Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 94499C002D for ; Wed, 27 Apr 2022 01:52:31 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 6E041400FD for ; Wed, 27 Apr 2022 01:52:31 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yWEyDkmlmC4I for ; Wed, 27 Apr 2022 01:52:30 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) by smtp2.osuosl.org (Postfix) with ESMTPS id 08796400D1 for ; Wed, 27 Apr 2022 01:52:29 +0000 (UTC) Received: by mail-ej1-x629.google.com with SMTP id bv19so538722ejb.6 for ; Tue, 26 Apr 2022 18:52:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2BC6Y4kz1aMxqL7w0ntWFbqV6pXQCje+T0oQmpePymk=; b=PVtERaxIaTT+6ujY2uBCukr0EMq4rdoqYNF/YBzmY9gSYYLw7EX59F/7MT5DJn0Vig eDqrJE6KfTOTWnF5teInXaBP2pOtQQ1qNHvtLJKPjVtCHDz8aif456msZm0tprwJ74l7 /z8Sd17ZRaDcKYl0f5067s1DIt3S6uztVOp8QMlWHrRqwJXKleee+3YsV5hLZfqxK5Ji vGtxDlmziK8cPYrFgrXtXkD4kjAFgQSLzAyRmOgiMj8cggZkZuINO/aIrRhPeoNTDjog rEQmqn16E8h980Nxyz1Tl3RHCuJCFhS+jCRbzGVxc6hB8CLmre4U1vH02XdOepU8m315 t+Bg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2BC6Y4kz1aMxqL7w0ntWFbqV6pXQCje+T0oQmpePymk=; b=YgVTm1fYD4knUQlrEhPbNftGIDcEh8mLsGRLoo7cVql7EgORdyF2wYvkqwf9qIdqtL W5j12CA4TNZBwnPkI/qGVSZ1Nmbk6K/scKKTuHh+tp9pZ7Odwpf/o4P8nEEVmHotee4P 8iFQb3KZNA5NEJRoSof4LRs08dyTydWUcvHA6DxH6ANPHNtxY1wlnzrnI2tVdipoOPih f3Cijcv9Cp+/L6SpR6jtBvXtf4TLxkdkbNZx+cQzjb/v4YufcHLFxmtNIb/Ha9oN5shH GVld6P6+pCxGhkVnx6TPHleYzGjjpHWpbmDV17pdJ/Pb+JBkEqf/bo5iAuP1cKml9r3t CgUA== X-Gm-Message-State: AOAM530aG/YC/rt1IjHTnEbRvOZAokHKeuAUkosO42C3se/AuC94iISf K0VBHb8+ux4OsOtDfjx+PuydK4VSTKw3TuG6iZc= X-Google-Smtp-Source: ABdhPJxegmlTNJJH4HRR1ueSe60JHNZtSGAVzOifsRrbrrIzn0pWaWfjtDesoFiRgjzzc7/79AeF6b/Z0QiUQjMWYAg= X-Received: by 2002:a17:907:1c87:b0:6f0:29ea:cc01 with SMTP id nb7-20020a1709071c8700b006f029eacc01mr24237649ejc.671.1651024348008; Tue, 26 Apr 2022 18:52:28 -0700 (PDT) MIME-Version: 1.0 References: <64a34b4d46461da322be51b53ec2eb01@dtrt.org> <4b252ef6f86bbd494a67683f6113f3fe@dtrt.org> <48a4546c-85b3-e9ff-83b5-60ba4eae2c76@mattcorallo.com> In-Reply-To: From: Billy Tetrud Date: Tue, 26 Apr 2022 20:52:12 -0500 Message-ID: To: "Russell O'Connor" Content-Type: multipart/alternative; boundary="000000000000c7565405dd990f82" X-Mailman-Approved-At: Wed, 27 Apr 2022 08:09:15 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] Vaulting (Was: Automatically reverting ("transitory") soft forks) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Apr 2022 01:52:31 -0000 --000000000000c7565405dd990f82 Content-Type: text/plain; charset="UTF-8" @Russell > OP_PUBKEY, and OP_PUBKEYHASH as wildcards Ah I see. Very interesting. Thanks for clarifying. @Nadav > You can have a CTV vault where the hot key signer is a multisig to get the advantages of both. Yes, you can create a CTV vault setup where you unvault to a multisig wallet, but you don't get the advantages of both. Rather you get none of the advantages and still have all the downsides you get with a multisig wallet. The whole point of a wallet vault is that you can get the security of a multisig wallet without having to sign using as many keys. On Mon, Apr 25, 2022 at 5:28 PM Russell O'Connor wrote: > On Sun, Apr 24, 2022 at 7:04 PM Billy Tetrud > wrote: > >> @Russel >> > the original MES vault .. commits to the destination address during >> unvaulting >> >> I see. Looking at the MES16 paper, OP_COV isn't described clearly enough >> for me to understand that it does that. However, I can imagine how it >> *might* do that. >> >> One possibility is that the intended destination is predetermined and >> hardcoded. This wouldn't be very useful, and also wouldn't be different >> than how CTV could do it, so I assume that isn't what you envisioned this >> doing. >> >> I can imagine instead that the definition of the pattern could be >> specified as a number indicating the number of stack items in the pattern, >> followed by that number of stack items. If that's how it is done, I can see >> the user inputting an intended destination script (corresponding to the >> intended destination address) which would then be somehow rotated in to the >> right spot within the pattern, allowing the pattern to specify the coins >> eventually reaching an address with that script. However, this could be >> quite cumbersome, and would require fully specifying the scripts along the >> covenant pathways leading to a fair amount of information duplication >> (since scripts must be specified both in the covenant and in spending the >> subsequent output). Both of these things would seem to make OP_COV in >> practice quite an expensive opcode to spend with. It also means that, since >> the transactor must fully specify the script, its not possible to take >> advantage of taproot's script hiding capabilities (were it to send to a >> taproot address). >> > > So my understanding is that the COV proposal in MES lets you check that > the output's scriptPubKey matches the corresponding script item from the > stack, but the script item's value additionally allows some wildcard > values. In particular, it makes use of the otherwise reserved opcodes > OP_PUBKEY, and OP_PUBKEYHASH as wildcards representing any, let's say, > 32-byte or 20-byte push value. > > If you just used COV by itself, then these wildcards would be third-party > malleable, but you also have to sign the transaction with the hot wallet > key, which removes the malleability. > > No need to rotate anything into place. > > I hope this makes sense. > --000000000000c7565405dd990f82 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
@Russell
> OP_PUBKEY, and OP_PUBKEYHASH as wild= cards

