Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id AB5E5C002D for ; Tue, 3 May 2022 15:51:35 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 8B6F54176F for ; Tue, 3 May 2022 15:51:35 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -0.123 X-Spam-Level: X-Spam-Status: No, score=-0.123 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.975, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Authentication-Results: smtp4.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_4eFar247yy for ; Tue, 3 May 2022 15:51:34 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) by smtp4.osuosl.org (Postfix) with ESMTPS id C79F64176E for ; Tue, 3 May 2022 15:51:33 +0000 (UTC) Received: by mail-lf1-x12d.google.com with SMTP id x17so31009899lfa.10 for ; Tue, 03 May 2022 08:51:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=pFRTlepR1a7pfpLsY9MFYym0/VtK2PRT/37BoXtfMC0=; b=jbpcoyZPotujSoNkzXcNHBhQgka4rmW+u7xzyuw60uC2Fm4CwL+WEQi5WJTtGBQ3YW jwcJOFBx/U9ina1CP5wS2mN/1WXxfGPtMTM6ryX8AkoqxwmVN6uXKtpEnFEF58OaOkfY RMdfiR1gZa4grRtjdLnnIFGWP9vIKyyiUEPeQ/b7p1a5ZAMuy+oND4JleAOX8YeP+PNc sxofskiS3ESV3p8LzKf3/HLlNUz+hxGC3sZo/kgy8/bR6M9ODctTU7xbP4e7VS/rE6/a YaKt7G0bdU/4s3Q64j7QEElUYqWO1B6sExGr/HdTNfdvGj3p9X9lgA1iMr+OCfjp3C8o hTyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=pFRTlepR1a7pfpLsY9MFYym0/VtK2PRT/37BoXtfMC0=; b=JsonWY+kIwuHjiGE4xSp7HfjhVHtIxXoaofPzVQ3OAjoqo7tplnCZDQEOTK7i6cgBr AtGQzbMfAkGDDEEzSRqZ6ErLvWeBhxKYoojnEKtHxXTYFiprojmj+SY9Oe47+5wKoiIy vYOjpLEX0Rx5IYqs+cBXCGbOYxo6SFaKjvZpHutlAT7778SDHiGKJy05c5pbaDAkqfL5 6R321H7tVT9eOhi1Y1OungmH10qDhLPoqs+j9saB7EJo2WrCdTVGsKLayuvniYK6paXt eBAYMbnVlMIjhPlUqQ7x7RXThsqJh8VEnXMR6Sckfi3mNZURlhi+mR9U+wvKsvj35/Vj 8z7g== X-Gm-Message-State: AOAM531P80/QgRn6iUEfFwGLNWFRSOckTQBOZLZIvz7NSJQUMr9DUlsg cgJpRQ28+lpWPAXTLmMfuX08S0iKr3QdVf1Ko3Q= X-Google-Smtp-Source: ABdhPJw8EdoV9/BKytujcR5RaJXN+RywXM60AbD9ghj3DN76Mv9z3BP7TYkiZK6JBhnEzXWYufcMm54sZBpmLxH/rp0= X-Received: by 2002:ac2:5ecc:0:b0:472:3c01:9a2e with SMTP id d12-20020ac25ecc000000b004723c019a2emr11076330lfq.245.1651593091494; Tue, 03 May 2022 08:51:31 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Jeremy Rubin Date: Tue, 3 May 2022 08:51:18 -0700 Message-ID: To: darosior , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="00000000000088368905de1d7bad" Subject: Re: [bitcoin-dev] ANYPREVOUT in place of CTV X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 May 2022 15:51:35 -0000 --00000000000088368905de1d7bad Content-Type: text/plain; charset="UTF-8" Antoine, One high level reason to not prefer APO is that it gets 'dangerously close' to fully recursive covenants. E.g., just by tweaking APO to use a Schnorr signature without PK commitment, Pubkey Recovery would be possible, and fully recursive covenants could be done. Short of that type of modification, you can still do a "trusted setup" key deletion covenant with APO and have a fully recursive covenant set up. E.g. <1 || N-N MuSig> APO where the N-N MuSig pregenerates a signature of a transaction that commits to an output with itself, e.g., using SIGHASH_SINGLE. By itself, this is not super useful, but does create the type of thing that people might worry about with a recursive covenant since after initialization it is autonomous. One use case for this might be, for example, a spacechain backbone that infinitely iterates, so it isn't entirely useless. If other opcodes are added, such as OP_IN_OUT_AMOUNT, then you can get all sorts of recursive covenant interesting stuff on top of that, since you could pre-sign e.g. for a quanitzed vault a number of different deposit/withdraw programs as well as increasing balances depending on timeout waited. Therefore, I think reasonable people might discriminate the "complexity class" of the design space available with just CTV v.s. APO. In contrast, the approach of smaller independent steps: 1) Adding CTV 2) Adding CSFS (enables APO-like behavior, sufficient for Eltoo) 3) Adding flags to CTV, similar to TXHASH, or just adding TXHASH (enables full covenants) 4) Ergonomic OPCodes for covenants like TLUV, EcTweak, MAST building, etc (enables efficient covenants) is a much more granular path where we are able to cleanly 'level up' into each covenant complexity class only if we deem it to be safe. comment about timelines to produce a modified APO Best, Jeremy -- @JeremyRubin On Fri, Apr 22, 2022 at 4:23 AM darosior via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > I would like to know people's sentiment about doing (a very slightly > tweaked version of) BIP118 in place of > (or before doing) BIP119. > > SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for > over 6 years. It presents proven and > implemented usecases, that are demanded and (please someone correct me if > i'm wrong) more widely accepted than > CTV's. > > SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made > optional [0], can emulate CTV just fine. > Sure then you can't have bare or Segwit v0 CTV, and it's a bit more > expensive to use. But we can consider CTV > an optimization of APO-AS covenants. > > CTV advocates have been presenting vaults as the flagship usecase. > Although as someone who've been trying to > implement practical vaults for the past 2 years i doubt CTV is necessary > nor sufficient for this (but still > useful!), using APO-AS covers it. And it's not a couple dozen more virtual > bytes that are going to matter for > a potential vault user. > > If after some time all of us who are currently dubious about CTV's stated > usecases are proven wrong by onchain > usage of a less efficient construction to achieve the same goal, we could > roll-out CTV as an optimization. In > the meantime others will have been able to deploy new applications > leveraging ANYPREVOUT (Eltoo, blind > statechains, etc..[1]). > > > Given the interest in, and demand for, both simple covenants and better > offchain protocols it seems to me that > BIP118 is a soft fork candidate that could benefit more (if not most of) > Bitcoin users. > Actually i'd also be interested in knowing if people would oppose the > APO-AS part of BIP118, since it enables > CTV's features, for the same reason they'd oppose BIP119. > > > [0] That is, to not commit to the other inputs of the transaction (via > `sha_sequences` and maybe also > `sha_amounts`). Cf > https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message > . > > [1] https://anyprevout.xyz/ "Use Cases" section > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --00000000000088368905de1d7bad Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Antoine,

One high = level reason to not prefer APO is that it gets 'dangerously close' = to fully recursive covenants.

E.g., just by tweaking APO to use a Sch= norr signature without PK commitment, Pubkey Recovery would be possible, an= d fully recursive covenants could be done.

Short of that type of modi= fication, you can still do a "trusted setup" key deletion covenan= t with APO and have a fully recursive covenant set up. E.g.

<1 || = N-N MuSig> APO

where the N-N MuSig pregenerates a signature of a t= ransaction that commits to an output with itself, e.g., using SIGHASH_SINGL= E.

By itself, this is not super useful, but does create the type of t= hing that people might worry about with a recursive covenant since after in= itialization it is autonomous.

One use case for this might be, for ex= ample, a spacechain backbone that infinitely iterates, so it isn't enti= rely useless.

If other opcodes are added, such as OP_IN_OUT_AMOUNT, t= hen you can get all sorts of recursive covenant interesting stuff on top of= that, since you could pre-sign e.g. for a quanitzed vault a number of diff= erent deposit/withdraw programs as well as increasing balances depending on= timeout waited.


Therefore= , I think reasonable people might discriminate the "complexity class&q= uot; of the design space available with just CTV v.s. APO.

In con= trast, the approach of smaller independent steps:

1) Adding CTV
=
2) Adding CSFS (enables APO-like behavior,= sufficient for Eltoo)
3) Adding flag= s to CTV, similar to TXHASH, or just adding TXHASH (enables full covenants)=
4) Ergonomic OPCodes for covenants l= ike TLUV, EcTweak, MAST building, etc (enables efficient covenants)

i= s a much more granular path where we are able to cleanly 'level up'= into each covenant complexity class only if we deem it to be safe.

&= lt;redacted>comment about timelines to produce a modified APO</redact= ed>

Best,

Jeremy


On Fri, Apr 22, 2022 at 4:23 AM darosio= r via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:<= br>
I would like to know people's sentiment about= doing (a very slightly tweaked version of) BIP118 in place of
(or before doing) BIP119.

SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for ove= r 6 years. It presents proven and
implemented usecases, that are demanded and (please someone correct me if i= 'm wrong) more widely accepted than
CTV's.

SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is m= ade optional [0], can emulate CTV just fine.
Sure then you can't have bare or Segwit v0 CTV, and it's a bit more= expensive to use. But we can consider CTV
an optimization of APO-AS covenants.

CTV advocates have been presenting vaults as the flagship usecase. Although= as someone who've been trying to
implement practical vaults for the past 2 years i doubt CTV is necessary no= r sufficient for this (but still
useful!), using APO-AS covers it. And it's not a couple dozen more virt= ual bytes that are going to matter for
a potential vault user.

If after some time all of us who are currently dubious about CTV's stat= ed usecases are proven wrong by onchain
usage of a less efficient construction to achieve the same goal, we could r= oll-out CTV as an optimization.=C2=A0 In
the meantime others will have been able to deploy new applications leveragi= ng ANYPREVOUT (Eltoo, blind
statechains, etc..[1]).


Given the interest in, and demand for, both simple covenants and better off= chain protocols it seems to me that
BIP118 is a soft fork candidate that could benefit more (if not most of) Bi= tcoin users.
Actually i'd also be interested in knowing if people would oppose the A= PO-AS part of BIP118, since it enables
CTV's features, for the same reason they'd oppose BIP119.


[0] That is, to not commit to the other inputs of the transaction (via `sha= _sequences` and maybe also
`sha_amounts`). Cf h= ttps://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-mes= sage.

[1] https://anyprevout.xyz/ "Use Cases" section
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--00000000000088368905de1d7bad--