to this degree of >> general/recursive covenants? >> - Does it make "more sense" to invest the research and development effort >> that would go into proving TXHASH safe, for example, into Simplicity >> instead? >> >> Overall, *my opinion *is that: >> >> - TXHASH is an acceptable theoretical approach, and I am happy to put >> more thought into it and maybe draft a prototype of it. >> - I prefer CTV as a first step for pragmatic engineering and availability >> timeline reasons. >> - If TXHASH were to take, optimistically, 2 years to develop and review, >> and then 1 year to activate, the "path dependence of software" would put >> Bitcoin in a much better place were we to have CTV within 1 year and >> applications (that are to be a subset of TXHASH later) being built over the >> next few years enhanced in the future by TXHASH's availability. >> - There is an element of expediency meritted for something like CTV >> insofar as it provides primitives to tackle time sensitive issues around >> privacy, scalability, self custody, and decentralization. The >> aforementioned properties may be difficult to reclaim once given away (with >> the exception of perhaps scalability). >> - Bringing CTV to an implemented state of near-unanimous "we could do >> this, technically" is good for concretely driving the process of review for >> any covenant proposals forward, irrespective of if we ultimately activate. >> (I.e., if there were a reason we could not do CTV safely, it would likely >> have implications for any other future covenant) >> >> Concretely, I'm not going to stop advocating for CTV based on the above, >> but I'm very happy to have something new in the mix to consider! >> >> Best, >> >> Jeremy >> >> >> -- >> @JeremyRubin >> >> >> >> On Wed, Jan 26, 2022 at 9:23 AM Russell O'Connor via bitcoin-dev < >> bitcoin-dev@lists.linuxfoundation.org> wrote: >> >>> Recapping the relationship between CTV and ANYPREVOUT:: >>> >>> It is known that there is a significant amount of overlap in the >>> applications that are enabled by the CTV and ANYPREVOUT proposals despite >>> the fact that their primary applications (congestion control for CTV and >>> eltoo lightning channels for ANYPREVOUT) are quite distinct. >>> In particular, ANYPREVOUT can enable most of the applications of CTV, >>> albeit with a higher cost. The primary functionality of CTV is to allow a >>> scriptPubKey to make a commitment to its spending transaction's hash with >>> the input's TXID excluded from the hash. This exclusion is necessary >>> because the scriptPubKey is hashed into the input's TXID, and including the >>> TXID would cause a cycle of hash commitments, which is impossible to >>> construct. On the other hand, ANYPREVOUT defines a signature hash mode >>> that similarly excludes the inputs TXID for its purpose of rebindable >>> signatures. >>> >>> This means that ANYPREVOUT can mimic most of the properties of CTV by >>> committing both a public key along with an ANYPREVOUT signature inside >>> scriptPubKey. In fact, the only reason Bitcoin doesn't have covenants >>> today is due to this cycle between scriptPubKeys and the TXIDs that occur >>> in all the sighash modes. >>> >>> The major differences between simulating CTV via ANYPREVOUT and the >>> actual CTV proposal is: (1) The cost of simulating CTV. With CTV the >>> spending transaction is committed using a hash of 32 bytes, while >>> simulating it with ANYPREVOUT requires 64 bytes for a signature, and 32 >>> bytes for some public key, plus a few more bytes for various flags. Some >>> of that cost could be reduced by using the inner public key (1 byte >>> representation) and, if we had CAT, maybe by assembling the signature from >>> reusable pieces (i.e. setting the nonce of the commited signature equal to >>> the public key). >>> >>> The other major difference is: (2) CTV's transaction hash covers values >>> such as the number of inputs in the transaction and their sequence numbers, >>> which ANYPREVOUT does not cover. CTV's hash contains enough information so >>> that when combined with the missing TXIDs, you can compute the TXID of the >>> spending transaction. In particular if the number of inputs is committed >>> to being 1, once the scriptpubkey's transaction id is known and committed >>> to the blockchain, the TXID of its spending transaction is deducible. And >>> if that transaction has outputs that have CTV commitments in them, you can >>> deduce their spending TXIDs in turn. While this is a pretty neat feature, >>> something that ANYPREVOUT cannot mimic, the main application for it is >>> listed as using congestion control to fund lightning channels, fixing their >>> TXIDs in advance of them being placed on chain. However, if ANYPREVOUT >>> were used to mimic CTV, then likely it would be eltoo channels that would >>> be funded, and it isn't necessary to know the TXIDs of eltoo channels in >>> advance in order to use them. >>> >>> >>> >>> An Alternative Proposal:: >>> >>> Given the overlap in functionality between CTV and ANYPREVOUT, I think >>> it makes sense to decompose their operations into their constituent pieces >>> and reassemble their behaviour programmatically. To this end, I'd like to >>> instead propose OP_TXHASH and OP_CHECKSIGFROMSTACKVERIFY. >>> >>> OP_TXHASH would pop a txhash flag from the stack and compute a (tagged) >>> txhash in accordance with that flag, and push the resulting hash onto the >>> stack. >>> OP_CHECKSIGFROMSTACKVERIFY would pop a pubkey, message, and signature >>> from the stack and fail if the signature does not verify on that message. >>> >>> CTV and TXHASH have roughly equivalent functionality. 'CTV DROP' can be >>> simulated by ' TXHASH EQUALVERIFY'. The reverse is also >>> true where ' TXHASH' can be simulated by CTV by >>> ' CTV', however, as you can see, simulating >>> TXHASH from CTV is much more expensive than the other way around, because >>> the resulting 32-byte hash result must be included as part of the witness >>> stack. >>> >>> ' CHECKSIGVERIFY can be simulated by >>> ' TXHASH CHECKSIGFROMSTACKVERIFY'. Here we see >>> the advantage of pushing the hash value onto the stack. APO can be >>> simulated without needing to include a copy of the resulting txhash inside >>> the witness data. >>> >>> In addition to the CTV and ANYPREVOUT applications, with >>> CHECKSIGFROMSTACKVERIFY we can verify signatures on arbitrary messages >>> signed by oracles for oracle applications. This is where we see the >>> benefit of decomposing operations into primitive pieces. By giving users >>> the ability to program their own use cases from components, we get more >>> applications out of fewer op codes! >>> >>> >>> >>> Caveats:: >>> >>> First, I acknowledge that replicating the behaviour of CTV and >>> ANYPREVOUT does cost a few more bytes than using the custom purpose built >>> proposals themselves. That is the price to be paid when we choose the >>> ability to program solutions from pieces. But we get to reap the >>> advantages of being able to build more applications from these pieces. >>> >>> Unlike CTV, TXHASH is not NOP-compatable and can only be implemented >>> within tapscript. In particular, bare CTV isn't possible with this >>> proposal. However, this proposal doesn't preclude the possibility of >>> having CTV added to legacy script in while having TXHASH added to tapscript. >>> >>> For similar reasons, TXHASH is not amenable to extending the set of >>> txflags at a later date. In theory, one could have TXHASH >>> abort-with-success when encountering an unknown set of flags. However, >>> this would make analyzing tapscript much more difficult. Tapscripts would >>> then be able to abort with success or failure depending on the order script >>> fragments are assembled and executed, and getting the order incorrect would >>> be catastrophic. This behavior is manifestly different from the current >>> batch of OP_SUCCESS opcodes that abort-with-success just by their mere >>> presence, whether they would be executed or not. >>> >>> I believe the difficulties with upgrading TXHASH can be mitigated by >>> designing a robust set of TXHASH flags from the start. For example having >>> bits to control whether (1) the version is covered; (2) the locktime is >>> covered; (3) txids are covered; (4) sequence numbers are covered; (5) input >>> amounts are covered; (6) input scriptpubkeys are covered; (7) number of >>> inputs is covered; (8) output amounts are covered; (9) output scriptpubkeys >>> are covered; (10) number of outputs is covered; (11) the tapbranch is >>> covered; (12) the tapleaf is covered; (13) the opseparator value is >>> covered; (14) whether all, one, or no inputs are covered; (15) whether all, >>> one or no outputs are covered; (16) whether the one input position is >>> covered; (17) whether the one output position is covered; (18) whether the >>> sighash flags are covered or not (note: whether or not the sighash flags >>> are or are not covered must itself be covered). Possibly specifying which >>> input or output position is covered in the single case and whether the >>> position is relative to the input's position or is an absolute position. >>> >>> That all said, even if other txhash flag modes are needed in the future, >>> adding TXHASH2 always remains an option. >>> >>> >>> >>> Interactions with potential future opcodes:: >>> >>> We should give some consideration on how these opcodes may interact with >>> future opcodes such as CAT, rolling SHA256 opcodes, or how it might >>> interface with other covenant opcodes that may do things like, directly >>> push input or output amounts onto the stack for computation purposes, >>> opcodes which have been added to the Elements project. >>> >>> With CAT and/or rolling SHA256 opcodes and/or existing SHA256 opcodes, >>> the CHECKSIGFROMSTACKVERIFY could verify signatures on programmatically >>> assembled messages. Also, in combination with multiple calls to TXHASH, >>> could be used to create signatures that commit to complex subsets of >>> transaction data. >>> >>> If new opcodes are added to push parts of the transaction data direction >>> onto the stack, e.g. OP_INSPECTOUTPUTVALUE, there is perhaps concern that >>> they would obsolete TXHASH, since, in the presence of rolling SHA256 >>> opcodes, TXHASH could be simulated. However, given that TXHASH can >>> compactly create a hash of large portions of transaction data, it seems >>> unlikely that TXHASH would fall into disuse. Also, a combination of TXHASH >>> and transaction introspection opcodes can be used to build "*subtractive >>> covenants*". >>> >>> The usual way of building a covenant, which we will call "*additive * >>> *covenants*", is to push all the parts of the transaction data you >>> would like to fix onto the stack, hash it all together, and verify the >>> resulting hash matches a fixed value. Another way of building covenants, >>> which we will call "*subtractive covenants*", is to push all the parts >>> of the transaction data you would like to remain free onto the stack. Then >>> use rolling SHA256 opcodes starting from a fixed midstate that commits to a >>> prefix of the transaction hash data. The free parts are hashed into that >>> midstate. Finally, the resulting hash value is verified to match a value >>> returned by TXHASH. The ability to nicely build subtractive covenants >>> depends on the details of how the TXHASH hash value is constructed, >>> something that I'm told CTV has given consideration to. >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >> _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000f9bbcd05d699614f Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
> I don't think implementing a CTV= opcode that we expect to largely=20 be obsoleted by a TXHASH at a later date is yielding good value from a=20 soft fork process.

This presumes the = eventual adoption of TXHASH (or something like it). You're presenting a= novel idea that, as far as I know, hasn't had much time to bake in pub= lic. Like Jeremy, I'm concerned by the combinatorial growth of flags an= d the implications that has for testing. Caching for something like TXHASH = looks to me like a whole different ballgame relative to CTV, which has a si= ngle kind of hash.

Even if we were to adopt so= mething like TXHASH, how long is it going to take to develop, test, and rel= ease? My guess is "a while" - in the meantime, users of Bitcoin a= re without a vault strategy that doesn't require either presigning tran= sactions with ephemeral keys (operationally difficult) or multisig configur= ations that would make Rube Goldberg blush (operationally difficult and pre= carious). The utility of vaulting seems underappreciated among consensus de= vs and it's something I'd like to write about soon in a separate po= st.

> The strongest argume= nt I can make in favour of CTV would be something=20 like: "We definitely want bare CTV and if we are going to add CTV to= =20 legacy script (since we cannot use TXHASH in legacy script), then it is=20 actually easier not to exclude it from tapscript, even if we plan to add TXHASH to tapscript as well."

Another argume= nt for CTV (which I find especially persuasive) is its simplicity - it'= s relatively easy to reason about and, at this point, pretty well understoo= d. It seems like a low-risk change relative to some of the other covenant p= roposals, nearly all of which elicit a good deal of headscratching (at leas= t from me) and seem to require not only larger on-chain footprints but siza= ble code changes.

> I am sensitive to technical= debt and soft fork=C2=A0processes

If OP_CTV ends = up being the most practical approach for vaulting - among other things - in= terms of weight (which it seems to be at the moment) I don't think &qu= ot;technical debt" is an applicable term.

