summaryrefslogtreecommitdiff
path: root/3f/a7ab991ae747bf94c7dcd7457dc93b6dbf23ab
blob: 1bb23b2f8f96ee0dbca679651857461379bab8bc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
Return-Path: <antoine.riard@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 33E17C0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 13 Sep 2023 20:25:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 19B8481F4C
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 13 Sep 2023 20:25:22 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 19B8481F4C
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.a=rsa-sha256 header.s=20221208 header.b=cXnOtcTN
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level: 
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.999,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
 autolearn=no autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id vunX6xVIHt3y
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 13 Sep 2023 20:25:20 +0000 (UTC)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com
 [IPv6:2607:f8b0:4864:20::12d])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 0FF02813E8
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 13 Sep 2023 20:25:19 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 0FF02813E8
Received: by mail-il1-x12d.google.com with SMTP id
 e9e14a558f8ab-34ccedcc584so871845ab.0
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Wed, 13 Sep 2023 13:25:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20221208; t=1694636719; x=1695241519;
 darn=lists.linuxfoundation.org; 
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:from:to:cc:subject:date:message-id:reply-to;
 bh=nA3o72Jlatg4dOZ2bT5JMSkAG1feQv1H6jJtBXWuhSc=;
 b=cXnOtcTNCq1splhKNL9AjDmh3rsbSmf1Zp/JrHHUjCwBco5KBdUD7z5eYFyL+L/0Kt
 0DEHFaNWSfM/upQUUh8qsLjm+ehi4ovVJeeADqEyV2bBvx5onuI6apCwga4HNpy4Og4k
 d5OlXc73jePDQe2OqWVctnX+PkABwuq5UfO6hYWdkJuP3ZBFnbfXEzPyEz1P5NY/X3Ct
 mzMXoWJi5Ol58h0LMJeweamS3ejw/zjBWka8hovLRu450Xd3JAVhsGAJboZlo4oKdtqJ
 vBK0e/lNAFUCLY3vwB4xqHpDyDsSbodNrD705wU+uyacJQY2v0UNGs+qp4whsJJd3Qj9
 /l0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1694636719; x=1695241519;
 h=cc:to:subject:message-id:date:from:in-reply-to:references
 :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=nA3o72Jlatg4dOZ2bT5JMSkAG1feQv1H6jJtBXWuhSc=;
 b=EJVmdaUjEWw1fXxYN1PpHXktS70YALUWLpLb2J6pEHEpPb60PwXl8l0NaKN2osBSaM
 zs2bY6RyF9Ty1IiX8+XHJIi0OmPNRxZLxB93M/toCCuSz9k+hwcovEBV/Mt9Vfj78yex
 90aIPBE1bEy7wZQyG0h5qS6WBUlAUD7Jk7CXm21Meb9bPTWYSyg6vduXg9Ut/GcXwBKO
 0W4Eow+ghpFd695XuhHAiF1W8kwHrNXxjHBPgECm+YwqdZzoQx5g1Pc7+i6yw9tJCcvL
 1DcYnLKTKLwbxUig7JYbcSLFG4xnSvk35x1qLNuQU/TcAAFVwDt9g/jA25/C+rmAOxbk
 352A==
X-Gm-Message-State: AOJu0Yzq3cX/iyzu8p68Y8mDypAP1rmtVqEVmJN+YNJyrey3/kMaf1Hj
 80gEsExMOSz+d4fzTzGmmWjyqyUBZSDynizS02l/Ibz/3zWU+Q==
X-Google-Smtp-Source: AGHT+IF2GSyDSv8p1iwALi5aMjLth376ObpM6bZ1GqFFTX4hBeXUpu/wl1eVCm3C+9dCetdOI/KwIpNsel+Y0a8hqnc=
X-Received: by 2002:a05:6e02:1c28:b0:34f:7b1e:c568 with SMTP id
 m8-20020a056e021c2800b0034f7b1ec568mr4335331ilh.3.1694636718958; Wed, 13 Sep
 2023 13:25:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAMhCMoFYF+9NL1sqKfn=ma3C_mfQv7mj2fqbqO5WXVwd6vyhLw@mail.gmail.com>
 <CALZpt+F251k7gSpogwFYHxFtGxc_tZjB4UU4SVEr=WvrsyMVMQ@mail.gmail.com>
 <PfvRyT3qBOh4ap8M1a7E45pKofXHR7k0K_YxS8cPE83sPzSiKH9aiAqukMYBTH8svl4Ob3yYWarP9tjnyZS3vidfAmz7Rb9NEj98f9mVxD0=@proton.me>
In-Reply-To: <PfvRyT3qBOh4ap8M1a7E45pKofXHR7k0K_YxS8cPE83sPzSiKH9aiAqukMYBTH8svl4Ob3yYWarP9tjnyZS3vidfAmz7Rb9NEj98f9mVxD0=@proton.me>
From: Antoine Riard <antoine.riard@gmail.com>
Date: Wed, 13 Sep 2023 21:25:07 +0100
Message-ID: <CALZpt+Ha5fWoLyf_gn1Q9FChxuOM3EgiCy76LACS-p7tQva-Bw@mail.gmail.com>
To: symphonicbtc <symphonicbtc@proton.me>
Content-Type: multipart/alternative; boundary="000000000000a82c2f0605435b06"
X-Mailman-Approved-At: Fri, 15 Sep 2023 13:48:53 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Concrete MATT opcodes
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2023 20:25:22 -0000

--000000000000a82c2f0605435b06
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Symphonic,

I'm not aware of any theory of the "mining firm" (in the coasian sense)
that would give the lineaments of the cost / income structure of a lambda
mining operation, and from which to predict how a change in the withhold
mined coins impact the long-term sustainability of their business,
especially incorporating relationships with electricity providers and
mining chips makers.

On the impact of disregarding OFAC sanctioned txs, this sounds correct that
as long as this is a minority of economic transactions that a mining
operation can censor, they can afford to stay in business and not lose
long-term blockspace issuance. If the regulation enforcement cost starts to
be too high, they can move to a jurisdiction where regulation costs are
lower [0].

This is indeed a good remark that is unclear if additional constructs and
smart contracts would incentive block-reorgs or transactions censoring
attitudes, or even if we would see "lightning-bounty" transactions
constructs happening generating an economic equilibrium between censorship
and confirmation. I think this is an area deserving more research for sure.

This is unclear if reduction of the timewarp attack too could modify the
miners incentives equilibrium [1].

In the end I can only agree that miners and full-nodes operators incentives
should be a built-in protection in case of consensus upgrades substantially
altering the Bitcoin deep security model. The thing is this model is very
unclear to the best of my knowledge and I don't think anyone has taken time
to formalize it from the years of blocksize wars from then to analyze
carefully proposed covenant upgrades.

Best,
Antoine

[0] Side-note and IANA disclaimer. On the application to US OFAC by Bitcoin
economic entities operators, there is a huge uncertainty if naive
application of OFAC is respecting the EU GDPR, the article 8 of the CEDH
and what is left of Roe vs Wade in the US in terms of constitutional
protections. If you're a human right activist, you have time to dedicate
yourself on years-long issues and you have the dual-level of legal and
technical expertise, I would invite you to open litigations against mining
pools and chainanalysis companies in this space. While European and US
jurisdictions have clear traditional constitutional protections and legal
remedies to protect the end-users zone of data autonomy, I'm incredibly
worried w.r.t to non-Western based jurisdictions less concerned with human
rights, where chainanalysis companies might do ethically concerning things.

[1] Putting back
https://bitcoinops.org/en/topics/consensus-cleanup-soft-fork/ on the
consensus upgrade table I think it would be great to address Bitcoin
consensus "technical debt" and simplify the design and analysis of
covenants and second-layers protocols.


Le lun. 14 ao=C3=BBt 2023 =C3=A0 15:07, symphonicbtc <symphonicbtc@proton.m=
e> a
=C3=A9crit :

> > I think cross-input inspection (not cross-input signature aggregation
> which is different) is opening a pandora box in terms of "malicious"
> off-chain contracts than one could design. E.g miners bribing contracts t=
o
> censor the confirmation of time-sensitive lightning channel transactions,
> where the bribes are paid on the hashrate distribution of miners during t=
he
> previous difficulty period, thanks to the coinbase pubkey.
> >
> > See https://blog.bitmex.com/txwithhold-smart-contracts/ and
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021=
395.html
>
> Hi Antoine,
>
> These two papers make a lot of incorrect assumptions about bitcoins
> security model. The assumption of the existence of constructs such as
> oracles or altchains for =E2=80=9Ctrustless=E2=80=9D out-of-band payments=
 opens the door
> for plenty of things that in reality are not possible without sacrificing
> security. The assumption that these constructs =E2=80=9Cminimize=E2=80=9D=
 miner / attacker
> trust is no better than assuming the existence of an oracle that can simp=
ly
> perform the entire attack.
