summaryrefslogtreecommitdiff
path: root/a6/5733eedf9307ba74f657a3c2d5eef9cab61cea
blob: 88579d568cf729b59b7c67bf8cf567314521b75f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
Return-Path: <sanket1729@gmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 37B41C000E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  6 Jul 2021 10:51:16 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 27446835E0
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  6 Jul 2021 10:51:16 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level: 
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
 HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id lcpAXSUGvCHP
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  6 Jul 2021 10:51:14 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com
 [IPv6:2a00:1450:4864:20::236])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 0987B835CA
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue,  6 Jul 2021 10:51:13 +0000 (UTC)
Received: by mail-lj1-x236.google.com with SMTP id r16so28498046ljk.9
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Tue, 06 Jul 2021 03:51:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=q0IWZ2GzHmVa7Rilb5tOHE/Z3R8J3BMEmbeJSgpfCjk=;
 b=K/A/tJqJHoxAIjMw2mBlDf45L7rlLUYsnt/UA1d7GTggaDPxXoyZx1I8t0GLtGcL4b
 /A0DY3Yw2TEXc7S53zW0AwWCNlDxRd4nAaw74oChjTN49oEqBeTgf5rZUCksR73m5rpd
 yunA4a+jLD3tHj3pmF29oabc3oarvm6YTWj8e2CrhPJJov0j6EOXgWSPfgK3Q8jYguDp
 0Sf20HDgQmOTsNZjjWgXsncLPbtFULvx5LvpEIG/0YuU16tl83Xjpdqi990JUxk1Z/XO
 XJT7FzvRJfVzWfz/VKEze5K5LbnOXfNCN4LmJ1EluiJ8AGDyPr/tcr9WN5KFuFPCHddd
 Ekcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=q0IWZ2GzHmVa7Rilb5tOHE/Z3R8J3BMEmbeJSgpfCjk=;
 b=b0bK+T0jGm2c7FmwXYyRr4A4vlgc9L7rpmohHRJalv4sSw1tv73TIA69zG9etgMRra
 Pazk+Y+m62yY44LHU+kA3P51YglNzxq25xiriWZkBTtxSLyIErtn/i5OUXC7SaRo/Qgi
 c+YXqPrB+CFRi8lFkrdVgIy9ReaLmD2NDUt3Pic9OJbmkGsPr2BCuZZ40JITXqjU5N2c
 Gno6H6VeLqUcNN6p2kJvbdp03+TubUf0nKhsxXq63jSAjaZz9ehoNfDYPOU75E0HAx3O
 0iWi75PJE4fjqCdBQV1XJ9yhAWLzYKS3iVBYZiULs/GlR+qRq4yRy47Y6rG793aQF5z7
 VacQ==
X-Gm-Message-State: AOAM5303zX8b6x0oGkTpUv5Roj6ULITAhOmPKTLciQqRHBWfCmvvVoDV
 ehnms1VbjLuvqDNVmTrzXevfvn84R624KIBdF2aeL0Vy9Tw=
X-Google-Smtp-Source: ABdhPJzOcQgS5IglxpNKWUgUXR/TlXIxxKYKigg91vXeX/RDhrXWDfWWLPgOYjIqENDtUnXLyN3nj4qQaGv+yh0KTtM=
X-Received: by 2002:a05:6402:b48:: with SMTP id
 bx8mr7597232edb.255.1625566864121; 
 Tue, 06 Jul 2021 03:21:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAD5xwhjmu-Eee47Ho5eA6E6+aAdnchLU0OVZo=RTHaXnN17x8A@mail.gmail.com>
 <20210704011341.ddbiruuomqovrjn6@ganymede>
 <CAD5xwhimPBEV_tLpSPxs9B+XGUhvPx_dnhok=8=hyksyi4=B6g@mail.gmail.com>
 <20210704203230.37hlpdyzr4aijiet@ganymede>
 <5keA_aPvmCO5yBh_mBQ6Z5SwnnvEW0T-3vahesaDh57f-qv4FbG1SFAzDvT3rFhre6kFl282VsxV_pynwn_CdvF7fzH2q9NW1ZQHPH1pmdo=@protonmail.com>
 <CAMZUoKnuRXNG1pyupHrL+Wo80TXTbADVrexoB=+BKC633v-qMw@mail.gmail.com>
 <CAGpPWDZ6FhAn+dBf-_yf7YVzRB7NWV7zaKqKYewgZecBxWUx5A@mail.gmail.com>
In-Reply-To: <CAGpPWDZ6FhAn+dBf-_yf7YVzRB7NWV7zaKqKYewgZecBxWUx5A@mail.gmail.com>
From: Sanket Kanjalkar <sanket1729@gmail.com>
Date: Tue, 6 Jul 2021 03:20:53 -0700
Message-ID: <CAExE9c8eZz5i1gR5txdZaO1gyR5p6pBTzmNus4CHDS=ZQ2xApg@mail.gmail.com>
To: Billy Tetrud <billy.tetrud@gmail.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000007ea2b205c671c746"
X-Mailman-Approved-At: Tue, 06 Jul 2021 10:59:58 +0000
Subject: Re: [bitcoin-dev] Unlimited covenants,
 was Re: CHECKSIGFROMSTACK/{Verify} BIP for Bitcoin
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2021 10:51:16 -0000

--0000000000007ea2b205c671c746
Content-Type: text/plain; charset="UTF-8"

After some brainstorming about the possible drawbacks of enabling
covenants, I have also slowly become more comfortable with the idea of
"unlimited" covenants. AJs example clearly shows that _all_ possible
"misuses" of covenants are already possible by Multi-Sig today, so it's not
a new vector that we are adding today.

>  My concerns have always been around ensuring that transaction and block
validation is not unduly burdensome for nodes.  So for Bitcoin Script, we
want to bound the amount of resources needed to execute it, preferably as a
linear function of weight[1], and preferably have it clear what the
evaluation costs are going to be prior to evaluation[2].  We also want to
keep Script execution as a pure function of the transaction data so that
nodes do not need to reevaluate their mempool on every new block.

Many bitcoin upgrades, in particular, Segwit, and tapscript sigops budget
have been along with the same principle. And as mentioned before, none of
these go against enabling recursive covenants.

> Are they? Are you implying that anything that enables covenants is
equivalent to enabling OP_CAT?

No, it is not equivalent. Russell is referring to a way to do covenants by
only using `OP_CAT`(along with Schnorr sigs that we already have) as
mentioned by Andrew Poelstra here
<https://medium.com/blockstream/cat-and-schnorr-tricks-i-faf1b59bd298> .

I also am in general support of the `OP_CHECKSIGFROMSTACK` opcode. We would
need to update the suggestion to BIP340, and add it to sigops budget. I
have no strong preference for splitting R and s values or variable-length
messages.


