1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
|
Return-Path: <ZmnSCPxj@protonmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 6D4981B2B
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 23 Jun 2019 13:11:14 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from mail-40136.protonmail.ch (mail-40136.protonmail.ch
[185.70.40.136])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id EF2F3701
for <bitcoin-dev@lists.linuxfoundation.org>;
Sun, 23 Jun 2019 13:11:12 +0000 (UTC)
Date: Sun, 23 Jun 2019 13:11:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
s=default; t=1561295469;
bh=bdT3gDACUfptkcYyH4q4U5RKYLmNWWgTIcWovipgioA=;
h=Date:To:From:Cc:Reply-To:Subject:In-Reply-To:References:
Feedback-ID:From;
b=ujtm4j8MVMhg9gGI+h1ddPtuyLrh78isHdaLnnETzGrK0uvjFbdQA/CQbvcWsXdkl
a7ouK9Kl33+dzU5mjStpwM7I36swV5+I6lzPMKS/dgtZr9O9PxzYF+Ciky6rAecdKg
jNrBoWectzK8lnz1flmshCae6XIq7jFk8V6oY6hE=
To: Jeremy Rubin <jeremy.l.rubin@gmail.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <MsareTP5GB7XCB4dHvikjqCwQZTs1EqMve7dZEciKCtlFTkne3B6xeSjM-kFP113aYGYeTDS35lXTP7PV3fEvGvFYWL0fRJk3WsncndRY10=@protonmail.com>
In-Reply-To: <CAD5xwhj8o8Vbrk2KADBOFGfkD3fW3eMZo5aHJytGAj_5LLhYCg@mail.gmail.com>
References: <CAD5xwhjSj82YYuQHHbwgSLvUNV2RDY0b=yMYeLj-p6j7PpS9-Q@mail.gmail.com>
<20190605093039.xfo7lcylqkhsfncv@erisian.com.au>
<im0q8670MxshmvMLmoJU0dv4rFhwWZNvQeQYv7i4fBWJOx0ghAdH8fYuQSqNxO2z8uxXGV-kurinUDfl0FsLWD0knw_U_h3zVZ0xy7vmn8o=@protonmail.com>
<CAMZUoK=ZB06jwAbuX2D=aN8ztAqr_jSgEXS1z1ABjQYVawKCBQ@mail.gmail.com>
<CAD5xwhj8o8Vbrk2KADBOFGfkD3fW3eMZo5aHJytGAj_5LLhYCg@mail.gmail.com>
Feedback-ID: el4j0RWPRERue64lIQeq9Y2FP-mdB86tFqjmrJyEPR9VAtMovPEo9tvgA0CrTsSHJeeyPXqnoAu6DN-R04uJUg==:Ext:ProtonMail
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-2.2 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, FROM_LOCAL_NOVOWEL,
RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Sun, 23 Jun 2019 16:34:08 +0000
Cc: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jun 2019 13:11:14 -0000
Good morning Jeremy,
While `OP_SECURETHEBAG` commits to the desired output script of the spendin=
g TX, what is being referred to here is the ability to verify the output sc=
ript being spent, i.e. the script that actually contains the `OP_SECURETHEB=
AG`.
By this, we are able to create a contract that ensures that it is paid agai=
n (covenants), which in combination with a little more introspection of TX =
data, allows us to verify the execution of steps of a Turing-complete progr=
am.
It is surprisingly easy to make a language inadvertently Turing-complete, w=
hich is basically the argument here,
That is, with just a little more power and some additional operations that =
would appear reasonable to add by themselves (`OP_CAT`, `OP_LEFT`, `OP_TWEA=
KPUBKEY`) on top of some form of requiring a particular output script, it i=
s possible to validate the execution of Turing-complete programs on the Bit=
coin blockchain.
Thus, with quining (a script which gets the text of its own code as part of=
the static data it has), `OP_TWEAKPUBKEY`, and a `OP_SECURETHEBAG` that ge=
ts its argument from the stack, it will be possible to make Turing-complete=
Bitcoin SCRIPT.
I would mildly suggest that we might very well want to consider creating a =
well-designed way of injecting Turing-completeness into Bitcoin SCRIPT (req=
uiring it to be behind a Taproot, so that bugs in Turing-complete code at l=
east have a chance to be bugfixed by agreement of the Taproot signing set) =
since we might eventually find ourselves introducing it inadvertently later=
in any case.
Regards,
ZmnSCPxj
Sent with ProtonMail Secure Email.
=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me=
ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Sunday, June 23, 2019 6:41 AM, Jeremy Rubin <jeremy.l.rubin@gmail.com> w=
rote:
> Can you clarify this comment?
>
> We do in fact commit to the script and scriptsig itself (not the witness =
stack) in OP_SECURETHEBAG (unless I'm missing what you meant)?
>
> On Thu, Jun 20, 2019, 10:59 AM Russell O'Connor via bitcoin-dev <bitcoin-=
dev@lists.linuxfoundation.org> wrote:
>
> > Just to be clear, while OP_CHECKTXDIGESTVERIFY would enable this style =
of covenants if it pulled data from the stack, the OP_SECURETHEBAG probably=
cannot create covenants even if it were to pull the data from the stack un=
less some OP_TWEEKPUBKEY operation is added to Script because the "commitme=
nt of the script itself" isn't part of the OP_SECURETHEBAG.
> >
> > So with regards to OP_SECURETHEBAG, I am also "not really seeing any re=
ason to complicate the spec to ensure the digest is precommitted as part of=
the opcode."
> >
> > On Thu, Jun 6, 2019 at 3:33 AM ZmnSCPxj via bitcoin-dev <bitcoin-dev@li=
sts.linuxfoundation.org> wrote:
> >
> > > Good morning aj,
> > >
> > > Sent with ProtonMail Secure Email.
> > >
> > > =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origi=
nal Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=
=90
> > > On Wednesday, June 5, 2019 5:30 PM, Anthony Towns via bitcoin-dev <bi=
tcoin-dev@lists.linuxfoundation.org> wrote:
> > >
> > > > On Fri, May 31, 2019 at 10:35:45PM -0700, Jeremy via bitcoin-dev wr=
ote:
> > > >
> > > > > OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBA=
G*.
> > > >
> > > > I think you could generalise that slightly and make it fit in
> > > > with the existing opcode naming by calling it something like
> > > > "OP_CHECKTXDIGESTVERIFY" and pull a 33-byte value from the stack,
> > > > consisting of a sha256 hash and a sighash-byte, and adding a new si=
ghash
> > > > value corresponding to the set of info you want to include in the h=
ash,
> > > > which I think sounds a bit like "SIGHASH_EXACTLY_ONE_INPUT | SIGHAS=
H_ALL"
> > > >
> > > > FWIW, I'm not really seeing any reason to complicate the spec to en=
sure
> > > > the digest is precommitted as part of the opcode.
> > > >
> > >
> > > I believe in combination with `OP_LEFT` and `OP_CAT` this allows Turi=
ng-complete smart contracts, in much the same way as `OP_CHECKSIGFROMSTACK`=
?
> > >
> > > Pass in the spent transaction (serialised for txid) and the spending =
transaction (serialised for sighash) as part of the witness of the spending=
transaction.
> > >
> > > Script verifies that the spending transaction witness value is indeed=
the spending transaction by `OP_SHA256 <SIGHASH_ALL> OP_SWAP OP_CAT OP_CHE=
CKTXDIGESTVERIFY`.
> > > Script verifies the spent transaction witness value is indeed the spe=
nt transaction by hashing it, then splitting up the hash with `OP_LEFT` int=
o bytes, and comparing the bytes to the bytes in the input of the spending =
transaction witness value (txid being the bytes in reversed order).
> > >
> > > Then the Script can extract a commitment of itself by extracting the =
output of the spent transaction.
> > > This lets the Script check that the spending transaction also pays to=
the same script.
> > >
> > > The Script can then access a state value, for example from an `OP_RET=
URN` output of the spent transaction, and enforce that a correct next-state=
is used in the spending transaction.
> > > If the state is too large to fit in a standard `OP_RETURN`, then the =
current state can be passed in as a witness and validated against a hash co=
mmitment in an `OP_RETURN` output.
> > >
> > > I believe this is the primary reason against not pulling data from th=
e stack.
> > >
> > > Regards,
> > > ZmnSCPxj
> > > _______________________________________________
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|