From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 6D4981B2B for ; Sun, 23 Jun 2019 13:11:14 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from mail-40136.protonmail.ch (mail-40136.protonmail.ch [185.70.40.136]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id EF2F3701 for ; Sun, 23 Jun 2019 13:11:12 +0000 (UTC) Date: Sun, 23 Jun 2019 13:11:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=default; t=1561295469; bh=bdT3gDACUfptkcYyH4q4U5RKYLmNWWgTIcWovipgioA=; h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References: Feedback-ID:From; b=ujtm4j8MVMhg9gGI+h1ddPtuyLrh78isHdaLnnETzGrK0uvjFbdQA/CQbvcWsXdkl a7ouK9Kl33+dzU5mjStpwM7I36swV5+I6lzPMKS/dgtZr9O9PxzYF+Ciky6rAecdKg jNrBoWectzK8lnz1flmshCae6XIq7jFk8V6oY6hE= To: Jeremy Rubin From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: In-Reply-To: References: <20190605093039.xfo7lcylqkhsfncv@erisian.com.au> Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sun, 23 Jun 2019 16:34:08 +0000 Cc: Bitcoin development mailing list Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 23 Jun 2019 13:11:14 -0000 Good morning Jeremy, While `OP_SECURETHEBAG` commits to the desired output script of the spendin= g TX, what is being referred to here is the ability to verify the output sc= ript being spent, i.e. the script that actually contains the `OP_SECURETHEB= AG`. By this, we are able to create a contract that ensures that it is paid agai= n (covenants), which in combination with a little more introspection of TX = data, allows us to verify the execution of steps of a Turing-complete progr= am. It is surprisingly easy to make a language inadvertently Turing-complete, w= hich is basically the argument here, That is, with just a little more power and some additional operations that = would appear reasonable to add by themselves (`OP_CAT`, `OP_LEFT`, `OP_TWEA= KPUBKEY`) on top of some form of requiring a particular output script, it i= s possible to validate the execution of Turing-complete programs on the Bit= coin blockchain. Thus, with quining (a script which gets the text of its own code as part of= the static data it has), `OP_TWEAKPUBKEY`, and a `OP_SECURETHEBAG` that ge= ts its argument from the stack, it will be possible to make Turing-complete= Bitcoin SCRIPT. I would mildly suggest that we might very well want to consider creating a = well-designed way of injecting Turing-completeness into Bitcoin SCRIPT (req= uiring it to be behind a Taproot, so that bugs in Turing-complete code at l= east have a chance to be bugfixed by agreement of the Taproot signing set) = since we might eventually find ourselves introducing it inadvertently later= in any case. Regards, ZmnSCPxj Sent with ProtonMail Secure Email. =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 On Sunday, June 23, 2019 6:41 AM, Jeremy Rubin w= rote: > Can you clarify this comment? > > We do in fact commit to the script and scriptsig itself (not the witness = stack) in OP_SECURETHEBAG (unless I'm missing what you meant)? > > On Thu, Jun 20, 2019, 10:59 AM Russell O'Connor via bitcoin-dev wrote: > > > Just to be clear, while OP_CHECKTXDIGESTVERIFY would enable this style = of covenants if it pulled data from the stack, the OP_SECURETHEBAG probably= cannot create covenants even if it were to pull the data from the stack un= less some OP_TWEEKPUBKEY operation is added to Script because the "commitme= nt of the script itself" isn't part of the OP_SECURETHEBAG. > > > > So with regards to OP_SECURETHEBAG, I am also "not really seeing any re= ason to complicate the spec to ensure the digest is precommitted as part of= the opcode." > > > > On Thu, Jun 6, 2019 at 3:33 AM ZmnSCPxj via bitcoin-dev wrote: > > > > > Good morning aj, > > > > > > Sent with ProtonMail Secure Email. > > > > > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origi= nal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80= =90 > > > On Wednesday, June 5, 2019 5:30 PM, Anthony Towns via bitcoin-dev wrote: > > > > > > > On Fri, May 31, 2019 at 10:35:45PM -0700, Jeremy via bitcoin-dev wr= ote: > > > > > > > > > OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBA= G*. > > > > > > > > I think you could generalise that slightly and make it fit in > > > > with the existing opcode naming by calling it something like > > > > "OP_CHECKTXDIGESTVERIFY" and pull a 33-byte value from the stack, > > > > consisting of a sha256 hash and a sighash-byte, and adding a new si= ghash > > > > value corresponding to the set of info you want to include in the h= ash, > > > > which I think sounds a bit like "SIGHASH_EXACTLY_ONE_INPUT | SIGHAS= H_ALL" > > > > > > > > FWIW, I'm not really seeing any reason to complicate the spec to en= sure > > > > the digest is precommitted as part of the opcode. > > > > > > > > > > I believe in combination with `OP_LEFT` and `OP_CAT` this allows Turi= ng-complete smart contracts, in much the same way as `OP_CHECKSIGFROMSTACK`= ? > > > > > > Pass in the spent transaction (serialised for txid) and the spending = transaction (serialised for sighash) as part of the witness of the spending= transaction. > > > > > > Script verifies that the spending transaction witness value is indeed= the spending transaction by `OP_SHA256 OP_SWAP OP_CAT OP_CHE= CKTXDIGESTVERIFY`. > > > Script verifies the spent transaction witness value is indeed the spe= nt transaction by hashing it, then splitting up the hash with `OP_LEFT` int= o bytes, and comparing the bytes to the bytes in the input of the spending = transaction witness value (txid being the bytes in reversed order). > > > > > > Then the Script can extract a commitment of itself by extracting the = output of the spent transaction. > > > This lets the Script check that the spending transaction also pays to= the same script. > > > > > > The Script can then access a state value, for example from an `OP_RET= URN` output of the spent transaction, and enforce that a correct next-state= is used in the spending transaction. > > > If the state is too large to fit in a standard `OP_RETURN`, then the = current state can be passed in as a witness and validated against a hash co= mmitment in an `OP_RETURN` output. > > > > > > I believe this is the primary reason against not pulling data from th= e stack. > > > > > > Regards, > > > ZmnSCPxj > > > _______________________________________________ > > > bitcoin-dev mailing list > > > bitcoin-dev@lists.linuxfoundation.org > > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev