path: root/b2/17ecbd919103e74c5fff76d3c84d774788eee0

Return-Path: <nadav@shesek.info>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id F31D5C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 29 Apr 2022 10:21:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id D21A541CB5
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 29 Apr 2022 10:21:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: 0.278
X-Spam-Level: 
X-Spam-Status: No, score=0.278 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1,
 HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.975,
 RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001]
 autolearn=no autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=neutral
 reason="invalid (public key: not available)" header.d=shesek.info
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id jBF2hamuIJv7
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 29 Apr 2022 10:21:45 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-il1-x130.google.com (mail-il1-x130.google.com
 [IPv6:2607:f8b0:4864:20::130])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 886F041CB4
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 29 Apr 2022 10:21:45 +0000 (UTC)
Received: by mail-il1-x130.google.com with SMTP id b5so3675241ile.0
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Fri, 29 Apr 2022 03:21:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=shesek.info; s=shesek;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=+W1RW+AW/Lhdkhujav1ht94+R4yyUNH4jngwDv4LX4Y=;
 b=lEcYwV+Ya8jGv8dr8cjrBGRXIQsUmR9/XP4+cD65akm6qpisfyNHO8YL/71wsjedLP
 fWGD2BO6zG2glyA7Gc9OCfoIs8cA6dn8834GEOmsQxMnK5nXkDpgp5KOvg2UUhg0Ul6w
 hkPcY9g4cMExIRsRseeHwQHYcvPFymD9sQlSE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=+W1RW+AW/Lhdkhujav1ht94+R4yyUNH4jngwDv4LX4Y=;
 b=luw6M5NyiSmg++FGO5zHaTQvs/BRb1SZY9NnhbJJMNBvSE/4Dn7VxcuFrMq099mQGL
 bMmnwmJWJglcv8ByBF94pI0lQIw+G6nFJXCIoKYiG1ssaItvGNGimj/9JBqS6qh+tA60
 U8/w8e+2ARRRFscfI1Ejqm9wrjYXfvFJ6tnFSFg050pHLPX3LIIGu5hYH7FEfvZ5g8aC
 Bg3Ldh703QjS18hi0ZsZZjJBMfPpAvKLlbAUDGft3VCRnSsVNw0UOtTli1/pihezs+Yc
 Ho0oi3UO4M3smytth67JikWHU64kAZL6V8VXAjOm0fP2cHCoaj6/XRvuaxuNCwFEDYFE
 mUig==
X-Gm-Message-State: AOAM53178tawYvqglsi8lUJ9dMjMM7hTG3G05OMi9gxR+E8HjeBSqxWI
 QWvNhlBYR+l65DBvEtvQRKMWriDNZVB9UQ7tZNk4Wg==
X-Google-Smtp-Source: ABdhPJxES0ClwAcLyB5ikYhQ0JSrvtBDvxGjC9SRAz45hNfk9GExe1JT0QT2oSEcQvJCK79zgncAq3Tu/K69AGQOcWc=
X-Received: by 2002:a92:b305:0:b0:2c8:267b:7e25 with SMTP id
 p5-20020a92b305000000b002c8267b7e25mr15473837ilh.312.1651227704348; Fri, 29
 Apr 2022 03:21:44 -0700 (PDT)
MIME-Version: 1.0
References: <p3P0m2_aNXd-4oYhFjCKJyI8zQXahmZed6bv7lnj9M9HbP9gMqMtJr-pP7XRAPs-rn_fJuGu1cv9ero5i8f0cvyZrMXYPzPx17CxJ2ZSvRk=@protonmail.com>
 <CAGXD5f3CyoRytWi4rsTUJocBS3Kqb=T2z6fOe+eORc-uxALrDg@mail.gmail.com>
 <u_rOSYZh92yALI9zZLk2M7DwQEccOLpQpCQrWN3Sz2HrH8M4WNvTtyp17ByfWhee3d1Ler62Wi3PmlM7AZduC4G8_qRRJAUIB0Bw3UP9q2M=@protonmail.com>
In-Reply-To: <u_rOSYZh92yALI9zZLk2M7DwQEccOLpQpCQrWN3Sz2HrH8M4WNvTtyp17ByfWhee3d1Ler62Wi3PmlM7AZduC4G8_qRRJAUIB0Bw3UP9q2M=@protonmail.com>
From: Nadav Ivgi <nadav@shesek.info>
Date: Fri, 29 Apr 2022 13:21:33 +0300
Message-ID: <CAGXD5f3z9q1ggUemHUvEkDhRDQa9Xb04=zPzzKdX=hLGNBadVQ@mail.gmail.com>
To: darosior <darosior@protonmail.com>
Content-Type: multipart/alternative; boundary="000000000000c2ea2105ddc868c8"
X-Mailman-Approved-At: Fri, 29 Apr 2022 10:27:36 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] ANYPREVOUT in place of CTV
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2022 10:21:48 -0000

--000000000000c2ea2105ddc868c8
Content-Type: text/plain; charset="UTF-8"

> This is *literally* what the post you are replying to is proposing to
solve.

I thought the changes mentioned in the OP (+ committing to the spent input
index) only solves the half-spend problem, but not the stable txids one?

There can be other inputs with a scriptSig, which doesn't get committed to
in the APO hash. I guess this isn't too common, but there might be some
cases where you would want to spend some (pre-selected) non-segwit inputs
alongside your covenant, maybe for fees. With CTV you would pre-commit to
the scriptSig which makes it non-malleable even if the script itself is.

> Hmm? You can't have channel factories without Eltoo. (Well, you can in
theory but good luck.)
> Maybe you are refering to non-interactive channel creation?

I was referring to what BIP 119 calls 'Batched Channel Creation' [0], which
is a sort of a channel factory construction under a broader definition (and
in fact was previously called that in the BIP [1]).

> The case for stable txids is less strong if we have APO (and therefore
Eltoo).

There's merit in using these factory constructs for Poon-Dryja channels
even if Eltoo was available.
I don't foresee Eltoo taking over the penalty approach entirely, but rather
the two living side by side.

(It could theoretically be possible to use APO to open Poon-Dryja channels
on top of unstable funding txids, but having stable txids makes this much
more easily integratable with existing lightning implementations, without
the invasive changes that unstable txids would bring.)

> This has been addressed over and over and over again. If a QC is able
overnight to spend a large fraction of
> the supply, your coins in your super non-QC-vulnerable-bare-CTV-covenant
(that would eventually become
> vulnerable when trying to use it) are worthless.

It might be the case that a sufficient fraction of supply does switch over
to QC-protected outputs in time, with only some small minority that didn't
actively switch over *and* with revealed bare pubkeys losing their funds,
which wouldn't make BTC entirely worthless. It makes sense not to want to
be in that minority, ideally without requiring further time-sensitive
active action (esp if considering long-term deep cold storage for
inheritance etc).

(This of course assumes a safe post-QC mechanism to later spend these
funds; IIUC there are some viable approaches for that using a two-step
spending procedure, where you prove knowledge of the pubkey/script preimage
while commiting to a future tx.)

> Sorry for being sarcastic, but at this point it's not fair to use
quantum-computer FUD to justify the
> activation of CTV over APO, or encourage the use of legacy transactions
over Taproot ones.

Sorry if it came off as FUDing. I don't know enough to hold a strong opinion
on whether the fear of QCs is justified or not. I know that many people on
this list don't think so, but I also think that this fear is prevalent
enough to warrant taking it into consideration (at least for features that
target long-term SoV use cases; less so for features targeted at L2 MoE
applications like lightning spacechains paypools etc).

> you can also use the internal key optimization .. you can't have
NUMS-ness then

Right, which makes this unsuitable for the vaulting use case.

> Also, it's not 33 extra vbytes vs CTV-in-segwitv0, but 33 extra * witness
units* (8.25 vbytes).

Ugh yes sorry about that! I realized after hitting send and meant to
clarify that it should've been s/vbyte/WU/ in my next reply.

> Are APO signatures more expensive to verify? .. the cost for the network
of validating signatures already exists today

Not compared to existing signature verifications, but compared to a
CTV/TXHASH-like construction.

Can anyone quantify how much of a difference this makes in practice?

> i appreciate your reply and your efforts to explore the tradeoffs between
the two approaches.

Thank you, I appreciate your efforts on this too :-)

shesek

[0]
https://github.com/bitcoin/bips/blob/master/bip-0119.mediawiki#Batched_Channel_Creation
[1] https://github.com/bitcoin/bips/pull/1273

On Fri, Apr 29, 2022 at 11:31 AM darosior <darosior@protonmail.com> wrote:

> Hi Shesek,
>
> 1. The resulting txids are not stable.
>
>
> This is *literally* what the post you are replying to is proposing to
> solve.
>
>
> This property could be important for some of the proposed CTV use-cases,
> like channel factories.
>
>
> Hmm? You can't have channel factories without Eltoo. (Well, you can in
> theory but good luck.)
> Maybe you are refering to non-interactive channel creation? The case for
> stable txids is less strong if we
> have APO (and therefore Eltoo). [0]
>
>
> 2. APO will only be available on Taproot, which some people might prefer
> to avoid for long-term multi-decade vault storage due to QC concerns. (also
> see my previous post on this thread [0])
>
>
> This has been addressed over and over and over again. If a QC is able
> overnight to spend a large fraction of
> the supply, your coins in your super non-QC-vulnerable-bare-CTV-covenant
> (that would eventually become
> vulnerable when trying to use it) are worthless.[1]
>
> Sorry for being sarcastic, but at this point it's not fair to use
> quantum-computer FUD to justify the
> activation of CTV over APO, or encourage the use of legacy transactions
> over Taproot ones.
>
>
> 3. Higher witness satisfaction cost of roughly 3x vbytes vs CTV-in-Taproot
> (plus 33 extra vbytes vs CTV-in-segwitv0 *in the case of a single CTV
> branch*, for the taproot control block. with more branches CTV-in-taproot
> eventually becomes preferable).
>
>
> Again, this is what my post discusses. Here are the arguments from my post
> about why i don't think it's a big deal:
>
>     1. You can in this case see CTV as an optimization of (tweaked) APOAS.
> A lot of us are doubtful about CTV
>        usecases for real people. So much that it was even proposed to
> temporarily activate it to see if it would
>        ever have any real traction! [2]
>        My point with this post was: what if we do (a slightly tweaked)
> BIP118, that is otherwise useful. And
>        if this use of covenants is really getting traction then we can
> roll out an optimization in the form of
>        CTV (or better covenants, as we'd have had more research put into
> it by this time).
>     2. CTV is mainly sold for its usage inside vaults. While i'm not
> convinced, a few more vbytes should not
>        matter for this usecase.
>
> Also, it's not 33 extra vbytes vs CTV-in-segwitv0, but 33 extra * witness
> units* (8.25 vbytes).
> Aside, you can also use the internal key optimization with APO. But i
> don't think it's desirable just to save
> 32 WU, as you can't have NUMS-ness then. [3]
>
>
> 4. Higher network-wide full-node validation costs (checking a signature is
> quite more expensive than hashing, and the hashing is done in both cases).
>
>
> Are APO signatures more expensive to verify? If not i don't think this
> should be a reason to constrain us to a
> much less useful construction, as the cost for the network of validating
> signatures already exists today. Even
> if it didn't, the tradeoff of cost/usefulness needs to be considered.
>
>
> 5. As APO is currently spec'd, it would suffer from the half-spend
> problem: if you have multiple outputs encumbered under an APO covenant that
> requires the same tx sigmsg hash, it becomes possible to spend all of them
> together as multiple inputs in a single transaction and burn the extra to
