1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
|
Return-Path: <jeremy.l.rubin@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
by lists.linuxfoundation.org (Postfix) with ESMTP id 8D2CEC000B
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 8 Mar 2022 17:10:13 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id 7C62540438
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 8 Mar 2022 17:10:13 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp4.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id MplYEjmGWmnt
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 8 Mar 2022 17:10:12 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com
[IPv6:2a00:1450:4864:20::12a])
by smtp4.osuosl.org (Postfix) with ESMTPS id 1FBD540304
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 8 Mar 2022 17:10:12 +0000 (UTC)
Received: by mail-lf1-x12a.google.com with SMTP id bu29so33518551lfb.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 08 Mar 2022 09:10:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:from:date:message-id:subject:to;
bh=g1RzaOU1c/H4NV2MfnxCrRS9We8aCFk+qUeSYsPRp7o=;
b=BJmto2nHDGo4RgRLGqCi0UZe/L4pgrgvaPvMvOTUBGqMu9kXHCjWbO4RmIC6qIj113
LC567+sh6PHeeu0z7T4JUuWEWFJoPgWqztE5JVkX1u9GaK/ZfhdSfyhm8X2E5+Pi9Y/N
dnqzTd4LG9AQmBYGDqZ2DnYCxJ3Eu4DTwaKm9oNxKLHobyV4Vs9ozT3tz/sMWdrtm++a
IhVas4kY9hSSc2BfODt2hatGuqrQc2iRWb6eHWbROwTe5/SgdNB3CTHIBt80gZyNDxJQ
Riii+DptSHnhx74++GMv3Tc4/V6zLruS3fWF72MVZM6ZMjKHgjlCd9OxdXg73F+AIMZo
r7sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=g1RzaOU1c/H4NV2MfnxCrRS9We8aCFk+qUeSYsPRp7o=;
b=kU//5jVcuofwYV0yJLcPxESwcYloUGU9bpVUr1NSqQbI3ocgEpbYWQE8l0dr6gsaXX
D+sb8tnme7uDGARkZ2jQeqqG8cdSUHB1pYMQU1yiwirf7vmJsdlkxzZWLwAK4lf6Vp2R
r3oWQ8IjVmfYOHTs8gIuq9Rrg9u9gZP1HRKXnUxpamiOdrBAc/6X+tQDNpFzqfOqQzoH
fXjCqIukRs4w06DhU2acCFaZQw4SrVBTi0RyvieXCUqSGmQuFgCd3G34T2oK6GVd/B1b
ceoKt3arppKUelX/XLK4umZ7gfLaNfSy7f2xSWMf/OC1qV+Vprj7pcgH5yQcYtqhHxwh
IwDw==
X-Gm-Message-State: AOAM531N+lvzJ0iiX6o9SdfCmml3BP1MUi06aakbbF+no1qPG0T93gOW
az33Rdvq0y6Y8BEofEfKx7pDOc2qCwW5xRpoJOg1tK1JOWA=
X-Google-Smtp-Source: ABdhPJwahSNTTBHc2sJUoyjsIjz/yOlgxaT7jJy6Tm8irOMjViez/FatFJzRQcyEsku5ynDOgg+Du6YXKPctTN2hygo=
X-Received: by 2002:a05:6512:1288:b0:443:f15d:6a2e with SMTP id
u8-20020a056512128800b00443f15d6a2emr11433010lfs.363.1646759409595; Tue, 08
Mar 2022 09:10:09 -0800 (PST)
MIME-Version: 1.0
From: Jeremy Rubin <jeremy.l.rubin@gmail.com>
Date: Tue, 8 Mar 2022 09:09:58 -0800
Message-ID: <CAD5xwhgYyR0dK_Fm0ikHi+JSoJcsczrfxrO6p5oa1cRVD_DTaw@mail.gmail.com>
To: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="000000000000a3b90105d9b80d87"
Subject: [bitcoin-dev] OP_AMOUNT Discussion
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2022 17:10:13 -0000
--000000000000a3b90105d9b80d87
Content-Type: text/plain; charset="UTF-8"
Hi Devs,
Recently, I've been getting a lot of questions about OP_AMOUNT. It's also
come up in the context of "CTV is unsafe because it can't handle differing
amounts". Just sharing some preliminary thinking on it:
It could come in many variants:
OP_PUSHAMOUNT
OP_AMOUNTVERIFY
OP_PUSHAMOUNTSPLIT
OP_SPLITAMOUNTVERIFY
If we want to do a NOP upgrade, we may prefer the *VERIFY formats. If we
want to do a SUCCESSX upgrade, we could do the PUSH format.
The SplitAmount format is required because amounts are > 5 bytes (51 bits
needed max), unless we also do some sort of OP_UPGRADEMATH semantic whereby
presence of an Amount opcode enables 64 bit (or 256 bit?) math opcodes.
And could be applied to the cross product of:
The Transaction
An Input
An Output
The fees total
The fees this input - this output
This Input
"This" Output
A lot of choices! The simplest version of it just being just this input,
and no other (all that is required for many useful cases, e.g. single sig
if less than 1 btc).
A while back I designed some logic for a split amount verifying opcode
here: (I don't love it, so hadn't shared it widely).
https://gist.github.com/JeremyRubin/d9f146475f53673cd03c26ab46492504
There are some decent use cases for amount checking.
For instance, one could create a non-recursive covenant that there must be
an output which exactly matches the sats in the input at the same index.
This could be used for colored coins, statechains, TLUV/EVICT based payment
pools, etc.
Another use case could be to make a static address / descriptor that
disables low security spends if more coins are the input.
Yet another could be to enable pay-what-you-want options, where depending
on how much gets paid into an address different behaviors are permitted.
Lastly, as noted in BIP-119, you can make a belt-and-suspenders value check
in CTV contracts to enable a backup withdrawal should you send the wrong
amount to a vault.
Overall, I think the most straightforward path would be to work on this
only for tapscript, no legacy, and then spec out upgraded math operations,
and then OP_PUSHAMOUNT is pretty straightforward & low technical risk.
Unfortunately, the upgraded math and exact semantics are highly
bikesheddable... If anyone is interested in working on this, I'd be happy
to review/advise on it. Otherwise, I would likely start working on this
sometime after I'm spending less effort on CTV.
Blockstream liquid has some work in this regard that may be copyable for
the math part, but likely not the amount opcode:
https://github.com/ElementsProject/elements/blob/master/doc/tapscript_opcodes.md
However, they chose to do only 64 bit arithmetic and I personally think
that the community might prefer wider operations, the difficulty being in
not incidentally enabling OP_CAT as a size, bitshift, and add fragment (or
proving that OP_CAT is OK?).
see also: https://rubin.io/bitcoin/2021/12/05/advent-8/#OP_AMOUNT
Cheers,
Jeremy
--
@JeremyRubin <https://twitter.com/JeremyRubin>
--000000000000a3b90105d9b80d87
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:arial,he=
lvetica,sans-serif;font-size:small;color:#000000">Hi Devs,</div><div class=
=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-siz=
e:small;color:#000000"><br></div><div class=3D"gmail_default" style=3D"font=
-family:arial,helvetica,sans-serif;font-size:small;color:#000000">Recently,=
I've been getting a lot of questions about OP_AMOUNT. It's also co=
me up in the context of "CTV is unsafe because it can't handle dif=
fering amounts". Just sharing some preliminary thinking on it:</div><d=
iv class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;=
font-size:small;color:#000000"><br></div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">I=
t could come in many variants:</div><div class=3D"gmail_default" style=3D"f=
ont-family:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></=
div><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-=
serif;font-size:small;color:#000000">OP_PUSHAMOUNT</div><div class=3D"gmail=
_default" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;c=
olor:#000000">OP_AMOUNTVERIFY</div><div class=3D"gmail_default" style=3D"fo=
nt-family:arial,helvetica,sans-serif;font-size:small;color:#000000">OP_PUSH=
AMOUNTSPLIT</div><div class=3D"gmail_default" style=3D"font-family:arial,he=
lvetica,sans-serif;font-size:small;color:#000000">OP_SPLITAMOUNTVERIFY</div=
><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-ser=
if;font-size:small;color:#000000"><br></div><div class=3D"gmail_default" st=
yle=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000=
"><div class=3D"gmail_default">If we want to do a NOP upgrade, we may prefe=
r the *VERIFY formats. If we want to do a SUCCESSX upgrade, we could do the=
PUSH format.</div></div><div class=3D"gmail_default" style=3D"font-family:=
arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div><div cl=
ass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-=
size:small;color:#000000"><div class=3D"gmail_default">The SplitAmount form=
at is required because amounts are > 5 bytes (51 bits needed max), unles=
s we also do some sort of OP_UPGRADEMATH semantic whereby presence of an Am=
ount opcode enables 64 bit (or 256 bit?) math opcodes.</div><br class=3D"gm=
ail-Apple-interchange-newline"></div><div class=3D"gmail_default" style=3D"=
font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">And c=
ould be applied to the cross product of:</div><div class=3D"gmail_default" =
style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#0000=
00"><br></div><div class=3D"gmail_default" style=3D"font-family:arial,helve=
tica,sans-serif;font-size:small;color:#000000">The Transaction</div><div cl=
ass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-=
size:small;color:#000000">An Input</div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">A=
n Output</div><div class=3D"gmail_default" style=3D"font-family:arial,helve=
tica,sans-serif;font-size:small;color:#000000">The fees total</div><div cla=
ss=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-s=
ize:small;color:#000000">The fees this input - this output</div><div class=
=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-siz=
