Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 775AD927 for ; Thu, 21 Sep 2017 04:12:45 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from zinan.dashjr.org (zinan.dashjr.org [192.3.11.21]) by smtp1.linuxfoundation.org (Postfix) with ESMTP id E2AA9469 for ; Thu, 21 Sep 2017 04:12:44 +0000 (UTC) Received: from ishibashi.localnet (unknown [IPv6:2001:470:5:265:a45d:823b:2d27:961c]) (Authenticated sender: luke-jr) by zinan.dashjr.org (Postfix) with ESMTPSA id B404038A0087; Thu, 21 Sep 2017 04:11:51 +0000 (UTC) X-Hashcash: 1:25:170921:jl2012@xbt.hk::zuUH7Ji3YUIwErOZ:bJSzQ X-Hashcash: 1:25:170921:bitcoin-dev@lists.linuxfoundation.org::4WLi+LDhpnqgmR4U:RsDj X-Hashcash: 1:25:170921:mark@friedenbach.org::XUx35fpmyldTJncc:b/Krn From: Luke Dashjr To: Johnson Lau Date: Thu, 21 Sep 2017 04:11:49 +0000 User-Agent: KMail/1.13.7 (Linux/4.12.5-gentoo; KDE/4.14.34; x86_64; ; ) References: <5B6756D0-6BEF-4A01-BDB8-52C646916E29@friedenbach.org> <201709190309.08669.luke@dashjr.org> In-Reply-To: X-PGP-Key-Fingerprint: E463 A93F 5F31 17EE DE6C 7316 BD02 9424 21F4 889F X-PGP-Key-ID: BD02942421F4889F X-PGP-Keyserver: hkp://pgp.mit.edu MIME-Version: 1.0 Content-Type: Text/Plain; charset="iso-8859-15" Content-Transfer-Encoding: 7bit Message-Id: <201709210411.50642.luke@dashjr.org> X-Spam-Status: No, score=1.3 required=5.0 tests=RCVD_IN_DNSWL_MED, RCVD_IN_SBL_CSS,RP_MATCHES_RCVD autolearn=disabled version=3.3.1 X-Spam-Level: * X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Cc: bitcoin-dev Subject: Re: [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 21 Sep 2017 04:12:45 -0000 On Wednesday 20 September 2017 5:13:04 AM Johnson Lau wrote: > 2. OP_RETURNTRUE does not work well with signature aggregation. Signature > aggregation will collect (pubkey, message) pairs in a tx, combine them, > and verify with one signature. However, consider the following case: > > OP_RETURNTRUE OP_IF OP_CHECKSIGVERIFY OP_ENDIF OP_TRUE > > For old nodes, the script terminates at OP_RETURNTRUE, and it will not > collect the (pubkey, message) pair. > > If we use a softfork to transform OP_RETURNTRUE into OP_17 (pushing the > number 17 to the stack), new nodes will collect the (pubkey, message) pair > and try to aggregate with other pairs. This becomes a hardfork. This seems like a problem for signature aggregation to address, not a problem for OP_RETURNTRUE... In any case, I don't think it's insurmountable. Signature aggregation can simply be setup upfront, and have the Script verify inclusion of keys in the aggregation? > Technically, we could create ANY op code with an OP_NOP. For example, if we > want OP_MUL, we could have OP_MULVERIFY, which verifies if the 3rd stack > item is the product of the top 2 stack items. Therefore, OP_MULVERIFY > OP_2DROP is functionally same as OP_MUL, which removes the top 2 items and > returns the product. The problem is it takes more witness space. This is another approach, and one that seems like a good idea in general. I'm not sure it actually needs to take more witness space - in theory, such stack items could be implied if the Script engine is designed for it upfront. Then it would behave as if it were non-verify, while retaining backward compatibility. Luke