Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 94884AA5 for ; Thu, 6 Jun 2019 07:30:19 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40130.protonmail.ch (mail-40130.protonmail.ch [185.70.40.130]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id CE77C844 for ; Thu, 6 Jun 2019 07:30:18 +0000 (UTC) Date: Thu, 06 Jun 2019 07:30:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1559806216; bh=99nLeGrnYWYZh1U6Ihdsij+bY6L1sioBFHn57TcVMp4=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=xRAp2CPnDx9fuO9kh99GXFz+2IfxjdBVVW7Ku/h7pi31/DAqSiQRQ6k3jbJcxfT7n pT7DAyB7p4+ItwmCnybYWkjW+7W3NYVKj7iGp6585F8dGmVHRFe2jALst/YYm9U5k1 H2HCClhZhusGQWKej5DHe6SCTWNgJ+p59DPuKvNc= To: Anthony Towns , Bitcoin Protocol Discussion From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: In-Reply-To: <20190605093039.xfo7lcylqkhsfncv@erisian.com.au> References: <20190605093039.xfo7lcylqkhsfncv@erisian.com.au> Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 06 Jun 2019 07:32:41 +0000 Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Jun 2019 07:30:19 -0000 Good morning aj, Sent with ProtonMail Secure Email. =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 On Wednesday, June 5, 2019 5:30 PM, Anthony Towns via bitcoin-dev wrote: > On Fri, May 31, 2019 at 10:35:45PM -0700, Jeremy via bitcoin-dev wrote: > > > OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBAG*. > > I think you could generalise that slightly and make it fit in > with the existing opcode naming by calling it something like > "OP_CHECKTXDIGESTVERIFY" and pull a 33-byte value from the stack, > consisting of a sha256 hash and a sighash-byte, and adding a new sighash > value corresponding to the set of info you want to include in the hash, > which I think sounds a bit like "SIGHASH_EXACTLY_ONE_INPUT | SIGHASH_ALL" > > FWIW, I'm not really seeing any reason to complicate the spec to ensure > the digest is precommitted as part of the opcode. > I believe in combination with `OP_LEFT` and `OP_CAT` this allows Turing-com= plete smart contracts, in much the same way as `OP_CHECKSIGFROMSTACK`? Pass in the spent transaction (serialised for txid) and the spending transa= ction (serialised for sighash) as part of the witness of the spending trans= action. Script verifies that the spending transaction witness value is indeed the s= pending transaction by `OP_SHA256 OP_SWAP OP_CAT OP_CHECKTXDI= GESTVERIFY`. Script verifies the spent transaction witness value is indeed the spent tra= nsaction by hashing it, then splitting up the hash with `OP_LEFT` into byte= s, and comparing the bytes to the bytes in the input of the spending transa= ction witness value (txid being the bytes in reversed order). Then the Script can extract a commitment of itself by extracting the output= of the spent transaction. This lets the Script check that the spending transaction also pays to the s= ame script. The Script can then access a state value, for example from an `OP_RETURN` o= utput of the spent transaction, and enforce that a correct next-state is us= ed in the spending transaction. If the state is too large to fit in a standard `OP_RETURN`, then the curren= t state can be passed in as a witness and validated against a hash commitme= nt in an `OP_RETURN` output. I believe this is the primary reason against not pulling data from the stac= k. Regards, ZmnSCPxj