From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Thu, 25 Apr 2024 03:41:07 -0700 Received: from mail-qv1-f63.google.com ([209.85.219.63]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rzwXK-00023A-HU for bitcoindev@gnusha.org; Thu, 25 Apr 2024 03:41:07 -0700 Received: by mail-qv1-f63.google.com with SMTP id 6a1803df08f44-690dd4cf6fbsf10146426d6.0 for ; Thu, 25 Apr 2024 03:41:06 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714041660; cv=pass; d=google.com; s=arc-20160816; b=f1KfcEDzOk7n//TV9cbnCpRC0cCCdBQeeqatispwAZE6Es02qERfdAyYmHfADOYKLq 1jPEIs5/LVr43pKUqw3gQDj0NvZHfL8XUglG70hGau+dJTAe8HYLwjVhy7o18ZZxoTuc oiFA0R77AFmE+b0s3MYtaFZZeQFwwa+YeoGfRoJOS3AgipVQog97CfVUg2XgOFlZD263 phI37dSA7ANzl5USP4AXHdJry83Yd+fbPDOzGbudKEQRNEw3k9l1EfeiqLuepLow+UI1 o0WE1t0BNzb9KWVk2xdm5poQEi8CgjEPnc9xrbjgwhqpZcLz2KjtvgUiYDUtjWSI6gpN D/RA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-disposition:mime-version :message-id:subject:cc:to:from:date:sender:dkim-signature; bh=HG1DI89aXnRM6qqnWgAjbsg8GORvc7OljFpLT0JNz2c=; fh=9N8ZnMzZwUKbIq28ZIwtv456/rmMIbrB52KoimGWSbw=; b=UgxkTBL1X0x4XmNFjV8UXLEU73AKnJVE1UfCH6yom2H36fkSuyzwokArSxitKk6icD bJxXkSXBW3HvDa9gNuKqzeTf87jm0JZpsAAXP6xfhw/YFUytPBm+bbN5lWAgxP55FG6U esui4oMavDsus+mRxLxbXhHHVcWCGqH5nnbhOns2YjCSnmf2FPp23zqTbTKYtMiOrDhn l5qICtbX/U6uuVBc623nP6s7h2etRsiJuv1UYGVxGEBunJ+yu6shqS6D0ekzJ2fWOXOu pt1xePZReu5+2TQsSFPvKuQ+1qcK8r4VrP1QRceYykkvifMyi579mUsxf+nm9uwj0fOn MuaQ==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@reardencode.com header.s=mail header.b=IIuhdvuH; spf=pass (google.com: domain of freedom@reardencode.com designates 206.125.169.165 as permitted sender) smtp.mailfrom=freedom@reardencode.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=reardencode.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1714041660; x=1714646460; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-disposition:mime-version:message-id :subject:cc:to:from:date:sender:from:to:cc:subject:date:message-id :reply-to; bh=HG1DI89aXnRM6qqnWgAjbsg8GORvc7OljFpLT0JNz2c=; b=Yao5Lis4YlhFuAqV4KgH3z+/uqb6Yd6tut65eqLtQSLw3C6grGMUskQIreUe3nxvGK bu8Jxo4/U8nDpRD2MfJL2sHS9pkfR4zq2KD/47zB1+jGiWOh6sdKMwRfnSrHvpHiQ4Vt gdJ3ML1c8H+6LnqccZyCtVfm8/hoA2r6a+WWys1yO4CtUWYL3qdnUQQfTwuO+HldUErO IrSL9ie9knjpB/DRHCyY9FXjnEW943T3rtYZ0LOA3ejPU18tJygcIs2NfBTfHT83kpF5 uLSP+C6laJI5SLuszyaAQNHgbKQ2+36A5z2el9gMDdOgMz/gze9v4BStBV8AnPJ+rfbH 0mWQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714041660; x=1714646460; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-disposition:mime-version:message-id :subject:cc:to:from:date:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=HG1DI89aXnRM6qqnWgAjbsg8GORvc7OljFpLT0JNz2c=; b=D/WeJaUM0d22HKsVsgHQEspSfghy5PRBMrratvMksgaSbOhhqCAOEh599zXrTstQsC vgF1UmwVR+DzSa4GdX5Uz5c1CoNDn/D8u8cqQ20eB0KsmWvy0FJCF+7anF0So8eQrWWm 6sI+eOLhiYAeT2ULIyi3SLcSXMWR6OJSNMNUCzYuM9DjI2DJoL6KDi8AWDK35/cWqjxX 3SXQXdyGHQMweVGw9qsrjL9CuKx6JLljeGh1iSe5DE0o50dIlob0WvKx3188674+MC87 rAkboS1zokHXAHXmiDKhmFMbl7ONGAtYwQRe7cQ6ikQ1Fm7SOtzUCvvPcVw97npm8/vc ivtQ== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCXvAqvjj8VoSZK7kJvHBCcPMX/7ixSmc+A8ofRu27irH292JW1L4XujawK8i4SrqZrrXiUDwhJ5dJXpUzXP+QS+omeO+WA= X-Gm-Message-State: AOJu0YyTBDZXVhEO6FBtbEv53N1g7JhFegfwUq9KOl0mW5S2zHPE9yld G9EAaOKs8vWMo49ikJrgbzrdbR8N5L6Pmgt3X4dE+tQbJwbdPLQs X-Google-Smtp-Source: AGHT+IFApSSkKPC/sVko0q3hYDRpbqnC+mDnX9hvHGYC2usZT11ySmOBNfZAztX0vB46FH1OKp2HQg== X-Received: by 2002:a0c:e344:0:b0:6a0:817e:b694 with SMTP id a4-20020a0ce344000000b006a0817eb694mr5863695qvm.10.1714041660012; Thu, 25 Apr 2024 03:41:00 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:a05:6214:2303:b0:69b:4c5f:b8d4 with SMTP id 6a1803df08f44-6a09c647ddels10523276d6.2.