> mining fees.
>
> If I'm not mistaken, I believe this makes the simple-apo-vault
> implementation [1] vulnerable to spending multiple vaulted outputs of the
> same denomination together and burning all but the first one. I asked the
> author for a more definitive answer on twitter [2].
>
> Fixing this requires amending BIP 118 with some new sigmsg flags (making
> the ANYONECANPAY behaviour optional, as mentioned in the OP).
>
>
> Yes! And as i mentioned on Twitter also committing to the input index
> which i forgot to add in the OP here.
>
>
> While i don't think the specific points are valid, i appreciate your reply
> and your efforts to explore the
> tradeoffs between the two approaches.
>
> Thanks,
> Antoine
>
> [0]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019813.html
> [1] https://bitcoin.stackexchange.com/a/91050/101498
> [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020242.html
> [3]
> https://twitter.com/darosior/status/1518979155362254849?s=20&t=mGkw7K8mcyQwdLImFvdebw
>
>
> This is definitely possible but also means that APO as-is isn't a
> CTV-replacement candidate, without first going through some more design and
> review iterations.
>
> shesek
>
>
> [0]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020326.html
> [1] https://github.com/darosior/simple-anyprevout-vault
> [2] https://twitter.com/shesek/status/1519874493434544128
>
>
>
> On Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> I would like to know people's sentiment about doing (a very slightly
>> tweaked version of) BIP118 in place of
>> (or before doing) BIP119.
>>
>> SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for
>> over 6 years. It presents proven and
>> implemented usecases, that are demanded and (please someone correct me if
>> i'm wrong) more widely accepted than
>> CTV's.
>>
>> SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made
>> optional [0], can emulate CTV just fine.
>> Sure then you can't have bare or Segwit v0 CTV, and it's a bit more
>> expensive to use. But we can consider CTV
>> an optimization of APO-AS covenants.
>>
>> CTV advocates have been presenting vaults as the flagship usecase.
>> Although as someone who've been trying to
>> implement practical vaults for the past 2 years i doubt CTV is necessary
>> nor sufficient for this (but still
>> useful!), using APO-AS covers it. And it's not a couple dozen more
>> virtual bytes that are going to matter for
>> a potential vault user.
>>
>> If after some time all of us who are currently dubious about CTV's stated
>> usecases are proven wrong by onchain
>> usage of a less efficient construction to achieve the same goal, we could
>> roll-out CTV as an optimization. In
>> the meantime others will have been able to deploy new applications
>> leveraging ANYPREVOUT (Eltoo, blind
>> statechains, etc..[1]).
>>
>>
>> Given the interest in, and demand for, both simple covenants and better
>> offchain protocols it seems to me that
>> BIP118 is a soft fork candidate that could benefit more (if not most of)
>> Bitcoin users.
>> Actually i'd also be interested in knowing if people would oppose the
>> APO-AS part of BIP118, since it enables
>> CTV's features, for the same reason they'd oppose BIP119.
>>
>>
>> [0] That is, to not commit to the other inputs of the transaction (via
>> `sha_sequences` and maybe also
>> `sha_amounts`). Cf
>> https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message
>> .
>>
>> [1] https://anyprevout.xyz/ "Use Cases" section
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
>

--000000000000c2ea2105ddc868c8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><span class=3D"gmail-im"><div><span>&gt; This is *literall=
y* what the post you are replying to is proposing to solve.</span></div><di=
v><span><br></span></div></span><div><span>I
 thought the changes mentioned in the OP (+ committing to the spent=20
input index) only solves the half-spend problem, but not the stable=20
txids one?<br></span></div><div><span><br></span></div><div><span></span></=
div><div><span>There
 can be other inputs with a scriptSig, which doesn&#39;t get committed to i=
n
 the APO hash. I guess this isn&#39;t too common, but there might be some c=
ases=20
where you would want to spend some (pre-selected) non-segwit inputs=20
alongside your covenant, maybe for fees. With CTV you would pre-commit=20
to the scriptSig which makes it non-malleable even if the script itself=20
is.</span></div><div><span><br></span></div><span class=3D"gmail-im"><div><=
span>&gt; Hmm? You can&#39;t have channel factories without Eltoo. (Well, y=
ou can in theory but good luck.)</span></div><div><span>&gt; Maybe you are =
refering to non-interactive channel creation?</span></div><div><span><br></=
span></div></span><div><span>I
 was referring to what BIP 119 calls &#39;Batched Channel Creation&#39; [0]=
,=20
which is a sort of a channel factory construction under a broader=20
definition (and in fact was previously called that in the BIP [1]).</span><=
/div><span class=3D"gmail-im"><div><span><br></span></div><div><span>&gt; T=
he case for stable txids is less strong if we have APO (and therefore Eltoo=
).</span></div><div><span><br></span></div></span><div><span>There&#39;s me=
rit in using these factory constructs for Poon-Dryja channels even if Eltoo=
 was available.</span></div><div><span>I don&#39;t foresee Eltoo taking ove=
r <span>the penalty approach entirely, but rather the two living side by si=
de.<br></span></span></div><div><span><span><br></span></span></div><div><s=
pan><span>(It could theoretically be possible to use APO to open <span>Poon=
-Dryja channels on top of unstable funding txids, but</span>
 having stable txids makes this much more easily integratable with=20
existing lightning implementations, without the invasive changes that=20
unstable txids would bring.)<br></span></span></div><div><span><span><br></=
span></span></div><div><span class=3D"gmail-im"><span><span><span>&gt; This=
 has been addressed over and over and over again. If a QC is able overnight=
 to spend a large fraction of</span></span></span><div><span>&gt; the suppl=
y, your coins in your super non-QC-vulnerable-bare-CTV-covenant (that would=
 eventually become</span></div><div><span>&gt; vulnerable when trying to us=
e it) are worthless.</span></div><div><span><br></span></div></span><div><s=
pan>It
 might be the case that a sufficient fraction of supply does switch over
 to QC-protected outputs in time, with only some small minority that=20
didn&#39;t actively switch over <i>and</i> with revealed bare pubkeys losin=
g
 their funds, which wouldn&#39;t make BTC entirely worthless. It makes sens=
e
 not to want to be in that minority, ideally without requiring further=20
time-sensitive active action (esp if considering long-term deep cold=20
storage for inheritance etc).</span></div><div><span><br></span></div><div>=
<span>(This of course assumes a safe<span> post-QC</span>
 mechanism to later spend these funds; IIUC there are some viable=20
approaches for that using a two-step spending procedure, where you prove
 knowledge of the pubkey/script preimage while commiting to a future=20
tx.)<br></span></div><span class=3D"gmail-im"><div><br></div><div><span>&gt=
; Sorry for being sarcastic, but at this point it&#39;s not fair to use qua=
ntum-computer FUD to justify the</span></div><span>&gt; activation of CTV o=
ver APO, or encourage the use of legacy transactions over Taproot ones.</sp=
an></span></div><div><span><br></span></div><div><span>Sorry if it came off=
 as FUDing. I don&#39;t know enough to hold a strong <span>opinion</span>
 on whether the fear of QCs is justified or not. I know that many people
 on this list don&#39;t think so, but I also think that this fear is=20
prevalent enough to warrant taking it into consideration (at least for=20
features that target <span>long-term </span>SoV use cases; less so for feat=
ures targeted at L2 MoE applications like lightning spacechains paypools et=
c).<br></span></div><div><span><br></span></div><div><span>&gt; <span><span=
> you can also use the internal key optimization .. </span>you can&#39;t ha=
ve NUMS-ness then<br><br></span></span></div><div><span><span>Right, which =
makes this unsuitable for the vaulting use case.<br></span></span></div><sp=
an class=3D"gmail-im"><div><span><br></span></div><div><span>&gt;</span><sp=
an> Also, it&#39;s not 33 extra vbytes vs CTV-in-segwitv0, but 33 extra * w=
itness units* (8.25 vbytes).</span></div><div><span><br></span></div></span=
><div><span>Ugh yes sorry about that! I realized after hitting send and mea=
nt to clarify that it should&#39;ve been <span style=3D"font-family:monospa=
ce">s/vbyte/WU/</span> in my next reply.<br></span></div><div><span><br></s=
pan></div><div><span>&gt; <span>Are APO signatures more expensive to verify=
? .. <span>the cost for the network of validating signatures already exists=
 today</span></span></span></div><div><span><span><br></span></span></div><=
div><span><span>Not compared to existing signature verifications, but compa=
red to a CTV/TXHASH-like construction.</span></span></div><div><span><span>=
<br></span></span></div><div><span><span>Can anyone quantify how much of a =
difference this makes in practice?<br></span></span></div><span class=3D"gm=
ail-im"><div><span><br></span></div><div><span>&gt; <span><span>i appreciat=
e your reply and your efforts to explore the</span><span> tradeoffs between=
 the two approaches.</span></span></span></div><div><span><span><span><br><=
/span></span></span></div></span><div><span><span><span>Thank you, I apprec=
iate your efforts on this too :-)<br></span></span></span></div><div><span>=
<span><span><br></span></span></span></div><div><span><span><span>shesek<br=
></span></span></span></div><div><span><br></span></div><div><span>[0] <a h=
ref=3D"https://github.com/bitcoin/bips/blob/master/bip-0119.mediawiki#Batch=
ed_Channel_Creation" target=3D"_blank">https://github.com/bitcoin/bips/blob=
/master/bip-0119.mediawiki#Batched_Channel_Creation</a></span></div><div><s=
pan>[1] <a href=3D"https://github.com/bitcoin/bips/pull/1273" target=3D"_bl=
ank">https://github.com/bitcoin/bips/pull/1273</a></span></div></div><br><d=
iv class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Apr =
29, 2022 at 11:31 AM darosior &lt;<a href=3D"mailto:darosior@protonmail.com=
">darosior@protonmail.com</a>&gt; wrote:<br></div><blockquote class=3D"gmai=
l_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,20=
4,204);padding-left:1ex"><div>Hi Shesek,</div><div><br>
        <blockquote type=3D"cite">
            <div dir=3D"ltr"><div>1. The resulting txids are not stable.</d=
iv></div></blockquote><div><br></div><div>This is *literally* what the post=
 you are replying to is proposing to solve.</div><div><br></div><div><br></=
div><blockquote type=3D"cite"><div dir=3D"ltr"><div>This property could be =
important for some of the proposed CTV use-cases, like channel factories.</=
div></div></blockquote><div><br></div><div></div><span>Hmm? You can&#39;t h=
ave channel factories without Eltoo. (Well, you can in theory but good luck=
.)</span><div><span>Maybe you are refering to non-interactive channel creat=
ion? The case for stable txids is less strong if we</span></div><span>have =
APO (and therefore Eltoo). [0]</span><div><br></div><div><br></div><blockqu=
ote type=3D"cite"><div dir=3D"ltr"><div><div><div>2. APO will only be avail=
able on Taproot, which some people might prefer
 to avoid for long-term multi-decade vault storage due to QC concerns. (als=
o see my previous post on this thread [0])<br></div></div></div></div></blo=
ckquote><div><br></div><div></div><span></span><span>This has been addresse=
d over and over and over again. If a QC is able overnight to spend a large =
fraction of</span><div><span>the supply, your coins in your super non-QC-vu=
lnerable-bare-CTV-covenant (that would eventually become</span></div><div><=
span>vulnerable when trying to use it) are worthless.[1]</span></div><div><=
br></div><div><span>Sorry for being sarcastic, but at this point it&#39;s n=
ot fair to use quantum-computer FUD to justify the</span></div><span>activa=
tion of CTV over APO, or encourage the use of legacy transactions over Tapr=
oot ones.</span><span></span><div></div><div><br></div><div><br></div><bloc=
kquote type=3D"cite"><div dir=3D"ltr"><div><div><div>3. Higher witness sati=
sfaction cost of roughly 3x vbytes vs CTV-in-Taproot (plus 33 extra vbytes =
vs CTV-in-segwitv0 <i>in the case of a single CTV branch</i>, for the tapro=
ot control block. with more branches CTV-in-taproot eventually becomes pref=
erable).</div></div></div></div></blockquote><div><br></div><div></div><spa=
n></span><span>Again, this is what my post discusses. Here are the argument=
s from my post about why i don&#39;t think it&#39;s a big deal:</span><div>=
<br></div><div><span>=C2=A0 =C2=A0 1. You can in this case see CTV as an op=
timization of (tweaked) APOAS. A lot of us are doubtful about CTV</span></d=
iv><div><span>=C2=A0 =C2=A0 =C2=A0 =C2=A0usecases for real people. So much =
that it was even proposed to temporarily activate it to see if it would</sp=
an></div><div><span>=C2=A0 =C2=A0 =C2=A0 =C2=A0ever have any real traction!=
 [2]</span></div><div><span>=C2=A0 =C2=A0 =C2=A0 =C2=A0My point with this p=
ost was: what if we do (a slightly tweaked) BIP118, that is otherwise usefu=
l. And</span></div><div><span>=C2=A0 =C2=A0 =C2=A0 =C2=A0if this use of cov=
enants is really getting traction then we can roll out an optimization in t=
he form of</span></div><div><span>=C2=A0 =C2=A0 =C2=A0 =C2=A0CTV (or better=
 covenants, as we&#39;d have had more research put into it by this time).</=
span></div><div><span>=C2=A0 =C2=A0 2. CTV is mainly sold for its usage ins=
ide vaults. While i&#39;m not convinced, a few more vbytes should not</span=
></div><div><span>=C2=A0 =C2=A0 =C2=A0 =C2=A0matter for this usecase.</span=
></div><div><br></div><div><span>Also, it&#39;s not 33 extra vbytes vs CTV-=
in-segwitv0, but 33 extra * witness units* (8.25 vbytes).</span></div><div>=
<span>Aside, you can also use the internal key optimization with APO. But i=
 don&#39;t think it&#39;s desirable just to save</span></div><span>32 WU, a=
s you can&#39;t have NUMS-ness then. [3]</span><div><br></div><div><br></di=
v><blockquote type=3D"cite"><div dir=3D"ltr"><div><div><div>4. Higher netwo=
rk-wide full-node validation costs (checking a signature is quite more expe=
nsive than hashing, and the hashing is done in both cases).</div></div></di=
v></div></blockquote><div><br></div><div><span>Are APO signatures more expe=
nsive to verify? If not i don&#39;t think this should be a reason to constr=
ain us to a</span><div><span>much less useful construction, as the cost for=
 the network of validating signatures already exists today. Even</span></di=
v><span>if it didn&#39;t, the tradeoff of cost/usefulness needs to be consi=
dered.</span><br></div><div><br></div><div><br></div><blockquote type=3D"ci=
te"><div dir=3D"ltr"><div><div>5. As APO is currently spec&#39;d, it would =
suffer from the half-spend problem: if you
have multiple outputs encumbered under an APO covenant that requires the
 same tx sigmsg hash, it becomes possible to spend all of them together
as multiple inputs in a single transaction and burn the extra to mining
fees.</div><div><br></div><div><div>If I&#39;m not
mistaken, I believe this makes the simple-apo-vault implementation [1]
vulnerable to spending multiple vaulted outputs of the same denomination
 together and burning all but the first one. I asked the author for a
more definitive answer on twitter [2].</div><div><br></div><div>Fixing this=
 requires amending BIP 118 with some new sigmsg flags (making the ANYONECAN=
PAY behaviour optional, as mentioned in the OP).</div></div></div></div></b=
lockquote><div><br></div><div>Yes! And as i mentioned on Twitter also commi=
tting to the input index which i forgot to add in the OP here.</div><div><b=
r></div><div><br></div><div></div><span><span>While i don&#39;t think the s=
pecific points are valid, i appreciate your reply and your efforts to explo=
re the</span><br><span>tradeoffs between the two approaches.</span><br></sp=
an></div><div><br></div><div><div>Thanks,<br>Antoine</div><div><br><span>[0=
] <span><a rel=3D"noreferrer nofollow noopener" href=3D"https://lists.linux=
foundation.org/pipermail/bitcoin-dev/2022-January/019813.html" target=3D"_b=
lank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/=
019813.html</a><br></span></span></div><div>[1] <span><a rel=3D"noreferrer =
nofollow noopener" href=3D"https://bitcoin.stackexchange.com/a/91050/101498=
" target=3D"_blank">https://bitcoin.stackexchange.com/a/91050/101498</a></s=
pan></div><div><span>[2] <span><a rel=3D"noreferrer nofollow noopener" href=
=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/0202=
42.html" target=3D"_blank">https://lists.linuxfoundation.org/pipermail/bitc=
oin-dev/2022-April/020242.html</a></span></span><br><span>[3] <span><a rel=
=3D"noreferrer nofollow noopener" href=3D"https://twitter.com/darosior/stat=
us/1518979155362254849?s=3D20&amp;t=3DmGkw7K8mcyQwdLImFvdebw" target=3D"_bl=
ank">https://twitter.com/darosior/status/1518979155362254849?s=3D20&amp;t=
=3DmGkw7K8mcyQwdLImFvdebw</a></span></span><br></div><div><br></div><div><b=
r></div><blockquote type=3D"cite"><div dir=3D"ltr"><div><div><div>This is d=
efinitely possible but also means that APO as-is isn&#39;t a CTV-replacemen=
t candidate, without first going through some more design and review iterat=
ions.</div><div><br></div><div>shesek</div><div><br></div></div></div><div>=
<br></div><div>[0] <a href=3D"https://lists.linuxfoundation.org/pipermail/b=
itcoin-dev/2022-April/020326.html" rel=3D"noreferrer nofollow noopener" tar=
get=3D"_blank">https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022=
-April/020326.html</a></div><div></div><div>[1] <a href=3D"https://github.c=
om/darosior/simple-anyprevout-vault" rel=3D"noreferrer nofollow noopener" t=
arget=3D"_blank">https://github.com/darosior/simple-anyprevout-vault</a></d=
iv><div>[2] <a href=3D"https://twitter.com/shesek/status/151987449343454412=
8" rel=3D"noreferrer nofollow noopener" target=3D"_blank">https://twitter.c=
om/shesek/status/1519874493434544128</a></div><div><br></div><div><br></div=
></div><br><div class=3D"gmail_quote"><div class=3D"gmail_attr" dir=3D"ltr"=
>On Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev &lt;<a href=3D"ma=
ilto:bitcoin-dev@lists.linuxfoundation.org" rel=3D"noreferrer nofollow noop=
ener" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote=
:<br></div><blockquote style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so=
lid rgb(204,204,204);padding-left:1ex" class=3D"gmail_quote">I would like t=
o know people&#39;s sentiment about doing (a very slightly tweaked version =
of) BIP118 in place of<br>
(or before doing) BIP119.<br>
<br>
SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for ove=
r 6 years. It presents proven and<br>
implemented usecases, that are demanded and (please someone correct me if i=
&#39;m wrong) more widely accepted than<br>
CTV&#39;s.<br>
<br>
SIGHASH_ANYPREVOUTANYSCRIPT, if its &quot;ANYONECANPAY&quot; behaviour is m=
ade optional [0], can emulate CTV just fine.<br>
Sure then you can&#39;t have bare or Segwit v0 CTV, and it&#39;s a bit more=
 expensive to use. But we can consider CTV<br>
an optimization of APO-AS covenants.<br>
<br>
CTV advocates have been presenting vaults as the flagship usecase. Although=
 as someone who&#39;ve been trying to<br>
implement practical vaults for the past 2 years i doubt CTV is necessary no=
r sufficient for this (but still<br>
useful!), using APO-AS covers it. And it&#39;s not a couple dozen more virt=
ual bytes that are going to matter for<br>
a potential vault user.<br>
<br>
If after some time all of us who are currently dubious about CTV&#39;s stat=
ed usecases are proven wrong by onchain<br>
usage of a less efficient construction to achieve the same goal, we could r=
oll-out CTV as an optimization.  In<br>
the meantime others will have been able to deploy new applications leveragi=
ng ANYPREVOUT (Eltoo, blind<br>
statechains, etc..[1]).<br>
<br>
<br>
Given the interest in, and demand for, both simple covenants and better off=
chain protocols it seems to me that<br>
BIP118 is a soft fork candidate that could benefit more (if not most of) Bi=
tcoin users.<br>
Actually i&#39;d also be interested in knowing if people would oppose the A=
PO-AS part of BIP118, since it enables<br>
CTV&#39;s features, for the same reason they&#39;d oppose BIP119.<br>
<br>
<br>
[0] That is, to not commit to the other inputs of the transaction (via `sha=
_sequences` and maybe also<br>
`sha_amounts`). Cf <a rel=3D"noreferrer nofollow noopener" href=3D"https://=
github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message" t=
arget=3D"_blank">https://github.com/bitcoin/bips/blob/master/bip-0118.media=
wiki#signature-message</a>.<br>
<br>
[1] <a rel=3D"noreferrer nofollow noopener" href=3D"https://anyprevout.xyz/=
" target=3D"_blank">https://anyprevout.xyz/</a> &quot;Use Cases&quot; secti=
on<br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" rel=3D"noreferrer =
nofollow noopener" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org<=
/a><br>
<a rel=3D"noreferrer nofollow noopener" href=3D"https://lists.linuxfoundati=
on.org/mailman/listinfo/bitcoin-dev" target=3D"_blank">https://lists.linuxf=
oundation.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>

        </blockquote><br>
    </div></blockquote></div>

--000000000000c2ea2105ddc868c8--