Content-Type: text/plain; charset=utf-8
From: vjudeu@gazeta.pl
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>, =?UTF-8?Q?Jorge_Tim=C3=B3n?=
 <jtimon@jtimon.cc>, Bitcoin Protocol Discussion
 <bitcoin-dev@lists.linuxfoundation.org>
In-Reply-To: <1JO1xrnJ9GwGM4TgLH_rL_LpnZgSb1SyeEOJ9Gzc1VMbKUrmxSh-zUXKwFNvp_5wyiDtRviOf-gRJbrfbhOJl-qym1eEHXpoDAgjE9juucw=@protonmail.com>
Message-ID: <629505ec-81ba-013d-43a0-009d61fada23@gazeta.pl>
Content-Transfer-Encoding: quoted-printable
Date: Sat, 07 May 2022 03:52:48 +0000
MIME-Version: 1.0
Subject: Re: [bitcoin-dev] Speedy covenants (OP_CAT2)
Precedence: list

> Re-enabling OP_CAT with the exact same OP would be a hardfork, but =
creating a new OP_CAT2 that does the same would be a softfork.

We have TapScript for that. OP_CAT is defined as OP_SUCCESS, it can be =
re-enabled in a soft-fork way. For now, OP_CAT in TapScript simply means =
"anyone can move those coins", so adding some restrictions is all we need =
to re-enable this opcode. Introducing OP_CAT2 is not needed at all, unless =
it will be totally different, but then it should not be named as OP_CAT2, =
but rather as OP_SOMETHING_ELSE, it depends how different it will be from =
OP_CAT.

> OP_1 OP_DUP OP_CAT OP_DUP OP_CAT OP_DUP OP_CAT OP_DUP OP_CAT =
OP_DUP OP_CAT OP_DUP OP_CAT ...

So we can use OP_SUBSTR instead. Maybe =
even OP_SPLIT will be enough, if data expansion is the only problem, then =
we can focus on getting it smaller. Or better, we could use OP_FIND that =
would return true/false answer if element A is a part of element B, when we=
 do byte-to-byte comparison. In general, we can use many different =
string-based functions to do the same things, we can choose something that =
will not exponentially explode as OP_CAT.

> It was considered unfair that =
the sender is paying for the security of the receiver.

It can be changed by using different sighashes, for example, it is possible=
 to create a "negative fee transaction", where all transaction costs are =
paid by receiver. Using SIGHASH_SINGLE | SIGHASH_ANYONECANPAY with a higher=
 amount in outputs than inputs is enough to do that, see testnet3 =
transaction 495d2007ae8b741c70c3d278c02ce03702223b9675e954ecabbb634c6cd5bf4=
0.

On 2022-05-07 05:06:46 user ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists=
.linuxfoundation.org> wrote:
> Good morning Jorge,

> OP_CAT was removed. If I remember correctly, some speculated that perhaps=
 it was removed because it could allow covenants.I don't remember any =
technical concern about the OP besides enabling covenants.Before it was a =
common opinion that covenants shouldn't be enabled in bitcoin because, =
despite having good use case, there are some nasty attacks that are enabled=
 with them too. These days it seems the opinion of the benefits being worth=
 the dangers is quite generalized. Which is quite understandable given that=
 more use cases have been thought since then.

I think the more accurate =
reason for why it was removed is because the following SCRIPT of N size =
would lead to 2^N memory usage:

    OP_1 OP_DUP OP_CAT OP_DUP OP_CAT =
OP_DUP OP_CAT OP_DUP OP_CAT OP_DUP OP_CAT OP_DUP OP_CAT ...

In particular it was removed at about the same time as `OP_MUL`, which has =
similar behavior (consider that multiplying two 32-bit numbers results in a=
 64-bit number, similar to `OP_CAT`ting a vector to itself).

`OP_CAT` was removed long before covenants were even expressed as a =
possibility.