-pod-prod-09-us; Thu, 25 Apr 2024 03:40:58 -0700 (PDT) X-Received: by 2002:a05:6214:20e8:b0:6a0:5e93:ecc1 with SMTP id 8-20020a05621420e800b006a05e93ecc1mr411367qvk.12.1714041658324; Thu, 25 Apr 2024 03:40:58 -0700 (PDT) Received: by 2002:a05:620a:19a7:b0:790:9728:7a6d with SMTP id af79cd13be357-7909a6dbf6cms85a; Wed, 24 Apr 2024 22:13:01 -0700 (PDT) X-Received: by 2002:a0c:e991:0:b0:6a0:95a4:c65b with SMTP id z17-20020a0ce991000000b006a095a4c65bmr3815082qvn.13.1714021980671; Wed, 24 Apr 2024 22:13:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1714021980; cv=none; d=google.com; s=arc-20160816; b=RVbBTNJHUnwueOPZK5lkqSeTxKUdFgnXfTvI7vLG4/fFVohEHXn6r3IWgMKJ6RVHAG W/31PFbHVquZiMNSWL5IA62H8CB8Z+Tku0gIksQE2bTj4O8ohaXqyztKvEvvQK8TExag 7DMfFtbjikTgIPB6zRHrIvlTR7PgrxpLPKauAhv/VNUInsutISEl8eHlsrxpdkgLY2+4 3r1zlPC3r9HDrGRW7Pt5YUIWnUX553QZRd0hiAQdDOwgZHOtoNyKiEWwHBeRvbZEvPmt Or/9X0Y7L4/2BdCGUK8GB15IvlihScVIZSAGDuPj7NEQUk+ozR+G44xWWG3WnGoUyIPw mqtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-disposition:mime-version:message-id:subject:cc:to:from :dkim-signature:date; bh=/dUn7cdIOHZB6qsut3FSeF9M8c/Hu6RxS1dbrhztfMQ=; fh=KeArRNdNZ+eyyjenzK10WGIwxM0PtlSJ2crjCld+h2U=; b=LmdnF2B9XFYk7pm2BwA1wogzYSou/n/Q+8eQNCqKSA3dIIZQfehKUUKfCpLb2vgzgH aRXK8/gXQearrCzlt8Fg2xoQ/knWcD9JRugkGKswardCBV4oAOec86HLYxWdpmv2XGFq fFUlJCzgNePLgmSL89Alpgm43cakXH1AWbbKMM4/5QnGXKZG69qjFXEo3fc0X6T6hsBM Fue57Xp2CiRpn9NKDzMZrr0ddWrA76WFq8+fzYR2sL/20Itc/gMVqRwlmAqLa+wBW8hE 8zf6ukvM3fbmB97IjejLU1N+hTlvWjPKk6hgqbjA5ZYTwSX8DGgWjmQEQ9APoKoxfU34 dpmg==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@reardencode.com header.s=mail header.b=IIuhdvuH; spf=pass (google.com: domain of freedom@reardencode.com designates 206.125.169.165 as permitted sender) smtp.mailfrom=freedom@reardencode.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=reardencode.com Received: from mail.reardencode.com (mail.reardencode.com. [206.125.169.165]) by gmr-mx.google.com with ESMTPS id qd23-20020ad44817000000b0069922ab8ec8si1119235qvb.7.2024.04.24.22.13.00 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Apr 2024 22:13:00 -0700 (PDT) Received-SPF: pass (google.com: domain of freedom@reardencode.com designates 206.125.169.165 as permitted sender) client-ip=206.125.169.165; Date: Wed, 24 Apr 2024 22:12:52 -0700 From: Brandon Black To: bitcoindev@googlegroups.com Cc: j@rubin.io Subject: [bitcoindev] BIP for OP_CHECKSIGFROMSTACK Message-ID: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="XsieHfV3m9x3h4XG" Content-Disposition: inline X-Operating-System: Linux 6.1.74 x86_64 X-Original-Sender: freedom@reardencode.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@reardencode.com header.s=mail header.b=IIuhdvuH; spf=pass (google.com: domain of freedom@reardencode.com designates 206.125.169.165 as permitted sender) smtp.mailfrom=freedom@reardencode.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=reardencode.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.8 (/) --XsieHfV3m9x3h4XG Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Hello list, Back in 2021, Jeremy wrote[0] about bringing OP_CHECKSIGFROMSTACK (or OP_CHECKDATASIG) to bitcoin. That email proposed adopting the specification from Bitcoin Cash for Bitcoin, but it is not directly suitable, as it verifies DER encoded ECDSA signatures and not R||S encoded BIP340 Schnorr signatures. The BIP here included, and proposed for the BIPs repository[2] is a bitcoin-specific design for OP_CHECKSIGFROMSTACK and OP_CHECKSIGFROMSTACKVERIFY. It further differs from Jeremy's email by specifying the repurposing of a NOP (NOP5) for OP_CHECKSIGFROMSTACKVERIFY to bring data signature verification to all script types, not only tapscript (although this is subject to change)[1]. ----------- ## Abstract This BIP describes two new opcodes for the purpose of checking cryptographic signatures in bitcoin scripts against data other than bitcoin transactions. ## Summary We propose replacing `OP_NOP5` (0xb4) in bitcoin script with `OP_CHECKSIGFROMSTACKVERIFY`. When verifying taproot script spends having leaf version 0xc0 (as defined in [BIP 342]), we propose `OP_CHECKSIGFROMSTACK` to replace `OP_SUCCESS204` (0xcc). `OP_CHECKSIGFROMSTACK` and `OP_CHECKSIGFROMSTACKVERIFY` have semantics similar to `OP_CHECKSIG` and `OP_CHECKSIGVERIFY` respectively, as specified below. Only 32-byte keys are constrained. Similar to [BIP 341] unknown key types, for other key lengths no signature verification is performed. ## Specification * If fewer than 3 elements are on the stack, the script MUST fail and terminate immediately. * The public key (top element), message (second to top element), and signature (third from top element) are read from the stack. * For `OP_CHECKSIGFROMSTACK` the top three elements are popped from the stack. * If the public key size is zero, the script MUST fail and terminate immediately. * If the public key size is 32 bytes, it is considered to be a public key as described in [BIP 340]: * If the signature is not the empty vector, the signature is validated against the public key and message according to [BIP 340]. Validation failure in this case immediately terminates script execution with failure. * If the public key size is not zero, and it is not a [BIP 340] public key; the public key is of an unknown public key type, and no actual signature verification is applied. During script execution of signature opcodes they behave exactly as known public key types except that signature validation is considered to be successful. * If the script did not fail and terminate before this step, regardless of the public key type: * If the signature is the empty vector: * For `OP_CHECKSIGFROMSTACKVERIFY`, the script MUST fail and terminate immediately. * For `OP_CHECKSIGFROMSTACK`, an empty vector is pushed onto the stack, and execution continues with the next opcode. * If the signature is not the empty vector: * For tapscript 0xc0, the opcode is counted towards the sigops budget as described in [BIP 342]. * For legacy and segwit v0, the opcode is counted towards the sigops limit, as described in [BIP 141] * For `OP_CHECKSIGFROMSTACKVERIFY`, execution continues without any further changes to the stack. * For `OP_CHECKSIGFROMSTACK`, a 1-byte value 0x01 is pushed onto the stack. ## Design Considerations 1. Message hashing: [BIP 340] is compatible with any size of message and does not require it to be a securely hashed input, so the message is not hashed prior to [BIP 340] verification. 2. Verify NOP upgrade: To bring stack signature verification to legacy and segwitv0 bitcoin script, a NOP upgrade path was chosen for `OP_CHECKSIGFROMSTACKVERIFY`. This necessarily means leaving the 3 arguments on the stack when executing `OP_CHECKSIGFROMSTACKVERIFY`. Scripts will need to drop or otherwise manage these stack elements. 3. Add/multisig: No concession is made to `OP_CHECKMULTISIG` or `OP_CHECKSIGADD` semantics with `OP_CHECKSIGFROMSTACK(VERIFY)`. In Tapscript, add semantics can be implemented with 1 additional vByte per key (`OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD`). 4. Splitting R/S on the stack: Implementing split/separate signatures is left as an exercise for other bitcoin upgrades, such as `OP_CAT`. 5. [BIP 118]-style Taproot internal key: Rather than introducing an additional key type in this change, we suggest implementing OP_INTERNALKEY or separately introducing that key type for all Tapscript signature checking operations in a separate change. 6. Unknown key lengths: The semantics of other signature checking opcodes in their respective script types (legacy, segwit-v0, tapscript-c0) are applied. ## Resource Limits These opcodes are treated identically to other signature checking opcodes and count against the various sigops limits and budgets in their respective script types. ## Motivation ### LN Symmetry When combined with [BIP 119] (`OP_CHECKTEMPLATEVERIFY`/CTV), `OP_CHECKSIGFROMSTACK` (CSFS) can be used in Lightning Symmetry channels. The construction `OP_CHECKTEMPLATEVERIFY OP_CHECKSIGFROMSTACK` with a spend stack containing the CTV hash and a signature for it is logically equivalent to ` OP_CHECKSIG` and a signature over `SIGHASH_ALL|SIGHASH_ANYPREVOUTANYSCRIPT`. The `OP_CHECKSIGFROMSTACK` construction is 8 vBytes larger. ### Delegation Using a script like: ` SWAP IF 2 PICK SWAP CSFSV ENDIF CHECKSIG` either direct verification or delegation can be achieved by the following unlock stacks: ` 0` or ` 1` ## Reference Implementation A reference implementation is provided in provided here: https://github.com/bitcoin/bitcoin/pull/29270 ## Backward Compatibility By constraining the behavior of an OP_SUCCESS opcode and an OP_NOP opcode, deployment of the BIP can be done in a backwards compatible, soft-fork manner. If anyone were to rely on the OP_SUCCESS behavior of `OP_SUCCESS204`, `OP_CHECKSIGFROMSTACK` would invalidate their spend. ## Deployment TBD ## Credits Reference implementation was made with reference to the implementation in Elements and started by moonsettler. ## Copyright This document is licensed under the 3-clause BSD license. [BIP 119]: https://github.com/bitcoin/bips/blob/master/bip-0119.mediawiki [BIP 118]: https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki [BIP 340]: https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki [BIP 341]: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki [BIP 342]: https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki [OP_CAT]: https://github.com/EthanHeilman/op_cat_draft/blob/main/cat.mediawiki ----------- [0]: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019192.html [1]: https://github.com/bitcoin/bips/pull/1535#discussion_r1578562450 [2]: https://github.com/bitcoin/bips/pull/1535 -- --Brandon -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZinmVPFt9VQn8QLF%40console. --XsieHfV3m9x3h4XG Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEElgaKyex6kx4Msa9rZoVG1geFvKEFAmYp5koACgkQZoVG1geF vKFmZhAAsAR5/dIIeAEQeTy9M2XudA0+Wt3Ro14rNH9EsjSfpuh2956zHHoIB5Jg 7O/xHQu07ENG0r1N9o3TwAbM4uaEnc7L7Gx1zQLSVp79WaejQnht347flMnb0Ghk Q7Xh3ydmgJIWoIlty2H3cX9/4SA4eodkP2y4Gfwd8ygeBF6sg/8If8acx4V51nGl hmEjk6BmUIFPqRmYoRvR00lyjP8ExJyY4v2C3DfE5cWgfICAlc8kN/sbASoQLVpH NUpJRi9rQ24cxwMZOv/RyG1+J7uZ6hGSxGbKwHqBUO4kcjGnCGkBsnm7Dwh7wPFv EBzh35/s+AGFB5LpoyDAe/48chGq2ts/apzz0Z+7CWaYhoRa+5y/qiKiVMOUZQwd StIdgVnFgg7Vfkb25+IrvtIn+8C5FY7oVlBJ1TnaRSPU8VxL1UMZHgOI/A7c6lrA 4eorFiEKbyTVMNF22lnifg+IF9rXXDXk3A75JiEcXobjMWt/0muYhUjc2feD6fRp JZtGOvW7uTL9nY2wbBbHFen/CeTic2a/Dj+NBClRwTyk5oen73ouIUfqHKxdGFQh pklpahe53ykqA48BElWPGq24vrYvc6Kj7j/tUInKIylN4xDdoJG09QbyzNSo3cE1 tcSUpnRPHcxig21P7bSXqiFAL5VjTd8m/IuTROpiD5aSF0Az1bI= =C7qa -----END PGP SIGNATURE----- --XsieHfV3m9x3h4XG--