Return-Path: <ZmnSCPxj@protonmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 94884AA5
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu,  6 Jun 2019 07:30:19 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-40130.protonmail.ch (mail-40130.protonmail.ch
	[185.70.40.130])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id CE77C844
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu,  6 Jun 2019 07:30:18 +0000 (UTC)
Date: Thu, 06 Jun 2019 07:30:13 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
	s=default; t=1559806216;
	bh=99nLeGrnYWYZh1U6Ihdsij+bY6L1sioBFHn57TcVMp4=;
	h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:
	Feedback-ID:From;
	b=xRAp2CPnDx9fuO9kh99GXFz+2IfxjdBVVW7Ku/h7pi31/DAqSiQRQ6k3jbJcxfT7n
	pT7DAyB7p4+ItwmCnybYWkjW+7W3NYVKj7iGp6585F8dGmVHRFe2jALst/YYm9U5k1
	H2HCClhZhusGQWKej5DHe6SCTWNgJ+p59DPuKvNc=
To: Anthony Towns <aj@erisian.com.au>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <im0q8670MxshmvMLmoJU0dv4rFhwWZNvQeQYv7i4fBWJOx0ghAdH8fYuQSqNxO2z8uxXGV-kurinUDfl0FsLWD0knw_U_h3zVZ0xy7vmn8o=@protonmail.com>
In-Reply-To: <20190605093039.xfo7lcylqkhsfncv@erisian.com.au>
References: <CAD5xwhjSj82YYuQHHbwgSLvUNV2RDY0b=yMYeLj-p6j7PpS9-Q@mail.gmail.com>
	<20190605093039.xfo7lcylqkhsfncv@erisian.com.au>
Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL,
	RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Thu, 06 Jun 2019 07:32:41 +0000
Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Jun 2019 07:30:19 -0000

Good morning aj,


Sent with ProtonMail Secure Email.

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Wednesday, June 5, 2019 5:30 PM, Anthony Towns via bitcoin-dev <bitcoin-=
dev@lists.linuxfoundation.org> wrote:

> On Fri, May 31, 2019 at 10:35:45PM -0700, Jeremy via bitcoin-dev wrote:
>
> > OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBAG*.
>
> I think you could generalise that slightly and make it fit in
> with the existing opcode naming by calling it something like
> "OP_CHECKTXDIGESTVERIFY" and pull a 33-byte value from the stack,
> consisting of a sha256 hash and a sighash-byte, and adding a new sighash
> value corresponding to the set of info you want to include in the hash,
> which I think sounds a bit like "SIGHASH_EXACTLY_ONE_INPUT | SIGHASH_ALL"
>
> FWIW, I'm not really seeing any reason to complicate the spec to ensure
> the digest is precommitted as part of the opcode.
>

I believe in combination with `OP_LEFT` and `OP_CAT` this allows Turing-com=
plete smart contracts, in much the same way as `OP_CHECKSIGFROMSTACK`?

Pass in the spent transaction (serialised for txid) and the spending transa=
ction (serialised for sighash) as part of the witness of the spending trans=
action.

Script verifies that the spending transaction witness value is indeed the s=
pending transaction by `OP_SHA256 <SIGHASH_ALL> OP_SWAP OP_CAT OP_CHECKTXDI=
GESTVERIFY`.
Script verifies the spent transaction witness value is indeed the spent tra=
nsaction by hashing it, then splitting up the hash with `OP_LEFT` into byte=
s, and comparing the bytes to the bytes in the input of the spending transa=
ction witness value (txid being the bytes in reversed order).

Then the Script can extract a commitment of itself by extracting the output=
 of the spent transaction.
This lets the Script check that the spending transaction also pays to the s=
ame script.

The Script can then access a state value, for example from an `OP_RETURN` o=
utput of the spent transaction, and enforce that a correct next-state is us=
ed in the spending transaction.
If the state is too large to fit in a standard `OP_RETURN`, then the curren=
t state can be passed in as a witness and validated against a hash commitme=
nt in an `OP_RETURN` output.

I believe this is the primary reason against not pulling data from the stac=
k.

Regards,
ZmnSCPxj