From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 3B115C002D for ; Tue, 26 Apr 2022 20:17:45 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 1A08C4191A for ; Tue, 26 Apr 2022 20:17:45 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: 0.076 X-Spam-Level: X-Spam-Status: No, score=0.076 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.975, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NgFQzq-OO-Tu for ; Tue, 26 Apr 2022 20:17:43 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 Received: from mslow1.mail.gandi.net (mslow1.mail.gandi.net [217.70.178.240]) by smtp4.osuosl.org (Postfix) with ESMTPS id 39F6D41911 for ; Tue, 26 Apr 2022 20:17:42 +0000 (UTC) Received: from relay1-d.mail.gandi.net (unknown [IPv6:2001:4b98:dc4:8::221]) by mslow1.mail.gandi.net (Postfix) with ESMTP id 14D5FCF602 for ; Tue, 26 Apr 2022 20:13:45 +0000 (UTC) Received: (Authenticated sender: j@rubin.io) by mail.gandi.net (Postfix) with ESMTPSA id 61824240002 for ; Tue, 26 Apr 2022 20:13:39 +0000 (UTC) Received: by mail-lj1-f169.google.com with SMTP id l19so10838747ljb.7 for ; Tue, 26 Apr 2022 13:13:39 -0700 (PDT) X-Gm-Message-State: AOAM532/3rg3WQ0dYXgwkaAP9QXsk9lGbybtax+s2YOj7OIaefIOcm1o o+sGxXe67T1vLzXCsrbtK4Gkr1q0I9TsTmnppuU= X-Google-Smtp-Source: ABdhPJz6hDvZRfvH5IISm0vn0JWGaHA52xk/0ikErCwVclcSPLecbyhdqcAXNYDGq+g3wa8klBwu1RW1B1eOJ9DsRfw= X-Received: by 2002:a2e:a545:0:b0:24d:c472:9969 with SMTP id e5-20020a2ea545000000b0024dc4729969mr15022473ljn.376.1651004018507; Tue, 26 Apr 2022 13:13:38 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jeremy Rubin Date: Tue, 26 Apr 2022 13:13:26 -0700 X-Gmail-Original-Message-ID: Message-ID: To: darosior , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000000bc41805dd945442" X-Mailman-Approved-At: Tue, 26 Apr 2022 20:21:40 +0000 Subject: Re: [bitcoin-dev] ANYPREVOUT in place of CTV X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 26 Apr 2022 20:17:45 -0000 --0000000000000bc41805dd945442 Content-Type: text/plain; charset="UTF-8" I can't find all of my earlier references around this, I thought I made a thread on it, but as a reminder, my thoughts for mild tweaks to APO that make it a bit less hacky are as follows: - Remove OP_1 key punning and replace it with OP_GENERATOR and OP_INTERNALKEY (maybe OP_EXTERNALKEY too?). The key punning is useful generically, because I may want to reuse the internal key in conjunction with a script path in some circumstances. - Add an additional sequence field that is specific to a signature with no other consensus meaning, so APO can be used with absolute timelocks. For example, this makes it impossible for more than one ratchet to be aggregated within a single transaction under any circumstance if their sequences differ (not sure this is a good example, but an example nonetheless). - Replace tagged keys for APO with either a Checksig2 or a separate feature flag that enables or disables APO behavior so that we can have programmatic control over if APO is allowed for a given key (e..g., OP_IF CSV DROP CHECKSIG2 OP_ELSE CHECKSIG OP_ENDIF enables APO to be turned on after a certain time, perhaps for a pre-approved backup transaction). Overall, this would make eltoo ratchets look something like this: OP_1 OP_INTERNALKEY OP_CHECKSIG2VERIFY OP_GREATERTHAN where checksig2 leaves seq on the stack which can be used to enforce the ratchet. and covenants like: OP_1 OP_1 OP_GENERATOR OP_CHECKSIG2VERIFY On Fri, Apr 22, 2022 at 4:23 AM darosior via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > I would like to know people's sentiment about doing (a very slightly > tweaked version of) BIP118 in place of > (or before doing) BIP119. > > SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for > over 6 years. It presents proven and > implemented usecases, that are demanded and (please someone correct me if > i'm wrong) more widely accepted than > CTV's. > > SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made > optional [0], can emulate CTV just fine. > Sure then you can't have bare or Segwit v0 CTV, and it's a bit more > expensive to use. But we can consider CTV > an optimization of APO-AS covenants. > > CTV advocates have been presenting vaults as the flagship usecase. > Although as someone who've been trying to > implement practical vaults for the past 2 years i doubt CTV is necessary > nor sufficient for this (but still > useful!), using APO-AS covers it. And it's not a couple dozen more virtual > bytes that are going to matter for > a potential vault user. > > If after some time all of us who are currently dubious about CTV's stated > usecases are proven wrong by onchain > usage of a less efficient construction to achieve the same goal, we could > roll-out CTV as an optimization. In > the meantime others will have been able to deploy new applications > leveraging ANYPREVOUT (Eltoo, blind > statechains, etc..[1]). > > > Given the interest in, and demand for, both simple covenants and better > offchain protocols it seems to me that > BIP118 is a soft fork candidate that could benefit more (if not most of) > Bitcoin users. > Actually i'd also be interested in knowing if people would oppose the > APO-AS part of BIP118, since it enables > CTV's features, for the same reason they'd oppose BIP119. > > > [0] That is, to not commit to the other inputs of the transaction (via > `sha_sequences` and maybe also > `sha_amounts`). Cf > https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message > . > > [1] https://anyprevout.xyz/ "Use Cases" section > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000000bc41805dd945442 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I can't find all of m= y earlier references around this, I thought I made a thread on it, but as a= reminder, my thoughts for mild tweaks to APO that make it a bit less hacky= are as follows:

- Remove OP_1 key punning and replace it with OP_GEN= ERATOR and OP_INTERNALKEY (maybe OP_EXTERNALKEY too?). The key punning is u= seful generically, because I may want to reuse the internal key in conjunct= ion with a script path in some circumstances.
- Add an additional sequence field that is specific to a signature= with no other consensus meaning, so APO can be used with absolute timelock= s. For example, this makes it impossible for more than one ratchet to be ag= gregated within a single transaction under any circumstance if their sequen= ces differ (not sure this is a good example, but an example nonetheless).
- Replace tagged keys for APO with eit= her a Checksig2 or a separate feature flag that enables or disables APO beh= avior so that we can have programmatic control over if APO is allowed for a= given key (e..g., OP_IF <N> CSV DROP CHECKSIG2 OP_ELSE CHECKSIG OP_E= NDIF enables APO to be turned on after a certain time, perhaps for a pre-ap= proved backup transaction).

Overall, this would make eltoo ratchets l= ook something like this:

<sig> <seq> OP_1 OP_INTERNALKEY = OP_CHECKSIG2VERIFY <N> OP_GREATERTHAN

where checksig2 leaves se= q on the stack which can be used to enforce the ratchet.

and covenant= s like:

<sig> OP_1 OP_1 OP_GENERATOR OP_CHECKSIG2VERIFY

<= br>





On Fri, Apr 22, 2022 at 4:23 AM darosior v= ia bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
I would like to know people's sentiment about doing (a very slight= ly tweaked version of) BIP118 in place of
(or before doing) BIP119.

SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for ove= r 6 years. It presents proven and
implemented usecases, that are demanded and (please someone correct me if i= 'm wrong) more widely accepted than
CTV's.

SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is m= ade optional [0], can emulate CTV just fine.
Sure then you can't have bare or Segwit v0 CTV, and it's a bit more= expensive to use. But we can consider CTV
an optimization of APO-AS covenants.

CTV advocates have been presenting vaults as the flagship usecase. Although= as someone who've been trying to
implement practical vaults for the past 2 years i doubt CTV is necessary no= r sufficient for this (but still
useful!), using APO-AS covers it. And it's not a couple dozen more virt= ual bytes that are going to matter for
a potential vault user.

If after some time all of us who are currently dubious about CTV's stat= ed usecases are proven wrong by onchain
usage of a less efficient construction to achieve the same goal, we could r= oll-out CTV as an optimization.=C2=A0 In
the meantime others will have been able to deploy new applications leveragi= ng ANYPREVOUT (Eltoo, blind
statechains, etc..[1]).


Given the interest in, and demand for, both simple covenants and better off= chain protocols it seems to me that
BIP118 is a soft fork candidate that could benefit more (if not most of) Bi= tcoin users.
Actually i'd also be interested in knowing if people would oppose the A= PO-AS part of BIP118, since it enables
CTV's features, for the same reason they'd oppose BIP119.


[0] That is, to not commit to the other inputs of the transaction (via `sha= _sequences` and maybe also
`sha_amounts`). Cf h= ttps://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-mes= sage.

[1] https://anyprevout.xyz/ "Use Cases" section
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--0000000000000bc41805dd945442--