public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Jeremy <jlrubin@mit.edu>
To: Peter Todd <pete@petertodd.org>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Stumbling into a contentious soft fork activation attempt
Date: Mon, 10 Jan 2022 19:42:50 -0800	[thread overview]
Message-ID: <CAD5xwhi=H0Nft4Jbqhd3=89BhAB2JLoTc=mPhdcQkoQxa1sAUg@mail.gmail.com> (raw)
In-Reply-To: <YdrJJ3VxoxHVgg7Y@petertodd.org>

[-- Attachment #1: Type: text/plain, Size: 13105 bytes --]

Hi Peter,

Thank you for your review and feedback.

Apologies for the difficulties in reviewing. The branch linked from the BIP
is not the latest, the branch in the PR is what should be considered
https://github.com/bitcoin/bitcoin/pull/21702 for review and has more
thorough well documented tests and test vectors. The version you reviewed
should still be compatible with the current branch as there have not been
any spec changes, though.

I'm not sure what best practice is w.r.t. linking to BIPs and
implementations given need to rebase and respond to feedback with changes.
Appreciate any pointers on how to better solve this. For the time being, I
will suggest an edit to point it to the PR, although I recognize this is
not ideal. I understand your preference for a commit hash and can do one if
it helps. For what it's worth, the taproot BIPs do not link to a reference
implementation of Taproot so I'm not sure what best practice is considered
these days.

One note that is unfortunate in your review is that there is a
discrepancy between the BIP and the implementation (the original reference
or the current PR either) in that caching and DoS is not addressed. This
was an explicit design goal of CTV and for it not to be mentioned in the
BIP (and just the reference) is an oversight on my part to not aid
reviewers more explicitly. Compounding this, I accepted a third-party PR to
make the BIP more clear as to what is required to implement it that does
not have caching (functional correctness), that exposes the issue if
implemented by the BIP directly and not by the reference implementation. I
have explained this in a review last year to pyskell
<https://github.com/bitcoin/bitcoin/pull/21702#discussion_r616853690> on
the PR that caching is required for non-DoS. I will add a note to the BIP
about the importance of caching to avoid DoS as that should make third
party implementers aware of the issue.

That said, this is not a mis-considered part of CTV. The reference
implementation is specifically designed to not have quadratic hashing and
CTV is designed to be friendly to caching to avoid denial of service. It's
just a part of the BIP that can be more clear. I will make a PR to more
clearly describe how that should happen.

------
use cases
------

One thing that's not clear to me is the amount of work a BIP needs to do
within itself to fully describe all applications and use cases. I don't
think it's appropriate for most BIPs to do so, but in some cases it is a
good idea. However, for CTV the applications actually are relatively
fleshed out, just outside the BIP. Further, the availability of generic
tooling through Sapio and it's examples has demonstrated how one might
build a variety of applications. See rubin.io/advent21 for numerous worked
examples.


## Congestion Controlled Transactions

Generally, the existence of these transactions can be tracked using
existing wallets if the transaction is seen in the mempool, it will be
marked as "mine" and can even be marked as "trusted". See
https://utxos.org/analysis/taxes/ which covers the legal obligations of
senders with respect to payees under congestion control. Generally, a
legally identifiable party such as an exchange sending a congestion control
payment must retain and serve it to the user to prove that they made
payment to the user. Users of said exchanges can either download a list of
their transactions at the time of withdrawal or they can wait to see it
e.g. in the mempool. This was also discussed at
https://diyhpl.us/wiki/transcripts/ctv-bip-review-workshop/ where you can
see notes/videos of what was discussed if the notes are hard to parse.

Lightning specific wallets such as Muun and LND particularly plan to use
CTV to batch-open a multitude of channels for users, using both congestion
control and non-interactive batching. Channels have to be opened on-chain
and if channels are to be the future so will on-chain opening of them.
These wallets can be built out to track and receive these opening proofs.

## Wallet Vaults

There exists at least 3 implementations of Vaults using CTV (one by me in
C++, one by me in Sapio, another by Bryan Bishop in python), and there
exist oracles as you mention for emulating it.

## Payment Channels

Actually taking advantage of them is quite simple and has been discussed
and reviewed with a number of independent lightning developers.

You can see here a rudimentary implementation and description of how it can
work https://rubin.io/bitcoin/2021/12/11/advent-14/.

This is composable with any `impl Revokable` channel update specification
so generalizes to Lightning.

Of course, making it production grade requires a lot of work, but the
concept is sound.


## CoinJoin


CTV trees may mean more transactions, not less, but if feerates are not
monotonic and CTV allows you to defer the utilization of chainspace.

CTV CoinJoins also open the opportunity to cooperation through payment
pools (which can be opened via a coinjoin), which saves further space.

The opportunity to use embedded non-interactive channels (technically, this
is a part of payment pools) also further decreases the urgency of getting a
UTXO out.

Lastly, while it is a slight privacy leak, CTV also allows coin-joiners of
different fee-priority levels to batch together where previously they would
not have incentive to (see https://utxos.org/analysis/batching_sim/). This
does use overall less chainspace total than if it is not incentive
compatible to batch together. While this is a slight privacy leak, it is
not that large since the batches would otherwise be unable to join together
(worse) and priority is still unlinked from the inputs. Further, priority
already leaks through the observability of coins being spent anyways.


# Covenant Design Trade-Offs and Risks

The important part is the the covenant -- regardless of its length -- must
be entirely known in advance. CTV is a fully enumerated non-recursive
validation-only non-dynamic state covenant. This limits the types of issues
that can arise.

Useful links:
https://medium.com/block-digest-mempool/my-worries-about-too-generalized-covenants-5eff33affbb6
https://rubin.io/bitcoin/2021/12/04/advent-7/

--
@JeremyRubin <https://twitter.com/JeremyRubin>
<https://twitter.com/JeremyRubin>


