public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Jeremy <jlrubin@mit.edu>
To: Anthony Towns <aj@erisian.com.au>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)
Date: Sat, 22 Jun 2019 23:43:22 -0700	[thread overview]
Message-ID: <CAD5xwhgEQKdTCSLQn4-X_atT5_aE-1hEKk0xd1wm1m0qotwYXQ@mail.gmail.com> (raw)
In-Reply-To: <20190620220552.metrqaul3iporwma@erisian.com.au>

[-- Attachment #1: Type: text/plain, Size: 2750 bytes --]

This is insufficient: sequences must be committed to because they affect
TXID. As with scriptsigs (witness data fine to ignore). NUM_IN too.

Any malleability makes this much less useful.
--
@JeremyRubin <https://twitter.com/JeremyRubin>
<https://twitter.com/JeremyRubin>


On Fri, Jun 21, 2019 at 10:31 AM Anthony Towns via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Tue, Jun 18, 2019 at 04:57:34PM -0400, Russell O'Connor wrote:
> > So with regards to OP_SECURETHEBAG, I am also "not really seeing any
> reason to
> > complicate the spec to ensure the digest is precommitted as part of the
> > opcode."
>
> Also, I think you can simulate OP_SECURETHEBAG with an ANYPREVOUT
> (NOINPUT) sighash (Johnson Lau's mentioned this before, but not sure if
> it's been spelled out anywhere); ie instead of constructing
>
>   X = Hash_BagHash( version, locktime, [outputs], [sequences], num_in )
>
> and having the script be "<X> OP_SECURETHEBAG" you calculate an
> ANYPREVOUT sighash for SIGHASH_ANYPREVOUTANYSCRIPT | SIGHASH_ALL:
>
>   Y = Hash_TapSighash( 0, 0xc1, version, locktime, [outputs], 0,
>                        amount, sequence)
>
> and calculate a signature sig = Schnorr(P,m) for some pubkey P, and
> make your script be "<sig> <P> CHECKSIG".
>
> That loses the ability to commit to the number of inputs or restrict
> the nsequence of other inputs, and requires a bigger script (sig and P
> are ~96 bytes instead of X's 32 bytes), but is otherwise pretty much the
> same as far as I can tell. Both scripts are automatically satisfied when
> revealed (with the correct set of outputs), and don't need any additional
> witness data.
>
> If you wanted to construct "X" via script instead of hardcoding a value
> because it got you generalised covenants or whatever; I think you could
> get the same effect with CAT,LEFT, and RIGHT: you'd construct Y in much
> the same way you construct X, but you'd then need to turn that into a
> signature. You could do so by using pubkey P=G and nonce R=G, which
> means you need to calculate s=1+hash(G,G,Y)*1 -- calculating the hash
> part is easy, multiplying it by 1 is easy, and to add 1 you can probably
> do something along the lines of:
>
>     OP_DUP 4 OP_RIGHT 1 OP_ADD OP_SWAP 28 OP_LEFT OP_SWAP OP_CAT
>
> (ie, take the last 4 bytes, increment it using 4-byte arithmetic,
> then cat the first 28 bytes and the result. There's overflow issues,
> but I think they can be worked around either by allowing you to choose
> different locktimes, or by more complicated script)
>
> Cheers,
> aj
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 4010 bytes --]

  reply	other threads:[~2019-06-23  6:43 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-01  5:35 [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY) Jeremy
2019-06-02  5:35 ` ZmnSCPxj
2019-06-02 14:32 ` Russell O'Connor
2019-06-02 21:32   ` Jeremy
2019-06-05  9:30 ` Anthony Towns
2019-06-06  7:30   ` ZmnSCPxj
2019-06-18 20:57     ` Russell O'Connor
2019-06-20 22:05       ` Anthony Towns
2019-06-23  6:43         ` Jeremy [this message]
2019-07-08 10:26           ` Dmitry Petukhov
2019-10-03 23:22             ` Jeremy
     [not found]       ` <CAD5xwhj8o8Vbrk2KADBOFGfkD3fW3eMZo5aHJytGAj_5LLhYCg@mail.gmail.com>
2019-06-23 13:11         ` ZmnSCPxj
2019-06-24 14:34         ` Russell O'Connor
2019-06-24 18:07           ` Jeremy
2019-06-24 18:48             ` Russell O'Connor
2019-06-24 22:47               ` Jeremy
2019-06-25 17:05                 ` Russell O'Connor

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAD5xwhgEQKdTCSLQn4-X_atT5_aE-1hEKk0xd1wm1m0qotwYXQ@mail.gmail.com \
    --to=jlrubin@mit.edu \
    --cc=aj@erisian.com.au \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox