summaryrefslogtreecommitdiff
path: root/aa/0c08cd6ef1631c70a22c0ca33e523aaf207c89
blob: bfbb46d40dc3faf698a2317c6f1fc1510dde0090 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
Return-Path: <mark@friedenbach.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 9EF94AAC
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  1 Nov 2017 15:08:49 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pf0-f177.google.com (mail-pf0-f177.google.com
	[209.85.192.177])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D5A9C4C7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  1 Nov 2017 15:08:48 +0000 (UTC)
Received: by mail-pf0-f177.google.com with SMTP id x7so2188614pfa.1
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 01 Nov 2017 08:08:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=friedenbach-org.20150623.gappssmtp.com; s=20150623;
	h=mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to;
	bh=SGvAlvlV27fDrOLxA6WLSQfUyd7mwjqPOqAcBy8AaW0=;
	b=tyyIHg3VJcku+KSAkCMLZw0HQSohq9E3ypPSPfCZkdWpswEggNp/OtuNa+F/IECms0
	95Xx6dljCulENAg4OcANgmD3sOn1Z2RXk/cm+vttlPe1MjUL4uW9ckJo6BBHVtsTiL73
	NFAHV/Pbovjtu/4THWFozm299t5AcJO03BxKKQuQkxinu5kFas9nv6XW2UZ4jIOQIN0J
	r3kYLKToWIRp3GH/ad3wvNyHva0ToFFe+VVXk3mi+qMMAaHplQxQxQ0YwD60VZdrnlIn
	8WLnpaEkrkczVroUJ8j5TGNypX+5Hs9uhYe8QQH8A8DO7m63A99n4FiMtMh9Jrf0c+DH
	bDbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to;
	bh=SGvAlvlV27fDrOLxA6WLSQfUyd7mwjqPOqAcBy8AaW0=;
	b=k35HEy1PkqKnhcIzNTML/LLWVGnrxY6KO1tAXEXMNfLqd+2oU/XgeEq5xIyV8bVVlz
	MoeDNyp6ZghIj2x01c7Elb2+xbFat8NqWz+WLAGdvgsYnW0WYIUCZsiCd/+3A7GP4ROQ
	rt6PyK2OrTXiZUCqf47fN0cGtVlQAk6A1fTzu9pIfl8vTr6lFq9EtHwjXxYOcV0Jiu+t
	1diydUWlMv9cRgdQCqg2wogmnDIFhE+47e7UC+TNq5QTvyKR3cBugmJURc9Z2iPEOzgt
	hGTSFssUOwSfrktqpYaMeXgV/rZbZIS5k0xI3+OTWT4AC6LNFQ555yQ3FgdGa1dLEDto
	JV1A==
X-Gm-Message-State: AMCzsaXM5k2pD5YnGxgnPS8IzangSh+6gGgFf4YFDshHLoo8lBR4K/lV
	dA0+MPdokXozsG8KKYoIIVFD1PbA9cs=
X-Google-Smtp-Source: ABhQp+Tk1MOByTKlC6kTGFA2DrrOHWmVT2UA6ToKhQK7kCNP7p/GsN4WEjukHLWyIpG0oUssBN8+nA==
X-Received: by 10.98.72.198 with SMTP id q67mr241415pfi.110.1509548928025;
	Wed, 01 Nov 2017 08:08:48 -0700 (PDT)
Received: from ?IPv6:2607:fb90:a45b:cc2c:ddb4:9930:9e3d:3dfb?
	([2607:fb90:a45b:cc2c:ddb4:9930:9e3d:3dfb])
	by smtp.gmail.com with ESMTPSA id
	t18sm2082603pfi.98.2017.11.01.08.08.47
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 01 Nov 2017 08:08:47 -0700 (PDT)
Content-Type: text/plain;
	charset=gb2312
Mime-Version: 1.0 (1.0)
From: Mark Friedenbach <mark@friedenbach.org>
X-Mailer: iPhone Mail (15A432)
In-Reply-To: <201711010843.49771.luke@dashjr.org>
Date: Wed, 1 Nov 2017 08:08:46 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F328120-94E0-4EFF-A76D-99E6007FA906@friedenbach.org>
References: <5B6756D0-6BEF-4A01-BDB8-52C646916E29@friedenbach.org>
	<3FE16880-868C-40BA-BCC5-954B15478FB2@friedenbach.org>
	<201711010843.49771.luke@dashjr.org>
To: Luke Dashjr <luke@dashjr.org>
X-Spam-Status: No, score=0.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	MIME_QP_LONG_LINE, RCVD_IN_DNSWL_NONE,
	RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Merkle branch verification & tail-call semantics
	for generalized MAST
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 15:08:49 -0000

Yes, if you use a witness script version you can save about 40 witness bytes=
 by templating the MBV script, which I think is equivalent to what you are s=
uggesting. 32 bytes from the saved hash, plus another 8 bytes or so from scr=
ipt templates and more efficient serialization.

I believe the conservatively correct approach is to do this in stages, howev=
er. First roll out MBV and tail call to witness v0. Then once there is exper=
ience with people using it in production, design and deploy a hashing templa=
te for script v1. It might be that we learn more and think of something bett=
er in the meantime.

> On Nov 1, 2017, at 1:43 AM, Luke Dashjr <luke@dashjr.org> wrote:
>=20
> Mark,
>=20
> I think I have found an improvement that can be made.
>=20
> As you recall, a downside to this approach is that one must make two=20
> commitments: first, to the particular "membership-checking script"; and th=
en=20
> in that script, to the particular merkle root of possible scripts.
>=20
> Would there be any harm in, instead of checking membership, *calculating* t=
he=20
> root? If not, then we could define that instead of the witness program=20
> committing to H(membership-check script), it rather commits to H(membershi=
p-
> calculation script | data added by an OP_ADDTOSCRIPTHASH). This would, I=20=

> believe, securely reduce the commitment of both to a single hash.
>=20
> It also doesn't reduce flexibility, since one could omit OP_ADDTOSCRIPTHAS=
H=20
> from their "membership-calculation" script to get the previous membership-=

> check behaviour, and use <hash> OP_EQUAL in its place.
>=20
> What do you think?
>=20
> Luke
>=20
>=20
>> On Saturday 28 October 2017 4:40:01 AM Mark Friedenbach wrote:
>> I have completed updating the three BIPs with all the feedback that I hav=
e
>> received so far. In short summary, here is an incomplete list of the
>> changes that were made:
>>=20
>> * Modified the hashing function fast-SHA256 so that an internal node cann=
ot
>> be interpreted simultaneously as a leaf. * Changed MERKLEBRANCHVERIFY to
>> verify a configurable number of elements from the tree, instead of just
>> one. * Changed MERKLEBRANCHVERIFY to have two modes: one where the inputs=

>> are assumed to be hashes, and one where they are run through double-SHA25=
6
>> first. * Made tail-call eval compatible with BIP141=A1=AFs CLEANSTACK con=
sensus
>> rule by allowing parameters to be passed on the alt-stack. * Restricted
>> tail-call eval to segwit scripts only, so that checking sigop and opcode
>> limits of the policy script would not be necessary.
>>=20
>> There were a bunch of other small modifications, typo fixes, and
>> optimizations that were made as well.
>>=20
>> I am now ready to submit these BIPs as a PR against the bitcoin/bips repo=
,
>> and I request that the BIP editor assign numbers.
>>=20
>> Thank you,
>> Mark Friedenbach
>>=20
>>> On Sep 6, 2017, at 5:38 PM, Mark Friedenbach <mark@friedenbach.org>
>>> wrote:
>>>=20
>>> I would like to propose two new script features to be added to the
>>> bitcoin protocol by means of soft-fork activation. These features are
>>> a new opcode, MERKLE-BRANCH-VERIFY (MBV) and tail-call execution
>>> semantics.
>>>=20
>>> In brief summary, MERKLE-BRANCH-VERIFY allows script authors to force
>>> redemption to use values selected from a pre-determined set committed
>>> to in the scriptPubKey, but without requiring revelation of unused
>>> elements in the set for both enhanced privacy and smaller script
>>> sizes. Tail-call execution semantics allows a single level of
>>> recursion into a subscript, providing properties similar to P2SH while
>>> at the same time more flexible.
>>>=20
>>> These two features together are enough to enable a range of
>>> applications such as tree signatures (minus Schnorr aggregation) as
>>> described by Pieter Wuille [1], and a generalized MAST useful for
>>> constructing private smart contracts. It also brings privacy and
>>> fungibility improvements to users of counter-signing wallet/vault
>>> services as unique redemption policies need only be revealed if/when
>>> exceptional circumstances demand it, leaving most transactions looking
>>> the same as any other MAST-enabled multi-sig script.
>>>=20
>>> I believe that the implementation of these features is simple enough,
>>> and the use cases compelling enough that we could BIP 8/9 rollout of
>>> these features in relatively short order, perhaps before the end of
>>> the year.
>>>=20
>>> I have written three BIPs to describe these features, and their
>>> associated implementation, for which I now invite public review and
>>> discussion:
>>>=20
>>> Fast Merkle Trees
>>> BIP: https://gist.github.com/maaku/41b0054de0731321d23e9da90ba4ee0a
>>> Code: https://github.com/maaku/bitcoin/tree/fast-merkle-tree
>>>=20
>>> MERKLEBRANCHVERIFY
>>> BIP: https://gist.github.com/maaku/bcf63a208880bbf8135e453994c0e431
>>> Code: https://github.com/maaku/bitcoin/tree/merkle-branch-verify
>>>=20
>>> Tail-call execution semantics
>>> BIP: https://gist.github.com/maaku/f7b2e710c53f601279549aa74eeb5368
>>> Code: https://github.com/maaku/bitcoin/tree/tail-call-semantics
>>>=20
>>> Note: I have circulated this idea privately among a few people, and I
>>> will note that there is one piece of feedback which I agree with but
>>> is not incorporated yet: there should be a multi-element MBV opcode
>>> that allows verifying multiple items are extracted from a single
>>> tree. It is not obvious how MBV could be modified to support this
>>> without sacrificing important properties, or whether should be a
>>> separate multi-MBV opcode instead.
>>>=20
>>> Kind regards,
>>> Mark Friedenbach