public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
* [Bitcoin-development] Pay to MultiScript hash:
@ 2014-07-16 17:56 Jeremy
  2014-07-17  4:52 ` Jeff Garzik
  2014-07-17 20:08 ` Gregory Maxwell
  0 siblings, 2 replies; 6+ messages in thread
From: Jeremy @ 2014-07-16 17:56 UTC (permalink / raw)
  To: bitcoin-development

[-- Attachment #1: Type: text/plain, Size: 1524 bytes --]

Hey all,

I had an idea for a new transaction type. The base idea is that it is
matching on script hashes much like pay to script hash, but checks for one
of N scripts.

A motivating case is for "permission groups". Let's say I want to have a
single "root user" script, a 2 of 3 group, and a 2 of 2 group able to spend
a utxo. This would allow for any one of these permission groups to spend.

Right now, this could be expressed multiple ways (ie, using an op_dup if
then else chain) , but all would incur additional costs in terms of
complicated control flows. Instead, I would propose:

OP_HASH160 [20-byte-hash-value 1]...[20-byte-hash-value N] OP_N
OP_MULTISCRIPTHASHVERIFY


could be spent with

...signatures... {serialized script}


​And the alternative formulation: (more complex!)​

​OP_HASH160 OP_DUP [20-byte-hash-value 1]​
​ OP_IF OP_EQUAL​
​ OP_VERIFY OP_ELSE   <OP_DUP  [20-byte-hash-value 2]​​  OP_IF......>
OP_ENDIF​



Of course, the permission group example is just one use case, there could
be other interesting combinations as well
​.


There is an implication in terms of increased utxo pool bloat, but also an
implication in terms of increased txn complexity (each 20 byte hash allows
for a 500 byte script, only one of the 500 byte scripts has to be
permanently stored on blockchain).


Looking forward to your feedback -- the idea is a bit preliminary, but I
think it could be exciting.

Best,

Jeremy




-- 
Jeremy Rubin

[-- Attachment #2: Type: text/html, Size: 3176 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bitcoin-development] Pay to MultiScript hash:
  2014-07-16 17:56 [Bitcoin-development] Pay to MultiScript hash: Jeremy
@ 2014-07-17  4:52 ` Jeff Garzik
  2014-07-17  5:59   ` Jeremy
  2014-07-17 20:08 ` Gregory Maxwell
  1 sibling, 1 reply; 6+ messages in thread
From: Jeff Garzik @ 2014-07-17  4:52 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Dev

On Wed, Jul 16, 2014 at 1:56 PM, Jeremy <jlrubin@mit.edu> wrote:
> Right now, this could be expressed multiple ways (ie, using an op_dup if
> then else chain) , but all would incur additional costs in terms of
> complicated control flows. Instead, I would propose:

Can you quantify "additional costs in terms of complicated control flows"?


> There is an implication in terms of increased utxo pool bloat, but also an
> implication in terms of increased txn complexity (each 20 byte hash allows
> for a 500 byte script, only one of the 500 byte scripts has to be
> permanently stored on blockchain).

When considering these costs, using a normal P2SH output + a script
with OP_IF and friends seems more straightforward?

Doing boolean logic with multisig groups is quite possible, e.g.
"group AND group", "group OR (group AND group)" etc.  Definitely a
valid use case.  I discussed how to do this on IRC with gmaxwell
several months ago.  I call it "multi-multisig" for lack of a better
name.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bitcoin-development] Pay to MultiScript hash:
  2014-07-17  4:52 ` Jeff Garzik
@ 2014-07-17  5:59   ` Jeremy
  2014-07-17  6:21     ` Jeff Garzik
  0 siblings, 1 reply; 6+ messages in thread
From: Jeremy @ 2014-07-17  5:59 UTC (permalink / raw)
  To: Jeff Garzik; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 2986 bytes --]

Additional costs would be in terms of A) chance of user error/application
error -- proposed method is much simpler, as well as extra bytes for
control flow ( 4 per script if I am counting right).


The costs on a normal script do seem slightly more friendly, except this
method allows for hidden-till-spent permission groups, as well as as
smaller blockchain bloat overall (if scriptSig script has to store the
logic for all the potential permission group, it will be a larger script
versus only needing one permission group's script). An added benefit could
also be in blockchain analysis -- you can actively monitor the utxo pool
for your known associated scripts, whereas you couldn't for specialty
scripts assembled per group. Enables repeated spends with groups as a "cost
object" w/o having to recall all participants. ie, pay to the same perm
groups as the other employee did last time, but include me as a root this
time.


Do you have a transcript of that chat by any chance? An interesting way to
do that would be to push the sigs onto the stack & have implicit orders,
then do expressions with their aliases, and then be able to assign
"spending groups".
ex:
code_sep
push script0
push script1
push script2
push script3
group_sep
mkgroup_2, 0,1      ; the id will be 4
mkgroup_3, 0,2,3   ; the id will be 5
mkUnionGroup_2, 4,5 ; the id will be 6
2_of_3_group 0, 1, 2
mkIntersectionGroup_2 5, 6
complement_last  ; complements last group, mutation
del_group 1          ; deletes the group #1, groups then reindex after
deletion (maybe the group was useful base class).
etc...
multisig check perm groups (checks if any groups on stack are valid from
script)


or even something like adding a little SAT scripting language with an eval.

push script0
push script1
push script2
push script3
push <a=(1 & 2 & 0), b=a-1, a | 3 | b >
eval











On Thu, Jul 17, 2014 at 12:52 AM, Jeff Garzik <jgarzik@bitpay.com> wrote:

> On Wed, Jul 16, 2014 at 1:56 PM, Jeremy <jlrubin@mit.edu> wrote:
> > Right now, this could be expressed multiple ways (ie, using an op_dup if
> > then else chain) , but all would incur additional costs in terms of
> > complicated control flows. Instead, I would propose:
>
> Can you quantify "additional costs in terms of complicated control flows"?
>
>
> > There is an implication in terms of increased utxo pool bloat, but also
> an
> > implication in terms of increased txn complexity (each 20 byte hash
> allows
> > for a 500 byte script, only one of the 500 byte scripts has to be
> > permanently stored on blockchain).
>
> When considering these costs, using a normal P2SH output + a script
> with OP_IF and friends seems more straightforward?
>
> Doing boolean logic with multisig groups is quite possible, e.g.
> "group AND group", "group OR (group AND group)" etc.  Definitely a
> valid use case.  I discussed how to do this on IRC with gmaxwell
> several months ago.  I call it "multi-multisig" for lack of a better
> name.
>



-- 
Jeremy Rubin

[-- Attachment #2: Type: text/html, Size: 7287 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bitcoin-development] Pay to MultiScript hash:
  2014-07-17  5:59   ` Jeremy
@ 2014-07-17  6:21     ` Jeff Garzik
  2014-07-17 19:55       ` Jeremy
  0 siblings, 1 reply; 6+ messages in thread
From: Jeff Garzik @ 2014-07-17  6:21 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Dev

In a system like bitcoin, where the system has to keep running, you
have to consider how to roll out upgrades, and the costs associated
with that.
* the general cost of any network-wide change, versus P2SH which is
already analyzed by devs, rolled out and working
* the cost of P2SH output is predictable, versus less predictable outputs
* the cost of updating everybody to relay this new transaction type,
whereas P2SH Just Works already
* cost of increasing rate of UTXO growth versus P2SH
* "default public", versus P2SH's "default private"

It is true that publishing the script in the txout has the advantage
of being easily audited by third parties scanning the blockchain, but
in the interest of space efficiency you may accomplish the same thing
by offering the script upon request out-of-band.  The script is
hash-sealed by the P2SH address, enabling perfect proof.

Don't have a transcript handy, but these things are usually logged and
google-searchable.

In any case, it would be nice to get together and start building a
"cookbook" of useful scripts like the ones you've been describing.
The power of bitcoin scripts is only beginning to be explored.  Use
cases and examples are very helpful.



On Thu, Jul 17, 2014 at 1:59 AM, Jeremy <jlrubin@mit.edu> wrote:
> Additional costs would be in terms of A) chance of user error/application
> error -- proposed method is much simpler, as well as extra bytes for control
> flow ( 4 per script if I am counting right).
>
>
> The costs on a normal script do seem slightly more friendly, except this
> method allows for hidden-till-spent permission groups, as well as as smaller
> blockchain bloat overall (if scriptSig script has to store the logic for all
> the potential permission group, it will be a larger script  versus only
> needing one permission group's script). An added benefit could also be in
> blockchain analysis -- you can actively monitor the utxo pool for your known
> associated scripts, whereas you couldn't for specialty scripts assembled per
> group. Enables repeated spends with groups as a "cost object" w/o having to
> recall all participants. ie, pay to the same perm groups as the other
> employee did last time, but include me as a root this time.
>
>
> Do you have a transcript of that chat by any chance? An interesting way to
> do that would be to push the sigs onto the stack & have implicit orders,
> then do expressions with their aliases, and then be able to assign "spending
> groups".
> ex:
> code_sep
> push script0
> push script1
> push script2
> push script3
> group_sep
> mkgroup_2, 0,1      ; the id will be 4
> mkgroup_3, 0,2,3   ; the id will be 5
> mkUnionGroup_2, 4,5 ; the id will be 6
> 2_of_3_group 0, 1, 2
> mkIntersectionGroup_2 5, 6
> complement_last  ; complements last group, mutation
> del_group 1          ; deletes the group #1, groups then reindex after
> deletion (maybe the group was useful base class).
> etc...
> multisig check perm groups (checks if any groups on stack are valid from
> script)
>
>
> or even something like adding a little SAT scripting language with an eval.
>
> push script0
> push script1
> push script2
> push script3
> push <a=(1 & 2 & 0), b=a-1, a | 3 | b >
> eval
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Jul 17, 2014 at 12:52 AM, Jeff Garzik <jgarzik@bitpay.com> wrote:
>>
>> On Wed, Jul 16, 2014 at 1:56 PM, Jeremy <jlrubin@mit.edu> wrote:
>> > Right now, this could be expressed multiple ways (ie, using an op_dup if
>> > then else chain) , but all would incur additional costs in terms of
>> > complicated control flows. Instead, I would propose:
>>
>> Can you quantify "additional costs in terms of complicated control flows"?
>>
>>
>> > There is an implication in terms of increased utxo pool bloat, but also
>> > an
>> > implication in terms of increased txn complexity (each 20 byte hash
>> > allows
>> > for a 500 byte script, only one of the 500 byte scripts has to be
>> > permanently stored on blockchain).
>>
>> When considering these costs, using a normal P2SH output + a script
>> with OP_IF and friends seems more straightforward?
>>
>> Doing boolean logic with multisig groups is quite possible, e.g.
>> "group AND group", "group OR (group AND group)" etc.  Definitely a
>> valid use case.  I discussed how to do this on IRC with gmaxwell
>> several months ago.  I call it "multi-multisig" for lack of a better
>> name.
>
>
>
>
> --
> Jeremy Rubin



-- 
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc.      https://bitpay.com/



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bitcoin-development] Pay to MultiScript hash:
  2014-07-17  6:21     ` Jeff Garzik
@ 2014-07-17 19:55       ` Jeremy
  0 siblings, 0 replies; 6+ messages in thread
From: Jeremy @ 2014-07-17 19:55 UTC (permalink / raw)
  To: Jeff Garzik; +Cc: Bitcoin Dev

[-- Attachment #1: Type: text/plain, Size: 6893 bytes --]

* the general cost of any network-wide change, versus P2SH which is
already analyzed by devs, rolled out and working
* the cost of updating everybody to relay this new transaction type,
whereas P2SH Just Works already
fair -- I think that there may be a big benefit realizable with this kind
of system.

* cost of increasing rate of UTXO growth versus P2SH
This operation is similar in cost to multisig? Although I suppose there is
the proposal to make all multisigs p2sh

* the cost of P2SH output is predictable, versus less predictable outputs
 * "default public", versus P2SH's "default private"
-- Can you elaborate on these?

I think part of the problem is that there is low incentive for
development/cataloging  of these useful types of script because there isn't
a horizon on getting them broadcastable by nodes other than testnet? Even
with pay to script hash it is still currently relegated to a subset of
script types iirc (I think I'm wrong on this one maybe (hopefully) -- if
so, let's get writing!)?



Hmm... another idea... what about doing a p2sh with a switch statement, ie:

OP_HASH160 <script set hash> OP_EQUAL

payable by:

{signatures...} <scriptX> <<script1 hash>, <script2 hash>...<scriptN hash>
in sorted order> OP_DUP

And then executed like a normal p2sh transaction except before the
<scriptX> is run, the set of hashes is checked for set membership (can't
find a concise way to express this, but it should be doable within the
current framework of p2sh processing).

Which lets you select one of n scripts each 520 bytes long without bloating
the utxo pool more than a p2sh, the cost being purely on disk.

In theory, this could represent a space savings on disk longterm for
regular p2sh. ie, if I have two 2 of 3 groups I want to be able to spend,
this system would represent an overall space savings.


Adding some kind of "function-hash-pointer jump table / switch statement"
could be pretty cool in terms of space savings as well as allowing for more
complicated scripts to be built.



On Thu, Jul 17, 2014 at 2:21 AM, Jeff Garzik <jgarzik@bitpay.com> wrote:

> In a system like bitcoin, where the system has to keep running, you
> have to consider how to roll out upgrades, and the costs associated
> with that.
> * the general cost of any network-wide change, versus P2SH which is
> already analyzed by devs, rolled out and working
> * the cost of P2SH output is predictable, versus less predictable outputs
> * the cost of updating everybody to relay this new transaction type,
> whereas P2SH Just Works already
> * cost of increasing rate of UTXO growth versus P2SH
> * "default public", versus P2SH's "default private"
>
> It is true that publishing the script in the txout has the advantage
> of being easily audited by third parties scanning the blockchain, but
> in the interest of space efficiency you may accomplish the same thing
> by offering the script upon request out-of-band.  The script is
> hash-sealed by the P2SH address, enabling perfect proof.
>
> Don't have a transcript handy, but these things are usually logged and
> google-searchable.
>
> In any case, it would be nice to get together and start building a
> "cookbook" of useful scripts like the ones you've been describing.
> The power of bitcoin scripts is only beginning to be explored.  Use
> cases and examples are very helpful.
>
>
>
> On Thu, Jul 17, 2014 at 1:59 AM, Jeremy <jlrubin@mit.edu> wrote:
> > Additional costs would be in terms of A) chance of user error/application
> > error -- proposed method is much simpler, as well as extra bytes for
> control
> > flow ( 4 per script if I am counting right).
> >
> >
> > The costs on a normal script do seem slightly more friendly, except this
> > method allows for hidden-till-spent permission groups, as well as as
> smaller
> > blockchain bloat overall (if scriptSig script has to store the logic for
> all
> > the potential permission group, it will be a larger script  versus only
> > needing one permission group's script). An added benefit could also be in
> > blockchain analysis -- you can actively monitor the utxo pool for your
> known
> > associated scripts, whereas you couldn't for specialty scripts assembled
> per
> > group. Enables repeated spends with groups as a "cost object" w/o having
> to
> > recall all participants. ie, pay to the same perm groups as the other
> > employee did last time, but include me as a root this time.
> >
> >
> > Do you have a transcript of that chat by any chance? An interesting way
> to
> > do that would be to push the sigs onto the stack & have implicit orders,
> > then do expressions with their aliases, and then be able to assign
> "spending
> > groups".
> > ex:
> > code_sep
> > push script0
> > push script1
> > push script2
> > push script3
> > group_sep
> > mkgroup_2, 0,1      ; the id will be 4
> > mkgroup_3, 0,2,3   ; the id will be 5
> > mkUnionGroup_2, 4,5 ; the id will be 6
> > 2_of_3_group 0, 1, 2
> > mkIntersectionGroup_2 5, 6
> > complement_last  ; complements last group, mutation
> > del_group 1          ; deletes the group #1, groups then reindex after
> > deletion (maybe the group was useful base class).
> > etc...
> > multisig check perm groups (checks if any groups on stack are valid from
> > script)
> >
> >
> > or even something like adding a little SAT scripting language with an
> eval.
> >
> > push script0
> > push script1
> > push script2
> > push script3
> > push <a=(1 & 2 & 0), b=a-1, a | 3 | b >
> > eval
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Jul 17, 2014 at 12:52 AM, Jeff Garzik <jgarzik@bitpay.com>
> wrote:
> >>
> >> On Wed, Jul 16, 2014 at 1:56 PM, Jeremy <jlrubin@mit.edu> wrote:
> >> > Right now, this could be expressed multiple ways (ie, using an op_dup
> if
> >> > then else chain) , but all would incur additional costs in terms of
> >> > complicated control flows. Instead, I would propose:
> >>
> >> Can you quantify "additional costs in terms of complicated control
> flows"?
> >>
> >>
> >> > There is an implication in terms of increased utxo pool bloat, but
> also
> >> > an
> >> > implication in terms of increased txn complexity (each 20 byte hash
> >> > allows
> >> > for a 500 byte script, only one of the 500 byte scripts has to be
> >> > permanently stored on blockchain).
> >>
> >> When considering these costs, using a normal P2SH output + a script
> >> with OP_IF and friends seems more straightforward?
> >>
> >> Doing boolean logic with multisig groups is quite possible, e.g.
> >> "group AND group", "group OR (group AND group)" etc.  Definitely a
> >> valid use case.  I discussed how to do this on IRC with gmaxwell
> >> several months ago.  I call it "multi-multisig" for lack of a better
> >> name.
> >
> >
> >
> >
> > --
> > Jeremy Rubin
>
>
>
> --
> Jeff Garzik
> Bitcoin core developer and open source evangelist
> BitPay, Inc.      https://bitpay.com/
>



-- 
Jeremy Rubin

[-- Attachment #2: Type: text/html, Size: 10495 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Bitcoin-development] Pay to MultiScript hash:
  2014-07-16 17:56 [Bitcoin-development] Pay to MultiScript hash: Jeremy
  2014-07-17  4:52 ` Jeff Garzik
@ 2014-07-17 20:08 ` Gregory Maxwell
  1 sibling, 0 replies; 6+ messages in thread
From: Gregory Maxwell @ 2014-07-17 20:08 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Development

On Wed, Jul 16, 2014 at 10:56 AM, Jeremy <jlrubin@mit.edu> wrote:
> Hey all,
> I had an idea for a new transaction type. The base idea is that it is
> matching on script hashes much like pay to script hash, but checks for one
> of N scripts.

This seems strictly less flexible and efficient than the Merkelized
Abstract Syntax Tree construction, though perhaps slightly easier to
implement it wouldn't be any easier to deploy.

Something like this was very recently proposed on this list (by Tier
Nolan), you might want to see the "Selector Script" thread.



^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2014-07-17 20:08 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-07-16 17:56 [Bitcoin-development] Pay to MultiScript hash: Jeremy
2014-07-17  4:52 ` Jeff Garzik
2014-07-17  5:59   ` Jeremy
2014-07-17  6:21     ` Jeff Garzik
2014-07-17 19:55       ` Jeremy
2014-07-17 20:08 ` Gregory Maxwell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox