Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id ACCCCC0032 for ; Mon, 6 Mar 2023 15:25:28 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 851E981462 for ; Mon, 6 Mar 2023 15:25:28 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 851E981462 Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20210112 header.b=KEPCKUl9 X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b5I0JM_Mllvl for ; Mon, 6 Mar 2023 15:25:27 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 43E8B80E62 Received: from mail-oa1-x32.google.com (mail-oa1-x32.google.com [IPv6:2001:4860:4864:20::32]) by smtp1.osuosl.org (Postfix) with ESMTPS id 43E8B80E62 for ; Mon, 6 Mar 2023 15:25:27 +0000 (UTC) Received: by mail-oa1-x32.google.com with SMTP id 586e51a60fabf-176b90e14a9so4119271fac.9 for ; Mon, 06 Mar 2023 07:25:27 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1678116326; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+hl9viP1p2Zf/uWKlPYzMlAysuCRnem2npeV1du65QM=; b=KEPCKUl9Cco2GR8odlZPaIQQ8uU2tZy2OZ1QiUtOQ4B17d0q0RIrDnFi2p1EJmASGB 0rxk8+nklvP2f9N1beU5dT9850kKMQgrA3I4xcDkJr2TYzcB2GLZVDbLM+1S8K8412bX ikXAdC91xv2JeiQSwrQm0lfhwOxWcsQJl+0g5cmfdD1aVJYrWrHwoP02SeC9raH6jx3C VAdCbe+SvNc9mZNP95yov2uzNOyDlR1o5ztlClBu+SVSIsYsdjVFOdx5uzeG/dB3ZxxA OEPzr87L4ChxwjR5Gblxmm7V5oXWIRt/3QZ9TAzy4ITQB4BO41Tjs3k163h3aFuyeJhU uaRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678116326; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+hl9viP1p2Zf/uWKlPYzMlAysuCRnem2npeV1du65QM=; b=HR3QBMPJ3OcgO83fht/lCi4knXWH390DHlHFEOF7SKxznDjTH33xSYpcDgUMAWlH4C BKu3sA5Se7jKLfkxfIDzkbfElIhDeZYzbPmx/iqIiwQvRzBqX1YeN8eFXd2pr4jd5bwG VI4k/f9sTuhEWUUTmIc8WNri3R/jtNQRn+a5XuMRM3TFjsKs/oIvjY+t8LTm1CMBL4Zu Q3/8uDVPaCMN/EXnkkl5oEES9lwOnE7JYN0gQPF3xdbontJMQnqSvJ7mqiWSUE0sLRhm DYErIm0yWTH1tpr6GuE355W2BwDF2TbRLqImTys1M5RJ/UUGpVIpS0OhnfywTUPX8leg bSyw== X-Gm-Message-State: AO0yUKWsYJ57vc6/4dXnSJb9e5vNeNL2BSjaMJDrevIkxOiYHVWtcJmQ L7pJJFg9J2O+waZhrAte8dC17UUq+qSlf1lvJJt8wbq/SME= X-Google-Smtp-Source: AK7set/pwvCba69KSbH2NMM65FyKfTbM6y47iM34imCKmQmBc4cawaMgAT4V66M55zJ7NSNtJf5xvHBYHMR5rePGDtg= X-Received: by 2002:a05:6871:4495:b0:176:3e22:3f99 with SMTP id ne21-20020a056871449500b001763e223f99mr7181248oab.2.1678116326028; Mon, 06 Mar 2023 07:25:26 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: "James O'Beirne" Date: Mon, 6 Mar 2023 10:25:38 -0500 Message-ID: To: Greg Sanders Content-Type: multipart/alternative; boundary="000000000000813aec05f63ce78f" Cc: Bitcoin Protocol Discussion , Anthony Towns Subject: Re: [bitcoin-dev] BIP for OP_VAULT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Mar 2023 15:25:28 -0000 --000000000000813aec05f63ce78f Content-Type: text/plain; charset="UTF-8" I'm glad to see that Greg and AJ are forming a habit of hammering this proposal into shape. Nice work fellas. To summarize: What Greg is proposing above is to in essence TLUV-ify this proposal. I.e. instead of relying on hashed commitments and recursive script execution (e.g. + later presentation of preimage script for execution), OP_VAULT would instead move through its withdrawal process by swapping out tapleaf contents according to specialized rules. If this is opaque (as it was to me), don't fret - I'll describe it below in the "mechanics" section. The benefits of this TLUVification are - we can avoid any nested/recursive script execution. I know the recursive stuff rankles some greybeards even in spite of it being bounded to a single call. I'm not sure I share the concern but maintaining the status quo seems good. - the spec is easier to reason about, more or less. The opcodes introduced don't have variadic witness requirements, and each opcode is only consumed in a single way. - there's less general indirection. Instead of saying "okay, here's the hash of the script I'm going to use to authorize trigger transactions," we're just outright including the trigger auth script in the tapleaf at the birth of the vault as regular 'ol script that is evaluated before execution of the OP_VAULT instruction. Similarly, instead of relying on an implicit rule that an OP_VAULT can be claimed by a recovery flow, we're relying on a specific tapleaf that facilitates that recovery with OP_VAULT_RECOVER, described below. Basically, OP_VAULT would just be implemented in a way that feels more native to Taproot primitives. Greg also introduces different opcodes to facilitate consistent witness structure, rather than the variable ones we have now since OP_VAULT and OP_UNVAULT can each be spent in two different contexts. I've changed those a little here; instead of the three general ones Greg gave, we whittled it down to two: OP_VAULT and OP_VAULT_RECOVER. So I think that, barring significant implementation complexity - which I'll find out about soon and don't expect - this is a good change to the proposal. As Greg noted, it doesn't really change anything about the usage or expressiveness... other than the fact that, as a bonus, it might allow an optional withdrawal authorization script (i.e. trigger output => final target), which could be useful if e.g. some kind of size-limiting opcode (e.g. OP_TX_MAXSIZE or something) came around in the future as a kind of pinning fix. If that last bit lost you, don't worry - that is speculative, but the point is that this rework composes well with other stuff. # CTV use Another thing that has dawned on us is that we might as well just reuse OP_CHECKTEMPLATEVERIFY for withdrawal target spends. Ben Carmen and others realized early on that you can synthesize CTV-like behavior by spending to a 0-delay OP_UNVAULT output, so something CTVish has always implicitly been a part of the proposal. But CTV is better studied and basically as simple as the OP_UNVAULT spend semantics, so the thought is that we might as well reuse all the existing work (and scrutiny) from CTV. As a concrete example, an issue with the existing proposal is that the existing CTVish OP_UNVAULT behavior has txid malleability, since it doesn't commit to nVersion or nLockTime or the input sequences. Using CTV solves this issue. Otherwise we'd basically reinvent it - "something something convergent evolution." I think this is a satisfying development, because there's clearly demand for CTV use in other contexts (DLC efficiency, e.g.), and if it's required behavior for practical vaults, I think pulling in the existing BIP-119 that's been worked over for years reduces the conceptual surface area added by OP_VAULT. # New mechanics of the proposal So here I'm going to describe my rendering of Greg and AJ's suggestions. ## Required opcodes - OP_VAULT: spent to trigger withdrawal - OP_VAULT_RECOVER: spent to recover - OP_CHECKTEMPLATEVERIFY: spent into final withdrawal target Creating an initial deposit --------------------------- For each vault, vaulted coins are spent to an output with the taproot structure taproot(internal_key, {$recovery_leaf, $trigger_leaf, ...}) where internal_key = unchanged from original proposal (some very safe recovery key) $recovery_leaf = [ ] OP_VAULT_RECOVER $trigger_leaf =