MIME-Version: 1.0
References: <afde051e-4e63-368c-3251-70f829a51c4e@achow101.com>
 <Y8ZSXrxfR8HrB8zD@erisian.com.au>
In-Reply-To: <Y8ZSXrxfR8HrB8zD@erisian.com.au>
From: "James O'Beirne" <james.obeirne@gmail.com>
Date: Wed, 18 Jan 2023 17:45:01 -0500
Message-ID: <CAPfvXfKMsOF1g85Td8UpZdWSH+a0sRXK9Rur1ODduMauJhM+6A@mail.gmail.com>
To: Anthony Towns <aj@erisian.com.au>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000085c6a905f29191aa"
Subject: Re: [bitcoin-dev] OP_VAULT: a new vault proposal
Precedence: list

--00000000000085c6a905f29191aa
Content-Type: text/plain; charset="UTF-8"

I've implemented three changes based on suggestions from Greg Sanders
and AJ Towns.

I've segmented the changes into commits that should be
reasonable to follow, even though I'll probably rearrange the commit
structure later on.

1. Greg's suggestion: OP_UNVAULT outputs can now live behind
scripthashes. This means that the lifecycle of a vault can live entirely
within, say, Taproot. In this case the only thing that would reveal
the operation of the vault would be the content of the witness stack
when triggering an unvault or recovering. So I think no real privacy
benefits over the previous scheme, but certainly some efficiency ones
since we're moving more content from the scriptPubKey into the witness.

 Commit here:
https://github.com/bitcoin/bitcoin/pull/26857/commits/cd33d120c67cda7eb5c6bbfe3a1ea9fb6c5b93d1

2. AJ's suggestion: unvault trigger transactions can now have an extra
"revault" output that redeposits some balance to the same vault
scriptPubKey from which it came. This is nice because if the delay
period is long, you may want to manage a remaining vault balance
separately while the spent balance is pending an unvault.

 Commit here:
https://github.com/bitcoin/bitcoin/pull/26857/commits/cf3764fb503bc17c4438d1322ecf780b9dc3ef30

3. AJ's suggestion: instead of specifying <recovery-spk-hash>, introduce
a replacement parameter: <recovery-params>. This contains the same
target recovery sPK hash as before, but the remaining bytes contain a
scriptPubKey that functions as authorization for the recovery process.
This allows users to optionally avoid the risk of "recovery replays" at
the expense of having to maintain a recovery key. Users can opt out of
this by passing OP_TRUE for the recovery sPK. I guess maybe I could even
support just omitting an sPK altogether for the legacy behavior.

Commit here:
https://github.com/bitcoin/bitcoin/pull/26857/commits/fdfd5e93f96856fbb41243441177a40ebbac6085


The suggestions were good ones, and I think they've improved the
proposal.

My next steps are to do minor updates to the paper and start writing a
BIP draft.

Thanks to achow for the valuable feedback, which I'm still mulling on.

James

--00000000000085c6a905f29191aa
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">I&#39;ve implemented three changes based =
on suggestions from Greg Sanders<br>and AJ Towns. <br><br>I&#39;ve segmente=
d the changes into commits that should be<br>reasonable to follow, even tho=
ugh I&#39;ll probably rearrange the commit<br>structure later on.<br><br>1.=
 Greg&#39;s suggestion: OP_UNVAULT outputs can now live behind<br>scripthas=
hes. This means that the lifecycle of a vault can live entirely<br>within, =
say, Taproot. In this case the only thing that would reveal<br>the operatio=
n of the vault would be the content of the witness stack<br>when triggering=
 an unvault or recovering. So I think no real privacy<br>benefits over the =
previous scheme, but certainly some efficiency ones<br>since we&#39;re movi=
ng more content from the scriptPubKey into the witness.<br><br>=C2=A0Commit=
 here: <a href=3D"https://github.com/bitcoin/bitcoin/pull/26857/commits/cd3=
3d120c67cda7eb5c6bbfe3a1ea9fb6c5b93d1">https://github.com/bitcoin/bitcoin/p=
ull/26857/commits/cd33d120c67cda7eb5c6bbfe3a1ea9fb6c5b93d1</a><br><br>2. AJ=
&#39;s suggestion: unvault trigger transactions can now have an extra<br>&q=
uot;revault&quot; output that redeposits some balance to the same vault<br>=
scriptPubKey from which it came. This is nice because if the delay<br>perio=
d is long, you may want to manage a remaining vault balance<br>separately w=
hile the spent balance is pending an unvault.<br><br>=C2=A0Commit here: <a =
href=3D"https://github.com/bitcoin/bitcoin/pull/26857/commits/cf3764fb503bc=
17c4438d1322ecf780b9dc3ef30">https://github.com/bitcoin/bitcoin/pull/26857/=
commits/cf3764fb503bc17c4438d1322ecf780b9dc3ef30</a><br><br>3. AJ&#39;s sug=
gestion: instead of specifying &lt;recovery-spk-hash&gt;, introduce<br>a re=
placement parameter: &lt;recovery-params&gt;. This contains the same<br>tar=
get recovery sPK hash as before, but the remaining bytes contain a<br>scrip=
tPubKey that functions as authorization for the recovery process.<br>This a=
llows users to optionally avoid the risk of &quot;recovery replays&quot; at=
<br>the expense of having to maintain a recovery key. Users can opt out of<=
br>this by passing OP_TRUE for the recovery sPK. I guess maybe I could even=
<br>support just omitting an sPK altogether for the legacy behavior.<br><br=
>Commit here: <a href=3D"https://github.com/bitcoin/bitcoin/pull/26857/comm=
its/fdfd5e93f96856fbb41243441177a40ebbac6085">https://github.com/bitcoin/bi=
tcoin/pull/26857/commits/fdfd5e93f96856fbb41243441177a40ebbac6085</a><br><b=
r><br>The suggestions were good ones, and I think they&#39;ve improved the<=
br>proposal.<br><br>My next steps are to do minor updates to the paper and =
start writing a<br>BIP draft.</div><div dir=3D"ltr"><br></div><div dir=3D"l=
tr">Thanks to achow for the valuable feedback, which I&#39;m still mulling =
on.</div><div dir=3D"ltr"><br>James</div></div>

--00000000000085c6a905f29191aa--