* [bitcoin-dev] CTV Signet Parameters
@ 2022-02-17 21:58 Jeremy Rubin
2022-02-18 11:13 ` 0x0ff
2022-04-20 2:31 ` Anthony Towns
0 siblings, 2 replies; 16+ messages in thread
From: Jeremy Rubin @ 2022-02-17 21:58 UTC (permalink / raw)
To: Bitcoin development mailing list
[-- Attachment #1: Type: text/plain, Size: 1854 bytes --]
Hi devs,
I have been running a CTV signet for around a year and it's seen little
use. Early on I had some issues syncing new nodes, but I have verified
syncability to this signet using
https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-signet-23.0-alpha.
Please use this signet!
```
[signet]
signetchallenge=512102946e8ba8eca597194e7ed90377d9bbebc5d17a9609ab3e35e706612ee882759351ae
addnode=50.18.75.225
```
This should be operational. Let me know if there are any issues you
experience (likely with signet itself, but CTV too).
Feel free to also email me an address and I can send you some signet coins
-- if anyone is interested in running an automatic faucet I would love help
with that and will send you a lot of coins.
AJ Wrote (in another thread):
> I'd much rather see some real
> third-party experimentation *somewhere* public first, and Jeremy's CTV
> signet being completely empty seems like a bad sign to me. Maybe that
> means we should tentatively merge the feature and deploy it on the
> default global signet though? Not really sure how best to get more
> real world testing; but "deploy first, test later" doesn't sit right.
I agree that real experimentation would be great, and think that merging
the code (w/o activation) for signet would likely help users v.s. custom
builds/parameters.
I am unsure that "learning in public" is required -- personally I do
experiments on regtest regularly and on mainnet (using emulators) more
occasionally. I think some of the difficulty is that for setting up signet
stuff you need to wait e.g. 10 minutes for blocks and stuff, source faucet
coins, etc. V.s. regtest you can make tests that run automatically. Maybe
seeing more regtest RPC test samples for regtests would be a sufficient
in-between?
Best,
Jeremy
--
@JeremyRubin <https://twitter.com/JeremyRubin>
[-- Attachment #2: Type: text/html, Size: 4807 bytes --]
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-02-17 21:58 [bitcoin-dev] CTV Signet Parameters Jeremy Rubin @ 2022-02-18 11:13 ` 0x0ff 2022-02-22 3:19 ` Jeremy Rubin 2022-04-20 2:31 ` Anthony Towns 1 sibling, 1 reply; 16+ messages in thread From: 0x0ff @ 2022-02-18 11:13 UTC (permalink / raw) To: Jeremy Rubin, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2235 bytes --] Good day, I've setup the explorer for CTV Signet which is now up and running at [https://explorer.ctvsignet.com](https://explorer.ctvsignet.com/) Best, [@0x0ff](https://twitter.com/0x0ff_) ------- Original Message ------- On Thursday, February 17th, 2022 at 9:58 PM, Jeremy Rubin via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote: > Hi devs, > > I have been running a CTV signet for around a year and it's seen little use. Early on I had some issues syncing new nodes, but I have verified syncability to this signet using https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-signet-23.0-alpha. Please use this signet! > > ``` > [signet] > signetchallenge=512102946e8ba8eca597194e7ed90377d9bbebc5d17a9609ab3e35e706612ee882759351ae > addnode=50.18.75.225 > ``` > > This should be operational. Let me know if there are any issues you experience (likely with signet itself, but CTV too). > > Feel free to also email me an address and I can send you some signet coins -- if anyone is interested in running an automatic faucet I would love help with that and will send you a lot of coins. > > AJ Wrote (in another thread): > >> I'd much rather see some real> third-party experimentation *somewhere* public first, and Jeremy's CTV >> signet being completely empty seems like a bad sign to me. Maybe that >> means we should tentatively merge the feature and deploy it on the >> default global signet though? Not really sure how best to get more >> real world testing; but "deploy first, test later" doesn't sit right. > > I agree that real experimentation would be great, and think that merging the code (w/o activation) for signet would likely help users v.s. custom builds/parameters. > > I am unsure that "learning in public" is required -- personally I do experiments on regtest regularly and on mainnet (using emulators) more occasionally. I think some of the difficulty is that for setting up signet stuff you need to wait e.g. 10 minutes for blocks and stuff, source faucet coins, etc. V.s. regtest you can make tests that run automatically. Maybe seeing more regtest RPC test samples for regtests would be a sufficient in-between? > > Best, > > Jeremy > > -- > [@JeremyRubin](https://twitter.com/JeremyRubin) [-- Attachment #2: Type: text/html, Size: 8297 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-02-18 11:13 ` 0x0ff @ 2022-02-22 3:19 ` Jeremy Rubin 0 siblings, 0 replies; 16+ messages in thread From: Jeremy Rubin @ 2022-02-22 3:19 UTC (permalink / raw) To: 0x0ff; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 2457 bytes --] There's also now a faucet: https://faucet.ctvsignet.com thanks 0x0ff! -- @JeremyRubin <https://twitter.com/JeremyRubin> On Fri, Feb 18, 2022 at 3:13 AM 0x0ff <0x0ff@onsats.org> wrote: > Good day, > > I've setup the explorer for CTV Signet which is now up and running at > https://explorer.ctvsignet.com > > Best, > @0x0ff <https://twitter.com/0x0ff_> > > ------- Original Message ------- > On Thursday, February 17th, 2022 at 9:58 PM, Jeremy Rubin via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > > Hi devs, > > I have been running a CTV signet for around a year and it's seen little > use. Early on I had some issues syncing new nodes, but I have verified > syncability to this signet using > https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-signet-23.0-alpha. > Please use this signet! > > ``` > [signet] > > signetchallenge=512102946e8ba8eca597194e7ed90377d9bbebc5d17a9609ab3e35e706612ee882759351ae > addnode=50.18.75.225 > ``` > > This should be operational. Let me know if there are any issues you > experience (likely with signet itself, but CTV too). > > Feel free to also email me an address and I can send you some signet coins > -- if anyone is interested in running an automatic faucet I would love help > with that and will send you a lot of coins. > > AJ Wrote (in another thread): > > > I'd much rather see some real > > third-party experimentation *somewhere* public first, and Jeremy's CTV > > signet being completely empty seems like a bad sign to me. Maybe that > > means we should tentatively merge the feature and deploy it on the > > default global signet though? Not really sure how best to get more > > real world testing; but "deploy first, test later" doesn't sit right. > > I agree that real experimentation would be great, and think that merging > the code (w/o activation) for signet would likely help users v.s. custom > builds/parameters. > > I am unsure that "learning in public" is required -- personally I do > experiments on regtest regularly and on mainnet (using emulators) more > occasionally. I think some of the difficulty is that for setting up signet > stuff you need to wait e.g. 10 minutes for blocks and stuff, source faucet > coins, etc. V.s. regtest you can make tests that run automatically. Maybe > seeing more regtest RPC test samples for regtests would be a sufficient > in-between? > > > Best, > > Jeremy > > -- > @JeremyRubin <https://twitter.com/JeremyRubin> > > > [-- Attachment #2: Type: text/html, Size: 8531 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-02-17 21:58 [bitcoin-dev] CTV Signet Parameters Jeremy Rubin 2022-02-18 11:13 ` 0x0ff @ 2022-04-20 2:31 ` Anthony Towns 2022-04-20 17:05 ` Nadav Ivgi 2022-04-28 12:23 ` Jeremy Rubin 1 sibling, 2 replies; 16+ messages in thread From: Anthony Towns @ 2022-04-20 2:31 UTC (permalink / raw) To: Bitcoin Protocol Discussion On Thu, Feb 17, 2022 at 01:58:38PM -0800, Jeremy Rubin via bitcoin-dev wrote: > AJ Wrote (in another thread): > > I'd much rather see some real > > third-party experimentation *somewhere* public first, and Jeremy's CTV > > signet being completely empty seems like a bad sign to me. There's now been some 2,200 txs on CTV signet, of which (if I haven't missed anything) 317 have been CTV spends: - none have been bare CTV (ie, CTV in scriptPubKey directly, not via p2sh/p2wsh/taproot) - none have been via p2sh - 3 have been via taproot: https://explorer.ctvsignet.com/tx/f73f4671c6ee2bdc8da597f843b2291ca539722a168e8f6b68143b8c157bee20 https://explorer.ctvsignet.com/tx/7e4ade977db94117f2d7a71541d87724ccdad91fa710264206bb87ae1314c796 https://explorer.ctvsignet.com/tx/e05d828bf716effc65b00ae8b826213706c216b930aff194f1fb2fca045f7f11 The first two of these had alternative merkle paths, the last didn't. - 314 have been via p2wsh https://explorer.ctvsignet.com/tx/62292138c2f55713c3c161bd7ab36c7212362b648cf3f054315853a081f5808e (don't think there's any meaningfully different examples?) As far as I can see, all the scripts take the form: [PUSH 32 bytes] [OP_NOP4] [OP_DROP] [OP_1] (I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte hash on the stack evaluate as true? I guess that means everyone's using sapio to construct the txs?) I don't think there's any demos of jamesob's simple-ctv-vault [0], which I think uses a p2wsh of "IF n CSV DROP hotkey CHECKSIG ELSE lockcoldtx CTV ENDIF", rather than taproot branches. [0] https://github.com/jamesob/simple-ctv-vault Likewise I don't think there's any examples of "this CTV immediately; or if fees are too high, this other CTV that pays more fees after X days", though potentially they could be hidden in the untaken taproot merkle branches. I don't think there's any examples of two CTV outputs being combined and spent in a single transaction. I don't see any txs with nSequence set meaningfully; though most (all?) of the CTV spends seem to set nSequence to 0x00400000 which I think doesn't have a different effect from 0xfffffffe? That looks to me like there's still not much practical (vs theoretical) exploration of CTV going on; but perhaps it's an indication that CTV could be substantially simplified and still get all the benefits that people are particularly eager for. > I am unsure that "learning in public" is required -- For a consensus system, part of the learning is "this doesn't seem that interesting to me; is it actually valuable enough to others that the change is worth the risk it imposes on me?" and that's not something you can do purely in private. One challenge with building a soft fork is that people don't want to commit to spending time building something that relies on consensus features and run the risk that they might