Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 0E66FC002D for ; Fri, 13 May 2022 21:43:59 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 0495760672 for ; Fri, 13 May 2022 21:43:59 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zT_QLZLxLsY2 for ; Fri, 13 May 2022 21:43:58 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.8.0 Received: from azure.erisian.com.au (azure.erisian.com.au [172.104.61.193]) by smtp3.osuosl.org (Postfix) with ESMTPS id 2176E605D5 for ; Fri, 13 May 2022 21:43:57 +0000 (UTC) Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au) by azure.erisian.com.au with esmtpsa (Exim 4.92 #3 (Debian)) id 1npd4i-0001mF-Vj; Sat, 14 May 2022 07:43:55 +1000 Received: by sapphire.erisian.com.au (sSMTP sendmail emulation); Sat, 14 May 2022 07:43:47 +1000 Date: Sat, 14 May 2022 07:43:47 +1000 From: Anthony Towns To: Russell O'Connor , Bitcoin Protocol Discussion Message-ID: <20220513214347.GA2463@erisian.com.au> References: <161946014-482cdec305e2bd7a2c3fc4774c70239d@pmq1v.m5r2.onet> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Spam-Score-int: -18 X-Spam-Bar: - Subject: Re: [bitcoin-dev] Speedy covenants (OP_CAT2) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 May 2022 21:43:59 -0000 On Thu, May 12, 2022 at 06:48:44AM -0400, Russell O'Connor via bitcoin-dev wrote: > On Wed, May 11, 2022 at 11:07 PM ZmnSCPxj wrote: > > So really: are recursive covenants good or...? > My view is that recursive covenants are inevitable. It is nearly > impossible to have programmable money without it because it is so difficult > to avoid. I think my answer is that yes they are good: they enable much more powerful contracting. Of course, like any cryptographic tool they can also be harmful to you if you misuse them, and so before you use them yourself you should put in the time to understand them well enough that you *don't* misuse them. Same as using a kitchen knife, or riding a bicycle, or swimming. Can be natural to be scared at first, too. > Given that we cannot have programmable money without recursive covenants > and given all the considerations already discussed regarding them, i.e. no > worse than being compelled to co-sign transactions, and that user generated > addresses won't be encumbered by a covenant unless they specifically > generate it to be, I do think it makes sense to embrace them. I think that's really the easy way to be sure *you* aren't at risk from covenants: just follow the usual "not your keys, not your coins" philosophy. The way you currently generate an address from a private key already guarantees that *your* funds won't be encumbered by any covenants; all you need to do is to keep doing that. And generating the full address yourself is already necessary with taproot: if you don't understand all the tapscript MAST paths, then even though you can spend the coin, one of those paths you don't know about might already allow someone to steal your funds. But if you generated the address, you (or at least your software) will understand everything and not include anything dangerous, so your funds really are safu. It may be that some people will refuse to send money to your address because they have some rule that says "I'll only send money to people who encumber all their funds with covenant X" and you didn't encumber your address in that way -- but that just means they're refusing to pay you, just as people who say "I'll only pay you off-chain via coinbase" or "I'll only pay you via SWIFT" won't send funds to your bitcoin address. Other examples might include "we only support segwit-v0 addresses not taproot ones", or "you're on an OFAC sanctions list so I can't send to you or the government will put me in prison" or "my funds are in a multisig with the government who won't pay to anyone who isn't also in a multisig with them". It does mean you still need people with the moral fortitude to say "no, if you can't pay me properly, we can't do business" though. Even better: in so far as wallet software will just ignore any funds sent to addresses that they didn't generate themselves according to the rules you selected, you can already kind of outsource that policy to your wallet. And covenants, recursive or otherwise, don't change that. For any specific opcode proposal, I think you still want to consider 1) how much you can do with it 2) how efficient it is to validate (and thus how cheap it is to use) 3) how easy it is to make it do what you want 4) how helpful it is at preventing bugs 5) how clean and maintainable the validation code is I guess to me CTV and APO are weakest at (1); CAT/CSFS falls down on (3) and (4); OP_TX is probably weakest at (5) and maybe not as good as we'd like at (3) and (4)? Cheers, aj