Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 58924C0032 for ; Tue, 4 Jul 2023 20:18:37 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 2081240524 for ; Tue, 4 Jul 2023 20:18:37 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 2081240524 Authentication-Results: smtp2.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20221208 header.b=JkDeSwRO X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oxgxOQCi7l5v for ; Tue, 4 Jul 2023 20:18:35 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org A3EB14014E Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) by smtp2.osuosl.org (Postfix) with ESMTPS id A3EB14014E for ; Tue, 4 Jul 2023 20:18:35 +0000 (UTC) Received: by mail-io1-xd31.google.com with SMTP id ca18e2360f4ac-78625caa702so229174239f.1 for ; Tue, 04 Jul 2023 13:18:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688501914; x=1691093914; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=eJKqLQ5E3tlnLDy1xCOpsVCIPghNDMqCzxby8qiK8aM=; b=JkDeSwRO7wyhAoF9a/jHcHx6nCauo4xpuxDlIJK83IZYge1PuD4HivBO6yulelHjm+ wfekNxAzKgTnHprPLxk5cHo5DTuWrMy+NYnyqeLviTLjUPosSZJ/UzxJeaEHkWv5APQc sxPHzv5Z4SMCVJsd/JpnTmx/uPQIdLALMatyLG5H7eamOK7q9f6udRHg0MhbqiuRoXKR 9arBy4xPOQlKdBlyCoK8G0xlAOeoBzpo7YWIv9UehFFjVPd8bdO2pOQ48dw9wr1x0n2k Fiu1VtERuA+vHJKnQlSu8YTjI18wWS5lENvzul8kIvktp/Wk4/VfpZghY95Yo8XZ0xn/ u88A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688501914; x=1691093914; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=eJKqLQ5E3tlnLDy1xCOpsVCIPghNDMqCzxby8qiK8aM=; b=ioBic/RlQswfJGRWy/4aNukTDe4N7ww2uQCTRmfYu8EPrROVTj/rUQPwDzVP5w4rro fKI7QRWadGGA4ZRemf5AnLEplp6vhLi0q3DXvgtIQ3OzT+ZKg+RU/dl1IAvrtvNNjnln ou2ZtTO1UjljKDK4pNOyNC4T8ycQDYQdeNZbQa/+nkaF/NGfw7+dJx9DDiESxRVP+yGG nk0xK6Uf++G3UADXd71NR6slkOzlRNXSdcns4lFskhyH+87XiFOB94yWezJD87rTGzJt CzVOeZEUiaGa2MGblQox00hZsKXUafeh3P84DS8ksSCkUjulK2KRo2eAxP3Drt6OjBOh a9pw== X-Gm-Message-State: AC+VfDxc7/jjGfQ2vODXtq6mqSCoqaGhdu6TiTigEIeHR3lCR9Sz64Ky iugj8Nw54ZdrRjQoBi23Aw2SVJkIvHnLcNesvD0= X-Google-Smtp-Source: ACHHUZ64dZEk9Zuva2gqzue/LIOJBz/zWea8le2/UUKC+IbumiOcJdZ1LH86dM4X9/oZmtmwmm5oLSTfA3ivSOHS9iI= X-Received: by 2002:a5d:930b:0:b0:783:4590:e40e with SMTP id l11-20020a5d930b000000b007834590e40emr14605351ion.12.1688501914600; Tue, 04 Jul 2023 13:18:34 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Antoine Riard Date: Tue, 4 Jul 2023 21:18:23 +0100 Message-ID: To: Joost Jager Content-Type: multipart/alternative; boundary="000000000000d28d8305ffaefc8e" X-Mailman-Approved-At: Tue, 04 Jul 2023 22:13:18 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Standardisation of an unstructured taproot annex X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 04 Jul 2023 20:18:37 -0000 --000000000000d28d8305ffaefc8e Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Joost, > Hopefully this further raises awareness of the on-chain ephemeral signature backup functionality that the annex uniquely enables. From my perspective, if vault applications can be made more robust by on-chain backing up of ephemeral signatures, this can be rational to make the annex standard. There is the observation that other critical elements of vault's application state could be backed up in this way (e.g pubkeys and amounts of the destination output) to rebuild from scratch a pre-signed withdrawal. The unstructured data could be even marked by an application-level "tag" or "signaling" to identify all the backup annexes composing your vault application state. Of course, such backing up of more critical elements comes with its own drawbacks in terms of confidentiality, as you would leak your vault policy on-chain, so they would need to be ciphered first, I think. It sounds to me another economically rational set of use-cases can be to simplify protocols using the chain as a publication space for collectibles. Using the annex as a publication space enables a clear chain of collectible ownership thanks to the key signing the annex, which is not permissible with op_return outputs today. Best, Antoine Le mar. 20 juin 2023 =C3=A0 13:30, Joost Jager a = =C3=A9crit : > Hi all, > > On Sat, Jun 10, 2023 at 9:43=E2=80=AFAM Joost Jager wrote: > >> However, the primary advantage I see in the annex is that its data isn't >> included in the calculation of the txid or a potential parent commit >> transaction's txid (for inscriptions). I've explained this at [1]. This >> feature makes the annex a powerful tool for applications that would idea= lly >> use covenants. >> >> The most critical application in this category, for me, involves >> time-locked vaults. Given the positive reception to proposals such as >> OP_VAULT [2], I don't think I'm alone in this belief. OP_VAULT is probab= ly >> a bit further out, but pre-signed transactions signed using an ephemeral >> key can fill the gap and improve the safeguarding of Bitcoin in the shor= t >> term. >> >> Backing up the ephemeral signatures of the pre-signed transactions on th= e >> blockchain itself is an excellent way to ensure that the vault can alway= s >> be 'opened'. However, without the annex, this is not as safe as it could >> be. Due to the described circular reference problem, the vault creation = and >> signature backup can't be executed in one atomic operation. For example, >> you can store the backup in a child commit/reveal transaction set, but t= he >> vault itself can be confirmed independently and the backup may never >> confirm. If you create a vault and lose the ephemeral signatures, the fu= nds >> will be lost. >> >> This use case for the annex has been labeled 'speculative' elsewhere. To >> me, every use case appears speculative at this point because the annex >> isn't available. However, if you believe that time-locked vaults are >> important for Bitcoin and also acknowledge that soft forks, such as the = one >> required for OP_VAULT, aren't easy to implement, I'd argue that the >> intermediate solution described above is very relevant. >> > > To support this use case of the taproot annex, I've create a simple demo > application here: https://github.com/joostjager/annex-covenants > > This demo shows how a coin can be spent to a special address from which i= t > can - at a later stage - only move to a pre-defined final destination. It > makes use of the annex to store the ephemeral signature for the presigned > transaction so that the coin cannot get lost. This is assuming that nodes > do not prune witness data en masse and also that the destination address > itself is known. > > The application may not be the most practically useful, but more advanced > covenants such as time-locked vaults can be implemented similarly. > > Hopefully this further raises awareness of the on-chain ephemeral > signature backup functionality that the annex uniquely enables. > > Joost > --000000000000d28d8305ffaefc8e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Joost,

> Hopefully this further r= aises awareness of the on-chain ephemeral signature backup functionality th= at the annex uniquely enables.

From my perspective= , if vault applications can be made more robust by on-chain backing up of e= phemeral signatures, this can be rational to make the annex standard.
=

There is the observation that other critical elements= =C2=A0of vault's application state could be backed up in this way (e.g = pubkeys and amounts of the=C2=A0destination output) to rebuild from scratch= a pre-signed withdrawal. The unstructured data could be even marked by an = application-level "tag" or "signaling" to identify all = the backup annexes composing your vault application state.

Of course, such backing up of more critical elements comes with it= s own drawbacks in terms of confidentiality, as you=C2=A0would leak your va= ult policy on-chain, so they would need to be ciphered first, I think.

It sounds to me another economically rational set of u= se-cases can be to simplify protocols using the chain as a publication spac= e for collectibles. Using the annex as a publication space enables a clear = chain of collectible ownership thanks to the key signing the annex, which i= s not permissible with op_return outputs today.

Be= st,
Antoine


Le= =C2=A0mar. 20 juin 2023 =C3=A0=C2=A013:30, Joost Jager <joost.jager@gmail.com> a =C3=A9crit=C2=A0:<= br>
Hi all,

On Sat, Jun 10, 2023= at 9:43=E2=80=AFAM Joost Jager <joost.jager@gmail.com> wrote:
However, the primary advant= age I see in the annex is that its data isn't included in the calculati= on of the txid or a potential parent commit transaction's txid (for ins= criptions). I've explained this at [1]. This feature makes the annex a = powerful tool for applications that would ideally use covenants.

The= most critical application in this category, for me, involves time-locked v= aults. Given the positive reception to proposals such as OP_VAULT [2], I do= n't think I'm alone in this belief. OP_VAULT is probably a bit furt= her out, but pre-signed transactions signed using an ephemeral key can fill= the gap and improve the safeguarding of Bitcoin in the short term.

= Backing up the ephemeral signatures of the pre-signed transactions on the b= lockchain itself is an excellent way to ensure that the vault can always be= 'opened'. However, without the annex, this is not as safe as it co= uld be. Due to the described circular reference problem, the vault creation= and signature backup can't be executed in one atomic operation. For ex= ample, you can store the backup in a child commit/reveal transaction set, b= ut the vault itself can be confirmed independently and the backup may never= confirm. If you create a vault and lose the ephemeral signatures, the fund= s will be lost.

This use case for the annex has been labeled 'sp= eculative' elsewhere. To me, every use case appears speculative at this= point because the annex isn't available. However, if you believe that = time-locked vaults are important for Bitcoin and also acknowledge that soft= forks, such as the one required for OP_VAULT, aren't easy to implement= , I'd argue that the intermediate solution described above is very rele= vant.

To support this use case = of the taproot annex, I've create a simple demo application here:=C2=A0= https://github.com/joostjager/annex-covenants

This demo shows how a coin can be spent to a special address from which it= can - at a later stage - only move to a pre-defined final destination. It = makes use of the annex to store the ephemeral signature for the presigned t= ransaction so that the coin cannot get lost. This is assuming that nodes do= not prune witness data en masse and also that the destination address itse= lf is known.

The application may not be the most p= ractically useful, but more advanced covenants such as time-locked vaults c= an be implemented similarly.

Hopefully this furthe= r raises awareness of the on-chain ephemeral signature backup functionality= that the annex uniquely enables.

Joost
--000000000000d28d8305ffaefc8e--