e:small;color:#000000">This Input</div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">&=
quot;This" Output</div><div class=3D"gmail_default" style=3D"font-fami=
ly:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div><div=
class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;fo=
nt-size:small;color:#000000">A lot of choices! The simplest version of it j=
ust being just this input, and no other (all that is required for many usef=
ul cases, e.g. single sig if less than 1 btc).</div><div class=3D"gmail_def=
ault" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color=
:#000000"><br></div><div class=3D"gmail_default" style=3D"font-family:arial=
,helvetica,sans-serif;font-size:small;color:#000000"><br></div><div class=
=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-siz=
e:small;color:#000000">A while back I designed some logic for a split amoun=
t verifying opcode here: (I don't love it, so hadn't shared it wide=
ly). <a href=3D"https://gist.github.com/JeremyRubin/d9f146475f53673cd03c26a=
b46492504">https://gist.github.com/JeremyRubin/d9f146475f53673cd03c26ab4649=
2504</a></div><div class=3D"gmail_default" style=3D"font-family:arial,helve=
tica,sans-serif;font-size:small;color:#000000"><br></div><div class=3D"gmai=
l_default" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;=
color:#000000">There are some decent use cases for amount checking.</div><d=
iv class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;=
font-size:small;color:#000000"><br></div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">F=
or instance, one could create a non-recursive covenant that there must be a=
n output which exactly matches the sats in the input at the same index. Thi=
s could be used for colored coins, statechains, TLUV/EVICT based payment po=
ols, etc.</div><div class=3D"gmail_default" style=3D"font-family:arial,helv=
etica,sans-serif;font-size:small;color:#000000"><br></div><div class=3D"gma=
il_default" style=3D"font-family:arial,helvetica,sans-serif;font-size:small=
;color:#000000">Another use case could be to make a static address / descri=
ptor that disables low security spends if more coins are the input.</div><d=
iv class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;=
font-size:small;color:#000000"><br></div><div class=3D"gmail_default" style=
=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">Y=
et another could be to enable pay-what-you-want options, where depending on=
how much gets paid into an address different behaviors are permitted.</div=
><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-ser=
if;font-size:small;color:#000000"><br></div><div class=3D"gmail_default" st=
yle=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000=
">Lastly, as noted in BIP-119, you can make a belt-and-suspenders value che=
ck in CTV contracts to enable a backup withdrawal should you send the wrong=
amount to a vault.</div><div class=3D"gmail_default" style=3D"font-family:=
arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div><div cl=
ass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-=
size:small;color:#000000">Overall, I think the most straightforward path wo=
uld be to work on this only for tapscript, no legacy, and then spec out upg=
raded math operations, and then OP_PUSHAMOUNT is pretty straightforward &am=
p; low technical risk. Unfortunately, the upgraded math and exact semantics=
are highly bikesheddable... If anyone is interested in working on this, I&=
#39;d be happy to review/advise on it. Otherwise, I would likely start work=
ing on this sometime after I'm spending less effort on CTV.</div><div c=
lass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font=
-size:small;color:#000000"><br></div><div class=3D"gmail_default" style=3D"=
font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">Block=
stream liquid has some work in this regard that may be copyable for the mat=
h part, but likely not the amount opcode: <a href=3D"https://github.com/Ele=
mentsProject/elements/blob/master/doc/tapscript_opcodes.md">https://github.=
com/ElementsProject/elements/blob/master/doc/tapscript_opcodes.md</a> =C2=
=A0However, they chose to do only 64 bit arithmetic and I personally think =
that the community might prefer wider operations, the difficulty being in n=
ot incidentally enabling OP_CAT as a size, bitshift, and add fragment (or p=
roving that OP_CAT is OK?).</div><div class=3D"gmail_default" style=3D"font=
-family:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div=
><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-ser=
if;font-size:small;color:#000000">see also:=C2=A0<a href=3D"https://rubin.i=
o/bitcoin/2021/12/05/advent-8/#OP_AMOUNT">https://rubin.io/bitcoin/2021/12/=
05/advent-8/#OP_AMOUNT</a></div><div class=3D"gmail_default" style=3D"font-=
family:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div>=
<div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-seri=
f;font-size:small;color:#000000">Cheers,</div><div class=3D"gmail_default" =
style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#0000=
00"><br></div><div class=3D"gmail_default" style=3D"font-family:arial,helve=
tica,sans-serif;font-size:small;color:#000000">Jeremy</div><br clear=3D"all=
"><div><div dir=3D"ltr" class=3D"gmail_signature" data-smartmail=3D"gmail_s=
ignature"><div dir=3D"ltr">--<br><a href=3D"https://twitter.com/JeremyRubin=
" target=3D"_blank">@JeremyRubin</a><br></div></div></div></div>
--000000000000a3b90105d9b80d87--
|