On Tue, Jul 6, 2021 at 1:36 AM Billy Tetrud via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> >  when people are talking about enabling covenants, we are talking about
> whether OP_CAT should be allowed or not
>
> Are they? Are you implying that anything that enables covenants is
> equivalent to enabling OP_CAT? Generally when I think about enabling
> covenants, I'm thinking more about OP_CTV (or some similarly specific
> opcode
> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/bip-constraindestination.md>
> ).
>
> > OP_TWEAK
>
> I wasn't able to find anything about what that is. Would you mind
> clarifying what that concept is?
>
> On Mon, Jul 5, 2021 at 10:20 AM Russell O'Connor via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi ZmnSCPxj,
>>
>> I don't believe we need to ban Turing completeness for the sake of
>> banning Turing completeness.  My concerns have always been around ensuring
>> that transaction and block validation is not unduly burdensome for nodes.
>> So for Bitcoin Script, we want to bound the amount of resources needed to
>> execute it, preferably as a linear function of weight[1], and preferably
>> have it clear what the evaluation costs are going to be prior to
>> evaluation[2].  We also want to keep Script execution as a pure function of
>> the transaction data so that nodes do not need to reevaluate their mempool
>> on every new block.  For consensus purposes we prefer to have simple
>> primitive operations that have clear and precise semantics that are as
>> likely as possible to be reimplemented correctly if they are reimplemented
>> (or at least let us not make this problem worse than it already is).  In
>> particular, Script needs to be easy to parse to avoid weird parsing
>> machines that lead to security vulnerabilities within node software.
>>
>> While the above design constraints imply a prohibition on Turing complete
>> computation within a single Script, they do not imply a prohibition on
>> arbitrary, covenant-enabled computations that spans across multiple
>> transactions.  Neither would these constraints prohibit some kind of STARK
>> or SNARK tapleaf version that was somehow capable of succinctly
>> representing arbitrary computations, so long as validation costs remain
>> bounded.
>>
>> And while it is true that covenant-enabled computations could allow users
>> to put their funds at risk through weird machines that manipulate their
>> money on the blockchain, as longs as that weirdness stays at that level of
>> the abstract Bitcoin Script machine, then I suppose it is *caveat emptor*;
>> don't send your funds to random unverified Bitcoin Scripts, advice that is
>> already the case today.  We can keep that potential weirdness at bay by
>> keeping Script simple, and maintaining our understanding that the Script
>> programs (like the rest of the blockchain data) are untrusted inputs and
>> they need to be validated and scrutinized before interpretation.
>>
>> [1] In tapscript I believe all operations are linear time with the
>> exception of OP_ROLL.  However OP_ROLL is still constrained by global
>> limits on stack size, etc.
>> [2] In Bitcoin Script, without loops of any kind, every opcode is
>> evaluated at most once, so counting opcodes is an easy way to put an upper
>> bound on your costs before evaluation.
>>
>> On Sun, Jul 4, 2021 at 8:51 PM ZmnSCPxj via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>> Good morning Dave,
>>>
>>> > On Sun, Jul 04, 2021 at 11:39:44AM -0700, Jeremy wrote:
>>> >
>>> > > However, I think the broader community is unconvinced by the cost
>>> benefit
>>> > > of arbitrary covenants. See
>>> > >
>>> https://medium.com/block-digest-mempool/my-worries-about-too-generalized-covenants-5eff33affbb6
>>> > > as a recent example. Therefore as a critical part of building
>>> consensus on
>>> > > various techniques I've worked to emphasize that specific additions
>>> do not
>>> > > entail risk of accidentally introducing more than was bargained for
>>> to
>>> > > respect the concerns of others.
>>> >
>>> > Respecting the concerns of others doesn't require lobotomizing useful
>>> > tools. Being respectful can also be accomplished by politely showing
>>> > that their concerns are unfounded (or at least less severe than they
>>> > thought). This is almost always the better course IMO---it takes much
>>> > more effort to satisfy additional engineering constraints (and prove to
>>> > reviewers that you've done so!) than it does to simply discuss those
>>> > concerns with reasonable stakeholders. As a demonstration, let's look
>>> > at the concerns from Shinobi's post linked above:
>>> >
>>> > They seem to be worried that some Bitcoin users will choose to accept
>>> > coins that can't subsequently be fungibily mixed with other bitcoins.
>>> > But that's already been the case for a decade: users can accept
>>> altcoins
>>> > that are non-fungible with bitcoins.
>>> >
>>> > They talk about covenants where spending is controlled by governments,
>>> > but that seems to me exactly like China's CBDC trial.
>>> >
>>> > They talk about exchanges depositing users' BTC into a covenant, but
>>> > that's just a variation on the classic not-your-keys-not-your-bitcoins
>>> > problem. For all you know, your local exchange is keeping most of its
>>> > BTC balance commitments in ETH or USDT.
>>> >
>>> > To me, it seems like the worst-case problems Shinobi describes with
>>> > covenants are some of the same problems that already exist with
>>> > altcoins. I don't see how recursive covenants could make any of those
>>> > problems worse, and so I don't see any point in limiting Bitcoin's
>>> > flexibility to avoid those problems when there are so many interesting
>>> > and useful things that unlimited covenants could do.
>>>
>>> The "altcoins are even worse" argument does seem quite convincing, and
>>> if Bitcoin can survive altcoins, surely it can survive covenants too?
>>>
>>> In before "turns out covenants are the next ICO".
>>> i.e. ICOs are just colored coins, which are useful for keeping track of
>>> various stuff, but have then been used as a vehicle to scam people.
>>> But I suppose that is a problem that humans will always have: limited
>>> cognition, so that *good* popular things that are outside your specific
>>> field of study are indistinguishable from *bad* popular things.
>>> So perhaps it should not be a concern on a technical level.
>>> Maybe we should instead make articles about covenants so boring nobody
>>> will hype about it (^^;)v.
>>>
>>> Increased functionality implies increased processing, and hopefully
>>> computation devices are getting cheap enough that the increased processing
>>> implied by new features should not be too onerous.
>>>
>>>
>>>
>>> To my mind, an "inescapable" covenant (i.e. one that requires the output
>>> to be paid to the same covenant) is basically a Turing machine, and
>>> equivalent to a `while (true);` loop.
>>> In a `while (true);` loop, the state of the machine reverts back to the
>>> same state, and it repeats again.
>>> In an inescpable covenant, the control of some amount of funds reverts
>>> back to the same controlling SCRIPT, and it repeats again.
>>> Yes, you can certainly add more functionality on top of that loop, just
>>> think of program main loops for games or daemons, which are, in essence,
>>> "just" `while (true) ...`.
>>> But basically, such unbounded infinite loops are possible only under
>>> Turing machines, thus I consider covenants to be Turing-complete.
>>> Principle of Least Power should make us wonder if we need full Turing
>>> machines for the functionality.
>>>
>>> On the other hand --- codata processing *does* allow for unbounded
>>> loops, without requiring full Turing-completeness; they just require total
>>> functionality, not partial (and Turing-completeness is partial, not total).
>>> Basically, data structures are unbounded storage, while codata
>>> structures are unbounded processing.
>>> Perhaps covenants can encode an upper bound on the number of recursions,
>>> which prevents full Turing-completeness while allowing for a large number
>>> of use-cases.
>>>
>>> (if the above paragraph makes no sense to you, hopefully this Wikipedia
>>> article will help:
>>> https://en.wikipedia.org/wiki/Total_functional_programming )
>>> (basically my argument here is based on academic programming stuff, and
>>> might not actually matter in real life)
>>>
>>> Regards,
>>> ZmnSCPxj
>>> _______________________________________________
>>> bitcoin-dev mailing list
>>> bitcoin-dev@lists.linuxfoundation.org
>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>


-- 
Sanket Kanjalkar

--0000000000007ea2b205c671c746
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">After some brainstorming about the possible drawbacks of e=
nabling covenants, I have also slowly become more comfortable=C2=A0with the=
 idea of &quot;unlimited&quot; covenants. AJs example clearly shows that _a=
ll_ possible &quot;misuses&quot; of covenants are already possible=C2=A0by =
Multi-Sig today, so it&#39;s not a new vector that we are adding today.=C2=
=A0<br><br>&gt;=C2=A0=C2=A0My concerns have always been around ensuring tha=
t transaction and block validation is not unduly burdensome for nodes.=C2=
=A0 So for Bitcoin Script, we want to bound the amount of resources needed =
to execute it, preferably as a linear function of weight[1], and preferably=
 have it clear what the evaluation costs are going to be prior to evaluatio=
n[2].=C2=A0 We also want to keep Script execution as a pure function of the=
 transaction data so that nodes do not need to reevaluate their mempool on =
every new block.=C2=A0<br><br>Many bitcoin upgrades, in particular, Segwit,=
 and tapscript=C2=A0sigops budget have been along with the same principle. =
And as mentioned before, none of these go against enabling recursive covena=
nts.=C2=A0<br><br>&gt; Are they? Are you implying that anything that enable=
s covenants is equivalent to enabling OP_CAT?<br><br>No, it is not equivale=
nt. Russell is referring to a way to do covenants by only=C2=A0using `OP_CA=
T`(along with Schnorr sigs that we already have) as mentioned by Andrew Poe=
lstra <a href=3D"https://medium.com/blockstream/cat-and-schnorr-tricks-i-fa=
f1b59bd298" target=3D"_blank">here</a>=C2=A0.=C2=A0<br><br>I also am in gen=
eral support of=C2=A0the `OP_CHECKSIGFROMSTACK` opcode. We would need to up=
date the suggestion to BIP340, and add it to sigops budget. I have no stron=
g preference for splitting R and s values or variable-length messages.=C2=
=A0<br><br></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"g=
mail_attr">On Tue, Jul 6, 2021 at 1:36 AM Billy Tetrud via bitcoin-dev &lt;=
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote c=
lass=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px soli=
d rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr">&gt;=C2=A0