Ah I see. Very interesting. Thanks for clari= fying.=C2=A0

@Nadav
> You can have a CTV vault wher= e the hot key signer is a multisig to get the advantages of both.

Yes, you can create a CTV vault setup where you unvault to = a multisig wallet, but you don't get the advantages of both. Rather you= get none of the advantages and still have all the downsides you=C2=A0get w= ith a multisig wallet. The whole point of a wallet vault is that you can ge= t the security of a multisig wallet without having to sign using as many ke= ys.=C2=A0

On Mon, Apr 25, 2022 at 5:28 PM Russell O'Connor <roconnor@blocks= tream.com> wrote:
On Sun, Apr 24, 2022 at 7:04 PM Billy Tetrud <billy.tetrud@gmail.com= > wrote:
=
@Russel
> the original MES vault ..= =C2=A0commits to the destination address during unvaulting

I see. Looking at the MES16 paper, OP_COV isn't described clea= rly enough for me to understand that it does that. However, I can imagine h= ow it *might* do that.=C2=A0

One possibility is th= at the intended destination is predetermined and hardcoded. This wouldn'= ;t be very useful, and also wouldn't be different than how CTV could do= it, so I assume that isn't what you envisioned this doing.
<= br>
I can imagine instead that the definition of the pattern coul= d be specified as a number indicating the number of stack items in the patt= ern, followed by that number of stack items. If that's how it is done, = I can see the user inputting an intended destination script (corresponding = to the intended destination address) which would then be somehow rotated in= to the right spot within the pattern, allowing the pattern to specify the = coins eventually reaching an address with that script. However, this could = be quite cumbersome, and would require fully specifying the scripts along t= he covenant pathways leading to a fair amount of information duplication (s= ince scripts must be specified both in the covenant and in spending the sub= sequent output). Both of these things would seem to make OP_COV in practice= quite an expensive opcode to spend with. It also means that, since the tra= nsactor must fully specify the script, its not possible to take advantage o= f taproot's=C2=A0script hiding capabilities (were it to send to a tapro= ot address).

So my underst= anding is that the COV proposal in MES lets you check that the output's= scriptPubKey matches the corresponding script item from the stack, but the= script item's value additionally allows some wildcard values.=C2=A0 In= particular, it makes use of the otherwise reserved opcodes OP_PUBKEY, and = OP_PUBKEYHASH as wildcards representing any, let's say, 32-byte or 20-b= yte push value.

If you just used COV by itself, th= en these wildcards would be third-party malleable, but you also have to sig= n the transaction with the hot wallet key, which removes the malleability.<= /div>

No need to rotate anything into place.

I hope this makes sense.
--000000000000c7565405dd990f82--