Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id B61B5CD1 for ; Mon, 24 Jun 2019 18:07:38 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 865397FB for ; Mon, 24 Jun 2019 18:07:37 +0000 (UTC) Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42]) (authenticated bits=0) (User authenticated as jlrubin@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x5OI7YFv013037 (version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT) for ; Mon, 24 Jun 2019 14:07:35 -0400 Received: by mail-ed1-f42.google.com with SMTP id a14so22991052edv.12 for ; Mon, 24 Jun 2019 11:07:35 -0700 (PDT) X-Gm-Message-State: APjAAAVrPmlBJ4sTp3JN50vknQe3Ltu13vVvnnSkaVVlskDZK0FBcNAD 9ZQDYF77Y4LiMdib/UZNKER7L7uw2jnd48pqQR0= X-Google-Smtp-Source: APXvYqzxWCRhg7cHAbLkhMuXDoYzUGnlHfP79Ar7/m8mYELpRYdVpU84shg9B0rDyMbtiNsMjrGau5GBstJ1ZefgKDM= X-Received: by 2002:a50:a5e7:: with SMTP id b36mr139329678edc.301.1561399654191; Mon, 24 Jun 2019 11:07:34 -0700 (PDT) MIME-Version: 1.0 References: <20190605093039.xfo7lcylqkhsfncv@erisian.com.au> In-Reply-To: From: Jeremy Date: Mon, 24 Jun 2019 11:07:20 -0700 X-Gmail-Original-Message-ID: Message-ID: To: "Russell O'Connor" Content-Type: multipart/alternative; boundary="000000000000bd959f058c15afb1" X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,HTML_MESSAGE, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 25 Jun 2019 17:26:58 +0000 Cc: Bitcoin development mailing list Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jun 2019 18:07:38 -0000 --000000000000bd959f058c15afb1 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Do you think the following hypothesis is more or less true: H: There is no set of pure extensions* to script E such that enabling E and OP_SECURETHEBAG as proposed enables recursive covenants, but E alone does not enable recursive covenants? * Of course there are things that specifically are specifically designed to switch on if OP_SECURETHEBAG, so pure means normal things like OP_CAT that are a function of the arguments on the stack or hashed txn data. This is the main draw of the design I proposed, it should be highly improbable or impossible to accidentally introduce more behavior than intended with a new opcode. I think that given that H is not true for the stack reading version of the opcode, we should avoid doing it unless strongly motivated, so as to permit more flexibility for which opcodes we can add in the future without introducing recursion unless it is explicitly intended. On Mon, Jun 24, 2019, 7:35 AM Russell O'Connor wrote: > OP_SECURETHEBAG doesn't include the script being executed (i.e the > scriptPubKey specified in the output that is redeemed by this input) in i= ts > hash like ordinary signatures do > . > Of course, this ScriptPubKey is indirectly committed to through the input= 's > prevoutpoint. However Script isn't able to reconstruct this script being > executed from the prevoutpoint in tapscript without an implementation of > public key tweeking in Bitcoin Script. > > On Sun, Jun 23, 2019 at 2:41 AM Jeremy Rubin > wrote: > >> Can you clarify this comment? >> >> We do in fact commit to the script and scriptsig itself (not the witness >> stack) in OP_SECURETHEBAG (unless I'm missing what you meant)? >> >> On Thu, Jun 20, 2019, 10:59 AM Russell O'Connor via bitcoin-dev < >> bitcoin-dev@lists.linuxfoundation.org> wrote: >> >>> Just to be clear, while OP_CHECKTXDIGESTVERIFY would enable this style >>> of covenants if it pulled data from the stack, the OP_SECURETHEBAG >>> probably cannot create covenants even if it were to pull the data from = the >>> stack unless some OP_TWEEKPUBKEY operation is added to Script because t= he >>> "commitment of the script itself" isn't part of the OP_SECURETHEBAG. >>> >>> So with regards to OP_SECURETHEBAG, I am also "not really seeing any >>> reason to complicate the spec to ensure the digest is precommitted as p= art >>> of the opcode." >>> >>> On Thu, Jun 6, 2019 at 3:33 AM ZmnSCPxj via bitcoin-dev < >>> bitcoin-dev@lists.linuxfoundation.org> wrote: >>> >>>> Good morning aj, >>>> >>>> >>>> Sent with ProtonMail Secure Email. >>>> >>>> =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Origin= al Message =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 >>>> On Wednesday, June 5, 2019 5:30 PM, Anthony Towns via bitcoin-dev < >>>> bitcoin-dev@lists.linuxfoundation.org> wrote: >>>> >>>> > On Fri, May 31, 2019 at 10:35:45PM -0700, Jeremy via bitcoin-dev >>>> wrote: >>>> > >>>> > > OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBAG= *. >>>> > >>>> > I think you could generalise that slightly and make it fit in >>>> > with the existing opcode naming by calling it something like >>>> > "OP_CHECKTXDIGESTVERIFY" and pull a 33-byte value from the stack, >>>> > consisting of a sha256 hash and a sighash-byte, and adding a new >>>> sighash >>>> > value corresponding to the set of info you want to include in the >>>> hash, >>>> > which I think sounds a bit like "SIGHASH_EXACTLY_ONE_INPUT | >>>> SIGHASH_ALL" >>>> > >>>> > FWIW, I'm not really seeing any reason to complicate the spec to >>>> ensure >>>> > the digest is precommitted as part of the opcode. >>>> > >>>> >>>> I believe in combination with `OP_LEFT` and `OP_CAT` this allows >>>> Turing-complete smart contracts, in much the same way as >>>> `OP_CHECKSIGFROMSTACK`? >>>> >>>> Pass in the spent transaction (serialised for txid) and the spending >>>> transaction (serialised for sighash) as part of the witness of the spe= nding >>>> transaction. >>>> >>>> Script verifies that the spending transaction witness value is indeed >>>> the spending transaction by `OP_SHA256 OP_SWAP OP_CAT >>>> OP_CHECKTXDIGESTVERIFY`. >>>> Script verifies the spent transaction witness value is indeed the spen= t >>>> transaction by hashing it, then splitting up the hash with `OP_LEFT` i= nto >>>> bytes, and comparing the bytes to the bytes in the input of the spendi= ng >>>> transaction witness value (txid being the bytes in reversed order). >>>> >>>> Then the Script can extract a commitment of itself by extracting the >>>> output of the spent transaction. >>>> This lets the Script check that the spending transaction also pays to >>>> the same script. >>>> >>>> The Script can then access a state value, for example from an >>>> `OP_RETURN` output of the spent transaction, and enforce that a correc= t >>>> next-state is used in the spending transaction. >>>> If the state is too large to fit in a standard `OP_RETURN`, then the >>>> current state can be passed in as a witness and validated against a ha= sh >>>> commitment in an `OP_RETURN` output. >>>> >>>> I believe this is the primary reason against not pulling data from the >>>> stack. >>>> >>>> Regards, >>>> ZmnSCPxj >>>> _______________________________________________ >>>> bitcoin-dev mailing list >>>> bitcoin-dev@lists.linuxfoundation.org >>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>>> >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists.linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >> --000000000000bd959f058c15afb1 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Do you think the following hypothesis i= s more or less true:

H: = There is no set of pure extensions* to script E such that enabling E and OP= _SECURETHEBAG as proposed enables recursive covenants, but E alone does not= enable recursive covenants?
=C2=A0
* Of course= there are things that specifically are specifically designed to switch on = if OP_SECURETHEBAG, so pure means normal things like OP_CAT that are a func= tion of the arguments on the stack or hashed txn data.=C2=A0

This is the main draw of the design I propos= ed, it should be highly improbable or impossible to accidentally introduce = more behavior than intended with a new opcode.

<= /div>
I think that given that H is not true for the stack = reading version of the opcode, we should avoid doing it unless strongly mot= ivated, so as to permit more flexibility for which opcodes we can add in th= e future without introducing recursion unless it is explicitly intended.=C2= =A0



On Mon,= Jun 24, 2019, 7:35 AM Russell O'Connor <roconnor@blockstream.io> wrote:
OP_SECURETHEBAG = doesn't include the script being executed (i.e the scriptPubKey specifi= ed in the output that is redeemed by this input) in its hash like ordinary signatures do.= =C2=A0 Of course, this ScriptPubKey is indirectly committed to through the = input's prevoutpoint.=C2=A0 However Script isn't able to reconstruc= t this script being executed from the prevoutpoint in tapscript withou= t an implementation of public key tweeking in Bitcoin Script.

On Sun, Jun 23, 2019 at 2:41 AM Jeremy Rubin <j= eremy.l.rubin@gmail.com> wrote:
Can you clar= ify this comment?

We do in fact commit= to the script and scriptsig itself (not the witness stack) in OP_SECURETHE= BAG (unless I'm missing what you meant)?

On Thu, Jun 20, 2019, 10:59 AM = Russell O'Connor via bitcoin-dev <bitcoin-dev@lis= ts.linuxfoundation.org> wrote:
Just to be clear, while OP_CHECKTXDIGESTVERIFY would enable this s= tyle of covenants if it pulled data from the stack, the OP_SECURETHEBAG probably cannot create covenants even = if it were to pull the data from the stack unless some OP_TWEEKPUBKEY opera= tion is added to Script because the "commitment of the script itself&q= uot; isn't part of the OP_SECURETHEBAG.
So with regards to OP_SECURETHEBAG, I am al= so "not really seeing any reas= on to complicate the spec to ensure the digest is precommitted as part of t= he opcode."

On= Thu, Jun 6, 2019 at 3:33 AM ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
=
Good morning aj,


Sent with ProtonMail Secure Email.

=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90 Original Me= ssage =E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90=E2=80=90
On Wednesday, June 5, 2019 5:30 PM, Anthony Towns via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrot= e:

> On Fri, May 31, 2019 at 10:35:45PM -0700, Jeremy via bitcoin-dev wrote= :
>
> > OP_CHECKOUTPUTSHASHVERIFY is retracted in favor of OP_SECURETHEBA= G*.
>
> I think you could generalise that slightly and make it fit in
> with the existing opcode naming by calling it something like
> "OP_CHECKTXDIGESTVERIFY" and pull a 33-byte value from the s= tack,
> consisting of a sha256 hash and a sighash-byte, and adding a new sigha= sh
> value corresponding to the set of info you want to include in the hash= ,
> which I think sounds a bit like "SIGHASH_EXACTLY_ONE_INPUT | SIGH= ASH_ALL"
>
> FWIW, I'm not really seeing any reason to complicate the spec to e= nsure
> the digest is precommitted as part of the opcode.
>

I believe in combination with `OP_LEFT` and `OP_CAT` this allows Turing-com= plete smart contracts, in much the same way as `OP_CHECKSIGFROMSTACK`?

Pass in the spent transaction (serialised for txid) and the spending transa= ction (serialised for sighash) as part of the witness of the spending trans= action.

Script verifies that the spending transaction witness value is indeed the s= pending transaction by `OP_SHA256 <SIGHASH_ALL> OP_SWAP OP_CAT OP_CHE= CKTXDIGESTVERIFY`.
Script verifies the spent transaction witness value is indeed the spent tra= nsaction by hashing it, then splitting up the hash with `OP_LEFT` into byte= s, and comparing the bytes to the bytes in the input of the spending transa= ction witness value (txid being the bytes in reversed order).

Then the Script can extract a commitment of itself by extracting the output= of the spent transaction.
This lets the Script check that the spending transaction also pays to the s= ame script.

The Script can then access a state value, for example from an `OP_RETURN` o= utput of the spent transaction, and enforce that a correct next-state is us= ed in the spending transaction.
If the state is too large to fit in a standard `OP_RETURN`, then the curren= t state can be passed in as a witness and validated against a hash commitme= nt in an `OP_RETURN` output.

I believe this is the primary reason against not pulling data from the stac= k.

Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.li= nuxfoundation.org/mailman/listinfo/bitcoin-dev
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.li= nuxfoundation.org/mailman/listinfo/bitcoin-dev
--000000000000bd959f058c15afb1--