>
> Moreover, even the limited examples of attacks that do not use these
> constructs completely overlook the fact that bitcoins security model is
> dependent on the preservation of the nash equilibrium between miners. Not
> only is it disincentivized for miners to engage in any form of censorship=
,
> because they can all be fired by node-runners at any time, it is also not
> in miners interests to reorg the chain if say an anonymous miner mines so=
me
> transactions that were being censored. Sustained, successful censorship i=
n
> any capacity assumes that bitcoin is compromised, a 51% attack has
> occurred, and necessitates a change in PoW algorithm. A sufficient CSV in
> LN-like protocols is always sufficient to avoid being attacked in this wa=
y.
>
> The addition of most forms of covenant does not assist any of these
> attacks afaict because they already make assumptions rendering them inval=
id.
>
>
> Symphonic
>
> ------- Original Message -------
> On Monday, August 14th, 2023 at 3:00 AM, Antoine Riard via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>
> > Hi Salvatore,
> > > This also allows inspection of other inputs, that was not possible
> with the original opcodes.
> >
> > I think cross-input inspection (not cross-input signature aggregation
> which is different) is opening a pandora box in terms of "malicious"
> off-chain contracts than one could design. E.g miners bribing contracts t=
o
> censor the confirmation of time-sensitive lightning channel transactions,
> where the bribes are paid on the hashrate distribution of miners during t=
he
> previous difficulty period, thanks to the coinbase pubkey.
> >
> > See https://blog.bitmex.com/txwithhold-smart-contracts/ and
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/021=
395.html
> >
> > I wonder if we might face the dilemma of miners censorship attacks, if
> we wish to have more advanced bitcoin contracts, though I think it would =
be
> safe design practice to rule out those types of concerns thanks to smart
> bitcoin contracting primitives.
> >
> > I think this is a common risk to all second-layers vaults, lightning
> channels and payment pools.
> >
> > > A flag can disable this behavior"
> >
> > More than a binary flag like a matrix could be introduced to encode
> subset of introspected inputs /outputs to enable sighash_group-like
> semantic:
> >
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019243.=
html
> >
> > > There are two defined flags:
> > > - CCV_FLAG_CHECK_INPUT =3D 1: if present, <index> refers to an input;
> > > otherwise, it refers to an output.
> > > - CCV_FLAG_IGNORE_OUTPUT_AMOUNT =3D 2: only defined when _CHECK_INPUT
> > > is absent, it disables the deferred checks logic for amounts.
> >
> > Or even beyond a matrix, it could be a set of "tags". There could be a
> generalized tag for unstructured data, and another one for bitcoin
> transaction / script data types (e.g scriptpubkey, amount, nsequence,
> merkle branch) that could be fetched from the taproot annex.
> >
> > > After the evaluation of all inputs, it is verified that each output's
> > > amount is greater than or equal to the total amount in the bucket
> > > if that output (validation of the deferred checks).
> >
> > At the very least, I think for the payment pool, where you're
> fanning-out satoshis value from a subset of inputs to another subset of
> outputs, I think you would need more malleability here.
> >
> > > It is unclear if all the special values above will be useful in
> > > applications; however, as each special case requires very little adde=
d
> > > code, I tried to make the specs as flexible as possible at this time.
> >
> > I think this generic framework is interesting for joinpool / coinpool /
> payment pool, as you can check that any withdrawal output can be committe=
d
> as part of the input scriptpubkey, and spend it on
> blessed-with-one-participant-sig script. There is still a big open questi=
on
> if it's efficient in terms of witness space consumed.
> >
> > That said, I still think you would need at least ANYPREVOUT and more
> malleability for the amount transfer validation as laid out above.
> >
> > Looking on the `DeferredCheck` framework commit, one obvious low-level
> concern is the DoS risk for full-nodes participating in transaction-relay=
,
> and that maybe policy rules should be introduced to keep the worst-CPU
> input in the ranges of current transaction spend allowed to propagate on
> the network today.
> >
> > Thanks for the proposal,
> >
> > Best,
> > Antoine
> >
> >
> >
> > Le dim. 30 juil. 2023 =C3=A0 22:52, Salvatore Ingala via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> a =C3=A9crit :
> >
> > > Hi all,
> > >
> > > I have put together a first complete proposal for the core opcodes of
> > > MATT [1][2].
> > > The changes make the opcode functionally complete, and the
> > > implementation is revised and improved.
> > >
> > > The code is implemented in the following fork of the
> > > bitcoin-inquisition repo:
> > >
> > > https://github.com/Merkleize/bitcoin/tree/checkcontractverify
> > >
> > > Therefore, it also includes OP_CHECKTEMPLATEVERIFY, as in a
> > > previous early demo for vaults [3].
> > >
> > > Please check out the diff [4] if you are interested in the
> > > implementation details. It includes some basic functional tests for
> > > the main cases of the opcode.
> > >
> > > ## Changes vs the previous draft
> > >
> > > These are the changes compared to the initial incomplete proposal:
> > > - OP_CHECK{IN,OUT}CONTRACTVERIFY are replaced by a single opcode
> > > OP_CHECKCONTRACTVERIFY (CCV). An additional `flags` parameter allows
> > > to specify if the opcode operates on an input or an output.
> > > This also allows inspection of other inputs, that was not possible
> > > with the original opcodes.
> > > - For outputs, the default behavior is to have the following deferred
> > > checks mechanism for amounts: all the inputs that have a CCV towards
> > > the same output, have their input amounts summed, and that act as a
> > > lower bound for that output's amount.
> > > A flag can disable this behavior. [*]
> > > - A number of special values of the parameters were defined in order
> > > to optimize for common cases, and add some implicit introspection.
> > > - The order of parameters is modified (particularly, <data> is at the
> > > bottom of the arguments, as so is more natural when writing Scripts).
> > >
> > > ## Semantics
> > >
> > > The new OP_CHECKCONTRACTVERIFY takes 5 parameters from the stack:
> > >
> > > <data>, <index>, <pk>, <taptree>, <flags>
> > >
> > > The core logic of the opcode is as follows:
> > >
> > > "Check if the <index>-th input/output's scriptPubKey is a P2TR
> > > whose public key is obtained from <pk>, (optionally) tweaked with
> > > <data>, (optionally) tap-tweaked with <taptree>".
> > >
> > > The following are special values of the parameters:
> > >
> > > - if <pk> is empty, it is replaced with a fixed NUMS point. [**]
> > > - if <pk> is -1, it is replaced with the current input's taproot
> > > internal key.
> > > - if <index> is -1, it is replaced with the current input's index.
> > > - if <data> is empty, the data tweak is skipped.
> > > - if <taptree> is empty, the taptweak is skipped.
> > > - if <taptree> is -1, it is replaced with the current input's root
> > > of the taproot merkle tree.
> > >
> > > There are two defined flags:
> > > - CCV_FLAG_CHECK_INPUT =3D 1: if present, <index> refers to an input;
> > > otherwise, it refers to an output.
> > > - CCV_FLAG_IGNORE_OUTPUT_AMOUNT =3D 2: only defined when _CHECK_INPUT
> > > is absent, it disables the deferred checks logic for amounts.
> > >
> > > Finally, if both the flags CCV_FLAG_CHECK_INPUT and
> > > CCV_FLAG_IGNORE_OUTPUT_AMOUNT are absent:
> > > - Add the current input's amount to the <index>-th output's bucket.
> > >
> > > After the evaluation of all inputs, it is verified that each output's
> > > amount is greater than or equal to the total amount in the bucket
> > > if that output (validation of the deferred checks).
> > >
> > > ## Comment
> > >
> > > It is unclear if all the special values above will be useful in
> > > applications; however, as each special case requires very little adde=
d
> > > code, I tried to make the specs as flexible as possible at this time.
> > >
> > > With this new opcode, the full generality of MATT (including the frau=
d
> > > proofs) can be obtained with just two opcodes: OP_CHECKCONTRACTVERIFY
> > > and OP_CAT.
> > > However, additional opcodes (and additional introspection) would
> > > surely benefit some applications.
> > >
> > > I look forward to your comments, and to start drafting a BIP proposal=
.
> > >
> > > Best,
> > > Salvatore Ingala
> > >
> > >
> > > [*] - Credits go to James O'Beirne for this approach, taken from his
> > > OP_VAULT proposal. I cherry-picked the commit containing the
> > > Deferred Checks framework.
> > > [**] - The same NUMS point suggested in BIP-0341 was used.
> > >
> > >
> > > References:
> > >
> > > [1] - https://merkle.fun/
> > > [2] -
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-November/021=
182.html
> > > [3] -
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-April/021588=
.html
> > > [4] -
> https://github.com/bitcoin-inquisition/bitcoin/compare/24.0...Merkleize:b=
itcoin:checkcontractverify
> > > _______________________________________________
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

--000000000000a82c2f0605435b06
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Symphonic,<div><br></div><div>I&#39;m not aware of any =
theory of the &quot;mining firm&quot; (in the coasian sense) that would giv=
e the lineaments of the cost / income structure of a lambda mining operatio=
n, and from which to predict how a change in the withhold mined coins impac=
t the long-term sustainability of their business, especially incorporating =
relationships with electricity providers and mining chips makers.</div><div=
><br></div><div>On the impact of disregarding OFAC sanctioned txs, this sou=
nds correct that as long as this is a minority of economic transactions tha=
t a mining operation can censor, they can afford to stay in business and no=
t lose long-term blockspace issuance. If the regulation enforcement cost st=
arts to be too high, they can move to a jurisdiction where regulation costs=
 are lower [0].</div><div><br></div><div>This is indeed a good remark that =
is unclear if additional constructs and smart contracts would incentive blo=
ck-reorgs or transactions censoring attitudes, or even if we would see &quo=
t;lightning-bounty&quot; transactions constructs happening generating an ec=
onomic equilibrium between censorship and confirmation. I think this is an =
area deserving more research for sure.</div><div><br></div><div>This is unc=
lear if reduction of the timewarp attack too could modify the miners incent=
ives equilibrium [1].</div><div><br></div><div>In the end I can only agree =
that miners and full-nodes operators incentives should be a built-in protec=
tion in case of consensus upgrades substantially altering the Bitcoin deep =
security model. The thing is this model is very unclear to the best of my k=
nowledge and I don&#39;t think anyone has taken time to formalize it from t=
he years of blocksize wars from then to analyze carefully proposed covenant=
 upgrades.<br></div><div><br></div><div>Best,</div><div>Antoine</div><div><=
br></div><div>[0] Side-note and IANA disclaimer. On the application to US O=
FAC by Bitcoin economic entities operators, there is a huge uncertainty if =
naive application of OFAC is respecting the EU GDPR, the article 8 of the C=
EDH and what is left of Roe vs Wade in the US in terms of constitutional pr=
otections. If you&#39;re a human right activist, you have time to dedicate =
yourself on years-long issues and you have the dual-level of legal and tech=
nical expertise, I would invite you to open litigations against mining pool=
s and chainanalysis companies in this space. While European and US jurisdic=
tions have clear traditional constitutional protections and legal remedies =
to protect the end-users zone of data autonomy, I&#39;m incredibly worried =
w.r.t to non-Western based jurisdictions less concerned with human rights, =
where chainanalysis companies might do ethically concerning things.</div><d=
iv><br></div><div>[1] Putting back <a href=3D"https://bitcoinops.org/en/top=
ics/consensus-cleanup-soft-fork/">https://bitcoinops.org/en/topics/consensu=
s-cleanup-soft-fork/</a> on the consensus upgrade table I think it would be=
 great to address Bitcoin consensus &quot;technical debt&quot; and simplify=
 the design and analysis of covenants and second-layers protocols.</div><di=
v><br></div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"=
gmail_attr">Le=C2=A0lun. 14 ao=C3=BBt 2023 =C3=A0=C2=A015:07, symphonicbtc =
&lt;<a href=3D"mailto:symphonicbtc@proton.me">symphonicbtc@proton.me</a>&gt=
; a =C3=A9crit=C2=A0:<br></div><blockquote class=3D"gmail_quote" style=3D"m=
argin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;borde=
r-left-color:rgb(204,204,204);padding-left:1ex">&gt; I think cross-input in=
spection (not cross-input signature aggregation which is different) is open=
ing a pandora box in terms of &quot;malicious&quot; off-chain contracts tha=
n one could design. E.g miners bribing contracts to censor the confirmation=
 of time-sensitive lightning channel transactions, where the bribes are pai=
d on the hashrate distribution of miners during the previous difficulty per=
iod, thanks to the coinbase pubkey.<br>
&gt; <br>
&gt; See <a href=3D"https://blog.bitmex.com/txwithhold-smart-contracts/" re=
l=3D"noreferrer" target=3D"_blank">https://blog.bitmex.com/txwithhold-smart=
-contracts/</a> and <a href=3D"https://lists.linuxfoundation.org/pipermail/=
bitcoin-dev/2023-February/021395.html" rel=3D"noreferrer" target=3D"_blank"=
>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/0213=
95.html</a><br>
<br>
Hi Antoine,<br>
<br>
These two papers make a lot of incorrect assumptions about bitcoins securit=
y model. The assumption of the existence of constructs such as oracles or a=
ltchains for =E2=80=9Ctrustless=E2=80=9D out-of-band payments opens the doo=
r for plenty of things that in reality are not possible without sacrificing=
 security. The assumption that these constructs =E2=80=9Cminimize=E2=80=9D =
miner / attacker trust is no better than assuming the existence of an oracl=
e that can simply perform the entire attack.<br>
<br>
Moreover, even the limited examples of attacks that do not use these constr=
ucts completely overlook the fact that bitcoins security model is dependent=
 on the preservation of the nash equilibrium between miners. Not only is it=
 disincentivized for miners to engage in any form of censorship, because th=
ey can all be fired by node-runners at any time, it is also not in miners i=
nterests to reorg the chain if say an anonymous miner mines some transactio=
ns that were being censored. Sustained, successful censorship in any capaci=
ty assumes that bitcoin is compromised, a 51% attack has occurred, and nece=
ssitates a change in PoW algorithm. A sufficient CSV in LN-like protocols i=
s always sufficient to avoid being attacked in this way.<br>
<br>
The addition of most forms of covenant does not assist any of these attacks=
 afaict because they already make assumptions rendering them invalid.<br>
<br>
<br>
Symphonic<br>
<br>
------- Original Message -------<br>
On Monday, August 14th, 2023 at 3:00 AM, Antoine Riard via bitcoin-dev &lt;=
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br>
<br>
<br>
&gt; Hi Salvatore,<br>
&gt; &gt; This also allows inspection of other inputs, that was not possibl=
e with the original opcodes.<br>
&gt; <br>
&gt; I think cross-input inspection (not cross-input signature aggregation =
which is different) is opening a pandora box in terms of &quot;malicious&qu=
ot; off-chain contracts than one could design. E.g miners bribing contracts=
 to censor the confirmation of time-sensitive lightning channel transaction=
s, where the bribes are paid on the hashrate distribution of miners during =
the previous difficulty period, thanks to the coinbase pubkey.<br>
&gt; <br>
&gt; See <a href=3D"https://blog.bitmex.com/txwithhold-smart-contracts/" re=
l=3D"noreferrer" target=3D"_blank">https://blog.bitmex.com/txwithhold-smart=
-contracts/</a> and <a href=3D"https://lists.linuxfoundation.org/pipermail/=
bitcoin-dev/2023-February/021395.html" rel=3D"noreferrer" target=3D"_blank"=
>https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-February/0213=
95.html</a><br>
&gt; <br>
&gt; I wonder if we might face the dilemma of miners censorship attacks, if=
 we wish to have more advanced bitcoin contracts, though I think it would b=
e safe design practice to rule out those types of concerns thanks to smart =
bitcoin contracting primitives.<br>
&gt; <br>
&gt; I think this is a common risk to all second-layers vaults, lightning c=
hannels and payment pools.<br>
&gt; <br>
&gt; &gt; A flag can disable this behavior&quot;<br>
&gt; <br>
&gt; More than a binary flag like a matrix could be introduced to encode su=
bset of introspected inputs /outputs to enable sighash_group-like semantic:=
<br>
&gt; <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/202=
1-July/019243.html" rel=3D"noreferrer" target=3D"_blank">https://lists.linu=
xfoundation.org/pipermail/bitcoin-dev/2021-July/019243.html</a><br>
&gt; <br>
&gt; &gt; There are two defined flags:<br>
&gt; &gt; - CCV_FLAG_CHECK_INPUT =3D 1: if present, &lt;index&gt; refers to=
 an input;<br>
&gt; &gt; otherwise, it refers to an output.<br>
&gt; &gt; - CCV_FLAG_IGNORE_OUTPUT_AMOUNT =3D 2: only defined when _CHECK_I=
NPUT<br>
&gt; &gt; is absent, it disables the deferred checks logic for amounts.<br>
&gt; <br>
&gt; Or even beyond a matrix, it could be a set of &quot;tags&quot;. There =
