1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
|
Return-Path: <tamas.blummer@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id A5A86AF0
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 13 Jun 2019 08:14:08 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com
[209.85.221.41])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 3FC75174
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 13 Jun 2019 08:14:07 +0000 (UTC)
Received: by mail-wr1-f41.google.com with SMTP id n9so19737251wru.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 13 Jun 2019 01:14:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
h=from:message-id:mime-version:subject:date:in-reply-to:cc:to
:references; bh=mxVZb8lcjiQrpjmF3pr0raIcvBiKwwAWF1eeU3DlERM=;
b=GxD6NqwFBvsizQDpwCBjJQeaKDRq481jt4G602z6N3droLACf7IkcBhECu1z9osoKc
lH3WQoizLNCfN5A1oofz1Utz43M8xdrnKVEjgJ2wWu+nz6M+XLmAaiT8DdjXyMdZknBJ
G4qxT/fYraOnY726XYfT4LHINXrX3l0BnQqgL1y81Wg7Uh+53isYd/DoEdOGjKz9QEI6
c9S1xr1NaO+AYd3Nz8RPKZ+OByjspL7BpSPe8KTVUg6Wo9I1b9lpuzKga3kFvp/QubOr
tsciz2jiux0ICq743HuWyCdSJDFigwmqf5AVfYB6ehmtnDEdefad5m14DctFhbyIYKlj
DzjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:message-id:mime-version:subject:date
:in-reply-to:cc:to:references;
bh=mxVZb8lcjiQrpjmF3pr0raIcvBiKwwAWF1eeU3DlERM=;
b=RgOAjr9Rl8loptehhaNVGUC19Gq6TXsNu4rVVRyLBNVBWwGTLFDpFHJC5/Yu6rMbH9
j7IehrXYBG9pmC981zFNhxlanhtqPpOKarjDTYLVKFe+WOPcN63nv9HNKa7DZVpv+8V8
llElM7AGcWhcTdkMF2q9z5o3QTMyew17YnBCvDiVghuJrrpeoqxLB4AqUu8Ya7xeYprQ
ZfIjp9hlJ2Pl3OjVULVJO0U6Wf0CuXf5uFQsajewCLt3eIH/OgCRhlR4XMj0E0jIlZaY
pLgFNGqLJ1ymlViUsAkVgSvn+MC1lGRxHTnffIRA4Ea305tzw+RT6DrSNiccWrz72vgp
Qhvw==
X-Gm-Message-State: APjAAAUsb0DgQsu0SFG32Sb1nxrAIjPuFicMN0b21LuwdtUkE3+DER8q
83LSVP4eq0dEnY9hLmiqDoE=
X-Google-Smtp-Source: APXvYqzipgqmjs2S19tABAFULEAit3JSQTJtrRXWXndIvI4iSVR46sBNItxXL+xym6BRxyv6o0pDrA==
X-Received: by 2002:a5d:404a:: with SMTP id w10mr40629048wrp.177.1560413645719;
Thu, 13 Jun 2019 01:14:05 -0700 (PDT)
Received: from p200300dd67196b511d34f5eec60431f6.dip0.t-ipconnect.de
(p200300DD67196B511D34F5EEC60431F6.dip0.t-ipconnect.de.
[2003:dd:6719:6b51:1d34:f5ee:c604:31f6])
by smtp.gmail.com with ESMTPSA id x3sm2048807wrp.78.2019.06.13.01.14.04
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 13 Jun 2019 01:14:04 -0700 (PDT)
From: Tamas Blummer <tamas.blummer@gmail.com>
Message-Id: <FADC3B05-60D2-4E41-AA59-6A0C1519C5B1@gmail.com>
Content-Type: multipart/signed;
boundary="Apple-Mail=_33E73E44-2178-4D77-AA3A-F44A391DE819";
protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 13 Jun 2019 10:14:02 +0200
In-Reply-To: <CAMZUoK=0YhqxguphmaKsMGZCy_NYVE_i53qGBfPVES=GAYTy1g@mail.gmail.com>
To: Russell O'Connor <roconnor@blockstream.io>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <CAMZUoK=0YhqxguphmaKsMGZCy_NYVE_i53qGBfPVES=GAYTy1g@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 13 Jun 2019 13:26:27 +0000
Subject: Re: [bitcoin-dev] An alternative: OP_CAT & OP_CHECKSIGFROMSTACK
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 08:14:08 -0000
--Apple-Mail=_33E73E44-2178-4D77-AA3A-F44A391DE819
Content-Type: multipart/alternative;
boundary="Apple-Mail=_15765CC3-F1E4-4D7C-9807-B3057F36F669"
--Apple-Mail=_15765CC3-F1E4-4D7C-9807-B3057F36F669
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=utf-8
ZmnSCPxj already observed in [1] that these ops would enable =
introspection of any field of the transactions and make both =
`OP_CHECKLOCKTIMEVERIFY` and `OP_CHECKSEQUENCEVERIFY` superfluous.
There is much more to this as enumerated in generic terms by Russel =
O=E2=80=99Connor below and I would like to add a concrete example.
We could implement oracle less difficulty contracts without the need the =
of a CISC type OP_WORKVERIFY but instead through resurrection/extension =
of OP_CAT, OP_GREATERTHANOREQUAL and introduction of a new RISC opcode =
OP_CHECKBLOCKATHEIGHT[3] suggested by Luke Dashjr. Thanks for the =
pointer to Nathan Cook [4]
Technically we could resurrect and add them without burning more than =
one OP_NOP by redefining it as a prefix (OP_EXTENSION), such as:
OP_EXTENSION OP_CAT would become a two byte opcode pointing to a =
resurrected implementation of OP_CAT.
This could be soft forked in.
A concrete oracle less difficulty contract could look like:
It is an european digital call option on target difficulty after =
maturity and 10 blocks notice period. I gave you reasons while having =
these would increase bitcoin's security in [2]
IF
<maturity as block height + 10> CHECKLOCKTIMEVERIFY DROP
<speculator=E2=80=99s key> CHECKSIGVERIFY
ELSE
OP_DUP <maturity as block height - 1> OP_CHECKBLOCKATHEIGHT =
OP_LESSTHANEQUAL OP_VERIFY
OP_SWAP OP_CAT OP_CAT OP_HASH256 <contracted target> =
OP_LESSTHANEQUAL OP_VERIFY
<miner=E2=80=99s key> CHECKSIGVERIFY
ENDIF
insurance premium could be collected by the seller of the insurance =
after maturity + 10 blocks if target difficulty was not reached
<speculator=E2=80=99s signature>
miner would get back its insurance premium plus collateral of the seller =
if target difficulty was not reached at maturity. Miner has 10 blocks =
time after maturity to claim with:
<maturity block header after prevhash> <maturity block version> =
<prevhash>
The stack would be in second case processed as:
1: after pushes
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
2: after OP_DUP:
<maturity block prevhash>
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
3: after push
<maturity as block height - 1>
<maturity block prevhash>
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
4: after OP_CHECKBLOCKATHEIGHT OP_VERIFY is successful proving that =
prevhash is the block at maturity block height - 1
<maturity block prevhash>
<maturity block version>
<maturity block block header after prevhash>
5: after OP_SWAP
<block version>
<maturity block prevhash>
<block header after prevhash>
6: after OP_CAT
<maturity block version concatenated with maturity prevhash>
<maturity block block header after maturity prevhash>
7: after OP_CAT
<complete block header>
8: after OP_HASH256
<block hash computed for header>
9: after push
<contracted target>
<block hash computed for header>
10: after OP_GREATERTHANOREQUAL OP_VERIFY proves that contracted target =
was reached
Tamas Blummer
[1] =
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016966.ht=
ml =
<https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016966.h=
tml>
[2] =
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/017019.h=
tml =
<https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/017019.=
html>
[3] https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki =
<https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki>
[4] =
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016954.ht=
ml =
<https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/016954.h=
tml>
[5] https://github.com/bitcoin/bitcoin/blob/master/src/script/script.h =
<https://github.com/bitcoin/bitcoin/blob/master/src/script/script.h>
> On May 22, 2019, at 23:01, Russell O'Connor via bitcoin-dev =
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>=20
> Recently there have been some tapscript proposals, SIGHASH_ANYPREVOUT =
and OP_CHECKOUTPUTHASHVERIFY, that aim to enable particular new features =
for Bitcoin via new Script operations. However, I think that these =
proposals miss the mark when it comes to how they approach Bitcoin =
Script and language features.
>=20
> Bitcoin Script appears designed to be a flexible programmable system =
that provides generic features to be composed to achieve various =
purposes. Thus, when we design new language features for Script, we =
should be striving, as much as possible, to similarly build general =
purpose tools which can in turn be used for a variety of purposes.
>=20
> I feel the SIGHASH_ANYPREVOUT and OP_CHECKOUTPUTHASHVERIFY proposals =
fail to achieve these design goals. They are both are designed with =
very narrow applications in mind, while also going out of their way to =
extend the semantic domain of the interpretation of Bitcoin operations =
in new ways that complicate their specification. In the case of =
SIGHASH_ANYPREVOUT, the semantic domain is extended by adding new =
counters to track the use of various v0 and v2 signature types. In the =
case of OP_CHECKOUTPUTHASHVERIFY, it employs a new context-sensitive =
operation that peeks at the value of surrounding opcodes.
>=20
> Instead, I propose that, for the time being, we simply implement =
OP_CAT and OP_CHECKSIGFROMSTACKVERIFY. OP_CAT pops two byte arrays off =
the stack and pushes their concatenation back onto the stack. =
OP_CHECKSIGFROMSTACKVERIFY pops a signature, message, and pubkey off the =
stack and performs a bip-schnorr verification on the SHA256 hash of the =
message.
>=20
> In concert, these two operations enable:
>=20
> * Oracle signature verification, including discrete log contracts.
> * Amortized secure multiparty computations (see "Amortizing Secure =
Computation with Penalties" by Kumaresan and Bentov).
> * Transaction introspection including:
> + <> Simulated SIGHASH_ANYPREVOUT, which are necessarily chaperoned =
simply by the nature of the construction.
> + <> Decide if a transaction has exactly one input or not. (etc.)
> + Weak covenants, which can verify output scripts to see if they are =
among a set of predefined values or verify the output hash.
>=20
> and presumably more applications as well.
>=20
> For better or for worse, without an OP_PUBKEYTWEEK operation =
available, the more interesting recursive-covenants remain largely out =
of reach, with the exception of a recursive covenant that is only able =
to send back to its own address, possibly abusing its own TXO value as a =
state variable.
>=20
> All this is accomplished by two straightforward opcodes whose =
semantics are pure computational operations on stack values. The only =
semantic side-effect is that OP_CHECKSIGFROMSTACKVERIFY would count =
towards the existing 'sigops_passed' count. Moreover, I feel that =
adding these operations does not preclude adding more specialized =
opcodes in the future as an optimization for whatever popular =
constructions come up, once we know what those are.
>=20
> I feel that this style of generic building blocks truly embodies what =
is meant by "programmable money".
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
--Apple-Mail=_15765CC3-F1E4-4D7C-9807-B3057F36F669
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=utf-8
<html><head><meta http-equiv=3D"Content-Type" content=3D"text/html =
charset=3Dutf-8"></head><body style=3D"word-wrap: break-word; =
-webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" =
class=3D"">ZmnSCPxj already observed in [1] that these ops would enable =
introspection of any field of the transactions and make both =
`OP_CHECKLOCKTIMEVERIFY` and `OP_CHECKSEQUENCEVERIFY` superfluous.<br =
class=3D"">There is much more to this as enumerated in generic terms by =
Russel O=E2=80=99Connor below and I would like to add a concrete =
example.<br class=3D""><br class=3D"">We could implement oracle less =
difficulty contracts without the need the of a CISC type OP_WORKVERIFY =
but instead through resurrection/extension of OP_CAT, =
OP_GREATERTHANOREQUAL and introduction of a new RISC opcode =
OP_CHECKBLOCKATHEIGHT[3] suggested by Luke Dashjr. Thanks for the =
pointer to Nathan Cook [4]<br class=3D""><br class=3D"">Technically we =
could resurrect and add them without burning more than one OP_NOP by =
redefining it as a prefix (OP_EXTENSION), such as:<br class=3D""><br =
class=3D"">OP_EXTENSION OP_CAT would become a two byte opcode pointing =
to a resurrected implementation of OP_CAT.<br class=3D""><br =
class=3D"">This could be soft forked in.<br class=3D""><br class=3D"">A =
concrete oracle less difficulty contract could look like:<br class=3D"">It=
is an european digital call option on target difficulty after maturity =
and 10 blocks notice period. I gave you reasons while having these would =
increase bitcoin's security in [2]<br class=3D""><br class=3D"">IF<br =
class=3D""><span class=3D"Apple-tab-span" style=3D"white-space: pre;"> =
</span><maturity as block height + 10> CHECKLOCKTIMEVERIFY DROP<br =
class=3D""> <speculator=E2=80=99s =
key> CHECKSIGVERIFY<br class=3D"">ELSE<br class=3D""><span =
class=3D"Apple-tab-span" style=3D"white-space: pre;"> </span>OP_DUP =
<maturity as block height - 1> OP_CHECKBLOCKATHEIGHT =
OP_LESSTHANEQUAL OP_VERIFY<br class=3D""><span class=3D"Apple-tab-span" =
style=3D"white-space: pre;"> </span>OP_SWAP OP_CAT OP_CAT =
OP_HASH256 <contracted target> OP_LESSTHANEQUAL OP_VERIFY<br =
class=3D""><span class=3D"Apple-tab-span" style=3D"white-space: pre;"> =
</span><miner=E2=80=99s key> CHECKSIGVERIFY<br class=3D"">ENDIF<br =
class=3D""><br class=3D"">insurance premium could be collected by the =
seller of the insurance after maturity + 10 blocks if target difficulty =
was not reached<br class=3D""><br class=3D""><speculator=E2=80=99s =
signature><br class=3D""><br class=3D"">miner would get back its =
insurance premium plus collateral of the seller if target difficulty was =
not reached at maturity. Miner has 10 blocks time after maturity to =
claim with:<br class=3D""><br class=3D""><maturity block header after =
prevhash> <maturity block version> <prevhash><br =
class=3D""><br class=3D"">The stack would be in second case processed =
as:<br class=3D""><br class=3D"">1: after pushes<br =
class=3D""><maturity block prevhash><br class=3D""><maturity =
block version><br class=3D""><maturity block block header after =
prevhash><br class=3D""><br class=3D"">2: after OP_DUP:<br =
class=3D""><maturity block prevhash><br class=3D""><maturity =
block prevhash><br class=3D""><maturity block version><br =
class=3D""><maturity block block header after prevhash><br =
class=3D""><br class=3D"">3: after push<br class=3D""><maturity as =
block height - 1><br class=3D""><maturity block prevhash><br =
class=3D""><maturity block prevhash><br class=3D""><maturity =
block version><br class=3D""><maturity block block header after =
prevhash><br class=3D""><br class=3D"">4: after OP_CHECKBLOCKATHEIGHT =
OP_VERIFY is successful proving that prevhash is the block at maturity =
block height - 1<br class=3D""><maturity block prevhash><br =
class=3D""><maturity block version><br class=3D""><maturity =
block block header after prevhash><br class=3D""><br class=3D"">5: =
after OP_SWAP<br class=3D""><block version><br =
class=3D""><maturity block prevhash><br class=3D""><block =
header after prevhash><br class=3D""><br class=3D"">6: after =
OP_CAT<br class=3D""><maturity block version concatenated with =
maturity prevhash><br class=3D""><maturity block block header =
after maturity prevhash><br class=3D""><br class=3D"">7: after =
OP_CAT<br class=3D""><complete block header><br class=3D""><br =
class=3D"">8: after OP_HASH256<br class=3D""><block hash computed for =
header><br class=3D""><br class=3D"">9: after push<br =
class=3D""><contracted target><br class=3D""><block hash =
computed for header><br class=3D""><br class=3D"">10: after =
OP_GREATERTHANOREQUAL OP_VERIFY proves that contracted target was =
reached<br class=3D""><br class=3D"">Tamas Blummer<br class=3D""><br =
class=3D""><br class=3D"">[1] <a =
href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/0=
16966.html" =
class=3D"">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-Ma=
y/016966.html</a><br class=3D"">[2] <a =
href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-June/=
017019.html" =
class=3D"">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-Ju=
ne/017019.html</a><br class=3D"">[3] <a =
href=3D"https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawiki" =
class=3D"">https://github.com/luke-jr/bips/blob/bip-cbah/bip-cbah.mediawik=
i</a><br class=3D"">[4] <a =
href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-May/0=
16954.html" =
class=3D"">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-Ma=
y/016954.html</a><br class=3D"">[5] <a =
href=3D"https://github.com/bitcoin/bitcoin/blob/master/src/script/script.h=
" =
class=3D"">https://github.com/bitcoin/bitcoin/blob/master/src/script/scrip=
t.h</a><br class=3D""><div><blockquote type=3D"cite" class=3D""><div =
class=3D"">On May 22, 2019, at 23:01, Russell O'Connor via bitcoin-dev =
<<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" =
class=3D"">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:</div><br =
class=3D"Apple-interchange-newline"><div class=3D""><div dir=3D"ltr" =
class=3D""><div dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
dir=3D"ltr" class=3D""><div dir=3D"ltr" class=3D""><div =
class=3D"">Recently there have been some tapscript proposals, =
SIGHASH_ANYPREVOUT and OP_CHECKOUTPUTHASHVERIFY, that aim to enable =
particular new features for Bitcoin via new Script operations. =
However, I think that these proposals miss the mark when it comes to how =
they approach Bitcoin Script and language features.</div><div =
class=3D""><br class=3D""></div><div class=3D"">Bitcoin Script appears =
designed to be a flexible programmable system that provides generic =
features to be composed to achieve various purposes. Thus, when we =
design new language features for Script, we should be striving, as much =
as possible, to similarly build general purpose tools which can in turn =
be used for a variety of purposes.</div><div class=3D""><br =
class=3D""></div><div class=3D"">I feel the SIGHASH_ANYPREVOUT and =
OP_CHECKOUTPUTHASHVERIFY proposals fail to achieve these design =
goals. They are both are designed with very narrow applications in =
mind, while also going out of their way to extend the semantic domain of =
the interpretation of Bitcoin operations in new ways that complicate =
their specification. In the case of SIGHASH_ANYPREVOUT, the =
semantic domain is extended by adding new counters to track the use of =
various v0 and v2 signature types. In the case of =
OP_CHECKOUTPUTHASHVERIFY, it employs a new context-sensitive operation =
that peeks at the value of surrounding opcodes.</div><div class=3D""><br =
class=3D""></div><div class=3D"">Instead, I propose that, for the time =
being, we simply implement OP_CAT and OP_CHECKSIGFROMSTACKVERIFY. =
OP_CAT pops two byte arrays off the stack and pushes their concatenation =
back onto the stack. OP_CHECKSIGFROMSTACKVERIFY pops a signature, =
message, and pubkey off the stack and performs a bip-schnorr =
verification on the SHA256 hash of the message.<br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">In concert, these two =
operations enable:</div><div class=3D""><br class=3D""></div><div =
class=3D"">* Oracle signature verification, including discrete log =
contracts.</div><div class=3D"">* Amortized secure multiparty =
computations (see "Amortizing Secure Computation with Penalties" by =
Kumaresan and Bentov).</div><div class=3D"">* Transaction introspection =
including:<br class=3D""></div><div class=3D""><a =
class=3D"gmail_plusreply" =
id=3D"gmail-plusReplyChip-0">+</a> Simulated SIGHASH_ANYPREVOUT, =
which are necessarily chaperoned simply by the nature of the =
construction.<br class=3D""></div><div class=3D""><a =
class=3D"gmail_plusreply" id=3D"gmail-plusReplyChip-1">+</a> Decide if a =
transaction has exactly one input or not. (etc.)</div><div class=3D"">+ =
Weak covenants, which can verify output scripts to see if they are among =
a set of predefined values or verify the output hash.<br =
class=3D""></div><div class=3D""><br class=3D""></div><div class=3D"">and =
presumably more applications as well.<br class=3D""></div><div =
class=3D""><br class=3D""></div><div class=3D"">For better or for worse, =
without an OP_PUBKEYTWEEK operation available, the more interesting =
recursive-covenants remain largely out of reach, with the exception of a =
recursive covenant that is only able to send back to its own address, =
possibly abusing its own TXO value as a state variable.</div><div =
class=3D""><br class=3D""></div><div class=3D"">All this is accomplished =
by two straightforward opcodes whose semantics are pure computational =
operations on stack values. The only semantic side-effect is that =
OP_CHECKSIGFROMSTACKVERIFY would count towards the existing =
'sigops_passed' count. Moreover, I feel that adding these =
operations does not preclude adding more specialized opcodes in the =
future as an optimization for whatever popular constructions come up, =
once we know what those are.<br class=3D""></div><div class=3D""><br =
class=3D""></div><div class=3D"">I feel that this style of generic =
building blocks truly embodies what is meant by "programmable money".<br =
class=3D""></div></div></div></div></div></div>
_______________________________________________<br class=3D"">bitcoin-dev =
mailing list<br class=3D""><a =
href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" =
class=3D"">bitcoin-dev@lists.linuxfoundation.org</a><br =
class=3D"">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev<=
br class=3D""></div></blockquote></div><br class=3D""></body></html>=
--Apple-Mail=_15765CC3-F1E4-4D7C-9807-B3057F36F669--
--Apple-Mail=_33E73E44-2178-4D77-AA3A-F44A391DE819
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename=signature.asc
Content-Type: application/pgp-signature;
name=signature.asc
Content-Description: Message signed with OpenPGP
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEE6YNJViYMM6Iv5f9e9nKRxRdxORwFAl0CBcoACgkQ9nKRxRdx
ORxwSgf/TMM26xgNKdWdzeldeJnd2bVfrzrEFXar0RPLoB26gKR4VxzkiTRGZEYn
ZS+C0bEjZ5oz0YaIl5x1te9R5LjEnb6EvmJ/WNcpRH6d1RkrxXdM79VSDXkVmtxB
18mtXGtAAYNDkbBb2vUUUfW7LLAwYPayyAzKkQ3GAuNzUOrvDjPBHi908+o4wgPc
B8lJUSUalFQ0VK0Yagnc4dp46RsnWBPylMr8/vxwf8r19atHsQuBS3HApbbgdl/V
+M+Rfz8M5bb28AoAejy7vCL9G5CW+XUOiZTJsO8+VPCOGuz3MmkEON2RkbqytAyy
09VeTKM7XmULXBHPAca7lJ0F1D0+8w==
=448m
-----END PGP SIGNATURE-----
--Apple-Mail=_33E73E44-2178-4D77-AA3A-F44A391DE819--
|