never get deployed. But the reverse of that is also a concern: you don't want to deploy consensus changes and run the risk that they won't actually turn out to be useful. Or, perhaps, to "meme-ify" it -- part of the "proof of work" for deploying a consensus change is actually proving that it's going to be useful. Like sha256 hashing, that does require real work, and it might turn out to be wasteful. Cheers, aj ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-20 2:31 ` Anthony Towns @ 2022-04-20 17:05 ` Nadav Ivgi 2022-04-21 2:36 ` Anthony Towns 2022-04-28 12:23 ` Jeremy Rubin 1 sibling, 1 reply; 16+ messages in thread From: Nadav Ivgi @ 2022-04-20 17:05 UTC (permalink / raw) To: Anthony Towns, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4110 bytes --] > I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte hash on the stack evaluate as true? Not with Taproot's CLEANSTACK rule. It can make sense to always use `DROP OP_1` even outside of Taproot, just to keep things consistent and to avoid potential errors when switching from non-Taproot to Taproot. FWIW that's what I found myself doing when playing with CTV in P2WSH On Wed, Apr 20, 2022 at 5:31 AM Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Thu, Feb 17, 2022 at 01:58:38PM -0800, Jeremy Rubin via bitcoin-dev > wrote: > > AJ Wrote (in another thread): > > > I'd much rather see some real > > > third-party experimentation *somewhere* public first, and Jeremy's > CTV > > > signet being completely empty seems like a bad sign to me. > > There's now been some 2,200 txs on CTV signet, of which (if I haven't > missed anything) 317 have been CTV spends: > > - none have been bare CTV (ie, CTV in scriptPubKey directly, not via > p2sh/p2wsh/taproot) > > - none have been via p2sh > > - 3 have been via taproot: > > https://explorer.ctvsignet.com/tx/f73f4671c6ee2bdc8da597f843b2291ca539722a168e8f6b68143b8c157bee20 > > https://explorer.ctvsignet.com/tx/7e4ade977db94117f2d7a71541d87724ccdad91fa710264206bb87ae1314c796 > > https://explorer.ctvsignet.com/tx/e05d828bf716effc65b00ae8b826213706c216b930aff194f1fb2fca045f7f11 > > The first two of these had alternative merkle paths, the last didn't. > > - 314 have been via p2wsh > > https://explorer.ctvsignet.com/tx/62292138c2f55713c3c161bd7ab36c7212362b648cf3f054315853a081f5808e > (don't think there's any meaningfully different examples?) > > As far as I can see, all the scripts take the form: > > [PUSH 32 bytes] [OP_NOP4] [OP_DROP] [OP_1] > > (I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte > hash on the stack evaluate as true? I guess that means everyone's using > sapio to construct the txs?) > > I don't think there's any demos of jamesob's simple-ctv-vault [0], which > I think uses a p2wsh of "IF n CSV DROP hotkey CHECKSIG ELSE lockcoldtx CTV > ENDIF", rather than taproot branches. > > [0] https://github.com/jamesob/simple-ctv-vault > > Likewise I don't think there's any examples of "this CTV immediately; > or if fees are too high, this other CTV that pays more fees after X > days", though potentially they could be hidden in the untaken taproot > merkle branches. > > I don't think there's any examples of two CTV outputs being combined > and spent in a single transaction. > > I don't see any txs with nSequence set meaningfully; though most (all?) > of the CTV spends seem to set nSequence to 0x00400000 which I think > doesn't have a different effect from 0xfffffffe? > > That looks to me like there's still not much practical (vs theoretical) > exploration of CTV going on; but perhaps it's an indication that CTV > could be substantially simplified and still get all the benefits that > people are particularly eager for. > > > I am unsure that "learning in public" is required -- > > For a consensus system, part of the learning is "this doesn't seem that > interesting to me; is it actually valuable enough to others that the > change is worth the risk it imposes on me?" and that's not something > you can do purely in private. > > One challenge with building a soft fork is that people don't want to > commit to spending time building something that relies on consensus > features and run the risk that they might never get deployed. But the > reverse of that is also a concern: you don't want to deploy consensus > changes and run the risk that they won't actually turn out to be useful. > > Or, perhaps, to "meme-ify" it -- part of the "proof of work" for deploying > a consensus change is actually proving that it's going to be useful. > Like sha256 hashing, that does require real work, and it might turn out > to be wasteful. > > Cheers, > aj > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 5805 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-20 17:05 ` Nadav Ivgi @ 2022-04-21 2:36 ` Anthony Towns 0 siblings, 0 replies; 16+ messages in thread From: Anthony Towns @ 2022-04-21 2:36 UTC (permalink / raw) To: Nadav Ivgi, Bitcoin Protocol Discussion On Wed, Apr 20, 2022 at 08:05:36PM +0300, Nadav Ivgi via bitcoin-dev wrote: > > I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte hash > on the stack evaluate as true? > Not with Taproot's CLEANSTACK rule. The CLEANSTACK rule is the same for segwit and tapscript though? For p2wsh/BIP 141 it's "The script must not fail, and result in exactly a single TRUE on the stack." and for tapscript/BIP 342, it's "If the execution results in anything but exactly one element on the stack which evaluates to true with CastToBool(), fail." CastToBool/TRUE is anything that's not false, false is zero (ie, any string of 0x00 bytes) or negative zero (a string of 0x00 bytes but with the high byte being 0x80). Taproot has the MINIMALIF rule that means you have to use exactly 1 or 0 as the input to IF, but I don't think that's relevant for CTV. Cheers, aj ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-20 2:31 ` Anthony Towns 2022-04-20 17:05 ` Nadav Ivgi @ 2022-04-28 12:23 ` Jeremy Rubin 1 sibling, 0 replies; 16+ messages in thread From: Jeremy Rubin @ 2022-04-28 12:23 UTC (permalink / raw) To: Anthony Towns; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 924 bytes --] Sorry I didn't see this snippet fully earlier, but I caught it in Optech (cc harding) > *(I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte* > *hash on the stack evaluate as true? I guess that means everyone's using**sapio to > construct the txs?)* Not quite: it would mean that everyone is using *sapio-miniscript**, *which may or may not be in Sapio, or they are using a different miniscript implementation that is compatible with sapio-miniscript's CTV fragment (which is sort of the most obvious way to implement it), or they are hand writing the script and are still using that fragment. E.g., you can see https://min.sc/nextc/#gist=001cf1fcb0e24ca9f3614c4db9bfe57d:2 or https://min.sc/nextc/#gist=001cf1fcb0e24ca9f3614c4db9bfe57d:0 both of these might "look" like sapio, but are built using minsc. The underlying point might still stand, but using miniscript seems different than using Sapio. [-- Attachment #2: Type: text/html, Size: 2632 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters @ 2022-04-20 17:13 Buck O Perley 2022-04-21 5:03 ` Anthony Towns 0 siblings, 1 reply; 16+ messages in thread From: Buck O Perley @ 2022-04-20 17:13 UTC (permalink / raw) To: bitcoin-dev [-- Attachment #1.1.1: Type: text/plain, Size: 10396 bytes --] Hi AJ, Long time listener first time caller here. All merits (or lack thereof depending on your view) of CTV aside, I find this topic around decision making both interesting and important. While I think I sympathize with the high level concern about making sure there are use cases, interest, and sufficient testing of a particular proposal before soft forking it into consensus code, it does feel like the attempt to attribute hard numbers in this way is somewhat arbitrary. For example, I think it could be reasonable to paint the list of examples you provided where CTV has been used on signet in a positive light. 317 CTV spends “out in the wild” before there’s a known activation date is quite a lot (more than taproot had afaik). If we don’t think it is enough, then what number of unique spends and use cases should we expect to see of a new proposal before it’s been sufficiently tested? Perhaps this is simply a case of the Justice Stewart view on pornography where “you know it when you see it”[1], but then if that’s the case than it really doesn’t seem productive to use these numbers to evaluate the readiness and eagerness to use CTV since they are effectively arbitrary and could be used to make the argument in either direction. So perhaps it just *felt* like there was more need and ready-to-use applications of taproot, and perhaps this feeling is broadly shared and that’s fine, and it doesn’t *feel* that way for CTV, but by the measures you laid out were there as many uses in the wild of taproot spends before it was brought to Speedy Trial? As far as I’m aware there seemed to be more broken [2], premature Taproot spends then actual practical uses of it on a test network before it was fully activated (I might be wrong about this though). Meanwhile the primary tooling necessary to really make it useful (PTLCs, Musig2, FROST) weren’t even fully specced out yet let alone actively being used on a test network and the list of proposed applications on the bitcoin wiki [3] (last updated April 2021) is similarly sparse and not quite up to the standards you’ve set for CTV to be the next soft fork (this is to say nothing of the fact that many prefer to develop, build, and test on regtest than signet at this stage). Maybe this is similarly an argument for Taproot being activated too early and that may be a fair argument (not one I share to be clear). If that’s the case, I think it’s reasonable to put all cards on the table and we should be explicit that Taproot activation was premature for [X] reasons, here’s the new standard we want to have new proposals hit (a signet, expected level of activity, etc.). Then whether it’s CTV or TLUV or ANYPREVOUT, that’s what we as a community, the developers maintaining the proposals, and the developers/companies that plan to build on top of the new proposal should strive to achieve. In absence of the above, the risk of a constantly moving bar means the possibility of either insufficiently reviewed proposals getting activated because we’re complacent and just placing trust in a small cadre of experts (nothing malicious in this, just seems worth avoiding) or personal and subjective reasoning allowing for premature ossification and blocking of upgrades that could otherwise be considered safe, useful, and perhaps even necessary on a long enough time horizon. There’s also the other risk which you point out: > One challenge with building a soft fork is that people