Return-Path: Received: from smtp2.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 41B9EC000E for ; Tue, 6 Jul 2021 18:21:47 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 2138140111 for ; Tue, 6 Jul 2021 18:21:47 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: smtp2.osuosl.org (amavisd-new); dkim=pass (2048-bit key) header.d=blockstream-com.20150623.gappssmtp.com Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ferPn_fSUqtu for ; Tue, 6 Jul 2021 18:21:45 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) by smtp2.osuosl.org (Postfix) with ESMTPS id A40774010D for ; Tue, 6 Jul 2021 18:21:45 +0000 (UTC) Received: by mail-qk1-x731.google.com with SMTP id s4so2463259qkm.13 for ; Tue, 06 Jul 2021 11:21:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=7IDfU9QQjZIkJtaDXza29WWuVXEeRAsenSaF5MDBg+E=; b=zAQ3SzpOZOZy6EFIUjzSbzfnkbABNluYMNHYGq2i18p5q4tjtA2o/pIz4nXJRY+CGB 6QC6dLkk8Y7iUeUcaXMXoisddkbw8jjhkGVvJgKMwDZIq8Fj7xqqCn/UdoQ8MOoCjfVn EQB7kb39mEOR/vnMYkGwqV9OKXE5jA66cBJcyN7J0NpdPYHXs+SA4q5ANoaS5xB9P8Vz 5PG8onXRGN/kJVpVINdC+GzOhvzM8ufv8EJr81V/2UcI2clZTobSMOJZVnOiTavfs3aS RDY0nA/gcFIGUVlWAI2bYd3GFXkwZ8XUq9qNHO81GYnT1q+0GAouz8H65Q8Wiu9BKaF/ GKAw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=7IDfU9QQjZIkJtaDXza29WWuVXEeRAsenSaF5MDBg+E=; b=mCdf5Efm8gS4r3VhFsNUCirZisLgZztGpEZLmH7Ig0Ai2mq9q7znxSNoxBsknk6mHK 1gDmU6P6XLtxGrRg43jep97TV0nOjDyYgvDspco7d94yUveTu6V/EQJ8CgiMIdX0TIit bcHmmGdLqfgxy5UwuKdG9BTRrg9ctxuvT4yve5fV1/TEETermO+Ii4qu/78aRvStjLOn hzRnDfO8Zzex+UcxRnkGSLDf9zL8eVQduhlukGEiBsLwOLw33u1MBbgC62DfQNeZhb2W Kz93jbuL2goQBcvt3GqktyUUhqxOdbxDDxlGEkpOsVo6YP0reffsqhSWtomF7any2JVx iKjg== X-Gm-Message-State: AOAM533Gj5N7oaZ6SbnAU1WVQE67Bf0/tWmJbOWeDHuKT7Nt4uM+uxeB n7bV/naf7Akqufc02zxHsoBkWSxOm5R/mdb+ulEtEA== X-Google-Smtp-Source: ABdhPJzgR4T0V9UnSIC0JmsuNUiS43t7MkZN0mXtcr3P+rsJDqKEt3z+3Sh+fVmJZ69459ZJHvBSwaisM6r2mFPXhXY= X-Received: by 2002:a37:4685:: with SMTP id t127mr21227488qka.384.1625595704477; Tue, 06 Jul 2021 11:21:44 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: "Russell O'Connor" Date: Tue, 6 Jul 2021 14:21:33 -0400 Message-ID: To: Jeremy , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000839d3c05c6787eab" Subject: Re: [bitcoin-dev] CHECKSIGFROMSTACK/{Verify} BIP for Bitcoin X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 06 Jul 2021 18:21:47 -0000 --000000000000839d3c05c6787eab Content-Type: text/plain; charset="UTF-8" If the main outstanding issue is whether to split R or S, I think as far as Elements goes, I am inclined to go with the CAT option regardless of whether Bitcoin chooses to split R/S or not (not that I'm necessarily a decision maker here). The issue here is that (a) Elements already has CAT, and (b) updating CHECKSIGFROMSTACK is effectively a blocking issue for deploying Taproot on Elements. I don't think we will be holding up CHECKSIGFROMSTACK for this issue even if it risks being incompatible with an eventual Bitcoin CHECKSIGFROMSTACK. To be clear, I don't mean to prejudice this discussion by this statement. This just happens to be what makes sense for the Elements project at this time, and what makes sense for Elements may not necessarily make sense for Bitcoin. Of course, I think we should just go for CAT compatibility. Otherwise we are just going to have a proliferation of trusted CAT oracles paid for with lightning by people wanting to perform CAT operations. On Tue, Jul 6, 2021 at 1:55 PM Jeremy via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Re-threading Sanket's comment on split R value: > > I also am in general support of the `OP_CHECKSIGFROMSTACK` opcode. We >> would need to update the suggestion to BIP340, and add it to sigops budget. >> I have no strong preference for splitting R and s values or variable-length >> messages. >> > > Back to my comment: > > > I see a few options: > > 1) Making a new 64 byte PK standard which is (R, PK) > 2) Splitting (R,S) > 3) Different opcodes > 4) CAT > > The drawback of option 1 is that it's designed to support only very > specific use cases. The main drawback of splitting via option 2 is that you > entail an extra push byte for every use. Option 3 wastes opcodes. CAT has > the general drawbacks of CAT, but worth noting that CAT will likely > eventually land making the splitting feature redundant. > > > Before getting too in the weeds, it might be worth listing out interesting > script fragments that people are aware of with split R/S so we can see how > useful it might be? > > Use a specific R Value > - || SWAP CSFS > > Reuse arbitrary R for a specific M (pay to leak key) > - || DUP2 EQUAL NOT VERIFY 2 PICK SWAP DUP TOALTSTACK > CSFSV FROMALTSTACK CSFS > > Verify 2 different messages reuse the same R. > - || 2 PICK EQUAL NOT VERIFY 3 PICK DUP > TOALTSTACK CSFSV FROMALTSTACK CSFS > > Use a R Value signed by an oracle: > - || DUP TOALTSTACK CSFSV > FROMALTSTACK SWAP CSFS > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000839d3c05c6787eab Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
If the main outstanding issue is whether to split R o= r S, I think as far as Elements goes, I am inclined to go with the CAT opti= on regardless of whether Bitcoin chooses to split R/S or not (not that I= 9;m necessarily a decision maker here).

The is= sue here is that (a) Elements already has CAT, and (b) updating CHECKSIGFRO= MSTACK is effectively a blocking issue for deploying Taproot on Elements.= =C2=A0 I don't think we will be holding up CHECKSIGFROMSTACK for this i= ssue even if it risks being incompatible with an eventual Bitcoin CHECKSIGF= ROMSTACK.

To be clear, I don't mean to prejudi= ce this discussion by this statement.=C2=A0 This just happens to be what ma= kes sense for the Elements project at this time, and what makes sense for E= lements may not necessarily make sense for Bitcoin.

Of course, I think we should just go for CAT compatibility.=C2=A0 Otherwi= se we are just going to have a proliferation of trusted CAT oracles paid fo= r with lightning by people wanting to perform CAT operations.

=
On Tue, Ju= l 6, 2021 at 1:55 PM Jeremy via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>= wrote:
Re-threading Sanket's comment on = split R value:

I also am in general support of=C2=A0the `OP_C= HECKSIGFROMSTACK` opcode. We=20 would need to update the suggestion to BIP340, and add it to sigops=20 budget. I have no strong preference for splitting R and s values or=20 variable-length messages.=C2=A0

Back to my comment:

=C2=A0
I see a few options:

1) Making= a new 64 byte PK standard which is (R, PK)
2) Splitting (= R,S)
3) Different opcodes
4) CAT

The drawback of option 1 is that it'= s designed to support only very specific use cases. The main drawback of sp= litting via option 2 is that you entail an extra push byte for every use. O= ption 3 wastes opcodes. CAT has the general drawbacks of CAT, but worth not= ing that CAT will likely eventually land making the splitting feature redun= dant.


Before g= etting too in the weeds, it might be worth listing out interesting script f= ragments that people are aware of with split R/S so we can see how useful i= t might be?

Use a specific R Value
- <S> <M> || <R> SWAP <PK> CSFS=

Reuse arbitrary R for a specific M = (pay to leak key)
-=C2=A0 <R> <S1> <S2= >=C2=A0 ||=C2=A0 DUP2 EQUAL NOT VERIFY 2 PICK SWAP <M> DUP TOALTST= ACK CSFSV FROMALTSTACK CSFS

Veri= fy 2 different messages reuse the same R.
- <S1>= <R> <M1> <S2> <M2> ||=C2=A0 2 PICK EQUAL NOT VERIF= Y 3 PICK <PK> DUP TOALTSTACK CSFSV FROMALTSTACK CSFS

Use a R Value signed by an oracle:
- <S> <M> <S_oracle> <R_oracle> <R> || DUP = TOALTSTACK <PK_oracle> CSFSV FROMALTSTACK SWAP <PK> CSFS

_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000839d3c05c6787eab--