1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
|
Return-Path: <bram@chia.net>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 16954C001E
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 31 Dec 2021 23:22:23 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 0207D60D95
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 31 Dec 2021 23:22:23 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.601
X-Spam-Level:
X-Spam-Status: No, score=0.601 tagged_above=-999 required=5
tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Authentication-Results: smtp3.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=chia.net
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id v-xQYu65EthA
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 31 Dec 2021 23:22:21 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com
[IPv6:2a00:1450:4864:20::12d])
by smtp3.osuosl.org (Postfix) with ESMTPS id 8662460C27
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 31 Dec 2021 23:22:21 +0000 (UTC)
Received: by mail-lf1-x12d.google.com with SMTP id h2so51891846lfv.9
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 31 Dec 2021 15:22:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chia.net; s=google;
h=mime-version:from:date:message-id:subject:to;
bh=iT0VHAfHF0TYZPBzmOXCM0Df/zPlTspUTmsa1L/g+U8=;
b=vkq/kdl+/Fc7w1d2nF3c5K28FW5aIgOaaZJAlMH0598P0TOHlhOW2hGlD4UYP6lcbk
uDEsSmOjX7OpstB47ke40wrfDbL+OLknS9tfWmXakrLQI9cm9tW5naeDG8t2m2qVtYYS
wM4K4FIuUvcvHVmyczYtQKoOzAKHHKvVlsXufM3aG8ojN5CzTP+jleo9ZrSWsiGZedsP
SBTWbuJfR83WnYkpeU5fileyrOaCzzK6dhIwef6P0aMrqSK4aWH+dY6tbqcdjt2q9P0q
sGZPkolfjcMA/6/0vmoWJtIqSGaoHJLJIK9nxmrCgyaSDm99nUWy60+0TgCGcQE8uxWf
Tdvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=iT0VHAfHF0TYZPBzmOXCM0Df/zPlTspUTmsa1L/g+U8=;
b=DwolhfPKjGQYiO2MPCiX4DmVyz32g60aHmEbVIUxfwbY+rvvSIT7vC/HvkuelEcAUn
apxg23GqBG6FBtkOHmiISA6LJgOVqcphPZB+V7oOC3ixnpzeXIzWwuNqIQQ83zeFWynO
Elf3xJtIdJHD2qfrgt1Vkbr9F9Txn7cpVbNycjzhvWy8DuZJCO9i7I546KG5x1nB4fc4
NWeQ+ISHXDivwXwLIALRsuyNwnPS5zG/Wp+1PJU5IiQZX+tmwiPY1/BeA40bKcSEcvfq
NkB/7j00kdm4k+25XjKpGlG/LIORvDnAz80lZCc4oCZ+Z7TsHj4EsPgBEGDEn+tiN3fe
qkFg==
X-Gm-Message-State: AOAM5306H4SPHa15HKZTiLbBO+T57mwTbpi3O+GS1G2CYBbdGKCVMUM5
pKBAfufr+6kfCQR/iZ7qo2mEVmdeMj5k38XUH4QFnosDRPFt9g==
X-Google-Smtp-Source: ABdhPJwG29rOBmUTwbZ8vCDrE4+nM3rP3h5P2FnbgSf0KKqkbau/UlyuvzrRh5aW8431WnDwrA7l8KfiIbzl0FXQwEg=
X-Received: by 2002:a05:6512:b1f:: with SMTP id
w31mr32936980lfu.240.1640992939216;
Fri, 31 Dec 2021 15:22:19 -0800 (PST)
MIME-Version: 1.0
From: Bram Cohen <bram@chia.net>
Date: Fri, 31 Dec 2021 15:22:08 -0800
Message-ID: <CAHUJnBBFsS597ZRdAtwONMAz1r7gQbrXULzdNtEVxOPENx+tDg@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000038a46505d47971f7"
X-Mailman-Approved-At: Sat, 01 Jan 2022 00:41:43 +0000
Subject: [bitcoin-dev] Covenants and capabilities in the UTXO model
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Dec 2021 23:22:23 -0000
--00000000000038a46505d47971f7
Content-Type: text/plain; charset="UTF-8"
There are a few different approaches to adding covenants and capabilities
to the UTXO model with varying tradeoffs. It turns out that it can be done
while making very few but not quite zero compromises to practices Bitcoin
has been following so far.
First, the good news: Full support for both capabilities and covenants can
be added without changing the UTXO model whatsoever by adding some more
programmatic capabilities to the language and doing some programmatic
tricks. Since scriptpubkeys/scriptsigs continue to run ephemerally at
validation time full turing completeness is much less dangerous than people
fear. The main thing missing from what's expressed in transactions
themselves is a coherent notion of a single parent of each output instead
of the all-inputs-lead-to-all-outputs approach of transactions currently.
It would also probably be a good idea to add in a bunch of special purpose
opcodes for making coherent statements about transactions since in Bitcoin
they're a very complex and hard to parse format.
Now for the controversial stuff. Once you start implementing complex
general purpose functionality it tends to get very expensive very fast and
is likely impractical unless there's a way to compress or at least
de-duplicate snippets of code which are repeated on chain. Currently
Bitcoin has a strong policy that deciding which transactions to let into a
block for maximum fee is a strictly linear optimization problem and while
it's possible to keep things mostly that way making it completely strict is
unlikely to workable. About as close as you can get is to make it so that
each block can reference code snippets in previous blocks for
deduplication, so at least the optimization is linear for each block by
itself.
Having covenants and capabilities at all is controversial in and of itself.
With covenants the main issue is whether they're opt-in or opt-out. For a
payment to someone to come with a rider where they could accept it and
think their system was working properly for a while until you exercised
some kind of retroactive veto on new action or even clawback would
obviously be unacceptable behavior. But for payments to come with covenants
but the recipient not even be able to parse them unless they're fully
buying into that behavior is much more reasonable.
The main issue which people have raised with capabilities is that if you
were to have colored coins whose value was substantially greater than the
chain they were tokenized on then that could potentially create a business
model for attacking the underlying chain. While this is a real concern
tokenized assets have been out for a while now and have never come close to
causing this to happen, so maybe people aren't so worried about it now.
Given all the above caveats it turns out one weird trick is all you need to
support general purpose capabilities: for a UTXO to have a capability its
scriptpubkey asserts that its parent must either be the originator of that
capability or also conform to the same parent-asserting format. More
complex functionality such as supporting on-chain verifiable colored coins
can also be done but it follows the same pattern: Capabilities are
implemented as backwards pointing covenants.
If you'd like to see a fleshed out implementation of these ideas (albeit in
a slightly different model) there's quite a bit of stuff on chialisp.com
--00000000000038a46505d47971f7
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">There are a few different approaches to adding covenants a=
nd capabilities to the UTXO model with varying tradeoffs. It turns out that=
it can be done while making very few but not quite zero compromises to pra=
ctices Bitcoin has been following so far.<div><br></div><div>First, the goo=
d news: Full support for both capabilities and covenants can be added witho=
ut changing the UTXO model whatsoever by adding some more programmatic capa=
bilities to the language and doing some programmatic tricks. Since scriptpu=
bkeys/scriptsigs=C2=A0continue to run ephemerally at validation time full t=
uring completeness is much less dangerous than people fear. The main thing =
missing from what's expressed in transactions themselves is a coherent =
notion of a single parent of each output instead of the all-inputs-lead-to-=
all-outputs approach of transactions currently. It would also probably be a=
good idea to add in a bunch of special purpose opcodes for making coherent=
statements about transactions since in Bitcoin they're a very complex =
and hard to parse format.</div><div><br></div><div>Now for the controversia=
l stuff. Once you start implementing complex general purpose functionality =
it tends to get very expensive very fast and is likely impractical unless t=
here's a way to compress or at least de-duplicate=C2=A0snippets of code=
which are repeated on chain. Currently Bitcoin has a strong policy that de=
ciding which transactions to let into a block for maximum fee is a strictly=
linear optimization problem and while it's possible to keep things mos=
tly that way making it completely strict is unlikely to workable. About as =
close as you can get is to make it so that each block can reference code sn=
ippets in previous blocks for deduplication, so at least the optimization i=
s linear for each block by itself.</div><div><br></div><div>Having covenant=
s and capabilities at all is controversial in and of itself. With covenants=
the main issue is whether they're opt-in or opt-out. For a payment to =
someone to come with a rider where they could accept it and think their sys=
tem was working properly for a while until you exercised some kind of retro=
active veto on new action or even clawback would obviously be unacceptable =
behavior. But for payments to come with covenants but the recipient not eve=
n be able to parse them unless they're fully buying into that behavior =
is much more reasonable.=C2=A0</div><div><br></div><div>The main issue whic=
h people have raised with capabilities is that if you were to have colored =
coins whose value was substantially greater than the chain they were tokeni=
zed on then that could potentially create a business model for attacking th=
e underlying chain. While this is a real concern tokenized assets have been=
out for a while now and have never come close to causing this to happen, s=
o maybe people aren't so worried about it now.</div><div><br></div><div=
>Given all the above caveats it turns out one weird trick is all you need t=
o support general purpose capabilities: for a UTXO to have a capability its=
scriptpubkey asserts that its parent must either be the originator of that=
capability or also conform to the same parent-asserting format. More compl=
ex functionality such as supporting on-chain verifiable colored coins can a=
lso be done but it follows the same pattern: Capabilities are implemented a=
s backwards pointing covenants.</div><div><br></div><div>If you'd like =
to see a fleshed out implementation of these ideas (albeit in a slightly di=
fferent model) there's quite a bit of stuff on <a href=3D"http://chiali=
sp.com">chialisp.com</a></div><div><br></div></div>
--00000000000038a46505d47971f7--
|