Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7491BC0032 for ; Sat, 21 Oct 2023 05:08:57 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 46D9D706E6 for ; Sat, 21 Oct 2023 05:08:57 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 46D9D706E6 Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=Qr8h9COk X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URI_DOTEDU=0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cVHJQ3x3u68 for ; Sat, 21 Oct 2023 05:08:46 +0000 (UTC) Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) by smtp3.osuosl.org (Postfix) with ESMTPS id DA893706E5 for ; Sat, 21 Oct 2023 05:08:41 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org DA893706E5 Received: by mail-ed1-x532.google.com with SMTP id 4fb4d7f45d1cf-53da72739c3so2157170a12.3 for ; Fri, 20 Oct 2023 22:08:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1697864919; x=1698469719; darn=lists.linuxfoundation.org; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=w6HSKFi9mZ3KFhO9GuIAzl8gfGeUA4Wm8i+4M5aRgBc=; b=Qr8h9COk3wRx82SWl1XWT9f5RSPLM+k3J2OY8laB9t7gAsjByZXmzY/+zFkva/lln3 cxdNTjUEsqFFChYO8C93SQgxcMOqkHvWVX/Noj1pYyMTD1MYOt/IaLm2JzdKrQkIay2q enHkyOPGNOP30xLDwkbC2h9iSrbf4jZl71Up+DQodn7pf0BxYKWM2bLfo/Sn7U1fhuYT ToDFBKlGb27y5JMnNguQBhwBEQrNoq3uZs2ijP0j9TIFVfOgn2d6z2F3hEeh2u6s6uEY ac4pT9ELfuoIV3G2yNL9IeVe6uY+G22Rdp8D6V2tpOARNzwdubYSlaRl+CC8WS9CAlza 1nfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697864919; x=1698469719; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=w6HSKFi9mZ3KFhO9GuIAzl8gfGeUA4Wm8i+4M5aRgBc=; b=CHOI9XZXWb+5x5yjZwCqIaaXjWgw/4qHUbDqx/oOqTW/g7cgl+Zhqp3jBSA5lGVCTY XCvHnauJ00wahhBriP7DVqoWO3I7kBATXbKvLukh0HVy3vQ8snwy/6FVfs1v0PBX4JmU lXYMV6IgWIJAvqilYNGNmQFlAiCRP8ig8LVIqjWTvyZZeWBGH/bLd7L2yMlSAHfYmGgQ KkBuzFpomL3Dy4pf5r8Bm8rZ8yzooagE/xXuKLiTtGthRgFkqpa7KTbWxSMT/Bw0mosz vCPerdtR742pwpq76ds+SnuBF5Q3uKysJzyFiS6e2//WOhBN3r1UFSXTO2E6zpSF0abM Rxzg== X-Gm-Message-State: AOJu0Ywr+LPHBPL7UGOVLYN/wKrYRfkBUSBxNVcsPBQ0JwJFCqqoo2gr F7lu5kuV52jVBHzBd8Zv78r2tO8ilUaY1u2J+TSnEL/stpE= X-Google-Smtp-Source: AGHT+IEvVusbL3ebFbd52sfT8S3fnPcAVxNB3ADKBABXf7JX8XKz1rhoEdpHOh1f2od70BKrQSSbQR5ojmwqQk7mEK4= X-Received: by 2002:a50:d655:0:b0:53d:ec2d:3ee5 with SMTP id c21-20020a50d655000000b0053dec2d3ee5mr2935961edj.32.1697864919355; Fri, 20 Oct 2023 22:08:39 -0700 (PDT) MIME-Version: 1.0 From: Ethan Heilman Date: Sat, 21 Oct 2023 01:08:03 -0400 Message-ID: To: Bitcoin Dev Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Subject: [bitcoin-dev] Proposed BIP for OP_CAT X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Oct 2023 05:08:57 -0000 Hi everyone, We've posted a draft BIP to propose enabling OP_CAT as Tapscript opcode. https://github.com/EthanHeilman/op_cat_draft/blob/main/cat.mediawiki OP_CAT was available in early versions of Bitcoin. It was disabled as it allowed the construction of a script whose evaluation could create stack elements exponential in the size of the script. This is no longer an issue in the current age as tapscript enforces a maximum stack element size of 520 Bytes. Thanks, Ethan =3D=3DAbstract=3D=3D This BIP defines OP_CAT a new tapscript opcode which allows the concatenation of two values on the stack. This opcode would be activated via a soft fork by redefining the opcode OP_SUCCESS80. When evaluated the OP_CAT instruction: # Pops the top two values off the stack, # concatenate the popped values together, # and then pushes the concatenated value on the top of the stack. OP_CAT fails if there are less than two values on the stack or if a concatenated value would have a combined size of greater than the maximum script element size of 520 Bytes. =3D=3DMotivation=3D=3D Bitcoin tapscript lacks a general purpose way of combining objects on the stack restricting the expressiveness and power of tapscript. For instance this prevents among many other things the ability to construct and evaluate merkle trees and other hashed data structures in tapscript. OP_CAT by adding a general purpose way to concatenate stack values would overcome this limitation and greatly increase the functionality of tapscript. OP_CAT aims to expand the toolbox of the tapscript developer with a simple, modular and useful opcode in the spirit of Unix[1]. To demonstrate the usefulness of OP_CAT below we provide a non-exhaustive list of some usecases that OP_CAT would enable: * Tree Signatures provide a multisignature script whose size can be logarithmic in the number of public keys and can encode spend conditions beyond n-of-m. For instance a transaction less than 1KB in size could support tree signatures with a thousand public keys. This also enables generalized logical spend conditions. [2] * Post-Quantum Lamport Signatures in Bitcoin transactions. Lamport signatures merely requires the ability to hash and concatenate values on the stack. [3] * Non-equivocation contracts [4] in tapscript provide a mechanism to punish equivocation/double spending in Bitcoin payment channels. OP_CAT enables this by enforcing rules on the spending transaction's nonce. The capability is a useful building block for payment channels and other Bitcoin protocols. * Vaults [5] which are a specialized covenant that allows a user to block a malicious party who has compromised the user's secret key from stealing the funds in that output. As shown in A. Poelstra, "CAT and Schnorr Tricks II", 2021, https://www.wpsoftware.net/andrew/blog/cat-and-schnorr-tricks-ii.html OP_CAT is sufficent to build vaults in Bitcoin. * Replicating CheckSigFromStack A. Poelstra, "CAT and Schnorr Tricks I", 2021, https://medium.com/blockstream/cat-and-schnorr-tricks-i-faf1b59bd298 which would allow the creation of simple covenants and other advanced contracts without having to presign spending transactions, possibly reducing complexity and the amount of data that needs to be stored. Originally shown to work with Schnorr signatures, this result has been extended to ECDSA signatures. [6] The opcode OP_CAT was available in early versions of Bitcoin. However OP_CAT was removed because it enabled the construction of a script for which an evaluation could have memory usage exponential in the size of the script. For instance a script which pushed an 1 Byte value on the stack then repeated the opcodes OP_DUP, OP_CAT 40 times would result in a stack value whose size was greater than 1 Terabyte. This is no longer an issue because tapscript enforces a maximum stack element size of 520 Bytes. =3D=3DSpecification=3D=3D Implementation
  if (stack.size() < 2)
    return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);
  valtype vch1 =3D stacktop(-2);
  valtype vch2 =3D stacktop(-1);

  if (vch1.size() + vch2.size() > MAX_SCRIPT_ELEMENT_SIZE)
      return set_error(serror, SCRIPT_ERR_INVALID_STACK_OPERATION);

  valtype vch3;
  vch3.reserve(vch1.size() + vch2.size());
  vch3.insert(vch3.end(), vch1.begin(), vch1.end());
  vch3.insert(vch3.end(), vch2.begin(), vch2.end());

  popstack(stack);
  popstack(stack);
  stack.push_back(vch3);
The value of MAX_SCRIPT_ELEMENT_SIZE is 520 Bytes =3D=3D Reference Implementation =3D=3D [Elements](https://github.com/ElementsProject/elements/blob/master/src/scri= pt/interpreter.cpp#L1043) =3D=3DReferences=3D=3D [1]: R. Pike and B. Kernighan, "Program design in the UNIX environment", 1983, https://harmful.cat-v.org/cat-v/unix_prog_design.pdf [2]: P. Wuille, "Multisig on steroids using tree signatures", 2015, https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019233.ht= ml [3]: J. Rubin, "[bitcoin-dev] OP_CAT Makes Bitcoin Quantum Secure [was CheckSigFromStack for Arithmetic Values]", 2021, https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019233.ht= ml [4]: T. Ruffing, A. Kate, D. Schr=C3=B6der, "Liar, Liar, Coins on Fire: Penalizing Equivocation by Loss of Bitcoins", 2015, https://citeseerx.ist.psu.edu/viewdoc/download?doi=3D10.1.1.727.6262&rep=3D= rep1&type=3Dpdf [5]: M. Moser, I. Eyal, and E. G. Sirer, Bitcoin Covenants, http://fc16.ifca.ai/bitcoin/papers/MES16.pdf [6]: R. Linus, "Covenants with CAT and ECDSA", 2023, https://gist.github.com/RobinLinus/9a69f5552be94d13170ec79bf34d5e85#file-co= venants_cat_ecdsa-md