Antoine,

One high level reason to not prefer APO is that it gets 'dangerously close' to fully recursive covenants.

E.g., just by tweaking APO to use a Schnorr signature without PK commitment, Pubkey Recovery would be possible, and fully recursive covenants could be done.

Short of that type of modification, you can still do a "trusted setup" key deletion covenant with APO and have a fully recursive covenant set up. E.g.

<1 || N-N MuSig> APO

where the N-N MuSig pregenerates a signature of a transaction that commits to an output with itself, e.g., using SIGHASH_SINGLE.

By itself, this is not super useful, but does create the type of thing that people might worry about with a recursive covenant since after initialization it is autonomous.

One use case for this might be, for example, a spacechain backbone that infinitely iterates, so it isn't entirely useless.

If other opcodes are added, such as OP_IN_OUT_AMOUNT, then you can get all sorts of recursive covenant interesting stuff on top of that, since you could pre-sign e.g. for a quanitzed vault a number of different deposit/withdraw programs as well as increasing balances depending on timeout waited.

Therefore, I think reasonable people might discriminate the "complexity class" of the design space available with just CTV v.s. APO.

In contrast, the approach of smaller independent steps:

1) Adding CTV

2) Adding CSFS (enables APO-like behavior, sufficient for Eltoo)

3) Adding flags to CTV, similar to TXHASH, or just adding TXHASH (enables full covenants)

4) Ergonomic OPCodes for covenants like TLUV, EcTweak, MAST building, etc (enables efficient covenants)

is a much more granular path where we are able to cleanly 'level up' into each covenant complexity class only if we deem it to be safe.

<redacted>comment about timelines to produce a modified APO</redacted>

Best,

Jeremy

--
@JeremyRubin

On Fri, Apr 22, 2022 at 4:23 AM darosior via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

I would like to know people's sentiment about doing (a very slightly tweaked version of) BIP118 in place of
(or before doing) BIP119.

SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for over 6 years. It presents proven and
implemented usecases, that are demanded and (please someone correct me if i'm wrong) more widely accepted than
CTV's.

SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made optional [0], can emulate CTV just fine.
Sure then you can't have bare or Segwit v0 CTV, and it's a bit more expensive to use. But we can consider CTV
an optimization of APO-AS covenants.

CTV advocates have been presenting vaults as the flagship usecase. Although as someone who've been trying to
implement practical vaults for the past 2 years i doubt CTV is necessary nor sufficient for this (but still
useful!), using APO-AS covers it. And it's not a couple dozen more virtual bytes that are going to matter for
a potential vault user.

If after some time all of us who are currently dubious about CTV's stated usecases are proven wrong by onchain
usage of a less efficient construction to achieve the same goal, we could roll-out CTV as an optimization. In
the meantime others will have been able to deploy new applications leveraging ANYPREVOUT (Eltoo, blind
statechains, etc..[1]).

Given the interest in, and demand for, both simple covenants and better offchain protocols it seems to me that
BIP118 is a soft fork candidate that could benefit more (if not most of) Bitcoin users.
Actually i'd also be interested in knowing if people would oppose the APO-AS part of BIP118, since it enables
CTV's features, for the same reason they'd oppose BIP119.

[0] That is, to not commit to the other inputs of the transaction (via `sha_sequences` and maybe also
`sha_amounts`). Cf https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message.

[1] https://anyprevout.xyz/ "Use Cases" section
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev