Return-Path: Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id CD384C002D for ; Mon, 16 Jan 2023 23:56:54 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id A1F8D81FC7 for ; Mon, 16 Jan 2023 23:56:54 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org A1F8D81FC7 Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key, unprotected) header.d=achow101.com header.i=@achow101.com header.a=rsa-sha256 header.s=protonmail header.b=Zajh0DIk X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.102 X-Spam-Level: X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D4OHA9A04iYS for ; Mon, 16 Jan 2023 23:56:53 +0000 (UTC) X-Greylist: delayed 00:09:20 by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 58C3C81FC4 Received: from mail-41103.protonmail.ch (mail-41103.protonmail.ch [185.70.41.103]) by smtp1.osuosl.org (Postfix) with ESMTPS id 58C3C81FC4 for ; Mon, 16 Jan 2023 23:56:52 +0000 (UTC) Date: Mon, 16 Jan 2023 23:47:09 +0000 Authentication-Results: mail-41103.protonmail.ch; dkim=pass (2048-bit key) header.d=achow101.com header.i=@achow101.com header.b="Zajh0DIk" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=achow101.com; s=protonmail; t=1673912839; x=1674172039; bh=HQPUpe4WKj6VxxkjARiR0Q3FLAp4CxSkg70ntH/H3+s=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=Zajh0DIkCHuhQ53iwgb2wfYLKVqICrdYxkcNFR8q417Q9dchujBrgIbI83p39PKY1 gcE7a3L/xdjR/gPTjWHxtzLJzyANndkHhrRHTPTtJ92fqkR6dRqD3FORUx24F6VD3O QjAIbZvisQnZ10iEjhFbrFRf94tlTXOw7YohbVRRK3zqP6aRfNcKw8cpDb190T7K0N cD8IUXZRACr4gAPpXVvmMQzT8b6yX4uHfAvKOjUvCjaAaaa/LX/zYXvmUg8nwnj+WP wrlAiTt+7DK68IgbBV04lYAcqM2j/cBe8BaXikbqDqRCJQnXoHd6I9jFcnE3Dso/uo HJQC+Vrn2dcCw== To: bitcoin-dev@lists.linuxfoundation.org From: Andrew Chow Message-ID: Feedback-ID: 53660394:user:proton MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Tue, 17 Jan 2023 00:02:24 +0000 Subject: Re: [bitcoin-dev] OP_VAULT: a new vault proposal X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jan 2023 23:56:54 -0000 Hi James, This seems like a promising proposal, but I noticed have a few issues regarding batching and privacy. It seems like this proposal will encourage address reuse for vaults, at least in some parts. It seems like it would not be difficult to ensure that each vault address was unique through the use of key derivation. The recovery and unvault scripts could be produced from ranged descriptors and so there would each vault address would be unique as each recovery and unvault script is unique. It would not be hard to have descriptors for vaults, which would then allow for usage of other descriptors and miniscript into the recovery and unvault scripts. However the current construction makes it impossible to spend these vaults together. Since OP_VAULT requires the recovery script of the unvault output to match what's provided in the input, if there are multiple inputs with different recovery scripts, then the transaction will fail. I'm not sure how this could be solved though. But from my reading of the code, it looks like the unvault scripts can be unique, so at least address reuse can be avoided here. It just means that the recovery scripts must be the same, and this would leave an identifying mark on chain for every unvault. An observer would be able to correlate unvault transactions by the hashes of the recovery scripts, and I think this would be rather detrimental to user privacy, not to mention that sweeping to recovery would also reveal all of your coins too. On the topic of address reuse, the implemented optional re-vault output explicitly requires address reuse, as well as breaking the batched unvaulting of scripts that have different unvault scripts. It's currently implemented as requiring the unvault script to exactly match the prevout script of the inputs being spent. This means that all inputs must have the same script. I think it would be sufficient to do the same check as the OP_UNVAULT script and just require that the recovery script and the delay are the same, with the hash of the trigger script being provided in the input in the same way the target hash is provided for OP_UNVAULT. This would break the address reuse requirement. I'm also not convinced that OP_VAULT and OP_UNVAULT should be allowed for bare and P2WSH outputs. It seems like it would make sense to just limit their usage to tapscripts as this would simply their implementation. Andrew On 01/09/2023 11:07 AM, James O'Beirne via bitcoin-dev wrote: > For the last few years, I've been interested in vaults as a way to > substantially derisk custodying Bitcoin, both at personal and commercial > scales. Instead of abating with familiarity, as enthusiasm sometimes > does, my conviction that vaults are an almost necessary part of bitcoin's > viability has only grown over the years. > > Since people first started discussing vaults, it's been pretty clear that > some kind of covenant-enabling consensus functionality is necessary to > provide the feature set necessary to make vault use practical. > > Earlier last year I experimented with using OP_CTV[1], a limited covenant > mechanism, to implement a "minimum-viable" vault design. I found that the > inherent limitations of a precomputed covenant scheme left the resulting > vault implementation wanting, even though it was an improvement over > existing strategies that rely on presigned transactions and (hopefully) > ephemeral keys. > > But I also found proposed "general" covenant schemes to be > unsuitable for this use. The bloated scriptPubKeys, both in size and > complexity, that would result when implementing something like a vault > weren't encouraging. Also importantly, the social-consensus quagmire > regarding which covenant proposal to actually deploy feels at times > intractable. > > As a result, I wanted to explore a middle way: a design solely concerned > with making the best vault use possible, with covenant functionality as a > secondary consideration. In other words, a proposal that would deliver > the safety benefits of vaults to users without getting hung up on > trying to solve the general problem of covenants. > > At first this design, OP_VAULT, was just sort of a pipe dream. But as I > did more thinking (and eventually implementing) I became more convinced > that, even if it isn't considered for soft-fork, it is a worthwhile > device to serve as a standard benchmark against which other proposals > might be judged. > > I wrote a paper that summarizes my findings and the resulting proposal: > https://jameso.be/vaults.pdf > > along with an accompanying draft implementation: > https://github.com/bitcoin/bitcoin/pull/26857 > > I might work on a BIP if there's interest. > > James > > [1]: https://github.com/jamesob/simple-ctv-vault