could be a generalized tag for unstructured data, and another one for bitco=
in transaction / script data types (e.g scriptpubkey, amount, nsequence, me=
rkle branch) that could be fetched from the taproot annex.<br>
&gt; <br>
&gt; &gt; After the evaluation of all inputs, it is verified that each outp=
ut&#39;s<br>
&gt; &gt; amount is greater than or equal to the total amount in the bucket=
<br>
&gt; &gt; if that output (validation of the deferred checks).<br>
&gt; <br>
&gt; At the very least, I think for the payment pool, where you&#39;re fann=
ing-out satoshis value from a subset of inputs to another subset of outputs=
, I think you would need more malleability here.<br>
&gt; <br>
&gt; &gt; It is unclear if all the special values above will be useful in<b=
r>
&gt; &gt; applications; however, as each special case requires very little =
added<br>
&gt; &gt; code, I tried to make the specs as flexible as possible at this t=
ime.<br>
&gt; <br>
&gt; I think this generic framework is interesting for joinpool / coinpool =
/ payment pool, as you can check that any withdrawal output can be committe=
d as part of the input scriptpubkey, and spend it on blessed-with-one-parti=
cipant-sig script. There is still a big open question if it&#39;s efficient=
 in terms of witness space consumed.<br>
&gt; <br>
&gt; That said, I still think you would need at least ANYPREVOUT and more m=
alleability for the amount transfer validation as laid out above.<br>
&gt; <br>
&gt; Looking on the `DeferredCheck` framework commit, one obvious low-level=
 concern is the DoS risk for full-nodes participating in transaction-relay,=
 and that maybe policy rules should be introduced to keep the worst-CPU inp=
ut in the ranges of current transaction spend allowed to propagate on the n=
etwork today.<br>
&gt; <br>
&gt; Thanks for the proposal,<br>
&gt; <br>
&gt; Best,<br>
&gt; Antoine<br>
&gt; <br>
&gt; <br>
&gt; <br>
&gt; Le dim. 30 juil. 2023 =C3=A0 22:52, Salvatore Ingala via bitcoin-dev &=
lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blan=
k">bitcoin-dev@lists.linuxfoundation.org</a>&gt; a =C3=A9crit :<br>
&gt; <br>
&gt; &gt; Hi all,<br>
&gt; &gt; <br>
&gt; &gt; I have put together a first complete proposal for the core opcode=
s of<br>
&gt; &gt; MATT [1][2].<br>
&gt; &gt; The changes make the opcode functionally complete, and the<br>
&gt; &gt; implementation is revised and improved.<br>
&gt; &gt; <br>
&gt; &gt; The code is implemented in the following fork of the<br>
&gt; &gt; bitcoin-inquisition repo:<br>
&gt; &gt; <br>
&gt; &gt; <a href=3D"https://github.com/Merkleize/bitcoin/tree/checkcontrac=
tverify" rel=3D"noreferrer" target=3D"_blank">https://github.com/Merkleize/=
bitcoin/tree/checkcontractverify</a><br>
&gt; &gt; <br>
&gt; &gt; Therefore, it also includes OP_CHECKTEMPLATEVERIFY, as in a<br>
&gt; &gt; previous early demo for vaults [3].<br>
&gt; &gt; <br>
&gt; &gt; Please check out the diff [4] if you are interested in the<br>
&gt; &gt; implementation details. It includes some basic functional tests f=
or<br>
&gt; &gt; the main cases of the opcode.<br>
&gt; &gt; <br>
&gt; &gt; ## Changes vs the previous draft<br>
&gt; &gt; <br>
&gt; &gt; These are the changes compared to the initial incomplete proposal=
:<br>
&gt; &gt; - OP_CHECK{IN,OUT}CONTRACTVERIFY are replaced by a single opcode<=
br>
&gt; &gt; OP_CHECKCONTRACTVERIFY (CCV). An additional `flags` parameter all=
ows<br>
&gt; &gt; to specify if the opcode operates on an input or an output.<br>
&gt; &gt; This also allows inspection of other inputs, that was not possibl=
e<br>
&gt; &gt; with the original opcodes.<br>
&gt; &gt; - For outputs, the default behavior is to have the following defe=
rred<br>
&gt; &gt; checks mechanism for amounts: all the inputs that have a CCV towa=
rds<br>
&gt; &gt; the same output, have their input amounts summed, and that act as=
 a<br>
&gt; &gt; lower bound for that output&#39;s amount.<br>
&gt; &gt; A flag can disable this behavior. [*]<br>
&gt; &gt; - A number of special values of the parameters were defined in or=
der<br>
&gt; &gt; to optimize for common cases, and add some implicit introspection=
.<br>
&gt; &gt; - The order of parameters is modified (particularly, &lt;data&gt;=
 is at the<br>
&gt; &gt; bottom of the arguments, as so is more natural when writing Scrip=
ts).<br>
&gt; &gt; <br>
&gt; &gt; ## Semantics<br>
&gt; &gt; <br>
&gt; &gt; The new OP_CHECKCONTRACTVERIFY takes 5 parameters from the stack:=
<br>