On Thu, Jan 27, 202= 2 at 5:20 PM Russell O'Connor via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
I am sensitive to technical debt and soft fork=C2=A0pro= cesses, and I don't believe I'm unordinary particular about these i= ssues.=C2=A0 Once implemented, opcodes must be supported and maintained ind= efinitely.=C2=A0 Some opcodes are easier to maintain than others.=C2=A0 The= se particular opcodes involve caching of hash computations and, for that re= ason, I would judge them to be of moderate complexity.

But more importantly, soft-forks are inherently a risky process, s= o we should be getting as much value out of them as we reasonably can. I do= n't think implementing a CTV opcode that we expect to largely be obsole= ted by a TXHASH at a later date is yielding good value from a soft fork pro= cess.

The strongest argument I can make in favour = of CTV would be something like: "We definitely want bare CTV and if we= are going to add CTV to legacy script (since we cannot use TXHASH in legac= y script), then it is actually easier not to exclude it from tapscript, eve= n if we plan to add TXHASH to tapscript as well."

=
But that argument basically rests the entire value of CTV on the shoul= ders of bare CTV.=C2=A0 As I understand, the argument for why we want bare = CTV, instead of just letting people use tapscript, involves the finer detai= ls of weight calculations, and I haven't really reviewed that aspect ye= t.=C2=A0 I think it would need to be pretty compelling to make it worthwhil= e to add CTV for that one use case.


Regarding "OP_TXHASH+CSFSV doesn't seem to be the 'full' = set of things needed", I totally agree we will want more things such a= s CAT, rolling SHA256 opcodes, wider arithmetic, pushing amounts onto the s= tack, some kind of tapleaf manipulation and/or TWEAKVERIFY.=C2=A0 For now, = I only want to argue TXHASH+CSFSV is better than CTV+APO because it gives u= s more value, namely oracle signature verification.=C2=A0 In particular, I = want to argue that TXHASH's push semantics is better that CTV's ver= ify semantics because it composes better by not needing to carry an extra 3= 2-bytes (per instance) in the witness data.=C2=A0 I expect that in a world = of full recursive covenants, TXHASH would still be useful as a fast and che= ap way to verify the "payload" of these covenants, i.e. that a tr= ansaction is paying a certain, possibly large, set of addresses certain spe= cific amounts of money.=C2=A0 And even if not, TXHASH+CSFSV would still be = the way that eltoo would be implemented under this proposal.
=
Hi Russell= ,

Thanks for this email, it's gr= eat to see this approach described.

A few preliminary notes of feedback:

1) a Verify approach can be made to work for OP_TXHASH (even with CTV as= -is) E.g., suppose a semantic added for a single byte stack[-1] sighash fla= g to read the hash at stack[-2], then the hash can be passed in instead of = put on the stack. This has the disadvantage of larger witnesses, but the ad= vantage=C2=A0of allowing undefined sighash flags to pass for any hash type.=
2) using the internal key for APO covenants is not an opt= ion because it makes transaction construction interactive and precludes con= tracts with a NUMS point taproot key. Instead, if you want similar savings,= you should advocate an OP_GENERATOR which puts G on the stack. Further, an= untagged APO variant which has split R and S values would permit something= like <sig> OP_GENERATOR OP_GENERATOR CHECKSIGAPO, which would be onl= y 2 more bytes than CTV.
3) I count something like 20 diff= erent flags in your proposal. As long as flags are under 40 bytes (and 32 a= ssuming we want it to be easy) without upgrading math this should be feasib= le to manipulate on the stack programmatically. This is ignoring some of th= e more flexible additions you mention about picking which outputs/inputs ar= e included. However, 20 flags means that for testing we would want comprehe= nsive tests and understanding for ~1 million different flag combos and the = behaviors they expose. I think this necessitates a formal model of scriptin= g and transaction validity properties. Are there any combinations that migh= t be undesirable?
4) Just hashing or not hashing isn't= actually that flexible, because it doesn't natively let you do things = like (for example) TLUV. You really do need tx operations for directly mani= pulating the data on the stack to construct the hash if you want more flexi= ble covenants. This happens to be compatible with either a Verify or Push a= pproach, since you either destructure a pushed hash or build up a hash for = a verify.
5) Flexible hashing has the potential for quadra= tic hashing bugs. The fields you propose seem to be within similar range to= work you could cause with a regular OP_HASH256, although you'd want to= be careful with some of the proposed extensions that you don't create = risk of quadratic hashing, which seems possible with an output selecting op= code unless you cache properly (which might be tricky to do). Overall for t= he fields explicitly mentioned, seems safe, the "possibles" seem = to have some more complex interactions. E.g., CTV with the ability to pick = a subset of outputs would be exposed to quadratic hashing.
6) Missing field: covering the annex or some sub-range of the annex (quad= ratic hashing issues on the latter)
7) It seems simpler to= , for many of these fields, push values directly (as in OP_PUSHTXDATA from = Johnson Lau) because the combo of flags to push the hash of a single output= 's amount to emulate OP_AMOUNT looks 'general but annoying'. It= may make more sense to do the OP_PUSHTXDATA=C2=A0style opcode instead. Thi= s also makes it simpler to think about the combinations of flags, since it&= #39;s really N independent multi-byte opcodes.

<= div style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:r= gb(0,0,0)">
Ultimately if we had OP_TXHASH available &= quot;tomorrow", I would be able to build out the use cases I care abou= t for CTV (and more). So I don't have an opposition on it with regards = to lack of function.

However, i= f one finds the TXHASH approach acceptable, then you should also be relativ= ely fine doing APO, CTV, CSFS, TXHASH acceptable in any order (whenever &qu= ot;ready"), unless you are particularly sensitive to "technical d= ebt" and "soft fork=C2=A0processes". The only costs of doing= something for CTV or APO given an eventual TXHASH=C2=A0is perhaps a wasted= key version or the 32 byte argument of a NOP opcode and some code to maint= ain.

Are there other costs I am missing?

However, as it pertains to a= ctual rollout:

- OP_TXHASH+CSFSV doe= sn't seem to be the "full" set of things needed (we still nee= d e.g. OP_CAT, Upgraded >=3D64 bit Math, TLUV or OP_TWEAK OP_TAPBRANCH O= P_MANIPULATETAPTREE, and more) to full realize covenanting power it intends= to introduce.=C2=A0
- What sort of timeline would it take= to ready something like TXHASH=C2=A0(and desired friends) given greater sc= ope of testing and analysis (standalone=C2=A0+ compared to CTV)?
- Is there opposition from the community to this degree of general/r= ecursive covenants?
- Does it make "more sense" = to invest the research and development effort that would go into proving=C2= =A0TXHASH safe, for example, into Simplicity instead?

=
Overall, my opinion is that:

=
- TXHASH=C2=A0is an acceptable theoretical approach, and = I am happy to put more thought into it and maybe draft a prototype of it.
- I prefer CTV as a first step for pragmatic engineering an= d availability timeline reasons.
- If TXHASH were to take,= optimistically, 2 years to develop and review, and then 1 year to activate= , the "path dependence of software" would put Bitcoin in a much b= etter place were we to have CTV within 1 year and applications (that are to= be a subset of TXHASH=C2=A0later) being built over the next few years enha= nced in the future by TXHASH's availability.=C2=A0
- T= here is an element of expediency meritted for something like CTV insofar as= it provides primitives to tackle time sensitive issues around privacy, sca= lability, self custody, and decentralization. The aforementioned properties= may be difficult to reclaim once given away (with the exception of perhaps= scalability).
- Bringing CTV to an implemented state of n= ear-unanimous "we could do this, technically" is good for concret= ely driving the process of review for any covenant proposals forward, irres= pective of if we ultimately activate. (I.e., if there were a reason we coul= d not do CTV safely, it would likely have implications for any other future= covenant)

Concretely, I'm not g= oing to stop advocating for CTV based on the above, but I'm very happy = to have something new in the mix to consider!

Best,

Jeremy




On Wed, Jan 26, 2022 at 9:23 AM Russell O'Connor = via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
<= div>Recapping the relationship between CTV and ANYPREVOUT::
<= br>
It is known that there is a significant amount of overlap in = the applications that are enabled by the CTV and ANYPREVOUT proposals despi= te the fact that their primary applications (congestion control for CTV and= eltoo lightning channels for ANYPREVOUT) are quite distinct.
In = particular, ANYPREVOUT can enable most of the applications of CTV, albeit w= ith a higher cost.=C2=A0 The primary functionality of CTV is to allow a scr= iptPubKey to make a commitment to its spending transaction's hash with = the input's TXID excluded from the hash.=C2=A0 This exclusion is necess= ary because the scriptPubKey is hashed into the input's TXID, and inclu= ding the TXID would cause a cycle of hash commitments, which is impossible = to construct.=C2=A0 On the other hand, ANYPREVOUT defines a signature hash = mode that similarly excludes the inputs TXID for its purpose of rebindable = signatures.

