Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 48B10C002D for ; Thu, 12 May 2022 03:07:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 229FF82ECF for ; Thu, 12 May 2022 03:07:54 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.601 X-Spam-Level: X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp1.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ln0eE2fr4UyF for ; Thu, 12 May 2022 03:07:50 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from mail-4325.protonmail.ch (mail-4325.protonmail.ch [185.70.43.25]) by smtp1.osuosl.org (Postfix) with ESMTPS id 6B93282EC7 for ; Thu, 12 May 2022 03:07:50 +0000 (UTC) Date: Thu, 12 May 2022 03:07:45 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail2; t=1652324867; bh=vjHy6oRMX7nr0vKs9+PAdTSn0ZAW9DV5fQtMYDFqKSI=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=G/pqaZqdyTGzJj8vkrcpdFdowHIeqPgV5pQAoFs+l/OHodwYjCc/8t+0qW7GQBbcl WOwZiFIsxxrZj2qobyvGhe/l+l+sNmZyz6OnaWDhfCyRPaCoGIZX1CCPoeaJPUx2lG XN346JqlX6W7xwYu+oDt2p30m3hNAmanZIJvgb8obcftezBKSFdjGArbz1wohp5Mr7 MrE5Dm2sHWpvF2GI+KHHRLghg/29QIiflKKKWzzK11vocKGSvY9ypLOMYLkSvAA4nJ c48bGJPdpdl6iJkCLOb2IoCIaH4azfqcT+fwq1vzXzP0Buod4Fw8IirgmsS4/6Sgb0 GmkzbULPm5X4g== To: Russell O'Connor From: ZmnSCPxj Reply-To: ZmnSCPxj Message-ID: In-Reply-To: References: <161946014-482cdec305e2bd7a2c3fc4774c70239d@pmq1v.m5r2.onet> Feedback-ID: 2872618:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Speedy covenants (OP_CAT2) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 May 2022 03:07:54 -0000 Good morning Russell, > On Wed, May 11, 2022 at 7:42 AM ZmnSCPxj via bitcoin-dev wrote: > > > REMEMBER: `OP_CAT` BY ITSELF DOES NOT ENABLE COVENANTS, WHETHER RECURSI= VE OR NOT. > > > I think the state of the art has advanced to the point where we can say "= OP_CAT in tapscript enables non recursive covenants and it is unknown wheth= er OP_CAT can enable recursive covenants or not". > > A. Poelstra in https://www.wpsoftware.net/andrew/blog/cat-and-schnorr-tri= cks-i.html show how to use CAT to use the schnorr verification opcode to ge= t the sighash value + 1 onto the stack, and then through some grinding and = some more CAT, get the actual sighash value on the stack. From there we can= use SHA256 to get the signed transaction data onto the stack and apply int= rospect (using CAT) to build functionality similar to OP_CTV. > > The missing bits for enabling recursive covenants comes down to needing t= o transform a scriptpubkey into an taproot address, which involves some twe= aking. Poelstra has suggested that it might be possible to hijack the ECDSA= checksig operation from a parallel, legacy input, in order to perform the = calculations for this tweaking. But as far as I know no one has yet been ab= le to achieve this feat. Hmm, I do not suppose it would have worked in ECDSA? Seems like this exploits linearity in the Schnorr. For the ECDSA case it seems that the trick in that link leads to `s =3D e += G[x]` where `G[x]` is the x-coordinate of `G`. (I am not a mathist, so I probably am not making sense; in particular, ther= e may be an operation to add two SECP256K1 scalars that I am not aware of) In that case, since Schnorr was added later, I get away by a technicality, = since it is not *just* `OP_CAT` which enabled this style of covenant, it wa= s `OP_CAT` + BIP340 v(^^);;;;; Also holy shit math is scary. Seems this also works with `OP_SUBSTR`, simply by inverting it into "valida= te that the concatenation is correct" rather than "concatenate it ourselves= ". So really: are recursive covenants good or...? Because if recursive covenants are good, what we should really work on is m= aking them cheap (in CPU load/bandwidth load terms) and private, to avoid c= entralization and censoring. Regards, ZmnSCPxj