don't want tocommit to spending time building something that relies on consensusfeatures and run the risk that they might never get deployed. But thereverse of that is also a concern: you don't want to deploy consensuschanges and run the risk that they won't actually turn out to be useful. Perhaps if we had clear metrics of what would make the work worth it, if we knew what we were working towards, we’d be more likely to get that proof of work. To use your meme, miners know precisely what they’re mining for and what a metric of success looks like which makes the risk/costs of attempting the PoW worth it (or conversely sometimes resulting the decision for miners to be decommissioned). In addition to the examples listed above, even Taproot which most agree had relatively broad consensus didn’t have much work happening on top of it until it was activated. Suredbits as far as I’m aware didn’t want to build DLCs on top of lightning until taproot AND PTLCs were in use (in contrast we already have a DLC implementation that uses CTV[4]). We also have new ideas that only started coming up after Taproot activation (TLUV and Taro for example), so there’s also the unknown of what we could have once it becomes clear that it’s worth devoting mental energy and financial resources towards research. One last wrinkle with regards to using countable metrics to determine a feature’s “worth” is that not all features are the same. Many of the use cases that people are excited to use CTV for ([5], [6]) are very long term in nature and targeted for long term store of value in contrast to medium of exchange. Metrics for measuring value of a store of value upgrade are fundamentally different than those measuring value of MoE. It’s like people pointing to transaction volume on other cryptocurrency systems to show that their chain is more valuable. You can build a CTV vault in signet, but you’ll only really see a lot of people using it when it’s to store real value on a time scale measured in decades not minutes or days like you might find for lightning testing and experimentation. This doesn’t make one more or less desirable or valuable imo, just that the evaluation metrics should be treated totally differently. Anyway, I guess that’s a (very) long way of saying, are these constructive ways to evaluate an upgrade and if they are can we maybe have an idea of what a success vs. a failure metric looks like (and in the interest of retrospection and iterative improvement, it would be useful to know if in retrospect Taproot didn’t reach these metrics and maybe was activated prematurely as a result). To put another way and leave CTV out of it completely, what should an outside, unbiased observer that doesn’t spend much time on Twitter expect to be able to see to evaluate the readiness or acceptability of ANYPREVOUT, TLUV, or any other possible future soft forks? If nothing else, nailing this down would seem to help make the lives of key bitcoin core maintainers much easier by removing politics from decisions that should otherwise be as technical in nature as possible. [1](http://cbldf.org/about-us/case-files/obscenity-case-files/obscenity-case-files-jacobellis-v-ohio-i-know-it-when-i-see-it/) [2](https://suredbits.com/taproot-funds-burned-on-the-bitcoin-blockchain/) [3](https://en.bitcoin.it/wiki/Taproot_Uses) [4](https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/derivatives/dlc.rs) [5](https://github.com/kanzure/python-vaults/blob/master/vaults/bip119_ctv.py) [6](https://github.com/jamesob/simple-ctv-vault) > On Thu, Feb 17, 2022 at 01:58:38PM -0800, Jeremy Rubin via bitcoin-dev wrote:AJ Wrote (in another thread): I'd much rather see some real third-party experimentation *somewhere* public first, and Jeremy's CTV signet being completely empty seems like a bad sign to me. > There's now been some 2,200 txs on CTV signet, of which (if I haven'tmissed anything) 317 have been CTV spends: > - none have been bare CTV (ie, CTV in scriptPubKey directly, not via p2sh/p2wsh/taproot) > - none have been via p2sh > - 3 have been via taproot: https://explorer.ctvsignet.com/tx/f73f4671c6ee2bdc8da597f843b2291ca539722a168e8f6b68143b8c157bee20 https://explorer.ctvsignet.com/tx/7e4ade977db94117f2d7a71541d87724ccdad91fa710264206bb87ae1314c796 https://explorer.ctvsignet.com/tx/e05d828bf716effc65b00ae8b826213706c216b930aff194f1fb2fca045f7f11 > The first two of these had alternative merkle paths, the last didn't. > - 314 have been via p2wsh https://explorer.ctvsignet.com/tx/62292138c2f55713c3c161bd7ab36c7212362b648cf3f054315853a081f5808e (don't think there's any meaningfully different examples?) > As far as I can see, all the scripts take the form: > [PUSH 32 bytes] [OP_NOP4] [OP_DROP] [OP_1] > (I didn't think DROP/1 is necessary here? Doesn't leaving the 32 bytehash on the stack evaluate as true? I guess that means everyone's usingsapio to construct the txs?) > I don't think there's any demos of jamesob's simple-ctv-vault [0], whichI think uses a p2wsh of "IF n CSV DROP hotkey CHECKSIG ELSE lockcoldtx CTVENDIF", rather than taproot branches. > [0] https://github.com/jamesob/simple-ctv-vault > Likewise I don't think there's any examples of "this CTV immediately;or if fees are too high, this other CTV that pays more fees after Xdays", though potentially they could be hidden in the untaken taprootmerkle branches. > I don't think there's any examples of two CTV outputs being combinedand spent in a single transaction. > I don't see any txs with nSequence set meaningfully; though most (all?)of the CTV spends seem to set nSequence to 0x00400000 which I thinkdoesn't have a different effect from 0xfffffffe? > That looks to me like there's still not much practical (vs theoretical)exploration of CTV going on; but perhaps it's an indication that CTVcould be substantially simplified and still get all the benefits thatpeople are particularly eager for. > I am unsure that "learning in public" is required -- > For a consensus system, part of the learning is "this doesn't seem thatinteresting to me; is it actually valuable enough to others that thechange is worth the risk it imposes on me?" and that's not somethingyou can do purely in private. > One challenge with building a soft fork is that people don't want tocommit to spending time building something that relies on consensusfeatures and run the risk that they might never get deployed. But thereverse of that is also a concern: you don't want to deploy consensuschanges and run the risk that they won't actually turn out to be useful. > Or, perhaps, to "meme-ify" it -- part of the "proof of work" for deployinga consensus change is actually proving that it's going to be useful.Like sha256 hashing, that does require real work, and it might turn outto be wasteful. > Cheers, [-- Attachment #1.1.2.1: Type: text/html, Size: 22450 bytes --] [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 249 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-20 17:13 Buck O Perley @ 2022-04-21 5:03 ` Anthony Towns 2022-04-21 6:16 ` Jeremy Rubin 2022-04-21 13:22 ` Russell O'Connor 0 siblings, 2 replies; 16+ messages in thread From: Anthony Towns @ 2022-04-21 5:03 UTC (permalink / raw) To: Buck O Perley, Bitcoin Protocol Discussion On Wed, Apr 20, 2022 at 05:13:19PM +0000, Buck O Perley via bitcoin-dev wrote: > All merits (or lack thereof depending on your view) of CTV aside, I find this topic around decision making both interesting and important. While I think I sympathize with the high level concern about making sure there are use cases, interest, and sufficient testing of a particular proposal before soft forking it into consensus code, it does feel like the attempt to attribute hard numbers in this way is somewhat arbitrary. Sure. I included the numbers for falsifiability mostly -- so people could easily check if my analysis was way off the mark. > For example, I think it could be reasonable to paint the list of examples you provided where CTV has been used on signet in a positive light. 317 CTV spends “out in the wild” before there’s a known activation date is quite a lot Not really? Once you can make one transaction, it's trivial to make hundreds. It's more interesting to see if there's multiple wallets or similar that support it; or if one wallet has a particularly compelling use case. > (more than taproot had afaik). Yes; as I've said a few times now, I think we should have had more real life demos before locking taproot's activation in. I think that would have helped avoid bugs like Neutrino's [0] and made it easier for hardware wallets etc to have support for taproot as soon as it was active, without having to rush around adding library support at the last minute. [0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-November/019589.html Lightning's "two independent implementations" rule might be worth aspiring too, eg. > If we don’t think it is enough, then what number of unique spends and use cases should we expect to see of a new proposal before it’s been sufficiently tested? I don't really think that's the metric. I'd go for something more like: 1a) can you make transactions using the new feature with bitcoin-cli, eg createrawtransaction etc? 1b) can you make transactions using the new feature with some other library? 1c) can you make transactions using the new feature with most common libraries? 2) has anyone done a usable prototype of the major use cases of the new feature? I think the answers for CTV are: 1a) no 1b) yes, core's python test suite, sapio 1c) no 2) no Though presumably jamesob's simple ctv vault is close to being an answer for (2)? For taproot, we had, 1a) yes, with difficulty [1] 1b) yes, core's python test suite; kalle's btcdeb sometimes worked too 1c) no 2) optech's python notebook [2] from it's taproot workshops had demos for musig and degrading multisig via multiple merkle paths, though I think they were out of date with the taproot spec for a while [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019543.html [2] https://github.com/bitcoinops/taproot-workshop/ To some extent those things are really proxies for: 3) how well do people actually understand the feature? 4) are we sure the tradeoffs being made in this implementation of the feature, vs other implementations or other features actually make sense? 5) how useful is the feature? I think we were pretty confident in the answers for those questions for taproot. At least personally, I'm still not super confident in the answers for CTV. In particular: - is there really any benefit to doing it as a NOP vs a taproot-only opcode like TXHASH? Theoretically, sure, that saves some bytes; but as was pointed out on #bitcoin-wizards the other day, you can't express those outputs as an address, which makes them not very interoperable, and if they're not interoperable between, say, an exchange and its users trying to do a withdraw, how useful is that really ever going to be? - the scriptSig commitments seems very kludgy; combining multiple inputs likewise seems kludgy The continual push to rush activation of it certainly doesn't increase my confidence either. Personally, I suspect it's counterproductive; better to spend the time answering questions and improving the proposal, rather than spending time going around in circles about activating something people aren't (essentially) unanimously confident about. > In absence of the above, the risk of a constantly moving bar I'd argue the bar *should* be constantly moving, in the sense that we should keep raising it. > To use your meme, miners know precisely what they’re mining for and what a metric of success looks like which makes the risk/costs of attempting the PoW worth it The difference between mining and R&D is variance: if you're competing for 50k blocks a year, you can get your actual returns to closely match your expected return, especially if you pool with others so your probability of success isn't miniscule -- for consensus dev, you can reasonably only work on a couple of projects a year, so your median return is likely $0, rather than a close match to your average/expected return. > We also have new ideas that only started coming up after Taproot activation (TLUV and Taro for example), so there’s also the unknown of what we could have once it becomes clear that it’s worth devoting mental energy and financial resources towards research. TLUV was an offshoot of SCRIPTREPLACE which was public (though not really published) since 2019. > One last wrinkle with regards to using countable metrics to determine a feature’s “worth” is that not all features are the same. Many of the use cases that people are excited to use CTV for ([5], [6]) are very long term in nature and targeted for long term store of value in contrast to medium of exchange. I mean, if those use cases are so exciting, it really doesn't seem much to ask to see them demoed live on the CTV signet that already exists? > You can build a CTV vault in signet, but you’ll only really see a lot of people using it when it’s to store real value on a time scale measured in decades not minutes or days On the other hand, if the value is really "very long term" and there's no rush to implement these features and demo them ASAP, then it doesn't seem like there should be a rush to adapt consensus to these use cases either. Why not wait until someone does have time to finish sketching out the use case so they can demo them in public? > To put another way and leave CTV out of it completely, what should an outside, unbiased observer that doesn’t spend much time on Twitter expect to be able to see to evaluate the readiness or acceptability of ANYPREVOUT, TLUV, For ANYPREVOUT, I would like to see a toy implementation of eltoo using it, that can handle fees and layered transactions (or has a good argument why layered transactions aren't necessary). It's going to take a while even to update LN to taproot and PTLCs though, so eltoo doesn't seem like it's on the immediate horizon. Besides eltoo, I don't think ANYPREVOUT is an optimal design for covenants, so if that was the motivation and not eltoo, maybe some other approach would be better. TLUV's design parameters don't really seem optimal (the mess with x-only pubkeys, alternatives like OP_EVICT), so I think it's still on the whiteboard. Cheers, aj ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-21 5:03 ` Anthony Towns @ 2022-04-21 6:16 ` Jeremy Rubin 2022-04-21 6:25 ` Jeremy Rubin 2022-04-21 13:22 ` Russell O'Connor 1 sibling, 1 reply; 16+ messages in thread From: Jeremy Rubin @ 2022-04-21 6:16 UTC (permalink / raw) To: Anthony Towns, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 12010 bytes --] Probably merits a more thorough response, but, I wanted to respond on the framework above: 1a) can you make transactions using the new feature with bitcoin-cli, eg createrawtransaction etc? (*YES)* since ~Feb 2020, this has existed: https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-feb1-workshop CTV hasn't changed so this code should work un-rebased. The transaction outputs may need to be manually submitted to the network, but the covenant is enforced. This covers congestion control and vaults. 1b) can you make transactions using the new feature with some other library? *(YES)* Sapio, Test Framework, also https://min.sc/nextc/ produced independently by Shesek 1c) can you make transactions using the new feature with most common libraries? *(YES, kinda)* Yes, https://crates.io/crates/sapio-miniscript and https://crates.io/crates/sapio-bitcoin have been maintained for about 1 year, and are now taproot compatible. Sapio's use of these libraries has even helped find bugs in the release process of Taproot for rust-bitcoin. kinda: It's not _most_ common libraries, it's _a_ common library. it's also not upstreamed, because the patches would not be accepted were it to be. 2) has anyone done a usable prototype of the major use cases of the new feature?* (YES)* In addition to https://github.com/jamesob/simple-ctv-vault, there is also https://github.com/kanzure/python-vaults, although it has an interesting bug. There's also a myriad of uses shown in https://github.com/sapio-lang/sapio/tree/master/sapio-contrib/src/contracts and in https://github.com/sapio-lang/sapio/tree/master/plugin-example. While these aren't quite "usable" as an end-to-end application, e.g., something you'd want to put real money on, they are a part of a *massive* infrastructure investment in general purpose smart contract tooling for covenant design with CTV. That CTV can be targeted with a compiler to generate a wide variety of composable use cases *is* one of the use cases for CTV, since it enables people to design many different types of thing relatively easily. That is a feature of CTV! It's not just for one use case. The suite of Sapio apps are less "production ready" than they could be for a few reasons: 1) I've been working hard at pushing the limits of what is possible & the theory of it v.s. making it production ready 2) I prioritized supporting Taproot v.s. legacy script, and much of the taproot tooling isn't production ready 3) Sapio is really ambitious undertaking, and it will take time to make it production That said, https://rubin.io/bitcoin/2022/03/22/sapio-studio-btc-dev-mtg-6/ tutorial was completed by people who weren't me, and at the pleb.fi/miami2022 one of the projects was able to use sapio congestion control transactions as well, so it does "work". As it matures, we'll get a number of implemented use cases people have been excited about like DLCs, which are implemented here https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/derivatives/dlc.rs. You can see the test case shows how to construct one. Why did I not focus on production grade? Well, production grade can always happen later, and I don't think it takes as much imagination. But the main critique I'd heard of CTV was that no one could see it being used for anything but one or two use cases. So I built Sapio, in part, to show how CTV could be used for an incredibly wide and diverse set of applications, as opposed to the polish on them. If I knew the bar to surpass was to be polish, I probably could have taken a less ambitious approach with Sapio and shown like 1-2 applications working end-to-end. But because the main feedback I got was that CTV wasn't powerful enough, I opted to build a very general framework for covenants and demonstrate how CTV fits that. -- @JeremyRubin <https://twitter.com/JeremyRubin> On Thu, Apr 21, 2022 at 12:05 AM Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Wed, Apr 20, 2022 at 05:13:19PM +0000, Buck O Perley via bitcoin-dev > wrote: > > All merits (or lack thereof depending on your view) of CTV aside, I find > this topic around decision making both interesting and important. While I > think I sympathize with the high level concern about making sure there are > use cases, interest, and sufficient testing of a particular proposal before > soft forking it into consensus code, it does feel like the attempt to > attribute hard numbers in this way is somewhat arbitrary. > > Sure. I included the numbers for falsifiability mostly -- so people > could easily check if my analysis was way off the mark. > > > For example, I think it could be reasonable to paint the list of > examples you provided where CTV has been used on signet in a positive > light. 317 CTV spends “out in the wild” before there’s a known activation > date is quite a lot > > Not really? Once you can make one transaction, it's trivial to make > hundreds. It's more interesting to see if there's multiple wallets or > similar that support it; or if one wallet has a particularly compelling > use case. > > > (more than taproot had afaik). > > Yes; as I've said a few times now, I think we should have had more > real life demos before locking taproot's activation in. I think that > would have helped avoid bugs like Neutrino's [0] and made it easier for > hardware wallets etc to have support for taproot as soon as it was active, > without having to rush around adding library support at the last minute. > > [0] > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-November/019589.html > > Lightning's "two independent implementations" rule might be worth aspiring > too, eg. > > > If we don’t think it is enough, then what number of unique spends and > use cases should we expect to see of a new proposal before it’s been > sufficiently tested? > > I don't really think that's the metric. I'd go for something more like: > > 1a) can you make transactions using the new feature with bitcoin-cli, > eg createrawtransaction etc? > 1b) can you make transactions using the new feature with some other > library? > 1c) can you make transactions using the new feature with most common > libraries? > > 2) has anyone done a usable prototype of the major use cases of the new > feature? > > I think the answers for CTV are: > > 1a) no > 1b) yes, core's python test suite, sapio > 1c) no > 2) no > > Though presumably jamesob's simple ctv vault is close to being an answer > for (2)? > > For taproot, we had, > > 1a) yes, with difficulty [1] > 1b) yes, core's python test suite; kalle's btcdeb sometimes worked too > 1c) no > 2) optech's python notebook [2] from it's taproot workshops had demos for > musig and degrading multisig via multiple merkle paths, though I > think they were out of date with the taproot spec for a while > > [1] > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019543.html > [2] https://github.com/bitcoinops/taproot-workshop/ > > To some extent those things are really proxies for: > > 3) how well do people actually understand the feature? > > 4) are we sure the tradeoffs being made in this implementation of the > feature, vs other implementations or other features actually make > sense? > > 5) how useful is the feature? > > I think we were pretty confident in the answers for those questions > for taproot. At least personally, I'm still not super confident in > the answers for CTV. In particular: > > - is there really any benefit to doing it as a NOP vs a taproot-only > opcode like TXHASH? Theoretically, sure, that saves some bytes; but as > was pointed out on #bitcoin-wizards the other day, you can't express > those outputs as an address, which makes them not very interoperable, > and if they're not interoperable between, say, an exchange and its > users trying to do a withdraw, how useful is that really ever going > to be? > > - the scriptSig commitments seems very kludgy; combining multiple > inputs likewise seems kludgy > > The continual push to rush activation of it certainly doesn't increase my > confidence either. Personally, I suspect it's counterproductive; better > to spend the time answering questions and improving the proposal, rather > than spending time going around in circles about activating something > people aren't (essentially) unanimously confident about. > > > In absence of the above, the risk of a constantly moving bar > > I'd argue the bar *should* be constantly moving, in the sense that we > should keep raising it. > > > To use your meme, miners know precisely what they’re mining for and what > a metric of success looks like which makes the risk/costs of attempting the > PoW worth it > > The difference between mining and R&D is variance: if you're competing for > 50k blocks a year, you can get your actual returns to closely match your > expected return, especially if you pool with others so your probability > of success isn't miniscule -- for consensus dev, you can reasonably only > work on a couple of projects a year, so your median return is likely $0, > rather than a close match to your average/expected return. > > > We also have new ideas that only started coming up after Taproot > activation (TLUV and Taro for example), so there’s also the unknown of what > we could have once it becomes clear that it’s worth devoting mental energy > and financial resources towards research. > > TLUV was an offshoot of SCRIPTREPLACE which was public (though not > really published) since 2019. > > > One last wrinkle with regards to using countable metrics to determine a > feature’s “worth” is that not all features are the same. Many of the use > cases that people are excited to use CTV for ([5], [6]) are very long term > in nature and targeted for long term store of value in contrast to medium > of exchange. > > I mean, if those use cases are so exciting, it really doesn't seem much > to ask to see them demoed live on the CTV signet that already exists? > > > You can build a CTV vault in signet, but you’ll only really see a lot of > people using it when it’s to store real value on a time scale measured in > decades not minutes or days > > On the other hand, if the value is really "very long term" and there's no > rush to implement these features and demo them ASAP, then it doesn't seem > like there should be a rush to adapt consensus to these use cases either. > Why not wait until someone does have time to finish sketching out the > use case so they can demo them in public? > > > To put another way and leave CTV out of it completely, what should an > outside, unbiased observer that doesn’t spend much time on Twitter expect > to be able to see to evaluate the readiness or acceptability of ANYPREVOUT, > TLUV, > > For ANYPREVOUT, I would like to see a toy implementation of eltoo using > it, that can handle fees and layered transactions (or has a good argument > why layered transactions aren't necessary). It's going to take a while > even to update LN to taproot and PTLCs though, so eltoo doesn't seem like > it's on the immediate horizon. Besides eltoo, I don't think ANYPREVOUT > is an optimal design for covenants, so if that was the motivation and > not eltoo, maybe some other approach would be better. > > TLUV's design parameters don't really seem optimal (the mess with x-only > pubkeys, alternatives like OP_EVICT), so I think it's still on the > whiteboard. > > Cheers, > aj > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 18994 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-21 6:16 ` Jeremy Rubin @ 2022-04-21 6:25 ` Jeremy Rubin 0 siblings, 0 replies; 16+ messages in thread From: Jeremy Rubin @ 2022-04-21 6:25 UTC (permalink / raw) To: Anthony Towns, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 12852 bytes --] Missed one for part 2: Shesek's social recovery wallet using CTV to enforce timelocks without expiry, using his Minsc toolchain: https://twitter.com/shesek/status/1511619296367153153 https://docs.google.com/presentation/d/1B59CdMIXW-wSW6CaLSgo7y4kvgrEwVgfY14IW2XV_MA/edit#slide=id.g1235f9ffb79_0_81 https://github.com/shesek/plebfi2022-social-recovery -- @JeremyRubin <https://twitter.com/JeremyRubin> On Thu, Apr 21, 2022 at 1:16 AM Jeremy Rubin <jeremy.l.rubin@gmail.com> wrote: > Probably merits a more thorough response, but, I wanted to respond on the > framework above: > > > 1a) can you make transactions using the new feature with bitcoin-cli, > eg createrawtransaction etc? (*YES)* > > since ~Feb 2020, this has existed: > https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-feb1-workshop > > CTV hasn't changed so this code should work un-rebased. The transaction > outputs may need to be manually submitted to the network, but the covenant > is enforced. This covers congestion control and vaults. > > > 1b) can you make transactions using the new feature with some other > library? *(YES)* > Sapio, Test Framework, also https://min.sc/nextc/ produced independently > by Shesek > > 1c) can you make transactions using the new feature with most common > libraries? *(YES, kinda)* > > Yes, https://crates.io/crates/sapio-miniscript and > https://crates.io/crates/sapio-bitcoin have been maintained for about 1 > year, and are now taproot compatible. > > Sapio's use of these libraries has even helped find bugs in the release > process of Taproot for rust-bitcoin. > > kinda: It's not _most_ common libraries, it's _a_ common library. it's > also not upstreamed, because the patches would not be accepted were it to > be. > > 2) has anyone done a usable prototype of the major use cases of the new > feature?* (YES)* > > In addition to https://github.com/jamesob/simple-ctv-vault, there is also > https://github.com/kanzure/python-vaults, although it has an interesting > bug. > > There's also a myriad of uses shown in > https://github.com/sapio-lang/sapio/tree/master/sapio-contrib/src/contracts > and in https://github.com/sapio-lang/sapio/tree/master/plugin-example. > While these aren't quite "usable" as an end-to-end application, e.g., > something you'd want to put real money on, they are a part of a *massive* > infrastructure investment in general purpose smart contract tooling for > covenant design with CTV. That CTV can be targeted with a compiler to > generate a wide variety of composable use cases *is* one of the use cases > for CTV, since it enables people to design many different types of thing > relatively easily. That is a feature of CTV! It's not just for one use case. > > The suite of Sapio apps are less "production ready" than they could be for > a few reasons: > > 1) I've been working hard at pushing the limits of what is possible & the > theory of it v.s. making it production ready > 2) I prioritized supporting Taproot v.s. legacy script, and much of the > taproot tooling isn't production ready > 3) Sapio is really ambitious undertaking, and it will take time to make it > production > > That said, https://rubin.io/bitcoin/2022/03/22/sapio-studio-btc-dev-mtg-6/ > tutorial was completed by people who weren't me, and at the > pleb.fi/miami2022 one of the projects was able to use sapio congestion > control transactions as well, so it does "work". As it matures, we'll get a > number of implemented use cases people have been excited about like DLCs, > which are implemented here > https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/derivatives/dlc.rs. > You can see the test case shows how to construct one. > > Why did I not focus on production grade? Well, production grade can always > happen later, and I don't think it takes as much imagination. But the main > critique I'd heard of CTV was that no one could see it being used for > anything but one or two use cases. So I built Sapio, in part, to show how > CTV could be used for an incredibly wide and diverse set of applications, > as opposed to the polish on them. > > If I knew the bar to surpass was to be polish, I probably could have taken > a less ambitious approach with Sapio and shown like 1-2 applications > working end-to-end. But because the main feedback I got was that CTV wasn't > powerful enough, I opted to build a very general framework for covenants > and demonstrate how CTV fits that. > > > > > > -- > @JeremyRubin <https://twitter.com/JeremyRubin> > > On Thu, Apr 21, 2022 at 12:05 AM Anthony Towns via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> On Wed, Apr 20, 2022 at 05:13:19PM +0000, Buck O Perley via bitcoin-dev >> wrote: >> > All merits (or lack thereof depending on your view) of CTV aside, I >> find this topic around decision making both interesting and important. >> While I think I sympathize with the high level concern about making sure >> there are use cases, interest, and sufficient testing of a particular >> proposal before soft forking it into consensus code, it does feel like the >> attempt to attribute hard numbers in this way is somewhat arbitrary. >> >> Sure. I included the numbers for falsifiability mostly -- so people >> could easily check if my analysis was way off the mark. >> >> > For example, I think it could be reasonable to paint the list of >> examples you provided where CTV has been used on signet in a positive >> light. 317 CTV spends “out in the wild” before there’s a known activation >> date is quite a lot >> >> Not really? Once you can make one transaction, it's trivial to make >> hundreds. It's more interesting to see if there's multiple wallets or >> similar that support it; or if one wallet has a particularly compelling >> use case. >> >> > (more than taproot had afaik). >> >> Yes; as I've said a few times now, I think we should have had more >> real life demos before locking taproot's activation in. I think that >> would have helped avoid bugs like Neutrino's [0] and made it easier for >> hardware wallets etc to have support for taproot as soon as it was active, >> without having to rush around adding library support at the last minute. >> >> [0] >> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-November/019589.html >> >> Lightning's "two independent implementations" rule might be worth aspiring >> too, eg. >> >> > If we don’t think it is enough, then what number of unique spends and >> use cases should we expect to see of a new proposal before it’s been >> sufficiently tested? >> >> I don't really think that's the metric. I'd go for something more like: >> >> 1a) can you make transactions using the new feature with bitcoin-cli, >> eg createrawtransaction etc? >> 1b) can you make transactions using the new feature with some other >> library? >> 1c) can you make transactions using the new feature with most common >> libraries? >> >> 2) has anyone done a usable prototype of the major use cases of the new >> feature? >> >> I think the answers for CTV are: >> >> 1a) no >> 1b) yes, core's python test suite, sapio >> 1c) no >> 2) no >> >> Though presumably jamesob's simple ctv vault is close to being an answer >> for (2)? >> >> For taproot, we had, >> >> 1a) yes, with difficulty [1] >> 1b) yes, core's python test suite; kalle's btcdeb sometimes worked too >> 1c) no >> 2) optech's python notebook [2] from it's taproot workshops had demos for >> musig and degrading multisig via multiple merkle paths, though I >> think they were out of date with the taproot spec for a while >> >> [1] >> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019543.html >> [2] https://github.com/bitcoinops/taproot-workshop/ >> >> To some extent those things are really proxies for: >> >> 3) how well do people actually understand the feature? >> >> 4) are we sure the tradeoffs being made in this implementation of the >> feature, vs other implementations or other features actually make >> sense? >> >> 5) how useful is the feature? >> >> I think we were pretty confident in the answers for those questions >> for taproot. At least personally, I'm still not super confident in >> the answers for CTV. In particular: >> >> - is there really any benefit to doing it as a NOP vs a taproot-only >> opcode like TXHASH? Theoretically, sure, that saves some bytes; but as >> was pointed out on #bitcoin-wizards the other day, you can't express >> those outputs as an address, which makes them not very interoperable, >> and if they're not interoperable between, say, an exchange and its >> users trying to do a withdraw, how useful is that really ever going >> to be? >> >> - the scriptSig commitments seems very kludgy; combining multiple >> inputs likewise seems kludgy >> >> The continual push to rush activation of it certainly doesn't increase my >> confidence either. Personally, I suspect it's counterproductive; better >> to spend the time answering questions and improving the proposal, rather >> than spending time going around in circles about activating something >> people aren't (essentially) unanimously confident about. >> >> > In absence of the above, the risk of a constantly moving bar >> >> I'd argue the bar *should* be constantly moving, in the sense that we >> should keep raising it. >> >> > To use your meme, miners know precisely what they’re mining for and >> what a metric of success looks like which makes the risk/costs of >> attempting the PoW worth it >> >> The difference between mining and R&D is variance: if you're competing for >> 50k blocks a year, you can get your actual returns to closely match your >> expected return, especially if you pool with others so your probability >> of success isn't miniscule -- for consensus dev, you can reasonably only >> work on a couple of projects a year, so your median return is likely $0, >> rather than a close match to your average/expected return. >> >> > We also have new ideas that only started coming up after Taproot >> activation (TLUV and Taro for example), so there’s also the unknown of what >> we could have once it becomes clear that it’s worth devoting mental energy >> and financial resources towards research. >> >> TLUV was an offshoot of SCRIPTREPLACE which was public (though not >> really published) since 2019. >> >> > One last wrinkle with regards to using countable metrics to determine a >> feature’s “worth” is that not all features are the same. Many of the use >> cases that people are excited to use CTV for ([5], [6]) are very long term >> in nature and targeted for long term store of value in contrast to medium >> of exchange. >> >> I mean, if those use cases are so exciting, it really doesn't seem much >> to ask to see them demoed live on the CTV signet that already exists? >> >> > You can build a CTV vault in signet, but you’ll only really see a lot >> of people using it when it’s to store real value on a time scale measured >> in decades not minutes or days >> >> On the other hand, if the value is really "very long term" and there's no >> rush to implement these features and demo them ASAP, then it doesn't seem >> like there should be a rush to adapt consensus to these use cases either. >> Why not wait until someone does have time to finish sketching out the >> use case so they can demo them in public? >> >> > To put another way and leave CTV out of it completely, what should an >> outside, unbiased observer that doesn’t spend much time on Twitter expect >> to be able to see to evaluate the readiness or acceptability of ANYPREVOUT, >> TLUV, >> >> For ANYPREVOUT, I would like to see a toy implementation of eltoo using >> it, that can handle fees and layered transactions (or has a good argument >> why layered transactions aren't necessary). It's going to take a while >> even to update LN to taproot and PTLCs though, so eltoo doesn't seem like >> it's on the immediate horizon. Besides eltoo, I don't think ANYPREVOUT >> is an optimal design for covenants, so if that was the motivation and >> not eltoo, maybe some other approach would be better. >> >> TLUV's design parameters don't really seem optimal (the mess with x-only >> pubkeys, alternatives like OP_EVICT), so I think it's still on the >> whiteboard. >> >> Cheers, >> aj >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > [-- Attachment #2: Type: text/html, Size: 20998 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-21 5:03 ` Anthony Towns 2022-04-21 6:16 ` Jeremy Rubin @ 2022-04-21 13:22 ` Russell O'Connor 2022-04-21 15:05 ` Jeremy Rubin 1 sibling, 1 reply; 16+ messages in thread From: Russell O'Connor @ 2022-04-21 13:22 UTC (permalink / raw) To: Anthony Towns, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4340 bytes --] On Thu, Apr 21, 2022 at 1:04 AM Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > > - is there really any benefit to doing it as a NOP vs a taproot-only > opcode like TXHASH? Theoretically, sure, that saves some bytes; but as > was pointed out on #bitcoin-wizards the other day, you can't express > those outputs as an address, which makes them not very interoperable, > and if they're not interoperable between, say, an exchange and its > users trying to do a withdraw, how useful is that really ever going > to be? > FWIW, this is also approximately where my sticking point lies with BIP-119. Overall I've come around to the idea of something like CTV. The ability to construct "smart contracts" that commit to *multiple* possible payout schemes based on some conditions seems like a very useful construct, and there have been several examples of schemes proposed that use this feature. However, I'm still skeptical of the bare-CTV part of BIP-119 (and I'm told that bare-CTV hasn't even appeared on the CTV signet). Unlike the general smart-contracting case, bare-CTV does not have any branches. All it can do is commit to a subsequent transaction's outputs. At first glance this appears to be a waste because, for less bandwidth, that transaction could just realize those outputs immediately, so why would anyone want to delay the inevitable? One reason might be that you want to commit to the output early during a high-fee time, and then complete the transaction later during a low-fee time. While there are fee-rate situations where this could result in lower fees than committing to the outputs all at once, it would be even cheaper still to just wait to do the payout at the low-fee time. I'm struggling to understand the advantages of the advanced commitment, along with all the overhead that entails. Doesn't it just cause more blockspace to be used overall? There are some other proposed use cases for bare-CTV. A bare-CTV can be used to delay a "trigger"-transaction. Some contracts, such as vaults, use a relative-locktime as part of their construction and it could make sense to make an output commitment but not realize those outputs yet until you are ready to start your relative-time lock clock. But bare-CTV doesn't support any co-signing ability here, so you are relying entirely on keeping the transaction data secret to prevent a third-party from triggering your relative-lock clock. More specifically for a vault scheme, since bare-CTV's are currently unaddressable, and AFAIK, there is no address format proposal yet, it is impossible to receive funds directly into a vault. You must shuffle received funds into your vault yourself, which seems very likely to negate the cost savings of using bare-CTV in the first place (please correct me if I'm wrong). Better to receive funds directly into a taproot-CTV vault, which has an address, and while you are at it, you could place the cold-key as the taproot key to save even more when using the cold-key to move vault funds. There might be even more exotic use cases of bare-CTV. For example you could commit to a transaction that has a second input that doesn't yet exist in the UTXO set in an attempt to coax it into existence. I don't know if there have been any proposals to take advantage of this. With that said, everything that bare-CTV can do, can also be done by tapscript-CTV; so it is just a matter of cost. I'm struggling to understand where this cost savings is and how much those savings are going to be given that bare-CTV is unaddressable and seems to ultimately occupy more-blockspace than if the outputs were directly committed to. I also believe the bare-CTV question is material, because if bare-CTV were not part of the spec, then I'd be advocating for using an OP_SUCCESS code from tapscript instead, and either use push-style semantics for CTV, which would be composed with EQUAL_VERIFY to mimic the currently proposed verification style-semantics, or a hybrid push-or-verify semantics that would either push or verify depending on the size of the input. (And I still think a more general TXHASH would be even better, though if I cannot convince aj then perhaps I'm wrong.) I'm not saying bare-CTV is necessarily a bad idea. I'm just struggling with its justification. [-- Attachment #2: Type: text/html, Size: 5027 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-21 13:22 ` Russell O'Connor @ 2022-04-21 15:05 ` Jeremy Rubin 2022-04-22 0:58 ` Anthony Towns 0 siblings, 1 reply; 16+ messages in thread From: Jeremy Rubin @ 2022-04-21 15:05 UTC (permalink / raw) To: Russell O'Connor, Bitcoin Protocol Discussion; +Cc: Anthony Towns [-- Attachment #1: Type: text/plain, Size: 7692 bytes --] Hi Russell, Thank you for your feedback here. > However, I'm still skeptical of the bare-CTV part of BIP-119 (and I'm told > that bare-CTV hasn't even appeared on the CTV signet). Unlike the general > smart-contracting case, bare-CTV does not have any branches. All it can do > is commit to a subsequent transaction's outputs. At first glance this > appears to be a waste because, for less bandwidth, that transaction could > just realize those outputs immediately, so why would anyone want to delay > the inevitable? > I can probably make some show up sometime soon. Note that James' vault uses one at the top-level https://github.com/jamesob/simple-ctv-vault, but I think the second use of it (since it's not segwit wrapped) wouldn't be broadcastable since it's nonstandard. > > One reason might be that you want to commit to the output early during a > high-fee time, and then complete the transaction later during a low-fee > time. While there are fee-rate situations where this could result in lower > fees than committing to the outputs all at once, it would be even cheaper > still to just wait to do the payout at the low-fee time. I'm struggling to > understand the advantages of the advanced commitment, along with all the > overhead that entails. Doesn't it just cause more blockspace to be used > overall? > One case where you actually use less space is if you have a few different sets of customers at N different fee priority level. Then, you might need to have N independent batches, or risk overpaying against the customer's priority level. Imagine I have 100 tier 1 customers and 1000 tier 2 customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees I'd need to pay tier 1 rate for 10x the customers. With CTV, I can combine my batch into a root and N batch outputs. This eliminates the need for inputs, signatures, change outputs, etc per batch, and can be slightly smaller. Since the marginal benefit on that is still pretty small, having bare CTV improves the margin of byte wise saving. I give this as an example where CTV uses less space, it is detailed more here: https://utxos.org/analysis/batching_sim/. This benefit might be marginal and absurd, given these are already big transactions, but it may _also_ be absurd that feerates only ever go up and congestion control is not valuable. Another example where this arises is where you have a transaction set you need to pay top-of-mempool rate for the soonest confirmation you can get. CTV has a decongesting effect, because your top-of-mempool transaction is small, which doesn't trigger as much rivalrous behavior with other transactors. Concretely, the current policy max txn size is 100kb, or 10% of a block. If you bump out of next block window 10% of the mempool, then if those transactors care to maintain their positioning, they will need to put themselves into a higher percentile with e.g. RBF or CPFP. Whereas if you put in a transaction that is just 100 bytes, you only bump out 100 bytes of rivals (0.01%), not 10%. Lastly, perhaps a more realistic scenario, is where I am batching to 100 customers who all wish to do something else after I pay them. E.g., open a lightning channel. Being able to use CTV noninteractive channels cuts through the extra hop transaction (unless dual funded channels, unless the channels are opened between two customers, then they can be dual funded again). So using CTV here also saves in net blockspace (although, note, this is sort of orthogonal to using CTV over the batch itself, just a good example for the related question of 'doesn't ctv generally use more blockspace'). > There are some other proposed use cases for bare-CTV. A bare-CTV can be > used to delay a "trigger"-transaction. Some contracts, such as vaults, use > a relative-locktime as part of their construction and it could make sense > to make an output commitment but not realize those outputs yet until you > are ready to start your relative-time lock clock. But bare-CTV doesn't > support any co-signing ability here, so you are relying entirely on keeping > the transaction data secret to prevent a third-party from triggering your > relative-lock clock. More specifically for a vault scheme, since > bare-CTV's are currently unaddressable, and AFAIK, there is no address > format proposal yet, it is impossible to receive funds directly into a > vault. You must shuffle received funds into your vault yourself, which > seems very likely to negate the cost savings of using bare-CTV in the first > place (please correct me if I'm wrong). Better to receive funds directly > into a taproot-CTV vault, which has an address, and while you are at it, > you could place the cold-key as the taproot key to save even more when > using the cold-key to move vault funds. > > This is not quite true, you can receive funds into a bare-CTV from your vault software, and you can send into one from your vault software. What doesn't work is exporting or creating an address for that. As a reminder for those following along at home, not all standard output types have addresses, even today. For example, OP_RETURN. However, this is a standarness question. If the market _wanted_ such an address, one could be adopted without requiring consensus processes. Generally, the vault designs I work on use Sapio and therefore also use Taproot since I have not added support for non-taproot scripts / removed support for witness v0. I will eventually add these back, but it's a marginal fee savings optimization and I'm focused primarily on feature completeness. > There might be even more exotic use cases of bare-CTV. For example you > could commit to a transaction that has a second input that doesn't yet > exist in the UTXO set in an attempt to coax it into existence. I don't know > if there have been any proposals to take advantage of this. > There are, but it's not specific to how bare ctv works, it should work from any CTV context. > > With that said, everything that bare-CTV can do, can also be done by > tapscript-CTV; so it is just a matter of cost. I'm struggling to > understand where this cost savings is and how much those savings are going > to be given that bare-CTV is unaddressable and seems to ultimately occupy > more-blockspace than if the outputs were directly committed to. > > I also believe the bare-CTV question is material, because if bare-CTV were > not part of the spec, then I'd be advocating for using an OP_SUCCESS code > from tapscript instead, and either use push-style semantics for CTV, which > would be composed with EQUAL_VERIFY to mimic the currently proposed > verification style-semantics, or a hybrid push-or-verify semantics that > would either push or verify depending on the size of the input. (And I > still think a more general TXHASH would be even better, though if I cannot > convince aj then perhaps I'm wrong.) > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we couldn't use OP_SUCCESSx there either. segwitv0 might be desired if someone has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA signatures, but still want CTV. > > I'm not saying bare-CTV is necessarily a bad idea. I'm just struggling > with its justification. > Fair. I wouldn't have a big problem removing it, if it were clear that were it to become desired, we could add it back. I think the case for CTV in Segwitv0 is stronger, which has the same implication for a PUSH variant of CTV. Thanks again, Jeremy > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 13088 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-21 15:05 ` Jeremy Rubin @ 2022-04-22 0:58 ` Anthony Towns 2022-04-22 1:10 ` Nadav Ivgi 2022-04-22 5:30 ` Jeremy Rubin 0 siblings, 2 replies; 16+ messages in thread From: Anthony Towns @ 2022-04-22 0:58 UTC (permalink / raw) To: bitcoin-dev On Thu, Apr 21, 2022 at 10:05:20AM -0500, Jeremy Rubin via bitcoin-dev wrote: > I can probably make some show up sometime soon. Note that James' vault uses > one at the top-level https://github.com/jamesob/simple-ctv-vault, but I > think the second use of it (since it's not segwit wrapped) wouldn't be > broadcastable since it's nonstandard. The whole point of testing is so that bugs like "wouldn't be broadcastable since it's nonstandard" get fixed. If these things are still in the "interesting thought experiment" stage, but nobody but Jeremy is interested enough to start making them consistent with the proposed consensus and policy rules, it seems very premature to be changing consensus or policy rules. > One case where you actually use less space is if you have a few different > sets of customers at N different fee priority level. Then, you might need > to have N independent batches, or risk overpaying against the customer's > priority level. Imagine I have 100 tier 1 customers and 1000 tier 2 > customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees > I'd need to pay tier 1 rate for 10x the customers. With CTV, I can combine > my batch into a root and N batch outputs. This eliminates the need for > inputs, signatures, change outputs, etc per batch, and can be slightly > smaller. Since the marginal benefit on that is still pretty small, having > bare CTV improves the margin of byte wise saving. Bare CTV only saves bytes when *spending* -- but this is when you're creating the 1100 outputs, so an extra 34 or 67 bytes of witness data seems fairly immaterial (0.05% extra vbytes?). It doesn't make the small commitment tx any smaller. ie, scriptPubKey looks like: - bare ctv: [push][32 bytes][op_nop4] - p2wsh: [op_0][push][32 bytes] - p2tr: [op_1][push][32 bytes] while witness data looks like: - bare ctv: empty scriptSig, no witness - pw2sh: empty scriptSig, witness = "[push][32 bytes][op_nop4]" - p2tr: empty scriptSig, witness = 33B control block, "[push][32 bytes][op_nop4]" You might get more a benefit from bare ctv if you don't pay all 1100 outputs in a single tx when fees go lower; but if so, you're also wasting quite a bit more block space in that case due to the intermediate transactions you're introducing, which makes it seem unlikely that you care about the extra 9 or 17 vbytes bare CTV would save you per intermediate tx... I admit that I am inclined towards micro-optimising things to save those bytes if it's easy, which does incline me towards bare CTV; but the closest thing we have to real user data suggests that nobody's going to benefit from that possibility anyway. > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we > couldn't use OP_SUCCESSx there either. segwitv0 might be desired if someone > has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA > signatures, but still want CTV. If you desire new features, then you might have to upgrade old hardware that can't support them. Otherwise that would be an argument to never use OP_SUCCESSx: someone might want to use whatever new feature we might imagine on hardware that only supports ECDSA signatures. Cheers, aj ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-22 0:58 ` Anthony Towns @ 2022-04-22 1:10 ` Nadav Ivgi 2022-04-22 5:30 ` Jeremy Rubin 1 sibling, 0 replies; 16+ messages in thread From: Nadav Ivgi @ 2022-04-22 1:10 UTC (permalink / raw) To: Anthony Towns, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 4037 bytes --] > nobody's going to benefit from that possibility anyway. James O'Beirne's simple-ctv-vault appears to be using bare CTV outputs: https://github.com/jamesob/simple-ctv-vault/blob/7dd6c4ca25debb2140cdefb79b302c65d1b24937/main.py#L217-L218 https://github.com/jamesob/simple-ctv-vault/blob/7dd6c4ca25debb2140cdefb79b302c65d1b24937/main.py#L324-L325 I guess this suggests that it was not tested on signet? On Fri, Apr 22, 2022 at 3:58 AM Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Thu, Apr 21, 2022 at 10:05:20AM -0500, Jeremy Rubin via bitcoin-dev > wrote: > > I can probably make some show up sometime soon. Note that James' vault > uses > > one at the top-level https://github.com/jamesob/simple-ctv-vault, but I > > think the second use of it (since it's not segwit wrapped) wouldn't be > > broadcastable since it's nonstandard. > > The whole point of testing is so that bugs like "wouldn't be broadcastable > since it's nonstandard" get fixed. If these things are still in the > "interesting thought experiment" stage, but nobody but Jeremy is > interested enough to start making them consistent with the proposed > consensus and policy rules, it seems very premature to be changing > consensus or policy rules. > > > One case where you actually use less space is if you have a few different > > sets of customers at N different fee priority level. Then, you might need > > to have N independent batches, or risk overpaying against the customer's > > priority level. Imagine I have 100 tier 1 customers and 1000 tier 2 > > customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees > > I'd need to pay tier 1 rate for 10x the customers. With CTV, I can > combine > > my batch into a root and N batch outputs. This eliminates the need for > > inputs, signatures, change outputs, etc per batch, and can be slightly > > smaller. Since the marginal benefit on that is still pretty small, having > > bare CTV improves the margin of byte wise saving. > > Bare CTV only saves bytes when *spending* -- but this is when you're > creating the 1100 outputs, so an extra 34 or 67 bytes of witness data > seems fairly immaterial (0.05% extra vbytes?). It doesn't make the small > commitment tx any smaller. > > ie, scriptPubKey looks like: > - bare ctv: [push][32 bytes][op_nop4] > - p2wsh: [op_0][push][32 bytes] > - p2tr: [op_1][push][32 bytes] > > while witness data looks like: > - bare ctv: empty scriptSig, no witness > - pw2sh: empty scriptSig, witness = "[push][32 bytes][op_nop4]" > - p2tr: empty scriptSig, witness = 33B control block, > "[push][32 bytes][op_nop4]" > > You might get more a benefit from bare ctv if you don't pay all 1100 > outputs in a single tx when fees go lower; but if so, you're also wasting > quite a bit more block space in that case due to the intermediate > transactions you're introducing, which makes it seem unlikely that > you care about the extra 9 or 17 vbytes bare CTV would save you per > intermediate tx... > > I admit that I am inclined towards micro-optimising things to save > those bytes if it's easy, which does incline me towards bare CTV; but > the closest thing we have to real user data suggests that nobody's going > to benefit from that possibility anyway. > > > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we > > couldn't use OP_SUCCESSx there either. segwitv0 might be desired if > someone > > has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA > > signatures, but still want CTV. > > If you desire new features, then you might have to upgrade old hardware > that can't support them. > > Otherwise that would be an argument to never use OP_SUCCESSx: someone > might want to use whatever new feature we might imagine on hardware that > only supports ECDSA signatures. > > Cheers, > aj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 5541 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: [bitcoin-dev] CTV Signet Parameters 2022-04-22 0:58 ` Anthony Towns 2022-04-22 1:10 ` Nadav Ivgi @ 2022-04-22 5:30 ` Jeremy Rubin 1 sibling, 0 replies; 16+ messages in thread From: Jeremy Rubin @ 2022-04-22 5:30 UTC (permalink / raw) To: Anthony Towns, Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 5306 bytes --] small note, it's a savings of 34 or 67 bytes *per histogram bucket* to have bare CTV v.s. v0/v1, so the interesting thing is that by making it cheaper bytes wise it might enable one to have, for the same byte budget, more buckets, which would make the feerate savings for the user even greater. E.g., assume user priorities are exponential, like: [10, 12, 14, 17, 20, 24, 29, 35, 42, 51] suppose binning into 4 groups yields: [10, 12, 14], [17, 20, 24], [29, 35, 42], [51] then the feerate of each group summarized by the max times bin count is [14 x 3], [24 x 3], [42 x 3], [51 x 1] = 291 suppose binning into 5 groups yields: [10, 12], [14, 17], [20, 24], [29, 35], [42, 51] [12 x 2] [17 x 2] [24 x 2] [35 x 2] [51x2] = 278 so it's clear that bins of 5 yields a discount, and the marginal cost difference of 5 bins vs 4 can be more than "paid for" by switching to bare instead of segwit v0. E.g., 4 segwits = 4*34 additional 5 bares = 1 extra output (34 bytes) + 1 extra input (41 bytes) + extra tx body (~10 bytes?) = ~2.5 x 34 additional weight so while in this particular case, the savings mean that 4 would likely be a better binning than 5 even if bare were available, if you imagine the groups scaled to more elements under the same distribution would have eventually the cost (291-278)*S > 2.5*34 make it worth switching the binning to 5 bins earlier than with would if the bins were more expensive. Kinda hard to perfectly characterize this type of knock-on effect, but it's also cool to think about how cheapness of the nodes in the graph changes the optimal graph, which means you can't just do a simple comparison of how much is a bigger than b. On Thu, Apr 21, 2022 at 7:58 PM Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Thu, Apr 21, 2022 at 10:05:20AM -0500, Jeremy Rubin via bitcoin-dev > wrote: > > I can probably make some show up sometime soon. Note that James' vault > uses > > one at the top-level https://github.com/jamesob/simple-ctv-vault, but I > > think the second use of it (since it's not segwit wrapped) wouldn't be > > broadcastable since it's nonstandard. > > The whole point of testing is so that bugs like "wouldn't be broadcastable > since it's nonstandard" get fixed. If these things are still in the > "interesting thought experiment" stage, but nobody but Jeremy is > interested enough to start making them consistent with the proposed > consensus and policy rules, it seems very premature to be changing > consensus or policy rules. > > > One case where you actually use less space is if you have a few different > > sets of customers at N different fee priority level. Then, you might need > > to have N independent batches, or risk overpaying against the customer's > > priority level. Imagine I have 100 tier 1 customers and 1000 tier 2 > > customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees > > I'd need to pay tier 1 rate for 10x the customers. With CTV, I can > combine > > my batch into a root and N batch outputs. This eliminates the need for > > inputs, signatures, change outputs, etc per batch, and can be slightly > > smaller. Since the marginal benefit on that is still pretty small, having > > bare CTV improves the margin of byte wise saving. > > Bare CTV only saves bytes when *spending* -- but this is when you're > creating the 1100 outputs, so an extra 34 or 67 bytes of witness data > seems fairly immaterial (0.05% extra vbytes?). It doesn't make the small > commitment tx any smaller. > > ie, scriptPubKey looks like: > - bare ctv: [push][32 bytes][op_nop4] > - p2wsh: [op_0][push][32 bytes] > - p2tr: [op_1][push][32 bytes] > > while witness data looks like: > - bare ctv: empty scriptSig, no witness > - pw2sh: empty scriptSig, witness = "[push][32 bytes][op_nop4]" > - p2tr: empty scriptSig, witness = 33B control block, > "[push][32 bytes][op_nop4]" > > You might get more a benefit from bare ctv if you don't pay all 1100 > outputs in a single tx when fees go lower; but if so, you're also wasting > quite a bit more block space in that case due to the intermediate > transactions you're introducing, which makes it seem unlikely that > you care about the extra 9 or 17 vbytes bare CTV would save you per > intermediate tx... > > I admit that I am inclined towards micro-optimising things to save > those bytes if it's easy, which does incline me towards bare CTV; but > the closest thing we have to real user data suggests that nobody's going > to benefit from that possibility anyway. > > > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we > > couldn't use OP_SUCCESSx there either. segwitv0 might be desired if > someone > > has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA > > signatures, but still want CTV. > > If you desire new features, then you might have to upgrade old hardware > that can't support them. > > Otherwise that would be an argument to never use OP_SUCCESSx: someone > might want to use whatever new feature we might imagine on hardware that > only supports ECDSA signatures. > > Cheers, > aj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 9781 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2022-04-28 12:23 UTC | newest] Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-02-17 21:58 [bitcoin-dev] CTV Signet Parameters Jeremy Rubin 2022-02-18 11:13 ` 0x0ff 2022-02-22 3:19 ` Jeremy Rubin 2022-04-20 2:31 ` Anthony Towns 2022-04-20 17:05 ` Nadav Ivgi 2022-04-21 2:36 ` Anthony Towns 2022-04-28 12:23 ` Jeremy Rubin 2022-04-20 17:13 Buck O Perley 2022-04-21 5:03 ` Anthony Towns 2022-04-21 6:16 ` Jeremy Rubin 2022-04-21 6:25 ` Jeremy Rubin 2022-04-21 13:22 ` Russell O'Connor 2022-04-21 15:05 ` Jeremy Rubin 2022-04-22 0:58 ` Anthony Towns 2022-04-22 1:10 ` Nadav Ivgi 2022-04-22 5:30 ` Jeremy Rubin
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox