1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
|
Return-Path: <jlrubin@mit.edu>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
by lists.linuxfoundation.org (Postfix) with ESMTP id E85D1C001E
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 11 Jan 2022 03:43:07 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id C89B34099E
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 11 Jan 2022 03:43:07 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Level:
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3,
RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id k-xlahilS-Eh
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 11 Jan 2022 03:43:05 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
by smtp4.osuosl.org (Postfix) with ESMTPS id 8FA50409A6
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 11 Jan 2022 03:43:05 +0000 (UTC)
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com
[209.85.167.42]) (authenticated bits=0)
(User authenticated as jlrubin@ATHENA.MIT.EDU)
by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 20B3h2U5021777
(version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT)
for <bitcoin-dev@lists.linuxfoundation.org>; Mon, 10 Jan 2022 22:43:03 -0500
Received: by mail-lf1-f42.google.com with SMTP id br17so20470541lfb.6
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 10 Jan 2022 19:43:03 -0800 (PST)
X-Gm-Message-State: AOAM532tFFYoTko7aN1/So6r42O0CopBKDtFbGxeXp+aEs8HNiMvr3X2
sz7TzaeZuhhOcpKjceRjNL/xYizQ/gwv58X3Q64=
X-Google-Smtp-Source: ABdhPJz5bJa2yi4F38KmEAGHdLOVqEzUWK79Bp9l5aLbMi4jNU7+tmX6bQuCNaYZ+YC8PkeciK1mK8wxywxNcL6JA1w=
X-Received: by 2002:a05:6512:31c7:: with SMTP id
j7mr1828462lfe.363.1641872581818;
Mon, 10 Jan 2022 19:43:01 -0800 (PST)
MIME-Version: 1.0
References: <XuO20TMFGBqz53WYWxi9bgAdB3iGmqEIUE84AupRxCpHQVd3-YbGVzZUFz21dOgb_AgwlGWaruzE8NGxhes6HCKHpRZLmL1d1kNu1yobAIU=@protonmail.com>
<YdrJJ3VxoxHVgg7Y@petertodd.org>
In-Reply-To: <YdrJJ3VxoxHVgg7Y@petertodd.org>
From: Jeremy <jlrubin@mit.edu>
Date: Mon, 10 Jan 2022 19:42:50 -0800
X-Gmail-Original-Message-ID: <CAD5xwhi=H0Nft4Jbqhd3=89BhAB2JLoTc=mPhdcQkoQxa1sAUg@mail.gmail.com>
Message-ID: <CAD5xwhi=H0Nft4Jbqhd3=89BhAB2JLoTc=mPhdcQkoQxa1sAUg@mail.gmail.com>
To: Peter Todd <pete@petertodd.org>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000017f8105d54640dc"
Subject: Re: [bitcoin-dev] Stumbling into a contentious soft fork activation
attempt
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jan 2022 03:43:08 -0000
--000000000000017f8105d54640dc
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Peter,
Thank you for your review and feedback.
Apologies for the difficulties in reviewing. The branch linked from the BIP
is not the latest, the branch in the PR is what should be considered
https://github.com/bitcoin/bitcoin/pull/21702 for review and has more
thorough well documented tests and test vectors. The version you reviewed
should still be compatible with the current branch as there have not been
any spec changes, though.
I'm not sure what best practice is w.r.t. linking to BIPs and
implementations given need to rebase and respond to feedback with changes.
Appreciate any pointers on how to better solve this. For the time being, I
will suggest an edit to point it to the PR, although I recognize this is
not ideal. I understand your preference for a commit hash and can do one if
it helps. For what it's worth, the taproot BIPs do not link to a reference
implementation of Taproot so I'm not sure what best practice is considered
these days.
One note that is unfortunate in your review is that there is a
discrepancy between the BIP and the implementation (the original reference
or the current PR either) in that caching and DoS is not addressed. This
was an explicit design goal of CTV and for it not to be mentioned in the
BIP (and just the reference) is an oversight on my part to not aid
reviewers more explicitly. Compounding this, I accepted a third-party PR to
make the BIP more clear as to what is required to implement it that does
not have caching (functional correctness), that exposes the issue if
implemented by the BIP directly and not by the reference implementation. I
have explained this in a review last year to pyskell
<https://github.com/bitcoin/bitcoin/pull/21702#discussion_r616853690> on
the PR that caching is required for non-DoS. I will add a note to the BIP
about the importance of caching to avoid DoS as that should make third
party implementers aware of the issue.
That said, this is not a mis-considered part of CTV. The reference
implementation is specifically designed to not have quadratic hashing and
CTV is designed to be friendly to caching to avoid denial of service. It's
just a part of the BIP that can be more clear. I will make a PR to more
clearly describe how that should happen.
------
use cases
------
One thing that's not clear to me is the amount of work a BIP needs to do
within itself to fully describe all applications and use cases. I don't
think it's appropriate for most BIPs to do so, but in some cases it is a
good idea. However, for CTV the applications actually are relatively
fleshed out, just outside the BIP. Further, the availability of generic
tooling through Sapio and it's examples has demonstrated how one might
build a variety of applications. See rubin.io/advent21 for numerous worked
examples.
## Congestion Controlled Transactions
Generally, the existence of these transactions can be tracked using
existing wallets if the transaction is seen in the mempool, it will be
marked as "mine" and can even be marked as "trusted". See
https://utxos.org/analysis/taxes/ which covers the legal obligations of
senders with respect to payees under congestion control. Generally, a
legally identifiable party such as an exchange sending a congestion control
payment must retain and serve it to the user to prove that they made
payment to the user. Users of said exchanges can either download a list of
their transactions at the time of withdrawal or they can wait to see it
e.g. in the mempool. This was also discussed at
https://diyhpl.us/wiki/transcripts/ctv-bip-review-workshop/ where you can
see notes/videos of what was discussed if the notes are hard to parse.
Lightning specific wallets such as Muun and LND particularly plan to use
CTV to batch-open a multitude of channels for users, using both congestion
control and non-interactive batching. Channels have to be opened on-chain
and if channels are to be the future so will on-chain opening of them.
These wallets can be built out to track and receive these opening proofs.
## Wallet Vaults
There exists at least 3 implementations of Vaults using CTV (one by me in
C++, one by me in Sapio, another by Bryan Bishop in python), and there
exist oracles as you mention for emulating it.
## Payment Channels
Actually taking advantage of them is quite simple and has been discussed
and reviewed with a number of independent lightning developers.
You can see here a rudimentary implementation and description of how it can
work https://rubin.io/bitcoin/2021/12/11/advent-14/.
This is composable with any `impl Revokable` channel update specification
so generalizes to Lightning.
Of course, making it production grade requires a lot of work, but the
concept is sound.
## CoinJoin
CTV trees may mean more transactions, not less, but if feerates are not
monotonic and CTV allows you to defer the utilization of chainspace.
CTV CoinJoins also open the opportunity to cooperation through payment
pools (which can be opened via a coinjoin), which saves further space.
The opportunity to use embedded non-interactive channels (technically, this
is a part of payment pools) also further decreases the urgency of getting a
UTXO out.
Lastly, while it is a slight privacy leak, CTV also allows coin-joiners of
different fee-priority levels to batch together where previously they would
not have incentive to (see https://utxos.org/analysis/batching_sim/). This
does use overall less chainspace total than if it is not incentive
compatible to batch together. While this is a slight privacy leak, it is
not that large since the batches would otherwise be unable to join together
(worse) and priority is still unlinked from the inputs. Further, priority
already leaks through the observability of coins being spent anyways.
# Covenant Design Trade-Offs and Risks
The important part is the the covenant -- regardless of its length -- must
be entirely known in advance. CTV is a fully enumerated non-recursive
validation-only non-dynamic state covenant. This limits the types of issues
that can arise.
Useful links:
https://medium.com/block-digest-mempool/my-worries-about-too-generalized-co=
venants-5eff33affbb6
https://rubin.io/bitcoin/2021/12/04/advent-7/
--
@JeremyRubin <https://twitter.com/JeremyRubin>
<https://twitter.com/JeremyRubin>
On Mon, Jan 10, 2022 at 10:31 AM Peter Todd via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Mon, Jan 03, 2022 at 02:05:20AM +0000, Michael Folkson via bitcoin-dev
> wrote:
> > There have been a number of =E2=80=9Csoft signals=E2=80=9D, many expres=
sing enthusiasm
> for the speculated use cases of OP_CTV. Personally I share that enthusias=
m
> like I do with the prospect of curing cancer. But these soft signals seem
> as if they are going to be used to attempt to justify an imminent
> contentious soft fork attempt. The devil is in the details both with
> regards to wording like =E2=80=9Creasonable parameters=E2=80=9D and the u=
tility and safety
> of a new opcode. Indeed if you share my concerns that there has not been
> sufficient scrutiny and research on the long implications of this proposa=
l
> I encourage you to register a soft signal of =E2=80=9CNo=E2=80=9D on the =
site like I have.
> You can always change it to =E2=80=9CYes=E2=80=9D if and when you support=
an imminent soft
> fork activation attempt containing exclusively OP_CTV. Enabling covenants
> on Bitcoin is a big step change with barely any existing research on the
> topic and attempting to rush it through by the back door so soon after
> Taproot activation should be resisted. To look at the ~200 lines of code
> for the opcode exclusively (of course this should be done too) in a vacuu=
m
> without considering the broader implications is also incredibly
> shortsighted. The only thing stopping a descent into Ethereum style seat =
of
> our pants consensus changes is community vigilance. If we ever lose that =
we
> lose the foundation of this industry.
>
> I have to second your objections.
>
> I spent a bit of time over the past week looking at the current state of
> OP_CTV/BIP-0119, and I too think it's a premature idea with an
> insufficient BIP
> and reference implementation, that current lacks compelling use-cases
> clearly
> beneficial to all users.
>
> Remember that Bitcoin is a nearly $1 trillion network with tens of
> millions of
> users that has gotten to that point with careful, conservative engineerin=
g.
> Every change to the protocol poses risks to those users. Previous feature
> upgrades to the Bitcoin protocol have always been done with the intent of
> improving the protocol for everyone: CSV/segwit benefit all users via
> Lightning, because we can reasonably all users to directly take advantage
> of
> those features. We expect _everyone_ to benefit from Taproot via improved
> privacy. I don't think CTV in its current form makes that case
> sufficiently,
> and the technical details are lacking.
>
>
>
> As for some more detailed thoughts, for clarify, I'm referring to:
>
>
> https://github.com/bitcoin/bips/blob/3693cdfd192dacdac89cd742f68cd1bb96bf=
7f7e/bip-0119.mediawiki
>
> https://github.com/JeremyRubin/bitcoin/tree/8f313d292e426a74d9ce28e5130bb=
f0cd48f867e
>
> By no means is this a complete list of issues:
>
> # DoS Attacks
>
> Note how above I cited the git hashes to make it clear what exactly I'm
> referring too: the fact that the reference implementation is listed as
> https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify in the
> BIP is
> an immediate problem, as it's not clear what exactly is the specification=
.
>
> This in turn matters quite a lot, because the BIP itself glosses over the
> quite
> serious DoS attack issues involved in adding more ways that opcodes can
> hash
> txs. Strong resistance to DoS attacks is a _mandatory_ aspect of all
> Bitcoin
> script proposals, so leaving those details to a mostly uncommented
> reference
> implementation without a clear discussion of those trade-offs is
> insufficient.
>
>
> # Use Cases
>
> As Folkson notes, these are barely fleshed out:
>
> ## Congestion Controlled Transactions
>
> While this section appears somewhat fleshed out, with even a simulation, =
it
> completely ignores the numerous practical issues like the need for
> communication channels between wallets to inform them of the existence of
> these
> batches. It also raises an important question: who needs this? On-chain
> transactions are clearly not the future of Bitcoin and this use-case will
> likely impact a small % of users.
>
>
> ## Wallet Vaults
>
> This use-case can be easily tested, even in production, right now with
> additional "oracle" signers that simply verify the CTV rules have been
> followed.
>
>
> ## Payment Channels
>
> These use-cases sound promising. But they all need to be clearly fleshed
> out as
> actually taking advantage of them is quite complex.
>
>
> ## CoinJoin
>
> > because participants agree on a single output which pays all
> participants,
> > which will be lower fee than before
>
> It is not clear how the fee will be lower, given that taking advantage of
> CTV
> means there are more transactions, not less.
>
>
> # Covenant Design Trade-Offs and Risks
>
> > Covenants have historically been controversial given their potential fo=
r
> > fungibility risks -- coins could be minted which have a permanent
> restriction
> > on how they may or may not be spent or required to propagate metadata.
>
> Indeed, this is a significant risk with the potential to harm all Bitcoin
> users.
>
> > In the CHECKTEMPLATEVERIFY approach, the covenants are severely
> restricted to
> > simple templates. The structure of CHECKTEMPLATEVERIFY template is such
> that
> > the outputs must be known exactly at the time of construction. Based on=
a
> > destructuring argument, it is only possible to create templates which
> expand
> > in a finite number of steps. Thus templated transactions are in theory =
as
> > safe as transactions which create all the inputs directly in this regar=
d.
>
> The "finite" number of steps could be millions of transactions -
> "infinitely
> long" for any practical purpose.
>
>
> # Test Vectors
>
> Currently the testing is poorly documented, without clear goals as to wha=
t
> edge
> cases are actually being tested:
>
> https://github.com/JeremyRubin/bitcoin/commit/e026bae28a774d91effc32862d0=
246286c114c24
>
> Also, we really need test _vectors_ rather than a Python test: for
> consenus,
> you want to write down explicitly the *data* in the form of serialized
> transactions that is being fed into the consensus engine, to avoid
> mistakes in
> test coverage due to broken test harnesses.
>
> --
> https://petertodd.org 'peter'[:-1]@petertodd.org
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--000000000000017f8105d54640dc
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:arial,he=
lvetica,sans-serif;font-size:small;color:#000000">Hi Peter,</div><div class=
=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-siz=
e:small;color:#000000"><br></div><div class=3D"gmail_default" style=3D"font=
-family:arial,helvetica,sans-serif;font-size:small;color:#000000">Thank you=
for your review and feedback.</div><div class=3D"gmail_default" style=3D"f=
ont-family:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></=
div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-=
serif;font-size:small;color:#000000">Apologies for the difficulties in revi=
ewing. The branch linked from the BIP is not the latest, the branch in the =
PR is what should be considered=C2=A0<a href=3D"https://github.com/bitcoin/=
bitcoin/pull/21702" target=3D"_blank">https://github.com/bitcoin/bitcoin/pu=
ll/21702</a> for review and has more thorough well documented tests and tes=
t vectors. The version you reviewed should still be compatible with the cur=
rent branch as there have not been any spec changes, though.</div><div clas=
s=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-si=
ze:small;color:#000000"><br></div>I'm not sure what best practice is w.=
r.t. linking to BIPs and implementations given need to rebase and respond t=
o feedback with changes. Appreciate any pointers on how to better solve thi=
s. For the time being, I will suggest an edit to point it to the PR, althou=
gh I recognize this is not ideal. I understand your preference for a commit=
hash and can do one<span class=3D"gmail_default" style=3D"font-family:aria=
l,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)"> if it helps. For =
what it's worth, the taproot BIPs do not link to a reference implementa=
tion of Taproot so I'm not sure what best practice is considered these =
days.</span><div><br></div><div><div class=3D"gmail_default" style=3D"font-=
family:arial,helvetica,sans-serif;font-size:small;color:#000000">One note t=
hat is unfortunate in your review is that there is a discrepancy=C2=A0betwe=
en the BIP and the implementation (the original reference or the current PR=
either) in that caching and DoS is not addressed. This was an explicit des=
ign goal of CTV and for it not to be mentioned in the BIP (and just the ref=
erence) is an oversight on my part to not aid reviewers more explicitly. Co=
mpounding this, I accepted a third-party PR to make the BIP more clear as t=
o what is required to implement it that does not have caching (functional c=
orrectness), that exposes the issue if implemented by the BIP directly and =
not by the reference implementation. I have explained this in a <a href=3D"=
https://github.com/bitcoin/bitcoin/pull/21702#discussion_r616853690" target=
=3D"_blank">review last year to pyskell</a> on the PR that caching is requi=
red for non-DoS. I will add a note to the BIP about the importance of cachi=
ng to avoid DoS as that should make third party implementers aware of the i=
ssue.</div><div class=3D"gmail_default" style=3D"font-family:arial,helvetic=
a,sans-serif;font-size:small;color:#000000"><br></div><div class=3D"gmail_d=
efault" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;col=
or:#000000">That said, this is not a mis-considered=C2=A0part of CTV. The r=
eference implementation is specifically designed to not have quadratic hash=
ing and CTV is designed to be friendly to caching to avoid denial of servic=
e. It's just a part of the BIP that can be more clear. I will make a PR=
to more clearly describe how that should happen.</div><div class=3D"gmail_=
default" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;co=
lor:#000000"><br></div><div class=3D"gmail_default" style=3D"font-family:ar=
ial,helvetica,sans-serif;font-size:small;color:#000000">------</div><div cl=
ass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-=
size:small;color:#000000">use cases</div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">-=
-----</div><div class=3D"gmail_default" style=3D"font-family:arial,helvetic=
a,sans-serif;font-size:small;color:#000000"><br></div><div class=3D"gmail_d=
efault" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;col=
or:#000000">One thing that's not clear to me is the amount of work a BI=
P needs to do within itself to fully describe all applications and use case=
s. I don't think it's appropriate for most BIPs to do so,=C2=A0but =
in some cases it is a good idea. However, for CTV the applications actually=
are relatively fleshed out, just outside the BIP. Further, the availabilit=
y of generic tooling through Sapio and it's examples has demonstrated h=
ow one might build a variety of applications. See <a href=3D"http://rubin.i=
o/advent21" target=3D"_blank">rubin.io/advent21</a> for numerous worked exa=
mples.</div><div class=3D"gmail_default" style=3D"font-family:arial,helveti=
ca,sans-serif;font-size:small;color:#000000"><br></div><div class=3D"gmail_=
default" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;co=
lor:#000000"><br></div><div class=3D"gmail_default" style=3D"font-size:smal=
l"><span style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-seri=
f">## Congestion Controlled Transactions</span><br></div><div class=3D"gmai=
l_default" style=3D"font-size:small"><span style=3D"color:rgb(34,34,34);fon=
t-family:Arial,Helvetica,sans-serif"><br></span></div><div class=3D"gmail_d=
efault" style=3D"font-size:small">Generally, the existence of these transac=
tions can be tracked using existing wallets if the transaction is seen in t=
he mempool, it will be marked as "mine" and can even be marked as=
"trusted". See <a href=3D"https://utxos.org/analysis/taxes/" tar=
get=3D"_blank">https://utxos.org/analysis/taxes/</a> which covers the legal=
obligations of senders with respect to payees under congestion control. Ge=
nerally, a legally identifiable party such as an exchange sending a congest=
ion control payment must retain and serve it to the user to prove that they=
made payment to the user. Users of said exchanges can either download a li=
st of their transactions at the time of withdrawal or they can wait to see =
it e.g. in the mempool. This was also discussed at=C2=A0<a href=3D"https://=
diyhpl.us/wiki/transcripts/ctv-bip-review-workshop/">https://diyhpl.us/wiki=
/transcripts/ctv-bip-review-workshop/</a> where you can see notes/videos of=
what was discussed if the notes are hard to parse.</div><div class=3D"gmai=
l_default" style=3D"font-size:small"><br></div><div class=3D"gmail_default"=
style=3D"font-size:small">Lightning specific wallets such as Muun and LND =
particularly plan to use CTV to batch-open a multitude of channels for user=
s, using both congestion control and non-interactive batching. Channels hav=
e to be opened on-chain and if channels are to be the future so will on-cha=
in opening of them. These wallets can be built out to track and receive the=
se opening proofs.</div><div class=3D"gmail_default" style=3D"font-size:sma=
ll"><br style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif=
"><span style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif=
">## Wallet Vaults</span><br style=3D"color:rgb(34,34,34);font-family:Arial=
,Helvetica,sans-serif"><br style=3D"color:rgb(34,34,34);font-family:Arial,H=
elvetica,sans-serif">There exists at least 3 implementations of Vaults usin=
g CTV (one by=C2=A0me in C++, one by me in Sapio, another by Bryan Bishop i=
n python), and there exist oracles as you mention for emulating it.<br styl=
e=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif"><br style=
=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif"><span style=
=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif">## Payment =
Channels</span><br style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica=
,sans-serif"><br style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,s=
ans-serif">Actually taking advantage of them is quite simple and has been d=
iscussed and reviewed with a number of independent lightning developers.=C2=
=A0<br style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-serif"=
><br>You can see here a rudimentary implementation and description of how i=
t can work=C2=A0<a href=3D"https://rubin.io/bitcoin/2021/12/11/advent-14/" =
target=3D"_blank">https://rubin.io/bitcoin/2021/12/11/advent-14/</a>.</div>=
<div class=3D"gmail_default" style=3D"font-size:small"><br></div><div class=
=3D"gmail_default" style=3D"font-size:small">This is composable with any `i=
mpl Revokable` channel update specification so generalizes to Lightning.</d=
iv><div class=3D"gmail_default" style=3D"font-size:small"><br></div><div cl=
ass=3D"gmail_default" style=3D"font-size:small">Of course, making it produc=
tion grade requires a lot of work, but the concept is sound.</div><div clas=
s=3D"gmail_default" style=3D"font-size:small"><br></div><div class=3D"gmail=
_default" style=3D"font-size:small"><br style=3D"color:rgb(34,34,34);font-f=
amily:Arial,Helvetica,sans-serif"><span style=3D"color:rgb(34,34,34);font-f=
amily:Arial,Helvetica,sans-serif">## CoinJoin</span><br style=3D"color:rgb(=
34,34,34);font-family:Arial,Helvetica,sans-serif"><br></div><div class=3D"g=
mail_default" style=3D"font-size:small"><br></div><div class=3D"gmail_defau=
lt" style=3D"font-size:small">CTV trees may mean more transactions, not les=
s, but if feerates are not monotonic and CTV allows you to defer the utiliz=
ation of chainspace.</div><div class=3D"gmail_default" style=3D"font-size:s=
mall"><br></div><div class=3D"gmail_default" style=3D"font-size:small">CTV =
CoinJoins also open the opportunity to cooperation through payment pools (w=
hich can be opened via a coinjoin), which saves further space.</div><div cl=
ass=3D"gmail_default" style=3D"font-size:small"><br></div><div class=3D"gma=
il_default" style=3D"font-size:small">The opportunity to use embedded non-i=
nteractive channels (technically, this is a part of payment pools) also fur=
ther decreases the urgency of getting a UTXO out.</div><div class=3D"gmail_=
default" style=3D"font-size:small"><br></div><div class=3D"gmail_default" s=
tyle=3D"font-size:small">Lastly, while it is a slight privacy leak, CTV als=
o allows coin-joiners of different fee-priority levels to batch together wh=
ere previously they would not have incentive to (see <a href=3D"https://utx=
os.org/analysis/batching_sim/" target=3D"_blank">https://utxos.org/analysis=
/batching_sim/</a>). This does use overall less chainspace total=C2=A0than =
if it is not incentive compatible to batch together. While this is a slight=
privacy leak, it is not that large since the batches would otherwise be un=
able to join together (worse) and priority is still unlinked from the input=
s. Further, priority already leaks through the observability of coins being=
spent anyways.=C2=A0</div><div class=3D"gmail_default" style=3D"font-size:=
small"><br style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-se=
rif"><br style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-seri=
f"><span style=3D"color:rgb(34,34,34);font-family:Arial,Helvetica,sans-seri=
f"># Covenant Design Trade-Offs and Risks</span><br style=3D"color:rgb(34,3=
4,34);font-family:Arial,Helvetica,sans-serif"><br style=3D"color:rgb(34,34,=
34);font-family:Arial,Helvetica,sans-serif">The important part is the the c=
ovenant -- regardless of its length -- must be entirely known in advance. C=
TV is a fully enumerated non-recursive validation-only non-dynamic state co=
venant. This limits the types of issues that can arise.</div><div class=3D"=
gmail_default" style=3D"font-size:small"><br></div><div class=3D"gmail_defa=
ult" style=3D"font-size:small">Useful links:</div><div class=3D"gmail_defau=
lt" style=3D"font-size:small"><a href=3D"https://medium.com/block-digest-me=
mpool/my-worries-about-too-generalized-covenants-5eff33affbb6" target=3D"_b=
lank">https://medium.com/block-digest-mempool/my-worries-about-too-generali=
zed-covenants-5eff33affbb6</a><br></div><div class=3D"gmail_default" style=
=3D"font-size:small"><a href=3D"https://rubin.io/bitcoin/2021/12/04/advent-=
7/" target=3D"_blank">https://rubin.io/bitcoin/2021/12/04/advent-7/</a><br>=
</div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,san=
s-serif;font-size:small;color:#000000"><br></div><div><div dir=3D"ltr" data=
-smartmail=3D"gmail_signature"><div dir=3D"ltr">--<br><a href=3D"https://tw=
itter.com/JeremyRubin" target=3D"_blank">@JeremyRubin</a><a href=3D"https:/=
/twitter.com/JeremyRubin" target=3D"_blank"></a></div></div></div><br></div=
></div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr"=
>On Mon, Jan 10, 2022 at 10:31 AM Peter Todd via bitcoin-dev <<a href=3D=
"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">bitcoin-de=
v@lists.linuxfoundation.org</a>> wrote:<br></div><blockquote class=3D"gm=
ail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left-width:1px;border-l=
eft-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">On Mon=
, Jan 03, 2022 at 02:05:20AM +0000, Michael Folkson via bitcoin-dev wrote:<=
br>
> There have been a number of =E2=80=9Csoft signals=E2=80=9D, many expre=
ssing enthusiasm for the speculated use cases of OP_CTV. Personally I share=
that enthusiasm like I do with the prospect of curing cancer. But these so=
ft signals seem as if they are going to be used to attempt to justify an im=
minent contentious soft fork attempt. The devil is in the details both with=
regards to wording like =E2=80=9Creasonable parameters=E2=80=9D and the ut=
ility and safety of a new opcode. Indeed if you share my concerns that ther=
e has not been sufficient scrutiny and research on the long implications of=
this proposal I encourage you to register a soft signal of =E2=80=9CNo=E2=
=80=9D on the site like I have. You can always change it to =E2=80=9CYes=E2=
=80=9D if and when you support an imminent soft fork activation attempt con=
taining exclusively OP_CTV. Enabling covenants on Bitcoin is a big step cha=
nge with barely any existing research on the topic and attempting to rush i=
t through by the back door so soon after Taproot activation should be resis=
ted. To look at the ~200 lines of code for the opcode exclusively (of cours=
e this should be done too) in a vacuum without considering the broader impl=
ications is also incredibly shortsighted. The only thing stopping a descent=
into Ethereum style seat of our pants consensus changes is community vigil=
ance. If we ever lose that we lose the foundation of this industry.<br>
<br>
I have to second your objections.<br>
<br>
I spent a bit of time over the past week looking at the current state of<br=
>
OP_CTV/BIP-0119, and I too think it's a premature idea with an insuffic=
ient BIP<br>
and reference implementation, that current lacks compelling use-cases clear=
ly<br>
beneficial to all users.<br>
<br>
Remember that Bitcoin is a nearly $1 trillion network with tens of millions=
of<br>
users that has gotten to that point with careful, conservative engineering.=
<br>
Every change to the protocol poses risks to those users. Previous feature<b=
r>
upgrades to the Bitcoin protocol have always been done with the intent of<b=
r>
improving the protocol for everyone: CSV/segwit benefit all users via<br>
Lightning, because we can reasonably all users to directly take advantage o=
f<br>
those features. We expect _everyone_ to benefit from Taproot via improved<b=
r>
privacy. I don't think CTV in its current form makes that case sufficie=
ntly,<br>
and the technical details are lacking.<br>
<br>
<br>
<br>
As for some more detailed thoughts, for clarify, I'm referring to:<br>
<br>
<a href=3D"https://github.com/bitcoin/bips/blob/3693cdfd192dacdac89cd742f68=
cd1bb96bf7f7e/bip-0119.mediawiki" rel=3D"noreferrer" target=3D"_blank">http=
s://github.com/bitcoin/bips/blob/3693cdfd192dacdac89cd742f68cd1bb96bf7f7e/b=
ip-0119.mediawiki</a><br>
<a href=3D"https://github.com/JeremyRubin/bitcoin/tree/8f313d292e426a74d9ce=
28e5130bbf0cd48f867e" rel=3D"noreferrer" target=3D"_blank">https://github.c=
om/JeremyRubin/bitcoin/tree/8f313d292e426a74d9ce28e5130bbf0cd48f867e</a><br=
>
<br>
By no means is this a complete list of issues:<br>
<br>
# DoS Attacks<br>
<br>
Note how above I cited the git hashes to make it clear what exactly I'm=
<br>
referring too: the fact that the reference implementation is listed as<br>
<a href=3D"https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify"=
rel=3D"noreferrer" target=3D"_blank">https://github.com/JeremyRubin/bitcoi=
n/tree/checktemplateverify</a> in the BIP is<br>
an immediate problem, as it's not clear what exactly is the specificati=
on.<br>
<br>
This in turn matters quite a lot, because the BIP itself glosses over the q=
uite<br>
serious DoS attack issues involved in adding more ways that opcodes can has=
h<br>
txs. Strong resistance to DoS attacks is a _mandatory_ aspect of all Bitcoi=
n<br>
script proposals, so leaving those details to a mostly uncommented referenc=
e<br>
implementation without a clear discussion of those trade-offs is insufficie=
nt.<br>
<br>
<br>
# Use Cases<br>
<br>
As Folkson notes, these are barely fleshed out:<br>
<br>
## Congestion Controlled Transactions<br>
<br>
While this section appears somewhat fleshed out, with even a simulation, it=
<br>
completely ignores the numerous practical issues like the need for<br>
communication channels between wallets to inform them of the existence of t=
hese<br>
batches. It also raises an important question: who needs this? On-chain<br>
transactions are clearly not the future of Bitcoin and this use-case will<b=
r>
likely impact a small % of users.<br>
<br>
<br>
## Wallet Vaults<br>
<br>
This use-case can be easily tested, even in production, right now with<br>
additional "oracle" signers that simply verify the CTV rules have=
been<br>
followed.<br>
<br>
<br>
## Payment Channels<br>
<br>
These use-cases sound promising. But they all need to be clearly fleshed ou=
t as<br>
actually taking advantage of them is quite complex.<br>
<br>
<br>
## CoinJoin<br>
<br>
> because participants agree on a single output which pays all participa=
nts,<br>
> which will be lower fee than before<br>
<br>
It is not clear how the fee will be lower, given that taking advantage of C=
TV<br>
means there are more transactions, not less.<br>
<br>
<br>
# Covenant Design Trade-Offs and Risks<br>
<br>
> Covenants have historically been controversial given their potential f=
or<br>
> fungibility risks -- coins could be minted which have a permanent rest=
riction<br>
> on how they may or may not be spent or required to propagate metadata.=
<br>
<br>
Indeed, this is a significant risk with the potential to harm all Bitcoin<b=
r>
users.<br>
<br>
> In the CHECKTEMPLATEVERIFY approach, the covenants are severely restri=
cted to<br>
> simple templates. The structure of CHECKTEMPLATEVERIFY template is suc=
h that<br>
> the outputs must be known exactly at the time of construction. Based o=
n a<br>
> destructuring argument, it is only possible to create templates which =
expand<br>
> in a finite number of steps. Thus templated transactions are in theory=
as<br>
> safe as transactions which create all the inputs directly in this rega=
rd.<br>
<br>
The "finite" number of steps could be millions of transactions - =
"infinitely<br>
long" for any practical purpose.<br>
<br>
<br>
# Test Vectors<br>
<br>
Currently the testing is poorly documented, without clear goals as to what =
edge<br>
cases are actually being tested:<br>
<a href=3D"https://github.com/JeremyRubin/bitcoin/commit/e026bae28a774d91ef=
fc32862d0246286c114c24" rel=3D"noreferrer" target=3D"_blank">https://github=
.com/JeremyRubin/bitcoin/commit/e026bae28a774d91effc32862d0246286c114c24</a=
><br>
<br>
Also, we really need test _vectors_ rather than a Python test: for consenus=
,<br>
you want to write down explicitly the *data* in the form of serialized<br>
transactions that is being fed into the consensus engine, to avoid mistakes=
in<br>
test coverage due to broken test harnesses.<br>
<br>
-- <br>
<a href=3D"https://petertodd.org" rel=3D"noreferrer" target=3D"_blank">http=
s://petertodd.org</a> 'peter'[:-1]@<a href=3D"http://petertodd.org"=
rel=3D"noreferrer" target=3D"_blank">petertodd.org</a><br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--000000000000017f8105d54640dc--
|