when people are talking about enabling covenants, we are talking about whet=
her OP_CAT should be allowed or not<div><br></div><div>Are they? Are you im=
plying that anything that enables covenants is equivalent to enabling OP_CA=
T? Generally when I think about enabling covenants, I&#39;m thinking more a=
bout OP_CTV (or some similarly specific <a href=3D"https://github.com/fresh=
eneesz/bip-efficient-bitcoin-vaults/blob/main/bip-constraindestination.md" =
target=3D"_blank">opcode</a>).</div><div><br></div><div>&gt; OP_TWEAK=C2=A0=
</div><div><br></div><div>I wasn&#39;t able to find anything about=C2=A0wha=
t that is. Would you mind clarifying what that concept is?=C2=A0</div></div=
><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Mo=
n, Jul 5, 2021 at 10:20 AM Russell O&#39;Connor via bitcoin-dev &lt;<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin=
-dev@lists.linuxfoundation.org</a>&gt; wrote:<br></div><blockquote class=3D=
"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(2=
04,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Hi ZmnSCPxj,</div><div>=
<br></div><div>I don&#39;t believe we need to ban Turing completeness for t=
he sake of banning Turing completeness.=C2=A0 My concerns have always been =
around ensuring that transaction and block validation is not unduly burdens=
ome for nodes.=C2=A0 So for Bitcoin Script, we want to bound the amount of =
resources needed to execute it, preferably as a linear function of weight[1=
], and preferably have it clear what the evaluation costs are going to be p=
rior to evaluation[2].=C2=A0 We also want to keep Script execution as a pur=
e function of the transaction data so that nodes do not need to reevaluate =
their mempool on every new block.=C2=A0 For consensus purposes we prefer to=
 have simple primitive operations that have clear and precise semantics tha=
t are as likely as possible to be reimplemented correctly if they are reimp=
lemented (or at least let us not make this problem worse than it already is=
).=C2=A0 In particular, Script needs to be easy to parse to avoid weird par=
sing machines that lead to security vulnerabilities within node software.<b=
r></div><div><br></div><div>While the above design constraints imply a proh=
ibition on Turing complete computation within a single Script, they do not =
imply a prohibition on arbitrary, covenant-enabled computations that spans =
across multiple transactions.=C2=A0 Neither would these constraints prohibi=
t some kind of STARK or SNARK tapleaf version that was somehow capable of s=
uccinctly representing arbitrary computations, so long as validation costs =
remain bounded.</div><div><br></div><div>And while it is true that covenant=
-enabled computations could allow users to put their funds at risk through =
weird machines that manipulate their money on the blockchain, as longs as t=
hat weirdness stays at that level of the abstract Bitcoin Script machine, t=
hen I suppose it is <i>caveat emptor</i>; don&#39;t send your funds to rand=
om unverified Bitcoin Scripts, advice that is already the case today.=C2=A0=
 We can keep that potential weirdness at bay by keeping Script simple, and =
maintaining our understanding that the Script programs (like the rest of th=
e blockchain data) are untrusted inputs and they need to be validated and s=
crutinized before interpretation.<br></div><div><br></div><div>[1] In tapsc=
ript I believe all operations are linear time with the exception of OP_ROLL=
.=C2=A0 However OP_ROLL is still constrained by global limits on stack size=
, etc.</div><div>[2] In Bitcoin Script, without loops of any kind, every op=
code is evaluated at most once, so counting opcodes is an easy way to put a=
n upper bound on your costs before evaluation.<br></div><br><div class=3D"g=
mail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Sun, Jul 4, 2021 at 8:=
51 PM ZmnSCPxj via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linu=
xfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a=
>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px=
 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Goo=
d morning Dave,<br>
<br>
&gt; On Sun, Jul 04, 2021 at 11:39:44AM -0700, Jeremy wrote:<br>
&gt;<br>
&gt; &gt; However, I think the broader community is unconvinced by the cost=
 benefit<br>
&gt; &gt; of arbitrary covenants. See<br>
&gt; &gt; <a href=3D"https://medium.com/block-digest-mempool/my-worries-abo=
ut-too-generalized-covenants-5eff33affbb6" rel=3D"noreferrer" target=3D"_bl=
ank">https://medium.com/block-digest-mempool/my-worries-about-too-generaliz=
ed-covenants-5eff33affbb6</a><br>
&gt; &gt; as a recent example. Therefore as a critical part of building con=
sensus on<br>
&gt; &gt; various techniques I&#39;ve worked to emphasize that specific add=
itions do not<br>
&gt; &gt; entail risk of accidentally introducing more than was bargained f=
or to<br>
&gt; &gt; respect the concerns of others.<br>
&gt;<br>
&gt; Respecting the concerns of others doesn&#39;t require lobotomizing use=
ful<br>
&gt; tools. Being respectful can also be accomplished by politely showing<b=
r>
&gt; that their concerns are unfounded (or at least less severe than they<b=
r>
&gt; thought). This is almost always the better course IMO---it takes much<=
br>
&gt; more effort to satisfy additional engineering constraints (and prove t=
o<br>
&gt; reviewers that you&#39;ve done so!) than it does to simply discuss tho=
se<br>
&gt; concerns with reasonable stakeholders. As a demonstration, let&#39;s l=
ook<br>
&gt; at the concerns from Shinobi&#39;s post linked above:<br>
&gt;<br>
&gt; They seem to be worried that some Bitcoin users will choose to accept<=
br>
&gt; coins that can&#39;t subsequently be fungibily mixed with other bitcoi=
ns.<br>
&gt; But that&#39;s already been the case for a decade: users can accept al=
tcoins<br>
&gt; that are non-fungible with bitcoins.<br>
&gt;<br>
&gt; They talk about covenants where spending is controlled by governments,=
<br>
&gt; but that seems to me exactly like China&#39;s CBDC trial.<br>
&gt;<br>
&gt; They talk about exchanges depositing users&#39; BTC into a covenant, b=
ut<br>
&gt; that&#39;s just a variation on the classic not-your-keys-not-your-bitc=
oins<br>
&gt; problem. For all you know, your local exchange is keeping most of its<=
br>
&gt; BTC balance commitments in ETH or USDT.<br>
&gt;<br>
&gt; To me, it seems like the worst-case problems Shinobi describes with<br=
>
&gt; covenants are some of the same problems that already exist with<br>
&gt; altcoins. I don&#39;t see how recursive covenants could make any of th=
ose<br>
&gt; problems worse, and so I don&#39;t see any point in limiting Bitcoin&#=
39;s<br>
&gt; flexibility to avoid those problems when there are so many interesting=
<br>
&gt; and useful things that unlimited covenants could do.<br>
<br>
The &quot;altcoins are even worse&quot; argument does seem quite convincing=
, and if Bitcoin can survive altcoins, surely it can survive covenants too?=
<br>
<br>
In before &quot;turns out covenants are the next ICO&quot;.<br>
i.e. ICOs are just colored coins, which are useful for keeping track of var=
ious stuff, but have then been used as a vehicle to scam people.<br>
But I suppose that is a problem that humans will always have: limited cogni=
tion, so that *good* popular things that are outside your specific field of=
 study are indistinguishable from *bad* popular things.<br>
So perhaps it should not be a concern on a technical level.<br>
Maybe we should instead make articles about covenants so boring nobody will=
 hype about it (^^;)v.<br>
<br>
Increased functionality implies increased processing, and hopefully computa=
tion devices are getting cheap enough that the increased processing implied=
 by new features should not be too onerous.<br>
<br>
<br>
<br>
To my mind, an &quot;inescapable&quot; covenant (i.e. one that requires the=
 output to be paid to the same covenant) is basically a Turing machine, and=
 equivalent to a `while (true);` loop.<br>
In a `while (true);` loop, the state of the machine reverts back to the sam=
e state, and it repeats again.<br>
In an inescpable covenant, the control of some amount of funds reverts back=
 to the same controlling SCRIPT, and it repeats again.<br>
Yes, you can certainly add more functionality on top of that loop, just thi=
nk of program main loops for games or daemons, which are, in essence, &quot=
;just&quot; `while (true) ...`.<br>
But basically, such unbounded infinite loops are possible only under Turing=
 machines, thus I consider covenants to be Turing-complete.<br>
Principle of Least Power should make us wonder if we need full Turing machi=
nes for the functionality.<br>
<br>
On the other hand --- codata processing *does* allow for unbounded loops, w=
ithout requiring full Turing-completeness; they just require total function=
ality, not partial (and Turing-completeness is partial, not total).<br>
Basically, data structures are unbounded storage, while codata structures a=
re unbounded processing.<br>
Perhaps covenants can encode an upper bound on the number of recursions, wh=
ich prevents full Turing-completeness while allowing for a large number of =
use-cases.<br>
<br>
(if the above paragraph makes no sense to you, hopefully this Wikipedia art=
icle will help: <a href=3D"https://en.wikipedia.org/wiki/Total_functional_p=
rogramming" rel=3D"noreferrer" target=3D"_blank">https://en.wikipedia.org/w=
iki/Total_functional_programming</a> )<br>
(basically my argument here is based on academic programming stuff, and mig=
ht not actually matter in real life)<br>
<br>
Regards,<br>
ZmnSCPxj<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div><br clear=3D"all"><div><br></div>-- <br><div dir=3D"ltr"=
><div dir=3D"ltr">Sanket Kanjalkar<br></div></div>

--0000000000007ea2b205c671c746--