This means that ANYPREVOUT can mimic m= ost of the properties of CTV by committing both a public key along with an = ANYPREVOUT signature inside scriptPubKey.=C2=A0 In fact, the only reason Bi= tcoin doesn't have covenants today is due to this cycle between scriptP= ubKeys and the TXIDs that occur in all the sighash modes.
The major differences between simulating CTV via ANYPREVOUT and= the actual CTV proposal is: (1) The cost of simulating CTV.=C2=A0 With CTV= the spending transaction is committed using a hash of 32 bytes, while simu= lating it with ANYPREVOUT requires 64 bytes for a signature, and 32 bytes f= or some public key, plus a few more bytes for various flags.=C2=A0 Some of = that cost could be reduced by using the inner public key (1 byte representa= tion) and, if we had CAT, maybe by assembling the signature from reusable p= ieces (i.e. setting the nonce of the commited signature equal to the public= key).

The other major difference is: (2) CTV&= #39;s transaction hash covers values such as the number of inputs in the tr= ansaction and their sequence numbers, which ANYPREVOUT does not cover.=C2= =A0 CTV's hash contains enough information so that when combined with t= he missing TXIDs, you can compute the TXID of the spending transaction.=C2= =A0 In particular if the number of inputs is committed to being 1, once the= scriptpubkey's transaction id is known and committed to the blockchain= , the TXID of its spending transaction is deducible.=C2=A0 And if that tran= saction has outputs that have CTV commitments in them, you can deduce their= spending TXIDs in turn.=C2=A0 While this is a pretty neat feature, somethi= ng that ANYPREVOUT cannot mimic, the main application for it is listed as u= sing congestion control to fund lightning channels, fixing their TXIDs in a= dvance of them being placed on chain.=C2=A0 However, if ANYPREVOUT were use= d to mimic CTV, then likely it would be eltoo channels that would be funded= , and it isn't necessary to know the TXIDs of eltoo channels in advance= in order to use them.



An Alternative Proposal::

Given the overlap= in functionality between CTV and ANYPREVOUT, I think it makes sense to dec= ompose their operations into their constituent pieces and reassemble their = behaviour programmatically.=C2=A0 To this end, I'd like to instead prop= ose OP_TXHASH and OP_CHECKSIGFROMSTACKVERIFY.

OP_T= XHASH would pop a txhash flag from the stack and compute a (tagged) txhash = in accordance with that flag, and push the resulting hash onto the stack.
OP_CHECKSIGFROMSTACKVERIFY would pop a pubkey, message, and si= gnature from the stack and fail if the signature does not verify on that me= ssage.

CTV and TXHASH have roughly equivalent func= tionality.=C2=A0 'CTV DROP' can be simulated by '<ctv_style_= flag> TXHASH EQUALVERIFY'.=C2=A0 The reverse is also true where '= ;<ctv_style_flag> TXHASH' can be simulated by CTV by '<ctv= -result-from-witness-stack> CTV', however, as you can see, simulatin= g TXHASH from CTV is much more expensive than the other way around, because= the resulting 32-byte hash result must be included as part of the witness = stack.

'<anyprevout-pubkey> CHECKSIGVERI= FY can be simulated by '<apo_style_flag> TXHASH <pubkey> CH= ECKSIGFROMSTACKVERIFY'.=C2=A0 Here we see the advantage of pushing the = hash value onto the stack.=C2=A0 APO can be simulated without needing to in= clude a copy of the resulting txhash inside the witness data.

In addition to the CTV and ANYPREVOUT applications, with CH= ECKSIGFROMSTACKVERIFY we can verify signatures on arbitrary messages signed= by oracles for oracle applications.=C2=A0 This is where we see the benefit= of decomposing operations into primitive pieces.=C2=A0 By giving users the= ability to program their own use cases from components, we get more applic= ations out of fewer op codes!



<= /div>
Caveats::

First, I acknowledge that repl= icating the behaviour of CTV and ANYPREVOUT does cost a few more bytes than= using the custom purpose built proposals themselves.=C2=A0 That is the pri= ce to be paid when we choose the ability to program solutions from pieces.= =C2=A0 But we get to reap the advantages of being able to build more applic= ations from these pieces.

Unlike CTV, TXHASH i= s not NOP-compatable and can only be implemented within tapscript.=C2=A0 In= particular, bare CTV isn't possible with this proposal.=C2=A0 However,= this proposal doesn't preclude the possibility of having CTV added to = legacy script in while having TXHASH added to tapscript.

For similar reasons, TXHASH is not amenable to extending the set of = txflags at a later date.=C2=A0 In theory, one could have TXHASH abort-with-= success when encountering an unknown set of flags.=C2=A0 However, this woul= d make analyzing tapscript much more difficult. Tapscripts would then be ab= le to abort with success or failure depending on the order script fragments= are assembled and executed, and getting the order incorrect would be catas= trophic.=C2=A0 This behavior is manifestly different from the current batch= of OP_SUCCESS opcodes that abort-with-success just by their mere presence,= whether they would be executed or not.

I believe = the difficulties with upgrading TXHASH can be mitigated by designing a robu= st set of TXHASH flags from the start.=C2=A0 For example having bits to con= trol whether (1) the version is covered; (2) the locktime is covered; (3) t= xids are covered; (4) sequence numbers are covered; (5) input amounts are c= overed; (6) input scriptpubkeys are covered; (7) number of inputs is covere= d; (8) output amounts are covered; (9) output scriptpubkeys are covered; (1= 0) number of outputs is covered; (11) the tapbranch is covered; (12) the ta= pleaf is covered; (13) the opseparator value is covered; (14) whether all, = one, or no inputs are covered; (15) whether all, one or no outputs are cove= red; (16) whether the one input position is covered; (17) whether the one o= utput position is covered; (18) whether the sighash flags are covered or no= t (note: whether or not the sighash flags are or are not covered must itsel= f be covered).=C2=A0 Possibly specifying which input or output position is = covered in the single case and whether the position is relative to the inpu= t's position or is an absolute position.

That = all said, even if other txhash flag modes are needed in the future, adding = TXHASH2 always remains an option.



Interactions with potential future opcodes::

We should give some consideration on how these opcode= s may interact with future opcodes such as CAT, rolling SHA256 opcodes, or = how it might interface with other covenant opcodes that may do things like,= directly push input or output amounts onto the stack for computation purpo= ses, opcodes which have been added to the Elements project.

<= /div>
With CAT and/or rolling SHA256 opcodes and/or existing SHA256 opc= odes, the CHECKSIGFROMSTACKVERIFY could verify signatures on programmatical= ly assembled messages.=C2=A0 Also, in combination with multiple calls to TX= HASH, could be used to create signatures that commit to complex subsets of = transaction data.

If new opcodes are added to push= parts of the transaction data direction onto the stack, e.g. OP_INSPECTOUT= PUTVALUE, there is perhaps concern that they would obsolete TXHASH, since, = in the presence of rolling SHA256 opcodes, TXHASH could be simulated.=C2=A0= However, given that TXHASH can compactly create a hash of large portions o= f transaction data, it seems unlikely that TXHASH would fall into disuse.= =C2=A0 Also, a combination of TXHASH and transaction introspection opcodes = can be used to build "subtractive covenants".
The usual way of building a covenant, which we will call "= ;additive covenants", is to push all the parts of the tr= ansaction data you would like to fix onto the stack, hash it all together, = and verify the resulting hash matches a fixed value.=C2=A0 Another way of b= uilding covenants, which we will call "subtractive covenants&qu= ot;, is to push all the parts of the transaction data you would like to rem= ain free onto the stack.=C2=A0 Then use rolling SHA256 opcodes starting fro= m a fixed midstate that commits to a prefix of the transaction hash data. T= he free parts are hashed into that midstate.=C2=A0 Finally, the resulting h= ash value is verified to match a value returned by TXHASH.=C2=A0 The abilit= y to nicely build subtractive covenants depends on the details of how the T= XHASH hash value is constructed, something that I'm told CTV has given = consideration to.
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000f9bbcd05d699614f--