Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 6F103C0032 for ; Mon, 23 Oct 2023 02:13:26 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 48C728206E for ; Mon, 23 Oct 2023 02:13:26 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 48C728206E Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key) header.d=rustcorp.com.au header.i=@rustcorp.com.au header.a=rsa-sha256 header.s=202305 header.b=YUVF0LKl X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.604 X-Spam-Level: X-Spam-Status: No, score=-1.604 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4LmgKQu6MfYi for ; Mon, 23 Oct 2023 02:13:24 +0000 (UTC) Received: from gandalf.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3]) by smtp1.osuosl.org (Postfix) with ESMTPS id B37368206A for ; Mon, 23 Oct 2023 02:13:24 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org B37368206A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rustcorp.com.au; s=202305; t=1698027199; bh=OUW8izyxzZIEaSLGB4zOo1oTQN+g9qHdzX0iT1serz0=; h=From:To:Subject:In-Reply-To:References:Date:From; b=YUVF0LKlk4UPzgiyj2HNgAZq1y6fYA9DKiGnzpa0VHuJ9lBtlubehef+gWU3U44Wj 9lXYXhM4LdOoLpVAvp1kk1iv0gaw7vDU8r7Um/f1LLbAhbBNPeBXnWd45bZXfXI9nS /mIHpIrGv1fqRIgjc536hFSlJJtgZf4mTy4kIztv4k2WV1nDO1ao1E9Ra06q4OBUOY WSO4NL/NXTSTonYDFKte5qF2tqox3Pykkfk4mx8pFU9ITb7gbRn11DZt2VbMmiky4U Q5XahP+vMl0di9MvoP08comssAv8AifqkNXGGcgEoNcJ5il8HC5Gv+YSmteSsBvNIv tSuh7R29i+Mug== Received: by gandalf.ozlabs.org (Postfix, from userid 1011) id 4SDJdC0TWPz4x5j; Mon, 23 Oct 2023 13:13:19 +1100 (AEDT) From: Rusty Russell To: Brandon Black , Bitcoin Protocol Discussion In-Reply-To: References: <87v8b2vu4q.fsf@rustcorp.com.au> Date: Sun, 22 Oct 2023 14:46:33 +1030 Message-ID: <87edhnwau6.fsf@rustcorp.com.au> MIME-Version: 1.0 Content-Type: text/plain Subject: Re: [bitcoin-dev] Examining ScriptPubkeys in Bitcoin Script X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Oct 2023 02:13:26 -0000 Brandon Black writes: > On 2023-10-20 (Fri) at 14:10:37 +1030, Rusty Russell via bitcoin-dev wrote: >> I've done an exploration of what would be required (given >> OP_TX/OP_TXHASH or equivalent way of pushing a scriptPubkey on the >> stack) to usefully validate Taproot outputs in Bitcoin Script. Such >> functionality is required for usable vaults, at least. > > So you're proposing this direction as an alternative to the more > constrained OP_UNVAULT that replaces a specific leaf in the taptree in a > specific way? I think the benefits of OP_UNVAULT are pretty big vs. a > generic construction (e.g. ability to unvault multiple inputs sharing > the same scriptPubkey to the same output). I would have to write the scripts exactly (and I'm already uncomfortable that I haven't actually tested the ones I wrote so far!) to properly evaluate. In general, script makes it hard to do N-input evaluation (having no iteration). It would be useful to attempt this though, as it might enlighted us as to OP_TXHASH input selection: for example, we might want to have an "all *but* one input" mode for this kind of usage. Dealing with satsoshi amounts is possible, but really messy (that's my next post). >> TL;DR: if we have OP_TXHASH/OP_TX, and add OP_MULTISHA256 (or OP_CAT), >> OP_KEYADDTWEAK and OP_LESS (or OP_CONDSWAP), and soft-fork weaken the >> OP_SUCCESSx rule (or pop-script-from-stack), we can prove a two-leaf >> tapscript tree in about 110 bytes of Script. This allows useful >> spending constraints based on a template approach. > > I agree that this is what is needed. I started pondering this in > response to some discussion about the benefits of OP_CAT or OP_2SHA256 > for BitVM. Given these examples, I think it's clear that OP_MULTISHA256 is almost as powerful as OP_CAT, without the stack limit problems. And OP_2SHA256 is not sufficient in general for CScriptNum generation, for example. > Personally I'd use OP_TAGGEDCATHASH that pops a tag (empty tag can be > special cased to plain sha256) and a number (n) of elements to hash, > then tagged-hashes the following 'n' elements from the stack. That's definitely a premature optimization to save two opcodes. Cheers, Rusty.