1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
|
Return-Path: <mark@friedenbach.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id A4E7F97
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 2 Oct 2017 00:35:41 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pf0-f173.google.com (mail-pf0-f173.google.com
[209.85.192.173])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7720DAA
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 2 Oct 2017 00:35:40 +0000 (UTC)
Received: by mail-pf0-f173.google.com with SMTP id y29so2144847pff.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 01 Oct 2017 17:35:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=friedenbach-org.20150623.gappssmtp.com; s=20150623;
h=mime-version:subject:from:in-reply-to:date:cc
:content-transfer-encoding:message-id:references:to;
bh=mcVkx4fzhFvUQBHK8sZKOVZ+etwv6IbPZHiw0mhsVUE=;
b=WCTtt8Wi5BhgMEtQcJVOMVzdq0FvAAtYWWB/Y4k3Bws2eMwjIaAQV0r7fwxLr6Psjw
mUUjsdpqjrdMiPd3uXHCYcWSmKpk3oXy/CGrufjWsqe95m23G3DNeVigttRJgzzY4C4B
qg3KeZE5NFPROGhIp+ZqBupNhqU6Pbpn2u04n4DHuRyexQ/fcJeGTc0F0ruEoPZdOQvM
AzqS0cyWG4MyhFeEfWQ8qg/JlMhhzqQcS9Az7Nqlx35WVUMLorsReqeyXdYn9I/8EVOp
RUM8KKJjxUB5IX4SYvy1huvOkYs3UHI5QTjOWC/yKlnJswyF7/rnpf1XSSrD5DIopXtV
C5cQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
:content-transfer-encoding:message-id:references:to;
bh=mcVkx4fzhFvUQBHK8sZKOVZ+etwv6IbPZHiw0mhsVUE=;
b=W7/acR+eisUWi/041bxozbDPYS9XcD83/IwN92+rcq8JvF4bQN8LJ7PmcoUoegxmIW
lMBCSaZoJcwn3vk9q1t5rb86ngvP/8DuPx+EqTyJa9hz0kBHt7wGCVgST1k8eCSn+2E8
M39lwSdLlnoS0M1lkl8kVgoRZmLaIkLiQwOvoAHqGXjm0BkYB3oLMmwXXZrrD1hA/ZPF
fsK3JwdHXU2hNKYJgAsQSbQIn4xfkazLbjilsLx3ATk1yR7TyQwyOXZVNpzLg8CgRvQa
P8pN+d0r0aOj0lfI2s0vLwXMtrbSLnFiOsXBbxSU2/HkaxqEPPn9R1yFS6elbgeHHFZJ
u9Ng==
X-Gm-Message-State: AMCzsaUHyXPxfT3JbL1t4h6CHK7d5ErFxbarhiacnmdFWV9zv3ulhP60
3uulzwc61sv1H/akPCFuNQmKCE8vaDI=
X-Google-Smtp-Source: AOwi7QAEH/wTJlOxvd+e4A96kAE0FToZ1mHvmB+TrrCKmFLIkRgxywNg6Mvx1SAZ3nX0hj/YgBAFsw==
X-Received: by 10.98.2.16 with SMTP id 16mr2770415pfc.248.1506904539823;
Sun, 01 Oct 2017 17:35:39 -0700 (PDT)
Received: from ?IPv6:2601:646:8080:1291:d07f:9ead:ff74:eb2e?
([2601:646:8080:1291:d07f:9ead:ff74:eb2e])
by smtp.gmail.com with ESMTPSA id
d18sm14689903pfk.11.2017.10.01.17.35.38
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Sun, 01 Oct 2017 17:35:39 -0700 (PDT)
Content-Type: text/plain;
charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.0 \(3445.1.6\))
From: Mark Friedenbach <mark@friedenbach.org>
In-Reply-To: <30B31B43-B603-4793-BDFB-B7E25FD96D1B@xbt.hk>
Date: Sun, 1 Oct 2017 17:35:38 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <50CA8523-3D1A-409E-9B7D-51EA5FC4B898@friedenbach.org>
References: <201710010113.30518.luke@dashjr.org>
<30B31B43-B603-4793-BDFB-B7E25FD96D1B@xbt.hk>
To: Johnson Lau <jl2012@xbt.hk>
X-Mailer: Apple Mail (2.3445.1.6)
X-Spam-Status: No, score=0.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
Cc: bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Version 1 witness programs (first draft)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Oct 2017 00:35:41 -0000
> On Oct 1, 2017, at 2:32 PM, Johnson Lau <jl2012@xbt.hk> wrote:
>=20
> So there are 3 proposals with similar goal but different designs. I =
try to summarise some questions below:
>=20
> 1. How do we allow further upgrade within v1 witness? Here are some =
options:
> a. Minor version in witness. (Johnson / Luke) I prefer this way, but =
we may end up with many minor versions.
I'm not sure I agree with the "minor version" nomenclature, or that we =
would necessarily end up with any consensus-visible fields beyond 2. =
There are two separate soft-fork version fields that were, I think it is =
fair to say now, inappropriately merged in the "script version=E2=80=9D =
feature of segregated witness as described in BIP141.
First there is the witness type, which combined with the length of the =
commitment that follows specifies how data from the witness stack is =
used to calculate/verify the witness commitment in the scriptPubKey of =
the output being spent. For v0 with a 20-byte hash, it says that those =
20 bytes are the HASH160 of the top element of the stack. For v0 with a =
32-byte hash, it says that those 32 bytes are the HASH256 of the top =
element of the stack.
Second there is the script version, which is not present as a separate =
field for witness type v0. Implicitly though, the script version for =
v0,20-byte is that the witness consists of two elements, and these are =
interpreted as a pubkey and a signature. For v0,32-byte the script =
version is that the witness consists of 1 or more elements; with max 520 =
byte size constraints for all but the top element, which has a higher =
limit of 10,000 bytes; and the top-most element is interpreted as a =
script and executed with the modified CHECKSIG behavior defined by =
BIP141 and the CLEANSTACK rule enforced.
These are separate roles, one not being derivative of the other. In an =
ideal world the witness type (of which there are only 16 remaining =
without obsoleting BIP141) is used only to specify a new function for =
transforming the witness stack into a commitment for verification =
purposes. Merklized script would be one example: v2,32-byte could be =
defined to require a witness stack of at least two elements, the top =
most of which is a Merkle inclusion proof of the second item in a tree =
whose root is given in the 32-byte payload of the output. Maybe v3 =
would prove inclusion by means of some sort of RSA accumulator or =
something.
Such a specification says nothing about the features of the subscript =
drawn from the Merkle tree, or even whether it is bitcoin script at all =
vs something else (Simplicity, DEX, RISC-V, Joy, whatever). All that is =
necessary is that a convention be adopted about where to find the script =
version from whatever data is left on the stack after doing the witness =
type check (hashing the script, calculating a Merkle root, checking =
inclusion in an RSA accumulator, whatever). A simple rule is that it is =
serialized and prefixed to the beginning of the string that was checked =
against the commitment in the output.
So v0,32-byte says that the top item is hashed and that hash must match =
the 32-byte value in the output. This new v1,32-byte witness type being =
talked about in this thread would have exactly the same hashing rules, =
but will execute the resulting string based on its prefix, the script =
version, which is first removed before execution.
Sure first script version used could be a cleaned up script with a bunch =
of the weirdness removed (CHECKMULTISIG, I'm looking at you!); CLTV, =
CSV, and MBV drop arguments; disabled opcodes and unassigned NOPs become =
"return true"; etc. Maybe v2 adds new opcodes. But we can imagine =
script version that do something totally different, like introduce a new =
script based on a strongly-typed Merklized lambda calculus, or a RISC-V =
executable format, or whatever.
This has pragmatic implications with the separation of witness type and =
script version: we could then define a "MAST" output that proves the =
script used is drawn from a set represented by the Merkle tree. However =
different scripts in that tree can use different versions. It would be =
useful if the most common script is the key aggregated everyone-signs =
outcome, which looks like a regular bitcoin payment, and then =
contingency cases can be handled by means of a complicated script =
written in some newly added general computation language or a whole =
emulated RISC-V virtual machine.
> b. OP_RETURNTRUE (Luke). I proposed this in an earlier version of =
BIP114 but now I think it doesn=E2=80=99t interact well with signature =
aggregation, and I worry that it would have some other unexpected =
effects.
> c. Generalised NOP method: user has to provide the returned value, so =
even VERIFY-type code could do anything
I see no reason to do either. Gate new behavior based on script =
execution flags, which are set based on the script version. Script =
versions not understood are treated as "return true" to begin with. The =
interpreter isn't even going to try to decode the script according to =
the old rules, let alone try to execute it, so there's no reason for the =
old soft-fork compatability tricks.
The new soft-fork trick is that you increment the script version number. =
That is all.
> 2. Do we want to allow signature-time commitment of extra scripts?
> I think all proposals allow this, just with different way
> a. Tail-call semantics with CHECKSIGFROMSTACK (Mark). I think this is =
too rigid as it works only with specially designed scriptPubKey
This is not signature-time commitment of extra script. Not without =
CHECKSIGFROMSTACK or something like it.
> b. scriptWitCode: extra scripts are put in some fixed location in =
witness (Johnson). This makes sure static analysability.
> c. Extra-data as script in OP_CHECKSIG (Luke)
Propose these as their own script updates. Script versioning makes such =
new features cheap. There's no reason to create some sort of complex =
omnibus overhaul that does everything.
> 3. Do we want to allow static analysis of sigop?
> BIP114 and the related proposals are specifically designed to allow =
static analysis of sigop. I think this was one of the main reason of =
OP_EVAL not being accepted. This was also the main reason of Ethereum =
failing to do a DAO hacker softfork, leading to the ETH/ETC split. I=E2=80=
=99m not sure if we really want to give up this property. Once we do it, =
we have to support it forever.
Again, this is off-topic for this thread. I don't think a v1 witness =
type upgrade should do any of these things. The v1 witness type should =
add a proper script version in the witness, and remove or simplify =
limits or unnecessary verification rules that are no longer necessary =
and/or hindering progress. That=E2=80=99s it.
For example, I don't think a v1 witness version should be coupled with =
my tail-call semantics or the introduction of MERKLEBRANCHVERIFY (but if =
MBV was released already we could have it drop its arguments, which =
would be nice). However it should drop the CLEANSTACK rule in favor of =
something else (like signatures committing to the witness depth and/or =
weight) since the tail-call BIP demonstrates it to be an impediment to =
extensibility and alternatives are not. And it should drop the 520 byte =
push limitation, as the MBV BIP demonstrates use cases that have =
serialized proofs larger than that, like a k-of-N threshold with N=3D16.=
|