On Mon, Jan 10, 2022 at 10:31 AM Peter Todd via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> On Mon, Jan 03, 2022 at 02:05:20AM +0000, Michael Folkson via bitcoin-dev
> wrote:
> > There have been a number of “soft signals”, many expressing enthusiasm
> for the speculated use cases of OP_CTV. Personally I share that enthusiasm
> like I do with the prospect of curing cancer. But these soft signals seem
> as if they are going to be used to attempt to justify an imminent
> contentious soft fork attempt. The devil is in the details both with
> regards to wording like “reasonable parameters” and the utility and safety
> of a new opcode. Indeed if you share my concerns that there has not been
> sufficient scrutiny and research on the long implications of this proposal
> I encourage you to register a soft signal of “No” on the site like I have.
> You can always change it to “Yes” if and when you support an imminent soft
> fork activation attempt containing exclusively OP_CTV. Enabling covenants
> on Bitcoin is a big step change with barely any existing research on the
> topic and attempting to rush it through by the back door so soon after
> Taproot activation should be resisted. To look at the ~200 lines of code
> for the opcode exclusively (of course this should be done too) in a vacuum
> without considering the broader implications is also incredibly
> shortsighted. The only thing stopping a descent into Ethereum style seat of
> our pants consensus changes is community vigilance. If we ever lose that we
> lose the foundation of this industry.
>
> I have to second your objections.
>
> I spent a bit of time over the past week looking at the current state of
> OP_CTV/BIP-0119, and I too think it's a premature idea with an
> insufficient BIP
> and reference implementation, that current lacks compelling use-cases
> clearly
> beneficial to all users.
>
> Remember that Bitcoin is a nearly $1 trillion network with tens of
> millions of
> users that has gotten to that point with careful, conservative engineering.
> Every change to the protocol poses risks to those users. Previous feature
> upgrades to the Bitcoin protocol have always been done with the intent of
> improving the protocol for everyone: CSV/segwit benefit all users via
> Lightning, because we can reasonably all users to directly take advantage
> of
> those features. We expect _everyone_ to benefit from Taproot via improved
> privacy. I don't think CTV in its current form makes that case
> sufficiently,
> and the technical details are lacking.
>
>
>
> As for some more detailed thoughts, for clarify, I'm referring to:
>
>
> https://github.com/bitcoin/bips/blob/3693cdfd192dacdac89cd742f68cd1bb96bf7f7e/bip-0119.mediawiki
>
> https://github.com/JeremyRubin/bitcoin/tree/8f313d292e426a74d9ce28e5130bbf0cd48f867e
>
> By no means is this a complete list of issues:
>
> # DoS Attacks
>
> Note how above I cited the git hashes to make it clear what exactly I'm
> referring too: the fact that the reference implementation is listed as
> https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify in the
> BIP is
> an immediate problem, as it's not clear what exactly is the specification.
>
> This in turn matters quite a lot, because the BIP itself glosses over the
> quite
> serious DoS attack issues involved in adding more ways that opcodes can
> hash
> txs. Strong resistance to DoS attacks is a _mandatory_ aspect of all
> Bitcoin
> script proposals, so leaving those details to a mostly uncommented
> reference
> implementation without a clear discussion of those trade-offs is
> insufficient.
>
>
> # Use Cases
>
> As Folkson notes, these are barely fleshed out:
>
> ## Congestion Controlled Transactions
>
> While this section appears somewhat fleshed out, with even a simulation, it
> completely ignores the numerous practical issues like the need for
> communication channels between wallets to inform them of the existence of
> these
> batches. It also raises an important question: who needs this? On-chain
> transactions are clearly not the future of Bitcoin and this use-case will
> likely impact a small % of users.
>
>
> ## Wallet Vaults
>
> This use-case can be easily tested, even in production, right now with
> additional "oracle" signers that simply verify the CTV rules have been
> followed.
>
>
> ## Payment Channels
>
> These use-cases sound promising. But they all need to be clearly fleshed
> out as
> actually taking advantage of them is quite complex.
>
>
> ## CoinJoin
>
> > because participants agree on a single output which pays all
> participants,
> > which will be lower fee than before
>
> It is not clear how the fee will be lower, given that taking advantage of
> CTV
> means there are more transactions, not less.
>
>
> # Covenant Design Trade-Offs and Risks
>
> > Covenants have historically been controversial given their potential for
> > fungibility risks -- coins could be minted which have a permanent
> restriction
> > on how they may or may not be spent or required to propagate metadata.
>
> Indeed, this is a significant risk with the potential to harm all Bitcoin
> users.
>
> > In the CHECKTEMPLATEVERIFY approach, the covenants are severely
> restricted to
> > simple templates. The structure of CHECKTEMPLATEVERIFY template is such
> that
> > the outputs must be known exactly at the time of construction. Based on a
> > destructuring argument, it is only possible to create templates which
> expand
> > in a finite number of steps. Thus templated transactions are in theory as
> > safe as transactions which create all the inputs directly in this regard.
>
> The "finite" number of steps could be millions of transactions -
> "infinitely
> long" for any practical purpose.
>
>
> # Test Vectors
>
> Currently the testing is poorly documented, without clear goals as to what
> edge
> cases are actually being tested:
>
> https://github.com/JeremyRubin/bitcoin/commit/e026bae28a774d91effc32862d0246286c114c24
>
> Also, we really need test _vectors_ rather than a Python test: for
> consenus,
> you want to write down explicitly the *data* in the form of serialized
> transactions that is being fed into the consensus engine, to avoid
> mistakes in
> test coverage due to broken test harnesses.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>

[-- Attachment #2: Type: text/html, Size: 20304 bytes --]

  reply	other threads:[~2022-01-11  3:43 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-03  2:05 [bitcoin-dev] Stumbling into a contentious soft fork activation attempt Michael Folkson
2022-01-09 11:38 ` Peter Todd
2022-01-11  3:42   ` Jeremy [this message]
2022-01-11  4:38     ` Jeremy
2022-01-04 11:53 Prayank
2022-01-04 14:15 ` Michael Folkson
2022-01-04 15:06   ` Prayank
2022-01-04 16:48     ` Michael Folkson
2022-01-04 17:07       ` Prayank
2022-01-04 14:42 ` Christian Decker
2022-01-04 15:45   ` Prayank
2022-01-18  1:57 Prayank
2022-02-18 23:41 ` Peter Todd
2022-02-20 18:35   ` Erik Aronesty
2022-02-21  3:03     ` Prayank
2022-02-21  9:02       ` ZmnSCPxj
2022-02-21  9:11         ` ZmnSCPxj
2022-02-21  9:48         ` Prayank
2022-02-22 12:57           ` Billy Tetrud
2022-02-21  9:09       ` ZmnSCPxj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAD5xwhi=H0Nft4Jbqhd3=89BhAB2JLoTc=mPhdcQkoQxa1sAUg@mail.gmail.com' \
    --to=jlrubin@mit.edu \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    --cc=pete@petertodd.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox