From: Johnson Lau <jl2012@xbt.hk>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Message-Id: <7009A9E5-BC68-4830-991B-36C3837618D6@xbt.hk>
Date: Fri, 8 Sep 2017 17:49:46 +0800
To: bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Subject: [bitcoin-dev] BIP114 Merklized Script update and 5 BIPs for new
	script functions
Precedence: list

I have rewritten and simplified BIP114, and renamed it to =E2=80=9CMerkliz=
ed Script=E2=80=9D, as a more accurate description after consulting the =
original proposers of MAST. It could be considered as a special case of =
MAST, but has basically the same functions and scaling properties of =
MAST.

Compared with Friedenbach=E2=80=99s latest tail-call execution semantics =
proposal, I think the most notable difference is BIP114 focuses on =
maintaining the static analysability, which was a reason of OP_EVAL =
(BIP12) being rejected. Currently we could count the number of sigOp =
without executing the script, and this remains true with BIP114. Since =
sigOp is a block-level limit, any OP_EVAL-like operation means block =
validity will depend on the precise outcome of script execution (instead =
of just pass or fail), which is a layer violation.

Link to the revised BIP114: =
https://github.com/jl2012/bips/blob/vault/bip-0114.mediawiki

On top of BIP114, new script functions are defined with 5 BIPs:

VVV: Pay-to-witness-public-key: =
https://github.com/jl2012/bips/blob/vault/bip-0VVV.mediawiki
WWW: String and Bitwise Operations in Merklized Script Version 0: =
https://github.com/jl2012/bips/blob/vault/bip-0WWW.mediawiki
XXX: Numeric Operations in Merklized Script Version 0: =
https://github.com/jl2012/bips/blob/vault/bip-0XXX.mediawiki
YYY: ECDSA signature operations in Merklized Script Version 0: =
https://github.com/jl2012/bips/blob/vault/bip-0YYY.mediawiki
ZZZ: OP_PUSHTXDATA: =
https://github.com/jl2012/bips/blob/vault/bip-0ZZZ.mediawiki

As a summary, these BIPs have the following major features:

1. Merklized Script: a special case of MAST, allows users to hide =
unexecuted branches in their scripts (BIP114)
2. Delegation: key holder(s) may delegate the right of spending to other =
keys (scripts), with or without additional conditions such as locktime. =
(BIP114, VVV)
3. Enabling all OP codes disabled by Satoshi (based on Elements project =
with modification. BIPWWW and XXX)
4. New SIGHASH definition with very high flexibility (BIPYYY)
5. Covenant (BIPZZZ)
6. OP_CHECKSIGFROMSTACK, modified from Elements project (BIPYYY)
7. Replace ~72 byte DER sig with fixed size 64 byte compact sig. =
(BIPYYY)

All of these features are modular and no need to be deployed at once. =
The very basic BIP114 (merklized script only, no delegation) could be =
done quite easily. BIP114 has its own versioning system which makes =
introducing new functions very easy.

Things I=E2=80=99d like to have:

1. BIP114 now uses SHA256, but I=E2=80=99m open to other hash design
2. Using Schnorr or similar signature scheme, instead of ECDSA, in =
BIPYYY.

Reference implementation: =
https://github.com/jl2012/bitcoin/commits/vault=