From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1YkT5b-0008Sm-3q for bitcoin-development@lists.sourceforge.net; Tue, 21 Apr 2015 07:59:27 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of petertodd.org designates 62.13.149.58 as permitted sender) client-ip=62.13.149.58; envelope-from=pete@petertodd.org; helo=outmail149058.authsmtp.co.uk; Received: from outmail149058.authsmtp.co.uk ([62.13.149.58]) by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1YkT5Y-0007Le-VI for bitcoin-development@lists.sourceforge.net; Tue, 21 Apr 2015 07:59:27 +0000 Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235]) by punt16.authsmtp.com (8.14.2/8.14.2/) with ESMTP id t3L7xHPF017429; Tue, 21 Apr 2015 08:59:17 +0100 (BST) Received: from savin.petertodd.org (75-119-251-161.dsl.teksavvy.com [75.119.251.161]) (authenticated bits=128) by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id t3L7xDYX010068 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 21 Apr 2015 08:59:16 +0100 (BST) Date: Tue, 21 Apr 2015 03:59:12 -0400 From: Peter Todd To: Matt Corallo Message-ID: <20150421075912.GA25282@savin.petertodd.org> References: <20141001130826.GM28710@savin.petertodd.org> <55075795.20904@bluematt.me> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc" Content-Disposition: inline In-Reply-To: <55075795.20904@bluematt.me> User-Agent: Mutt/1.5.21 (2010-09-15) X-Server-Quench: 4ecde619-e7fc-11e4-b396-002590a15da7 X-AuthReport-Spam: If SPAM / abuse - report it at: http://www.authsmtp.com/abuse X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR aAdMdAMUGUUGAgsB AmMbW1xeVVR7WGU7 bA9PbARUfEhLXhtr VklWR1pVCwQmRR99 AVZqO3FydgVGfnY+ Z0RmWXkVWBEpIRN7 Q0dJQGpQNnphaTUb TRJbfgVJcANIexZF O1F6ACIKLwdSbGoL NQ4vNDcwO3BTJTpY RgYVKF8UXXNDJDM4 TgwDAzhnNm0obAYX CDcFFn85MXg8CGQc ABNhRlsDezQ2NjM8 V1lXBzdePFAFBkIA X-Authentic-SMTP: 61633532353630.1023:706 X-AuthFastPath: 0 (Was 255) X-AuthSMTP-Origin: 75.119.251.161/587 X-AuthVirus-Status: No virus detected - but ensure you scan with your own anti-virus system. X-Spam-Score: -1.5 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1YkT5Y-0007Le-VI Cc: bitcoin-development@lists.sourceforge.net Subject: Re: [Bitcoin-development] Relative CHECKLOCKTIMEVERIFY (was CLTV proposal) X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Apr 2015 07:59:27 -0000 --C7zPtVaVf+AK4Oqc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Mar 16, 2015 at 10:22:13PM +0000, Matt Corallo wrote: > In building some CLTV-based contracts, it is often also useful to have a > method of requiring, instead of locktime-is-at-least-N, > locktime-is-at-least-N-plus-the-height-of-my-input. ie you could imagine > an OP_RELATIVECHECKLOCKTIMEVERIFY that reads (does not pop) the top > stack element, adds the height of the output being spent and then has > identical semantics to CLTV. Depending on what you mean by "identical" this isn't actually reorg safe. For instance consider this implementation: nLockTime =3D stack[-1] + prevout.nHeight if (nLockTime > txTo.nLockTime): return False Used with this scriptPubKey: 10 RCLTV DROP CHECKSIG If I create that output in tx1 which is mined at height 42 I can spend it in a tx2 at height > 42+10 by setting tx2's nLockTime to >42+10, for instance 53. However if a reorg happens and tx1 ends up at height 43 after the reorg I'm stuck - tx2's nLockTime is set at 42. Thus RCTLV is only reorg safe if the height is compared against the actual block height of the block containing the spending transaction, not the spending transaction's nLockTime. > A slightly different API (and different name) was described by maaku at > http://www.reddit.com/r/Bitcoin/comments/2z2l91/time_to_lobby_bitcoins_co= re_devs_sf_bitcoin_devs/cpgc154 > which does a better job of saving softfork-available opcode space. >=20 > There are two major drawbacks to adding such an operation, however. >=20 > 1) More transaction information is exposed inside the script (prior to > CLTV we only had the sigchecking operation exposed, with a CLTV and > RCLTV/OP_CHECK_MATURITY_VERIFY we expose two more functions). >=20 > 2) Bitcoin Core's mempool invariant of "all transactions in the mempool > could be thrown into one overside block and aside from block size, it > would be valid" becomes harder to enforce. Currently, during reorgs, > coinbase spends need checked (specifically, anything spending THE > coinbase 100 blocks ago needs checked) and locktime transactions need > checked. With such a new operation, any script which used this new > opcode during its execution would need to be re-evaluated during reorgs. Yup, definitely kinda ugly. If the above style of RCTLV was used, one possibility might be to make the relative locktime difference be required to be at least 100 blocks, same as the coinbase maturity, and just accept that it's probably not going to cause any problems, but could in an extremely big reorg. But re-orgs that big might be big enough that we're screwed anyway... With the 100 block rule, during a sufficiently large reorg that coinbases become unavailble, simply disconnect entire blocks - all txouts created by them. > I think both of these requirements are reasonable and not particularly > cumbersome, and the value of such an operation is quite nice for some > protocols (including settings setting up a contest interval in a > sidechain data validation operation). So to be clear, right now the minimal interface to script execution is simply: int bitcoinconsensus_verify_script(const unsigned char *scriptPubKey, u= nsigned int scriptPubKeyLen, const unsigned char *txTo , u= nsigned int txToLen, unsigned int nIn, unsigned int flags= , bitcoinconsensus_error* err); Where scriptPubKey is derived from the unspent coin in the UTXO set and txTo is the transaction containing the script that is being executed. The UTXO set itself currently contains CCoins entries, one for each transaction with unspent outputs, which basically contain: nVersion - tx nVersion nHeight - Height of the block the transaction is contained in. vout - Unspent CTxOut's of the transaction. The block nTime isn't directly available through the UTXO set, although it can be found in the block headers. This does require nodes to have the block headers, but at 4MB/year growth it's reasonable to assume the UTXO set will grow faster. Script execution does not have direct access to the current block height/block time, however it does have indirect access via nLockTime. Thus we have a few possibilities: 1) RCLTV against nLockTime Needs a minimum age > COINBASE_MATURITY to be safe. 2) RCLTV against current block height/time Completely reorg safe. 3) GET_TXOUT_HEIGHT/TIME ADD CLTV To be reorg safe GET_TXOUT_HEIGHT/TIME must fail if minimum age < COINBASE_MATURITY. This can be implemented by comparing against nLockTime. All three possibilities require us to make information about the prevout's height/time available to VerifyScript(). The only question is if we want VerifyScript() to also take the current block height/time - I see no reason why it can't. As for the mempool, keeping track of what transactions made use of these opcodes so they can be reevaluated if their prevouts are re-organised seems fine to me. Absolute CLTV =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D If we are going to make the block height/time available to VerifyScript() to implement RCLTV, should absolute CLTV should continue to have the proposed behavior of checking against nLockTime? If we go with RCLTV against current block height/time, I'm going to vote no, because doing so needlessly limits it to only being able to compare against a block height or a block time in a single transaction. Similarly it can complicate multi-party signatures in some circumstances, as all parties must agree on a common nLockTime. Time-based locks =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Do we want to support them at all? May cause incentive issues with mining, see #bitcoin-wizards discussion, Jul 17th 2013: https://download.wpsoftware.net/bitcoin/wizards/2013/07/13-07-17.log --=20 'peter'[:-1]@petertodd.org 0000000000000000015e09479548c5b63b99a62d31b019e6479f195bf0cbd935 --C7zPtVaVf+AK4Oqc Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature -----BEGIN PGP SIGNATURE----- iQGrBAEBCACVBQJVNgNMXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw MDAwMDAwMDAwMDAwMDAwZjI3MTFlYWY4NjZjOTVlNzc1Yzg0NDEwNDY2NzIwY2Vh NGI1ZjY1MTYzYTdmODEvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0 ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfv+Fwf/ZB7Xw7GwCoM881lW4h1nQaVA QDxXe/cRte9PGF90nLKP/fHAcj4bNwK+Gn6KYWgnzK/2Dl7lOqFbODeGXaDEDPTl bFLKzFeSXweatLJSJn1OLlYgvHLWQNyRiZc6dQro6On6qfslGJb4sdxpb8LrU3ik dEshPwjRnGeqgEAkcCb3UcbV4LcGQFCGxhKFcJMhY/WrDOKlvl26eV39dmETm3pv 3IDj4XTH1410KpbvrHqaXevhvylSGS0/d54HH5jcyf1Jh7ECfHTU6RfE7fdVu75Z pgPp5Lv06xlKBBZtMxByEZiFhSiiT7hs1ePLa3Iudij06B3qvLR2LJ5QKxmiow== =e89O -----END PGP SIGNATURE----- --C7zPtVaVf+AK4Oqc--