Delivery-date: Wed, 12 Mar 2025 03:53:25 -0700
Sender: bitcoindev@googlegroups.com
Received-SPF: pass (google.com: domain of nadav@shesek.info designates 2607:f8b0:4864:20::b2a as permitted sender) client-ip=2607:f8b0:4864:20::b2a;
MIME-Version: 1.0
References: <Z8eUQCfCWjdivIzn@erisian.com.au> <CAGXD5f3EGyUVBc=bDoNi_nXcKmW7M_-mUZ7LOeyCCab5Nqt69Q@mail.gmail.com>
 <Z9ED_dez7_UHxjK0@erisian.com.au>
In-Reply-To: <Z9ED_dez7_UHxjK0@erisian.com.au>
From: Nadav Ivgi <nadav@shesek.info>
Date: Wed, 12 Mar 2025 12:02:27 +0200
Message-ID: <CAGXD5f3zHuwGq+M1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ@mail.gmail.com>
Subject: Re: [bitcoindev] "Recursive covenant" with CTV and CSFS
To: Anthony Towns <aj@erisian.com.au>
Cc: bitcoindev@googlegroups.com
Content-Type: multipart/alternative; boundary="00000000000020f3310630224efe"
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com

--00000000000020f3310630224efe
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Mar 12, 2025 at 5:48=E2=80=AFAM Anthony Towns <aj@erisian.com.au> w=
rote:

> I think the original COSHV implementation had the hash appear a push
> *after*
> the CTV opcode.
>
> https://github.com/JeremyRubin/bips/blob/op-checkoutputshashverify/bip-co=
shv.mediawiki


Yes you are of course correct. My memory failed me, should've looked up the
BIP :)

With either APO or CTV alone you can do an arbitrarily long chain of
> commitments,

adding CSFS and discarding the CSFS private key allows
> you to have a single commitment that can be reused indefinitely.


With APO alone, you can use one of two constructs:

1. Trustless, Finite - using a chain of pre-computed transactions where the
signature for the next transaction is committed to in the scriptPubKey.
This has similar properties to what you can get with CTV alone.

2. Trusted, Infinite - using a simple non-committed signature spending back
to the same address. This has similar properties to your CTV+CSFS construct=
.

Does adding CSFS enable any additional designs?

I think it's impossible to get Trustless, Infinite short of having full
introspection abilities (CAT/TXHASH/Elements-like), right?

With Elements it's pretty straightforward, something like
`OP_PUSHCURRENTINPUTINDEX OP_INSPECTINPUTSCRIPTPUBKEY <0>
OP_INSPECTOUTPUTSCRIPTPUBKEY OP_ROT OP_EQUALVERIFY OP_EQUAL`

You could have CTV commit to two inputs, with the second input's entire
> value being burnt to fees, but that's fairly annoying


Yes, preparing an exact-sized utxo for fees is indeed annoying. However
it's not much different from CPFP - an extra tx with the same overall
number of inputs/outputs, only around 46vB less efficient[0] (assuming you
need change[1]). So at least for some use-cases it's not terrible either.

One important difference is that for a BMM-like bidding system, losing bids
would still pay tx fees (and take up chain space) for creating the fee
utxo, unlike with CPFP where only the winning bid pays fees. But for other
cases, the difference would be negligible.

Of course, the most WU-optimal construct is APO|SINGLE (implying ACP) that
you mentioned, where no extra transaction is needed at all.

[0] Assuming you need to use N coins for fees and that change is needed,
with an exact-sized fee utxo you have a N-in, 2-out tx to prepare the fee
utxo, then a 2-in, 1-out for the main tx - for a total of N+2 inputs and 3
outputs. With CPFP, its 1-in, 2-out for the main tx, then a N+1-in, 1-out
tx for the CPFP fee bump - also for a total of N+2 inputs and 3 outputs.
However, with CPFP you could use Pay-to-Anchor (while the fee utxo has to
be key-encumbered), saving 65WU for one input plus 30vB/120WU for one
output, making it more efficient by a total of 185WU/46vB (assuming the fee
utxo uses key-path P2TR).

[1] If you happen to have an existing utxo to pay fees with, the 2-input
CTV template would be as efficient as it gets, on par with APO|SINGLE. This
can be extended to combos of multiple utxos, by adding more CTV tapleaves
for different numbers of inputs (at a slight cost of larger control
blocks). With large wallets it could be plausible to find such combos.

Cheers,
shesek

--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
CAGXD5f3zHuwGq%2BM1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ%40mail.gmail.com.

--00000000000020f3310630224efe
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote gmail_quote_container"><div dir=
=3D"ltr" class=3D"gmail_attr">On Wed, Mar 12, 2025 at 5:48=E2=80=AFAM Antho=
ny Towns &lt;<a href=3D"mailto:aj@erisian.com.au">aj@erisian.com.au</a>&gt;=
 wrote:</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I think the original COSHV implementation had the hash appear a push *after=
*<br>
the CTV opcode.<br>
<a href=3D"https://github.com/JeremyRubin/bips/blob/op-checkoutputshashveri=
fy/bip-coshv.mediawiki" rel=3D"noreferrer" target=3D"_blank">https://github=
.com/JeremyRubin/bips/blob/op-checkoutputshashverify/bip-coshv.mediawiki</a=
></blockquote><div><br></div><div>Yes you are of course correct. My memory =
failed me, should&#39;ve looked up the BIP :) <br></div><div><br></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left=
:1px solid rgb(204,204,204);padding-left:1ex">
With either APO or CTV alone you can do an arbitrarily long chain of commit=
ments,</blockquote><div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">a=
dding CSFS and discarding the CSFS private key allows<br>
you to have a single commitment that can be reused indefinitely.</blockquot=
e>=C2=A0</div><div>With APO alone, you can use one of two constructs:</div>=
<div><br></div><div></div><div>1. Trustless, Finite - using a chain of pre-=
computed transactions where the signature for the next transaction is commi=
tted to in the scriptPubKey. This has similar properties to what you can ge=
t with CTV alone.</div><div><br></div><div><div>2. Trusted, Infinite - usin=
g a simple non-committed signature spending back to the
 same address. This has similar properties to your CTV+CSFS construct.</div=
></div><div><br></div><div>Does adding CSFS enable any additional designs?<=
/div><div><br></div><div>I think it&#39;s impossible to get Trustless, Infi=
nite short of having full introspection abilities (CAT/TXHASH/Elements-like=
), right?</div><div><br></div><div><div>With Elements it&#39;s pretty strai=
ghtforward, something like `OP_PUSHCURRENTINPUTINDEX=20
OP_INSPECTINPUTSCRIPTPUBKEY &lt;0&gt; OP_INSPECTOUTPUTSCRIPTPUBKEY=20
OP_ROT OP_EQUALVERIFY OP_EQUAL`</div><br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">

You could have CTV commit to two inputs, with the second input&#39;s entire=
<br>
value being burnt to fees, but that&#39;s fairly annoying</blockquote><div>=
<br></div><div>Yes, preparing an exact-sized utxo for fees is indeed annoyi=
ng. However it&#39;s not much different from CPFP - an extra tx with the sa=
me overall number of inputs/outputs, only around 46vB less efficient[0] (as=
suming you need change[1]). So at least for some use-cases it&#39;s not ter=
rible either.</div><br><div>One important difference is that for a BMM-like=
 bidding system, losing bids would still pay tx fees (and take up chain spa=
ce) for creating the fee utxo, unlike with CPFP where only the winning bid =
pays fees. But for other cases, the difference would be negligible.</div><d=
iv><br></div><div>Of course, the most WU-optimal construct is APO|SINGLE (i=
mplying ACP) that you mentioned, where no extra transaction is needed at al=
l.</div><div><br></div><div>[0] Assuming you need to use N coins for fees a=
nd that change is needed, with an exact-sized fee utxo you have a N-in, 2-o=
ut tx to prepare the fee utxo, then a 2-in, 1-out for the main tx - for a t=
otal of N+2 inputs and 3 outputs. With CPFP, its 1-in, 2-out for the main t=
x, then a N+1-in, 1-out tx for the CPFP fee bump - also for a total of N+2 =
inputs and 3 outputs. However, with CPFP you could use Pay-to-Anchor (while=
 the fee utxo has to be key-encumbered), saving 65WU for one input plus 30v=
B/120WU for one output, making it more efficient by a total of 185WU/46vB (=
assuming the fee utxo uses key-path P2TR).</div><div><br></div><div>[1] If =
you happen to have an existing utxo to pay fees with, the 2-input CTV templ=
ate would be as efficient as it gets, on par with APO|SINGLE. This can be e=
xtended to combos of multiple utxos, by adding more CTV tapleaves for diffe=
rent numbers of inputs (at a slight cost of larger control blocks). With la=
rge wallets it could be plausible to find such combos.</div><div><br></div>=
Cheers,</div><div class=3D"gmail_quote gmail_quote_container">shesek</div><=
/div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &=
quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to <a href=3D"mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoind=
ev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href=3D"https://groups.google.com/d/msgid/=
bitcoindev/CAGXD5f3zHuwGq%2BM1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ%40mail.gma=
il.com?utm_medium=3Demail&utm_source=3Dfooter">https://groups.google.com/d/=
msgid/bitcoindev/CAGXD5f3zHuwGq%2BM1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ%40ma=
il.gmail.com</a>.<br />

--00000000000020f3310630224efe--