Covenants were first expressed as a possibility, I believe, =
during discussions around P2SH.
Basically, at the time, the problem was =
this:

* Some receivers wanted to use k-of-n multisignature for improved =
security.
* The only way to implement this, pre-P2SH, was by putting in the=
 `scriptPubKey` all the public keys.
* The sender is the one paying for the=
 size of the `scriptPubKey`.
* It was considered unfair that the sender is =
paying for the security of the receiver.

Thus, `OP_EVAL` and the P2SH =
concept was conceived.
Instead of the `scriptPubKey` containing the k-of-n =
multisignature, you create a separate script containing the public keys, =
then hash it, and the `scriptPubKey` would contain the hash of the script.
By symmetry with the P2PKH template:

    OP_DUP OP_HASH160 =
<hash160(pubkey)> OP_EQUALVERIFY OP_CHECKSIG

The P2SH template would be:

    OP_DUP OP_HASH160 <hash160(redeemScript)> OP_EQUALVERIFY OP_EVAL

`OP_EVAL` would take the stack top vector and treat it as a Bitcoin SCRIPT.

It was then pointed out that `OP_EVAL` could be used to create recursive =
SCRIPTs by quining using `OP_CAT`.
`OP_CAT` was already disabled by then, =
but people were talking about re-enabling it somehow by restricting the =
output size of `OP_CAT` to limit the O(2^N) behavior.

Thus, since then, `OP_CAT` has been associated with ***recursive*** =
covenants (and people are now reluctant to re-enable it even with a limit =
on its output size, because recursive covenants).
In particular, `OP_CAT` =
in combination with `OP_CHECKSIGFROMSTACK` and `OP_CHECKSIG`, you could get=
 a deferred `OP_EVAL` and then use `OP_CAT` too to quine.

Because of those concerns, the modern P2SH is now "just a template" with an=
 implicit `OP_EVAL` of the `redeemScript`, but without any `OP_EVAL` being =
actually enabled.

(`OP_EVAL` cannot replace an `OP_NOP` in a softfork, but=
 it is helpful to remember that P2SH was pretty much what codified the =
difference between softfork and hardfork, and the community at the time was=
 small enough (or so it seemed) that a hardfork might not have been =
disruptive.)

> Re-enabling OP_CAT with the exact same OP would be a =
hardfork, but creating a new OP_CAT2 that does the same would be a softfork=
.

If you are willing to work in Taproot the same OP-code can be enabled in=
 a softfork by using a new Tapscript version.

If you worry about =
quantum-computing-break, a new SegWit version (which is more limited than =
Tapscript versions, unfortunately) can also be used, creating a new P2WSHv2=
 (or whatever version) that enables these opcodes.

> As far a I know, this is the covenants proposal that has been implemented=
 for the longest time, if that's to be used as a selection criteria.And as =
always, this is not incompatible with deploying other convenant proposals =
later.

No, it was `OP_EVAL`, not `OP_CAT`.
In particular if `OP_EVAL` was =
allowed in the `redeemScript` then it would enable covenants as well.
It was just pointed out that `OP_CAT` enables recursive covenenats in =
combination with `OP_EVAL`-in-`redeemScript`.

In particular, in =
combination with `OP_CAT`, `OP_EVAL` not only allows recursive covenants, =
but also recursion *within* a SCRIPT i.e. unbounded SCRIPT execution.
Thus, `OP_EVAL` is simply not going to fly, at all.

> Personally I find the simplicity proposal the best one among all the =
covenant proposals by far, including this one.But I understand that despite=
 the name, the proposal is harder to review and test than other proposals, =
for it wouldn't simply add covenants, but a complete new scripting language=
 that is better in many senses.Speedy covenants, on the other hand, is much=
 simpler and has been implemented for longer, so in principle, it should be=
 easier to deploy in a speedy manner.
>
> What are the main arguments =
against speedy covenants (aka op_cat2) and against deploying simplicity in =
bitcoin respectively?
> Sorry if this was discussed before.

`OP_CAT`, by itself, does not implement any covenants --- instead, it =
creates recursive covenants when combined with almost all covenant opcodes.

Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev