Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of bitpay.com
	designates 209.85.212.172 as permitted sender)
	client-ip=209.85.212.172; envelope-from=jgarzik@bitpay.com;
	helo=mail-wi0-f172.google.com; 
MIME-Version: 1.0
In-Reply-To: <CAD5xwhhwMyL20nAUXz-Vv6m5ucH7UQcGQLyrFadAvqy4QXkbZw@mail.gmail.com>
References: <CAD5xwhgyCOdJwnXw+YchptfXjtshDi_VVEGOjR-hG2qV=u6m2g@mail.gmail.com>
	<CAJHLa0OFEDQp5umz=6_LUx5oJJmiKJoF90W7nvJPv0CtML+ftA@mail.gmail.com>
	<CAD5xwhhwMyL20nAUXz-Vv6m5ucH7UQcGQLyrFadAvqy4QXkbZw@mail.gmail.com>
From: Jeff Garzik <jgarzik@bitpay.com>
Date: Thu, 17 Jul 2014 02:21:42 -0400
Message-ID: <CAJHLa0OeetO3P6eBHOwN8SUN3ZpN07yWJ0vsGxupZLgcD1MEVQ@mail.gmail.com>
To: Jeremy <jlrubin@mit.edu>
Content-Type: text/plain; charset=UTF-8
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Pay to MultiScript hash:
Precedence: list

In a system like bitcoin, where the system has to keep running, you
have to consider how to roll out upgrades, and the costs associated
with that.
* the general cost of any network-wide change, versus P2SH which is
already analyzed by devs, rolled out and working
* the cost of P2SH output is predictable, versus less predictable outputs
* the cost of updating everybody to relay this new transaction type,
whereas P2SH Just Works already
* cost of increasing rate of UTXO growth versus P2SH
* "default public", versus P2SH's "default private"

It is true that publishing the script in the txout has the advantage
of being easily audited by third parties scanning the blockchain, but
in the interest of space efficiency you may accomplish the same thing
by offering the script upon request out-of-band.  The script is
hash-sealed by the P2SH address, enabling perfect proof.

Don't have a transcript handy, but these things are usually logged and
google-searchable.

In any case, it would be nice to get together and start building a
"cookbook" of useful scripts like the ones you've been describing.
The power of bitcoin scripts is only beginning to be explored.  Use
cases and examples are very helpful.


On Thu, Jul 17, 2014 at 1:59 AM, Jeremy <jlrubin@mit.edu> wrote:
> Additional costs would be in terms of A) chance of user error/application
> error -- proposed method is much simpler, as well as extra bytes for control
> flow ( 4 per script if I am counting right).
>
>
> The costs on a normal script do seem slightly more friendly, except this
> method allows for hidden-till-spent permission groups, as well as as smaller
> blockchain bloat overall (if scriptSig script has to store the logic for all
> the potential permission group, it will be a larger script  versus only
> needing one permission group's script). An added benefit could also be in
> blockchain analysis -- you can actively monitor the utxo pool for your known
> associated scripts, whereas you couldn't for specialty scripts assembled per
> group. Enables repeated spends with groups as a "cost object" w/o having to
> recall all participants. ie, pay to the same perm groups as the other
> employee did last time, but include me as a root this time.
>
>
> Do you have a transcript of that chat by any chance? An interesting way to
> do that would be to push the sigs onto the stack & have implicit orders,
> then do expressions with their aliases, and then be able to assign "spending
> groups".
> ex:
> code_sep
> push script0
> push script1
> push script2
> push script3
> group_sep
> mkgroup_2, 0,1      ; the id will be 4
> mkgroup_3, 0,2,3   ; the id will be 5
> mkUnionGroup_2, 4,5 ; the id will be 6
> 2_of_3_group 0, 1, 2
> mkIntersectionGroup_2 5, 6
> complement_last  ; complements last group, mutation
> del_group 1          ; deletes the group #1, groups then reindex after
> deletion (maybe the group was useful base class).
> etc...
> multisig check perm groups (checks if any groups on stack are valid from
> script)
>
>
> or even something like adding a little SAT scripting language with an eval.
>
> push script0
> push script1
> push script2
> push script3
> push <a=(1 & 2 & 0), b=a-1, a | 3 | b >
> eval
>
>
>
>
>
>
>
>
>
>
>
> On Thu, Jul 17, 2014 at 12:52 AM, Jeff Garzik <jgarzik@bitpay.com> wrote:
>>
>> On Wed, Jul 16, 2014 at 1:56 PM, Jeremy <jlrubin@mit.edu> wrote:
>> > Right now, this could be expressed multiple ways (ie, using an op_dup if
>> > then else chain) , but all would incur additional costs in terms of
>> > complicated control flows. Instead, I would propose:
>>
>> Can you quantify "additional costs in terms of complicated control flows"?
>>
>>
>> > There is an implication in terms of increased utxo pool bloat, but also
>> > an
>> > implication in terms of increased txn complexity (each 20 byte hash
>> > allows
>> > for a 500 byte script, only one of the 500 byte scripts has to be
>> > permanently stored on blockchain).
>>
>> When considering these costs, using a normal P2SH output + a script
>> with OP_IF and friends seems more straightforward?
>>
>> Doing boolean logic with multisig groups is quite possible, e.g.
>> "group AND group", "group OR (group AND group)" etc.  Definitely a
>> valid use case.  I discussed how to do this on IRC with gmaxwell
>> several months ago.  I call it "multi-multisig" for lack of a better
>> name.
>
>
>
>
> --
> Jeremy Rubin


-- 
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc.      https://bitpay.com/