From: Luke Dashjr
To: Johnson Lau
Cc: bitcoin-dev
Date: Mon, 2 Oct 2017 00:45:22 +0000
Subject: Re: [bitcoin-dev] Version 1 witness programs (first draft)

On Sunday 01 October 2017 9:32:56 PM Johnson Lau wrote:
> 1. How do we allow further upgrade within v1 witness? Here are some
> options: a. Minor version in witness. (Johnson / Luke) I prefer this way,
> but we may end up with many minor versions. b. OP_RETURNTRUE (Luke). I
> proposed this in an earlier version of BIP114 but now I think it doesn’t
> interact well with signature aggregation, and I worry that it would have
> some other unexpected effects. c. Generalised NOP method: user has to
> provide the returned value, so even VERIFY-type code could do anything

I like (A) and (B). Use B when practical, and (A) when more fundamental
changes are needed. SigAgg is a concern, but there are ways to adapt it.

(C) is harmless, but I think unnecessary with (A) and/or (B).

> 2. Do we want to allow signature-time commitment of extra scripts?
> I think all proposals allow this, just in different ways
> a. Tail-call semantics with CHECKSIGFROMSTACK (Mark). I think this is too
> rigid as it works only with specially designed scriptPubKey b.
> scriptWitCode: extra scripts are put in some fixed location in witness
> (Johnson). This makes sure static analysability. c. Extra-data as script
> in OP_CHECKSIG (Luke)

Note that my BIP draft supports both (A) and (C).

> 3. Do we want to allow static analysis of sigop?
> BIP114 and the related proposals are specifically designed to allow static
> analysis of sigop. I think this was one of the main reasons of OP_EVAL not
> being accepted. This was also the main reason of Ethereum failing to do a
> DAO hacker softfork, leading to the ETH/ETC split. I’m not sure if we
> really want to give up this property. Once we do it, we have to support it
> forever.

It seems inevitable at this point.
Maybe we could add a separate "executable-witness" array (in the same
manner as the current witness was softforked in), and require tail-call and
condition scripts to merely reference these by hash, but I'm not sure it's
worth the effort?

Thinking further, we could avoid adding a separate executable-witness
commitment by either:

A) Define that all the witness elements in v1 are type-tagged (put the minor
   witness version on them all, and redefine minor 0 as a stack item?); or
B) Use an empty element as a delimiter between stack and executable items.

To avoid witness malleability, the executable items can be required to be
sorted in some manner.

The downside of these approaches is that we now need an additional 20 or 32
bytes per script reference... which IMO may possibly be worse than losing
static analysis. I wonder if there's a way to avoid that overhead?

Luke
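
An added sketch of option (B) from the message above, written for illustration and not taken from the email or any BIP draft: it splits a witness at an empty delimiter element, enforces a canonical order on the executable items, and resolves script references by hash. The function names, the use of truncated SHA256, the "last empty element" delimiter rule and the ascending-hash sort rule are all assumptions; the email leaves the hash and the sort order unspecified.

```python
import hashlib

def script_ref(script: bytes, size: int = 32) -> bytes:
    """Hash reference to an executable item. SHA256 truncated to `size` is an
    assumption; the email only says references cost 20 or 32 bytes each."""
    if size not in (20, 32):
        raise ValueError("reference size must be 20 or 32 bytes")
    return hashlib.sha256(script).digest()[:size]

def split_witness(witness: list) -> tuple:
    """Option (B): an empty element separates stack items from executable items.
    Assumption: executable items are never empty, so the LAST empty element is
    the delimiter and empty stack items before it stay unambiguous."""
    if b"" not in witness:
        raise ValueError("no delimiter element in witness")
    idx = len(witness) - 1 - witness[::-1].index(b"")
    return witness[:idx], witness[idx + 1:]

def index_executables(executables: list, size: int = 32) -> dict:
    """Require strictly ascending reference order (assumed sort rule), so a
    relay cannot reorder or duplicate items to change the witness encoding."""
    refs = [script_ref(s, size) for s in executables]
    if any(a >= b for a, b in zip(refs, refs[1:])):
        raise ValueError("executable items are not in canonical order")
    return dict(zip(refs, executables))

def resolve(witness: list, wanted: list, size: int = 32) -> tuple:
    """Return (stack items, referenced scripts, bytes spent on references)."""
    stack, executables = split_witness(witness)
    table = index_executables(executables, size)
    missing = [r.hex() for r in wanted if r not in table]
    if missing:
        raise ValueError("unresolved script reference: " + ", ".join(missing))
    return stack, [table[r] for r in wanted], len(wanted) * size

# Constructed sample data: opaque byte strings stand in for scripts and signatures.
SCRIPTS = sorted([b"\x51\x87", b"\x52\x93\x87"], key=script_ref)
WITNESS = [b"<sig>", b"", b"\x01", b""] + SCRIPTS

if __name__ == "__main__":
    stack, scripts, overhead = resolve(WITNESS, [script_ref(SCRIPTS[1])])
    print(stack, scripts, overhead)
```

The third value returned by `resolve` is the per-reference cost the message worries about: it grows by 20 or 32 bytes for every script referenced.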