&gt; &gt; <br>
&gt; &gt; &lt;data&gt;, &lt;index&gt;, &lt;pk&gt;, &lt;taptree&gt;, &lt;fla=
gs&gt;<br>
&gt; &gt; <br>
&gt; &gt; The core logic of the opcode is as follows:<br>
&gt; &gt; <br>
&gt; &gt; &quot;Check if the &lt;index&gt;-th input/output&#39;s scriptPubK=
ey is a P2TR<br>
&gt; &gt; whose public key is obtained from &lt;pk&gt;, (optionally) tweake=
d with<br>
&gt; &gt; &lt;data&gt;, (optionally) tap-tweaked with &lt;taptree&gt;&quot;=
.<br>
&gt; &gt; <br>
&gt; &gt; The following are special values of the parameters:<br>
&gt; &gt; <br>
&gt; &gt; - if &lt;pk&gt; is empty, it is replaced with a fixed NUMS point.=
 [**]<br>
&gt; &gt; - if &lt;pk&gt; is -1, it is replaced with the current input&#39;=
s taproot<br>
&gt; &gt; internal key.<br>
&gt; &gt; - if &lt;index&gt; is -1, it is replaced with the current input&#=
39;s index.<br>
&gt; &gt; - if &lt;data&gt; is empty, the data tweak is skipped.<br>
&gt; &gt; - if &lt;taptree&gt; is empty, the taptweak is skipped.<br>
&gt; &gt; - if &lt;taptree&gt; is -1, it is replaced with the current input=
&#39;s root<br>
&gt; &gt; of the taproot merkle tree.<br>
&gt; &gt; <br>
&gt; &gt; There are two defined flags:<br>
&gt; &gt; - CCV_FLAG_CHECK_INPUT =3D 1: if present, &lt;index&gt; refers to=
 an input;<br>
&gt; &gt; otherwise, it refers to an output.<br>
&gt; &gt; - CCV_FLAG_IGNORE_OUTPUT_AMOUNT =3D 2: only defined when _CHECK_I=
NPUT<br>
&gt; &gt; is absent, it disables the deferred checks logic for amounts.<br>
&gt; &gt; <br>
&gt; &gt; Finally, if both the flags CCV_FLAG_CHECK_INPUT and<br>
&gt; &gt; CCV_FLAG_IGNORE_OUTPUT_AMOUNT are absent:<br>
&gt; &gt; - Add the current input&#39;s amount to the &lt;index&gt;-th outp=
ut&#39;s bucket.<br>
&gt; &gt; <br>
&gt; &gt; After the evaluation of all inputs, it is verified that each outp=
ut&#39;s<br>
&gt; &gt; amount is greater than or equal to the total amount in the bucket=
<br>
&gt; &gt; if that output (validation of the deferred checks).<br>
&gt; &gt; <br>
&gt; &gt; ## Comment<br>
&gt; &gt; <br>
&gt; &gt; It is unclear if all the special values above will be useful in<b=
r>
&gt; &gt; applications; however, as each special case requires very little =
added<br>
&gt; &gt; code, I tried to make the specs as flexible as possible at this t=
ime.<br>
&gt; &gt; <br>
&gt; &gt; With this new opcode, the full generality of MATT (including the =
fraud<br>
&gt; &gt; proofs) can be obtained with just two opcodes: OP_CHECKCONTRACTVE=
RIFY<br>
&gt; &gt; and OP_CAT.<br>
&gt; &gt; However, additional opcodes (and additional introspection) would<=
br>
&gt; &gt; surely benefit some applications.<br>
&gt; &gt; <br>
&gt; &gt; I look forward to your comments, and to start drafting a BIP prop=
osal.<br>
&gt; &gt; <br>
&gt; &gt; Best,<br>
&gt; &gt; Salvatore Ingala<br>
&gt; &gt; <br>
&gt; &gt; <br>
&gt; &gt; [*] - Credits go to James O&#39;Beirne for this approach, taken f=
rom his<br>
&gt; &gt; OP_VAULT proposal. I cherry-picked the commit containing the<br>
&gt; &gt; Deferred Checks framework.<br>
&gt; &gt; [**] - The same NUMS point suggested in BIP-0341 was used.<br>
&gt; &gt; <br>
&gt; &gt; <br>
&gt; &gt; References:<br>
&gt; &gt; <br>
&gt; &gt; [1] - <a href=3D"https://merkle.fun/" rel=3D"noreferrer" target=
=3D"_blank">https://merkle.fun/</a><br>
&gt; &gt; [2] - <a href=3D"https://lists.linuxfoundation.org/pipermail/bitc=
oin-dev/2022-November/021182.html" rel=3D"noreferrer" target=3D"_blank">htt=
ps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-November/021182.h=
tml</a><br>
&gt; &gt; [3] - <a href=3D"https://lists.linuxfoundation.org/pipermail/bitc=
oin-dev/2023-April/021588.html" rel=3D"noreferrer" target=3D"_blank">https:=
//lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-April/021588.html</a=
><br>
&gt; &gt; [4] - <a href=3D"https://github.com/bitcoin-inquisition/bitcoin/c=
ompare/24.0...Merkleize:bitcoin:checkcontractverify" rel=3D"noreferrer" tar=
get=3D"_blank">https://github.com/bitcoin-inquisition/bitcoin/compare/24.0.=
..Merkleize:bitcoin:checkcontractverify</a><br>
&gt; &gt; _______________________________________________<br>
&gt; &gt; bitcoin-dev mailing list<br>
&gt; &gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=
=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
&gt; &gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bit=
coin-dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundatio=
n.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>

--000000000000a82c2f0605435b06--