Re: [bitcoindev] CHECKSIGFROMSTACK(VERIFY/ADD)

["'moonsettler' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>]

Hi Brandon,

For what it's worth, I also think signature aggregation will be the dominant
form of CSFS use. LNhance at it's core is CTV + CSFS, and so it makes sense
to have both of those available in pre-tapscript.

No strong opinion on CHECKSIGFROMSTACKADD, agree with the general reasoning.

It's a bit weird to backport Schnorr this way, and the NOP upgrade path
leaving 3 elements on the stack is also unfortunate. On the other hand,
reverting CSFSV to use ECDSA in pre-tapscript would force us to consider
implementing script multisig, to do anything really worthwhile there.

BR,
moonsettler




Sent with Proton Mail secure email.

On Thursday, November 14th, 2024 at 11:02 PM, Brandon Black <freedom@reardencode.com> wrote:

> Hi list,
> 
> As we're working toward numbering and merge for the CHECKSIGFROMSTACK
> (CSFS) BIP, there are 2 open questions[1] that may be worth resolving
> before it is merged as a draft:
> 
> * Should CHECKSIGFROMSTACKVERIFY (CSFSV) be added to pre-tapscript?
> 
> The proposed opcode always evaluates BIP340 Schnorr signatures
> regardless of script version, so making it available in earlier script
> versions makes Schnorr signatures available on those script versions for
> certain use cases.
> 
> My personal thinking in initially including CSFSV in earlier script
> versions was basically that it's compatible with NOP forking, so why
> not. Because LNHANCE includes CTV which is designed as a NOP compatible
> upgrade, also including CSFSV fits well with CTV.
> 
> The other side of the argument is that we shouldn't include
> compatibility with earlier script versions unless there's a concrete
> benefit to doing so. For CTV, the possibility of bare CTV is a
> compelling reason to add it to earlier script versions, but there's not
> a similarly compelling reason to include CSFSV.
> 
> Using a scarce NOP to provide Schnorr signed commitments to earlier
> scripts may not be worthwhile.
> 
> 
> * Should we include CHECKSIGFROMSTACKADD?
> 
> Obviously, if script multisig is going to be a common use case for
> checking signatures on stack data CHECKSIGFROMSTACKADD simplifies the
> corresponding scripts by a few WU per key. As MuSig2 and FROST are
> progressing in standardization and implementation, I do not expect
> script multisig to be a dominant use for these opcodes, so I did not
> include CSFSA initially.
> 
> Here the argument is somewhat the inverse of CSFSV on legacy: We have
> many OP_SUCCESSes available, so the cost of allocating one for CSFSA is
> low, and the benefit is that making script multisigs with CSFSA (such as
> those produced by miniscript) is simpler and less error prone.
> 
> --
> 
> I would love to hear thoughts about both of these questions from the
> list, and will update the BIP and implementations of CSFS(V/A) based on
> your feedback.
> 
> Thanks much!
> 
> --Brandon
> 
> [1]: https://github.com/bitcoin/bips/pull/1535#issuecomment-2111195930
> 
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ZzZziZOy4IrTNbNG%40console.

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/83CBONdqGnLg2CP1tqiIPtOaG4Lx35UTqrmRBv2hagwsMlmZAMG0e165Wq_k43h-7pgS9yDdWx8qsAAB9AxQWr_RH_CaJdDZztNvXCGM6Rc%3D%40protonmail.com.