From: Ethan Heilman
Date: Sat, 16 Nov 2024 09:55:48 -0500
Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport Signatures (no changes needed)
To: Xiaohui Liu
Cc: Bitcoin Development Mailing List

I don't think it is clear how to turn this into a covenant.
The bits you are extracting using OP_SIZE are only related to the sighash
via a random function.

That said, I don't see any reason that with an unlimited number of opcodes
you can build a small script that uses SPV to introspect into the entire
blockchains and enforce anything without having to use OP_SIZE or OP_CAT.
You could build snarks in small script so the size of the small script
would be large but constant in the size of the blockchains.

On Fri, Nov 15, 2024, 5:02 PM Xiaohui Liu wrote:

> Hi,
>
> How does covenant work without OP_CAT here, assuming no size limit? Don't
> you still need OP_CAT to parse/introspect fields (e.g., input/output) of
> the spending transaction?
>
> Regards,
> sCrypt
>
> On Tuesday, April 30, 2024 at 7:22:54 AM UTC-7 Andrew Poelstra wrote:
>
>> On Tue, Apr 30, 2024 at 08:32:42AM -0400, Matthew Zipkin wrote:
>> > > if an attacker managed to grind a 23-byte r-value at a cost of 2^72
>> > > computations, it would provide the attacker some advantage.
>> >
>> > If we are assuming discrete log is still hard, why do we need Lamport
>> > signatures at all? In a post-quantum world, finding k such that r is 21
>> > bytes or less is efficient for the attacker.
>> >
>>
>> Aside from Ethan's point that a variant of this technique is still
>> secure in the case that discrete log is totally broken (or even
>> partially broken...all we need is that _somebody_ is able to find the
>> discrete log of the x=1 point and for them to publish this).
>>
>> Another reason this is useful is that if you have a Lamport signature on
>> the stack which is composed of SIZE values, all of which are small
>> enough to be manipulated with the numeric script opcodes, then you can
>> do covenants in Script.
>>
>> (Sadly(?), I think none of this works in the context of the 201-opcode
>> limit...and absent BitVM challenge-response tricks it's unlikely you can
>> do much in the context of the 4MWu block size limit..), but IMO it's a
>> pretty big deal that size limits are now the only reason that Bitcoin
>> doesn't have covenants.)
>>
>> --
>> Andrew Poelstra
>> Director, Blockstream Research
>> Email: apoelstra at wpsoftware.net
>> Web: https://www.wpsoftware.net/andrew
>>
>> The sun is always shining in space
>> -Justin Lewis-Webster
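
Added example, not part of the original message and not code from anyone in the thread: a Python illustration of the OP_SIZE point above, assuming the sizes in question are the byte lengths of DER-encoded ECDSA signatures. The keys, nonces, 21-byte r stand-ins and transaction strings are constructed; `grind_bits` reproduces the 2^72 figure quoted in the thread for a 23-byte r.

```python
import hashlib

# secp256k1 group order (public curve constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def der_int_len(x: int) -> int:
    """Content length of a DER INTEGER holding the non-negative value x."""
    n = max(1, (x.bit_length() + 7) // 8)
    # DER integers are signed, so a set top bit costs a leading 0x00 byte.
    return n + 1 if x > 0 and x.bit_length() % 8 == 0 else n

def sig_size(r: int, s: int) -> int:
    """Length of 0x30 len | 0x02 len r | 0x02 len s | sighash-type byte."""
    return 2 + (2 + der_int_len(r)) + (2 + der_int_len(s)) + 1

def grind_bits(r_len: int) -> int:
    """Approximate log2 of the nonces tried to reach an r of <= r_len bytes."""
    return 8 * (32 - r_len)

def h(label: bytes) -> int:
    return int.from_bytes(hashlib.sha256(label).digest(), "big")

def make_keys(count: int):
    """Constructed (d, k, r) triples; r is a 21-byte stand-in, not a real k*G x-coordinate."""
    return [(h(b"d%d" % i) % N or 1, h(b"k%d" % i) % N or 1,
             (h(b"r%d" % i) >> 88) or 1) for i in range(count)]

def size_vector(tx: bytes, keys) -> list:
    """Signature sizes for one transaction under each key: what OP_SIZE exposes."""
    z = h(hashlib.sha256(tx).digest()) % N   # double-SHA256 sighash stand-in
    # ECDSA: s = k^-1 * (z + r*d) mod N, so the size of s depends on the sighash z.
    return [sig_size(r, pow(k, -1, N) * (z + r * d) % N) for d, k, r in keys]

KEYS = make_keys(64)
# Constructed "transactions" that differ only in one output amount.
TX_A = b"in:aa..:0|out:50000:script1"
TX_B = b"in:aa..:0|out:50001:script1"

if __name__ == "__main__":
    a, b = size_vector(TX_A, KEYS), size_vector(TX_B, KEYS)
    print("23-byte r: 2^%d tries, 21-byte r: 2^%d tries" % (grind_bits(23), grind_bits(21)))
    print("sizes A:", a[:12])
    print("sizes B:", b[:12])
    print("positions that differ:", sum(x != y for x, y in zip(a, b)), "of", len(a))
```

Changing a single output amount reshuffles the size vector with no visible relation to the field that changed, so the sizes commit to the sighash without giving a script any transaction field to parse.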