>   If a QC is able overnight to spend a large fraction of the supply, your coins in your super non-QC vulnerable-bare-CTV-covenant (that would eventually become vulnerable when trying to use it) are worthless.[1]

I know this has been debated to death, but I really don't think this argument is very convincing. First of all, why are we assuming that if for example, "satoshi's hoard" of 5+ million bitcoins was stolen, that it would mean bitcoin becomes worthless? To me this is an absurd assumption to make. The thief almost certainly wouldn't want to just destroy bitcoin. But even if they did and put it all up for sale overnight, yes it would tank bitcoin's price *temporarily*. But in the long run, this is less than 1/3 of the supply, and it at worst could be considered monetary inflation of < 30%, and so that's the amount that the price should take a hit of: less than 30%. Plenty of fiat currencies have survived worse. 

Second of all, its incredibly unlikely that someone is suddenly going to be able to do QC so well that they jump straight to being able to find "a large fraction" of the private keys out there, or enough private keys to make up a large fraction of the supply. Its far more likely that the first quantum computers that are able to derive *any* private keys will still take a long time (weeks? months?) to do one. If you have your bitcoins in a segwit address, you know that they can't be stolen by a quantum computer.  You can sit back calmly, and figure out what to do next. By contrast, if your life savings is in a taproot address, you have to drop everything with your underwear on fire and recklessly move that stuff ASAP. Chances for hasty mistakes is high. 

But lets say someone *does* jump to being able to derive 1 private key per minute (pretty darn fast if you ask me). It would currently take such a machine 152 years to crack all the 80 million UTXOs in existence. By the time there are practical quantum machines, it'll probably be at least double that many UTXOs. If it was trying to crack revealed private keys from mempool transactions, it could only really hit 10 out of 2000 transactions. Hashing the public key is I think is quite an effective protection to a quantum computing attack in the vast majority of likely QC emergence scenarios. I honestly don't understand how someone could come to a different conclusion. 

It makes a lot of sense in a world where quantum computers are now a very real thing, to store large amounts of bitcoin in a possibly slightly less efficient way in order to ensure that those funds can't be snatched in a QC disaster scenario. I would be very interested to see a proposal to add the option of having a taproot address type that doesn't expose the bare public key. 


On Fri, Apr 29, 2022 at 6:53 AM Nadav Ivgi via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Correction: thinking about this some more, you can't actually expect to have a stable txid if you allow additional inputs at all...

So yes, amending BIP 118 to commit to sha_sequences (which indirectly also commits to the number of inputs) as proposed in the OP should be sufficient to get stable txids for single-input transactions.

(I initially thought that APO has to cover some additional tx parts for this, but it seems that it's really just the scriptSig which is guarrnated to be empty if you have a single input that is known to be the taproot APO spend.)

So in overall, my (1) and (5) points are only applicable to APO-as-currently-spec'd and not to the suggested APO revision.

On Fri, Apr 29, 2022 at 1:21 PM Nadav Ivgi <nadav@shesek.info> wrote:
> This is *literally* what the post you are replying to is proposing to solve.

I thought the changes mentioned in the OP (+ committing to the spent input index) only solves the half-spend problem, but not the stable txids one?

There can be other inputs with a scriptSig, which doesn't get committed to in the APO hash. I guess this isn't too common, but there might be some cases where you would want to spend some (pre-selected) non-segwit inputs alongside your covenant, maybe for fees. With CTV you would pre-commit to the scriptSig which makes it non-malleable even if the script itself is.

> Hmm? You can't have channel factories without Eltoo. (Well, you can in theory but good luck.)
> Maybe you are refering to non-interactive channel creation?

I was referring to what BIP 119 calls 'Batched Channel Creation' [0], which is a sort of a channel factory construction under a broader definition (and in fact was previously called that in the BIP [1]).

> The case for stable txids is less strong if we have APO (and therefore Eltoo).

There's merit in using these factory constructs for Poon-Dryja channels even if Eltoo was available.
I don't foresee Eltoo taking over the penalty approach entirely, but rather the two living side by side.

(It could theoretically be possible to use APO to open Poon-Dryja channels on top of unstable funding txids, but having stable txids makes this much more easily integratable with existing lightning implementations, without the invasive changes that unstable txids would bring.)

> This has been addressed over and over and over again. If a QC is able overnight to spend a large fraction of
> the supply, your coins in your super non-QC-vulnerable-bare-CTV-covenant (that would eventually become
> vulnerable when trying to use it) are worthless.

It might be the case that a sufficient fraction of supply does switch over to QC-protected outputs in time, with only some small minority that didn't actively switch over and with revealed bare pubkeys losing their funds, which wouldn't make BTC entirely worthless. It makes sense not to want to be in that minority, ideally without requiring further time-sensitive active action (esp if considering long-term deep cold storage for inheritance etc).

(This of course assumes a safe post-QC mechanism to later spend these funds; IIUC there are some viable approaches for that using a two-step spending procedure, where you prove knowledge of the pubkey/script preimage while commiting to a future tx.)

> Sorry for being sarcastic, but at this point it's not fair to use quantum-computer FUD to justify the
> activation of CTV over APO, or encourage the use of legacy transactions over Taproot ones.

Sorry if it came off as FUDing. I don't know enough to hold a strong opinion on whether the fear of QCs is justified or not. I know that many people on this list don't think so, but I also think that this fear is prevalent enough to warrant taking it into consideration (at least for features that target long-term SoV use cases; less so for features targeted at L2 MoE applications like lightning spacechains paypools etc).

> you can also use the internal key optimization .. you can't have NUMS-ness then

Right, which makes this unsuitable for the vaulting use case.

> Also, it's not 33 extra vbytes vs CTV-in-segwitv0, but 33 extra * witness units* (8.25 vbytes).

Ugh yes sorry about that! I realized after hitting send and meant to clarify that it should've been s/vbyte/WU/ in my next reply.

> Are APO signatures more expensive to verify? .. the cost for the network of validating signatures already exists today

Not compared to existing signature verifications, but compared to a CTV/TXHASH-like construction.

Can anyone quantify how much of a difference this makes in practice?

> i appreciate your reply and your efforts to explore the tradeoffs between the two approaches.

Thank you, I appreciate your efforts on this too :-)

shesek


On Fri, Apr 29, 2022 at 11:31 AM darosior <darosior@protonmail.com> wrote:
Hi Shesek,

1. The resulting txids are not stable.

This is *literally* what the post you are replying to is proposing to solve.


This property could be important for some of the proposed CTV use-cases, like channel factories.

Hmm? You can't have channel factories without Eltoo. (Well, you can in theory but good luck.)
Maybe you are refering to non-interactive channel creation? The case for stable txids is less strong if we
have APO (and therefore Eltoo). [0]


2. APO will only be available on Taproot, which some people might prefer to avoid for long-term multi-decade vault storage due to QC concerns. (also see my previous post on this thread [0])

This has been addressed over and over and over again. If a QC is able overnight to spend a large fraction of
the supply, your coins in your super non-QC-vulnerable-bare-CTV-covenant (that would eventually become
vulnerable when trying to use it) are worthless.[1]

Sorry for being sarcastic, but at this point it's not fair to use quantum-computer FUD to justify the
activation of CTV over APO, or encourage the use of legacy transactions over Taproot ones.


3. Higher witness satisfaction cost of roughly 3x vbytes vs CTV-in-Taproot (plus 33 extra vbytes vs CTV-in-segwitv0 in the case of a single CTV branch, for the taproot control block. with more branches CTV-in-taproot eventually becomes preferable).

Again, this is what my post discusses. Here are the arguments from my post about why i don't think it's a big deal:

    1. You can in this case see CTV as an optimization of (tweaked) APOAS. A lot of us are doubtful about CTV
       usecases for real people. So much that it was even proposed to temporarily activate it to see if it would
       ever have any real traction! [2]
       My point with this post was: what if we do (a slightly tweaked) BIP118, that is otherwise useful. And
       if this use of covenants is really getting traction then we can roll out an optimization in the form of
       CTV (or better covenants, as we'd have had more research put into it by this time).
    2. CTV is mainly sold for its usage inside vaults. While i'm not convinced, a few more vbytes should not
       matter for this usecase.

Also, it's not 33 extra vbytes vs CTV-in-segwitv0, but 33 extra * witness units* (8.25 vbytes).
Aside, you can also use the internal key optimization with APO. But i don't think it's desirable just to save
32 WU, as you can't have NUMS-ness then. [3]


4. Higher network-wide full-node validation costs (checking a signature is quite more expensive than hashing, and the hashing is done in both cases).

Are APO signatures more expensive to verify? If not i don't think this should be a reason to constrain us to a
much less useful construction, as the cost for the network of validating signatures already exists today. Even
if it didn't, the tradeoff of cost/usefulness needs to be considered.


5. As APO is currently spec'd, it would suffer from the half-spend problem: if you have multiple outputs encumbered under an APO covenant that requires the same tx sigmsg hash, it becomes possible to spend all of them together as multiple inputs in a single transaction and burn the extra to mining fees.

If I'm not mistaken, I believe this makes the simple-apo-vault implementation [1] vulnerable to spending multiple vaulted outputs of the same denomination together and burning all but the first one. I asked the author for a more definitive answer on twitter [2].

Fixing this requires amending BIP 118 with some new sigmsg flags (making the ANYONECANPAY behaviour optional, as mentioned in the OP).

Yes! And as i mentioned on Twitter also committing to the input index which i forgot to add in the OP here.


While i don't think the specific points are valid, i appreciate your reply and your efforts to explore the
tradeoffs between the two approaches.

Thanks,
Antoine


This is definitely possible but also means that APO as-is isn't a CTV-replacement candidate, without first going through some more design and review iterations.

shesek





On Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
I would like to know people's sentiment about doing (a very slightly tweaked version of) BIP118 in place of
(or before doing) BIP119.

SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for over 6 years. It presents proven and
implemented usecases, that are demanded and (please someone correct me if i'm wrong) more widely accepted than
CTV's.

SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made optional [0], can emulate CTV just fine.
Sure then you can't have bare or Segwit v0 CTV, and it's a bit more expensive to use. But we can consider CTV
an optimization of APO-AS covenants.

CTV advocates have been presenting vaults as the flagship usecase. Although as someone who've been trying to
implement practical vaults for the past 2 years i doubt CTV is necessary nor sufficient for this (but still
useful!), using APO-AS covers it. And it's not a couple dozen more virtual bytes that are going to matter for
a potential vault user.

If after some time all of us who are currently dubious about CTV's stated usecases are proven wrong by onchain
usage of a less efficient construction to achieve the same goal, we could roll-out CTV as an optimization. In
the meantime others will have been able to deploy new applications leveraging ANYPREVOUT (Eltoo, blind
statechains, etc..[1]).


Given the interest in, and demand for, both simple covenants and better offchain protocols it seems to me that
BIP118 is a soft fork candidate that could benefit more (if not most of) Bitcoin users.
Actually i'd also be interested in knowing if people would oppose the APO-AS part of BIP118, since it enables
CTV's features, for the same reason they'd oppose BIP119.


[0] That is, to not commit to the other inputs of the transaction (via `sha_sequences` and maybe also
`sha_amounts`). Cf https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message.

[1] https://anyprevout.xyz/ "Use Cases" section
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev