From: Jeremy <jlrubin@mit.edu>
To: Tim Ruffing <tim.ruffing@mmci.uni-saarland.de>, Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Implementing Covenants with OP_CHECKSIGFROMSTACKVERIFY
Date: Mon, 7 Nov 2016 11:30:26 -0800
Message-ID: <CAD5xwhhstv4w+81FrQ+W7W9gCTpN92vhSL95QNCHkHNFwJ7DQQ@mail.gmail.com>
In-Reply-To: <1478270151.1662.6.camel@mmci.uni-saarland.de>
I think
the following implementation may be advantageous. It uses the same number
of opcodes, without OP_CAT.
Avoiding use of OP_CAT is still desirable, as I think it will be more
difficult to agree on semantics for OP_CAT (given necessary measures to
prevent memory abuse) than for OP_LEFT. Another option I would be in support
of would be to have signature flags apply to OP_CHECKSIGFROMSTACK and all
OP_CHECKSIG flags be ignored if they aren't meaningful...
   <signature; SIGHASH_ALL> <signatureTxnData>
1. <pubkey> OP_DUP3
   <pubkey> <signature; SIGHASH_ALL> <signatureTxnData> <pubkey> <signature; SIGHASH_ALL> <signatureTxnData>
2. OP_CHECKSIGVERIFY
   <signatureTxnData> <pubkey> <signature; SIGHASH_ALL> <signatureTxnData>
3. OP_SHA256 OP_ROT OP_SIZE OP_SUB1 OP_LEFT
   <signature> <sha256(signatureTxnData)> <pubkey> <signatureTxnData>
4. OP_SWAP OP_ROT OP_CHECKSIGFROMSTACKVERIFY (with same argument order)
--
@JeremyRubin <https://twitter.com/JeremyRubin>
On Fri, Nov 4, 2016 at 7:35 AM, Tim Ruffing via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Not a covenant but interesting nevertheless: _One_ of OP_CAT and
> OP_CHECKSIGFROMSTACKVERIFY alone is enough to implement "opt-in miner
> takes double-spend" [1]:
>
> You can create an output, which is spendable by everybody if you ever
> double-spend the output with two different transactions. Then the next
> miner will probably take your money (double-spending against your two
> or more contradicting transactions again).
>
> If you spend such an output, then the recipient may be willing to
> accept a zero-conf transaction, because he knows that you'll lose the
> money when you attempt double-spending (unless you are the lucky
> miner). See the discussion in [1] for details.
>
> The implementation using OP_CHECKSIGFROMSTACKVERIFY is straight-
> forward. You add a case to the script which allows spending if two
> valid signatures on different message under the public key of the
> output are given.
>
> What is less known I think:
> The same functionality can be achieved in a simpler way just using
> OP_CAT, because it's possible to turn Bitcoin's ECDSA to an "opt-in
> one-time signature scheme". With OP_CAT, you can create an output that
> is only spendable using a signature (r,s) with a specific already fixed
> first part r=x_coord(kG). Basically, the creator of this output commits
> on r (and k) already when creating the output. Now, signing two
> different transaction with the same r allows everybody to extract the
> secret key from the two signatures.
>
> The drawbacks of the implementation with OP_CAT is that it's not
> possible to make a distinction between legitimate or illegitimate
> double-spends (yet to be defined) but just every double-spend is
> penalized. Also, it's somewhat hackish and the signer must store k (or
> create it deterministically but that's a good idea anyway).
>
> [1] https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg07122.html
>
> Best,
> Tim
>
> On Thu, 2016-11-03 at 07:37 +0000, Daniel Robinson via bitcoin-dev
> wrote:
> > Really cool!
> >
> > How about "poison transactions," the other covenants use case
> > proposed by Möser, Eyal, and Sirer? (I think
> > OP_CHECKSIGFROMSTACKVERIFY will also make it easier to check fraud
> > proofs, the other prerequisite for poison transactions.)
> >
> > Seems a little wasteful to do those two "unnecessary" signature
> > checks, and to have to construct the entire transaction data
> > structure, just to verify a single output in the transaction. Any
> > plans to add more flexible introspection opcodes to Elements, such as
> > OP_CHECKOUTPUTVERIFY?
> >
> > Really minor nit: "Notice that we have appended 0x83 to the end of
> > the transaction data"—should this say "to the end of the signature"?
> >
> > On Thu, Nov 3, 2016 at 12:28 AM Russell O'Connor via bitcoin-dev
> > <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > > Right. There are minor trade-offs to be made with regards to that
> > > design point of OP_CHECKSIGFROMSTACKVERIFY. Fortunately this
> > > covenant construction isn't sensitive to that choice and can be
> > > made to work with either implementation of
> > > OP_CHECKSIGFROMSTACKVERIFY.
> > >
> > > On Wed, Nov 2, 2016 at 11:35 PM, Johnson Lau <jl2012@xbt.hk> wrote:
> > > > Interesting. I have implemented OP_CHECKSIGFROMSTACKVERIFY in a
> > > > different way from the Elements. Instead of hashing the data on
> > > > stack, I directly put the 32 byte hash to the stack. This should
> > > > be more flexible as not every system are using double-SHA256
> > > >
> > > > https://github.com/jl2012/bitcoin/commits/mast_v3_master
> > > >
> > > >
> > > >
> > > > > On 3 Nov 2016, at 01:30, Russell O'Connor via bitcoin-dev
> > > > > <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > It is possible to implement covenants using two script
> > > > > extensions: OP_CAT and OP_CHECKSIGFROMSTACKVERIFY. Both of
> > > > > these op codes are already available in the Elements Alpha
> > > > > sidechain, so it is possible to construct covenants in Elements
> > > > > Alpha today. I have detailed how the construction works in a
> > > > > blog post at <https://blockstream.com/2016/11/02/covenants-in-elements-alpha.html>.
> > > > > As an example, I've constructed scripts
> > > > > for the Moeser-Eyal-Sirer vault.
> > > > >
> > > > > I'm interested in collecting and implementing other useful
> > > > > covenants, so if people have ideas, please post them.
> > > > >
> > > > > If there are any questions, I'd be happy to answer.
> > > > >
> > > > > --
> > > > > Russell O'Connor
> > > > > _______________________________________________
> > > > > bitcoin-dev mailing list
> > > > > bitcoin-dev@lists.linuxfoundation.org
> > > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
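A worked illustration of the two constructions Tim describes in the quoted message above: the OP_CHECKSIGFROMSTACKVERIFY branch that lets anyone spend once two valid signatures on different messages under the output's key are shown, and the OP_CAT construction that fixes r = x_coord(kG) in the output and thereby turns ECDSA into an opt-in one-time signature (signing two different messages with the same r lets anyone extract the key, so a double-spend forfeits the funds). This is an added example, not code from any of the posters or from Elements; it uses a textbook pure-Python secp256k1 ECDSA with an explicit nonce, a single SHA-256 in place of Bitcoin's sighash (no DER encoding, no sighash byte, no low-s rule), and a constructed key, nonce and message set.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, p)
        p = point_add(p, p)
        k >>= 1
    return result


def msg_hash(tx_bytes):
    """Stand-in for Bitcoin's sighash: one SHA-256 of the (constructed) tx bytes."""
    return int.from_bytes(hashlib.sha256(tx_bytes).digest(), "big")


def sign(priv, h, k):
    """Textbook ECDSA with an explicit nonce k, so r = x(kG) can be fixed up front."""
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * priv) % N
    return (r, s)


def verify(pub, h, sig):
    """Standard ECDSA verification: x(u1*G + u2*pub) mod n must equal r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(point_mul(h * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


# Variant 1: the check an OP_CHECKSIGFROMSTACKVERIFY branch would perform.
def double_spend_proof_ok(pub, h1, sig1, h2, sig2):
    """Anyone may spend iff two valid signatures on *different* messages are shown."""
    return h1 != h2 and verify(pub, h1, sig1) and verify(pub, h2, sig2)


# Variant 2: what the OP_CAT output enforces, and why that makes the key one-time.
def r_matches_commitment(sig, r_committed):
    """The OP_CAT script only accepts a signature whose r equals the committed r."""
    return sig[0] == r_committed


def recover_priv(h1, sig1, h2, sig2):
    """Two signatures sharing r (same nonce k) on different messages reveal the key."""
    r1, s1 = sig1
    r2, s2 = sig2
    assert r1 == r2 and h1 != h2
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N       # from s1 - s2 = k^-1 (h1 - h2)
    return (s1 * k - h1) * pow(r1, -1, N) % N     # from s1 = k^-1 (h1 + r d)


def demo():
    """Walk both variants on constructed values and return everything worth checking."""
    priv = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD  # constructed key
    k = 0x4C0883A69102937D6231471B5DBB6204FE5129617082792AE468D01A3F362318     # constructed fixed nonce
    pub = point_mul(priv, G)
    r_committed = point_mul(k, G)[0] % N          # what the output creator commits to
    h1 = msg_hash(b"constructed tx: spend output to Alice")
    h2 = msg_hash(b"constructed tx: spend output to Bob")
    sig1 = sign(priv, h1, k)                      # legitimate spend
    sig2 = sign(priv, h2, k)                      # conflicting spend with the same r
    return {
        "priv": priv,
        "sig1_valid": verify(pub, h1, sig1),
        "sig2_valid": verify(pub, h2, sig2),
        "both_match_r": r_matches_commitment(sig1, r_committed) and r_matches_commitment(sig2, r_committed),
        "csfs_branch_opens": double_spend_proof_ok(pub, h1, sig1, h2, sig2),
        "csfs_branch_same_msg": double_spend_proof_ok(pub, h1, sig1, h1, sig1),
        "recovered_priv": recover_priv(h1, sig1, h2, sig2),
    }


if __name__ == "__main__":
    print(demo())
```

The two variants differ in what the spender has to reveal: the OP_CHECKSIGFROMSTACKVERIFY branch needs both conflicting signatures placed on the stack explicitly, whereas the OP_CAT output makes every honest spend carry the committed r, so the second conflicting signature that appears anywhere (in the mempool, in a block) is already enough for a third party to compute `recover_priv` and claim the output. That is exactly the trade-off Tim notes: the OP_CAT form cannot distinguish legitimate from illegitimate double-spends, and the signer must keep k.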
Thread overview: 8+ messages
2016-11-02 17:30 [bitcoin-dev] Implementing Covenants with OP_CHECKSIGFROMSTACKVERIFY Russell O'Connor
2016-11-03 3:35 ` Johnson Lau
[not found] ` <E8BB95A5-09B3-443C-B197-29DA3C4767D8@xbt.hk>
2016-11-03 4:19 ` Russell O'Connor
2016-11-03 7:37 ` Daniel Robinson
2016-11-03 20:02 ` Russell O'Connor
2016-11-04 14:35 ` Tim Ruffing
2016-11-07 19:30 ` Jeremy [this message]
2016-11-03 17:42 ` Ryan Grant