1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
Return-Path: <luke@dashjr.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 957E09C
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 2 Oct 2017 00:47:05 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from zinan.dashjr.org (zinan.dashjr.org [192.3.11.21])
by smtp1.linuxfoundation.org (Postfix) with ESMTP id EBAFEFC
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 2 Oct 2017 00:47:04 +0000 (UTC)
Received: from ishibashi.localnet (unknown
[IPv6:2001:470:5:265:a45d:823b:2d27:961c])
(Authenticated sender: luke-jr)
by zinan.dashjr.org (Postfix) with ESMTPSA id 13F0F38A006A;
Mon, 2 Oct 2017 00:45:36 +0000 (UTC)
X-Hashcash: 1:25:171002:jl2012@xbt.hk::ZVfRVpHYZqfhU2cj:Gw6W
X-Hashcash: 1:25:171002:bitcoin-dev@lists.linuxfoundation.org::TVL6ZbpPeoSgeNVE:eFiA1
X-Hashcash: 1:25:171002:mark@friedenbach.org::aEcFRoXPvytzCVTP:jgtg
X-Hashcash: 1:25:171002:roconnor@blockstream.io::h845iZekWpVTJ7cm:c+H1P
From: Luke Dashjr <luke@dashjr.org>
To: Johnson Lau <jl2012@xbt.hk>
Date: Mon, 2 Oct 2017 00:45:22 +0000
User-Agent: KMail/1.13.7 (Linux/4.12.5-gentoo; KDE/4.14.34; x86_64; ; )
References: <201710010113.30518.luke@dashjr.org>
<30B31B43-B603-4793-BDFB-B7E25FD96D1B@xbt.hk>
In-Reply-To: <30B31B43-B603-4793-BDFB-B7E25FD96D1B@xbt.hk>
X-PGP-Key-Fingerprint: E463 A93F 5F31 17EE DE6C 7316 BD02 9424 21F4 889F
X-PGP-Key-ID: BD02942421F4889F
X-PGP-Keyserver: hkp://pgp.mit.edu
MIME-Version: 1.0
Content-Type: Text/Plain;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201710020045.30259.luke@dashjr.org>
X-Spam-Status: No, score=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,
RP_MATCHES_RCVD autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Cc: bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Version 1 witness programs (first draft)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Oct 2017 00:47:05 -0000
On Sunday 01 October 2017 9:32:56 PM Johnson Lau wrote:
> 1. How do we allow further upgrade within v1 witness? Here are some
> options: a. Minor version in witness. (Johnson / Luke) I prefer this way,
> but we may end up with many minor versions. b. OP_RETURNTRUE (Luke). I
> proposed this in an earlier version of BIP114 but now I think it doesn=E2=
=80=99t
> interact well with signature aggregation, and I worry that it would have
> some other unexpected effects. c. Generalised NOP method: user has to
> provide the returned value, so even VERIFY-type code could do anything
I like (A) and (B). Use B when practical, and (A) when more fundamental=20
changes are needed. SigAgg is a concern, but there are ways to adapt it.
(C) is harmless, but I think unnecessary with (A) and/or (B).
> 2. Do we want to allow signature-time commitment of extra scripts?
> I think all proposals allow this, just with different way
> a. Tail-call semantics with CHECKSIGFROMSTACK (Mark). I think this is too
> rigid as it works only with specially designed scriptPubKey b.
> scriptWitCode: extra scripts are put in some fixed location in witness
> (Johnson). This makes sure static analysability. c. Extra-data as script
> in OP_CHECKSIG (Luke)
Note that my BIP draft supports both (A) and (C).
> 3. Do we want to allow static analysis of sigop?
> BIP114 and the related proposals are specifically designed to allow static
> analysis of sigop. I think this was one of the main reason of OP_EVAL not
> being accepted. This was also the main reason of Ethereum failing to do a
> DAO hacker softfork, leading to the ETH/ETC split. I=E2=80=99m not sure i=
f we
> really want to give up this property. Once we do it, we have to support it
> forever.
It seems inevitable at this point. Maybe we could add a separate "executabl=
e-
witness" array (in the same manner as the current witness was softforked in=
),=20
and require tail-call and condition scripts to merely reference these by ha=
sh,=20
but I'm not sure it's worth the effort?
Thinking further, we could avoid adding a separate executable-witness=20
commitment by either:
A) Define that all the witness elements in v1 are type-tagged (put the minor
witness version on them all, and redefine minor 0 as a stack item?); or
B) Use an empty element as a delimiter between stack and executable items.
To avoid witness malleability, the executable items can be required to be=20
sorted in some manner.
The downside of these approaches is that we now need an addition 20 or 32=20
bytes per script reference... which IMO may possibly be worse than losing=20
static analysis. I wonder if there's a way to avoid that overhead?
Luke
|