Return-Path: <ZmnSCPxj@protonmail.com>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 48B10C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 May 2022 03:07:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 229FF82ECF
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 May 2022 03:07:54 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level: 
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 FROM_LOCAL_NOVOWEL=0.5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Authentication-Results: smtp1.osuosl.org (amavisd-new);
 dkim=pass (2048-bit key) header.d=protonmail.com
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ln0eE2fr4UyF
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 May 2022 03:07:50 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0
Received: from mail-4325.protonmail.ch (mail-4325.protonmail.ch [185.70.43.25])
 by smtp1.osuosl.org (Postfix) with ESMTPS id 6B93282EC7
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 12 May 2022 03:07:50 +0000 (UTC)
Date: Thu, 12 May 2022 03:07:45 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com;
 s=protonmail2; t=1652324867;
 bh=vjHy6oRMX7nr0vKs9+PAdTSn0ZAW9DV5fQtMYDFqKSI=;
 h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To:
 References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To:
 Feedback-ID:Message-ID;
 b=G/pqaZqdyTGzJj8vkrcpdFdowHIeqPgV5pQAoFs+l/OHodwYjCc/8t+0qW7GQBbcl
 WOwZiFIsxxrZj2qobyvGhe/l+l+sNmZyz6OnaWDhfCyRPaCoGIZX1CCPoeaJPUx2lG
 XN346JqlX6W7xwYu+oDt2p30m3hNAmanZIJvgb8obcftezBKSFdjGArbz1wohp5Mr7
 MrE5Dm2sHWpvF2GI+KHHRLghg/29QIiflKKKWzzK11vocKGSvY9ypLOMYLkSvAA4nJ
 c48bGJPdpdl6iJkCLOb2IoCIaH4azfqcT+fwq1vzXzP0Buod4Fw8IirgmsS4/6Sgb0
 GmkzbULPm5X4g==
To: Russell O'Connor <roconnor@blockstream.com>
From: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Reply-To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Message-ID: <fkMEju1kNN5OJPoI1d2K99sV0bhr7qeAnhVbv-99K_UL48YQyHp-rbqEfQ81crx-thaA8JuUY4-eFlYUskvFC_8h6DIhdF0Wj-v-4DNnlcI=@protonmail.com>
In-Reply-To: <CAMZUoKnzjcYDM-mOhT00P7YO18YmjxRkYsfO6QFtYFn0mEtLQw@mail.gmail.com>
References: <161946014-482cdec305e2bd7a2c3fc4774c70239d@pmq1v.m5r2.onet>
 <M80pb4TxcE1yCMCW4IboyTtx8MSvp8m9tphXe2EYvIvcrcf2Wzsn4ManJw8EP_ri-ohqtIOPrEaw7XkUcTO3lfVSLN4WMUwpromwzLm15Kc=@protonmail.com>
 <CAMZUoKnzjcYDM-mOhT00P7YO18YmjxRkYsfO6QFtYFn0mEtLQw@mail.gmail.com>
Feedback-ID: 2872618:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Speedy covenants (OP_CAT2)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 03:07:54 -0000

Good morning Russell,

> On Wed, May 11, 2022 at 7:42 AM ZmnSCPxj via bitcoin-dev <bitcoin-dev@lis=
ts.linuxfoundation.org> wrote:
>
> > REMEMBER: `OP_CAT` BY ITSELF DOES NOT ENABLE COVENANTS, WHETHER RECURSI=
VE OR NOT.
>
>
> I think the state of the art has advanced to the point where we can say "=
OP_CAT in tapscript enables non recursive covenants and it is unknown wheth=
er OP_CAT can enable recursive covenants or not".
>
> A. Poelstra in https://www.wpsoftware.net/andrew/blog/cat-and-schnorr-tri=
cks-i.html show how to use CAT to use the schnorr verification opcode to ge=
t the sighash value + 1 onto the stack, and then through some grinding and =
some more CAT, get the actual sighash value on the stack. From there we can=
 use SHA256 to get the signed transaction data onto the stack and apply int=
rospect (using CAT) to build functionality similar to OP_CTV.
>
> The missing bits for enabling recursive covenants comes down to needing t=
o transform a scriptpubkey into an taproot address, which involves some twe=
aking. Poelstra has suggested that it might be possible to hijack the ECDSA=
 checksig operation from a parallel, legacy input, in order to perform the =
calculations for this tweaking. But as far as I know no one has yet been ab=
le to achieve this feat.

Hmm, I do not suppose it would have worked in ECDSA?
Seems like this exploits linearity in the Schnorr.
For the ECDSA case it seems that the trick in that link leads to `s =3D e +=
 G[x]` where `G[x]` is the x-coordinate of `G`.
(I am not a mathist, so I probably am not making sense; in particular, ther=
e may be an operation to add two SECP256K1 scalars that I am not aware of)

In that case, since Schnorr was added later, I get away by a technicality, =
since it is not *just* `OP_CAT` which enabled this style of covenant, it wa=
s `OP_CAT` + BIP340 v(^^);;;;;

Also holy shit math is scary.

Seems this also works with `OP_SUBSTR`, simply by inverting it into "valida=
te that the concatenation is correct" rather than "concatenate it ourselves=
".




So really: are recursive covenants good or...?
Because if recursive covenants are good, what we should really work on is m=
aking them cheap (in CPU load/bandwidth load terms) and private, to avoid c=
entralization and censoring.

Regards,
ZmnSCPxj