Return-Path: <mark@friedenbach.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 9EF94AAC
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  1 Nov 2017 15:08:49 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pf0-f177.google.com (mail-pf0-f177.google.com
	[209.85.192.177])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id D5A9C4C7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed,  1 Nov 2017 15:08:48 +0000 (UTC)
Received: by mail-pf0-f177.google.com with SMTP id x7so2188614pfa.1
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 01 Nov 2017 08:08:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=friedenbach-org.20150623.gappssmtp.com; s=20150623;
	h=mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to;
	bh=SGvAlvlV27fDrOLxA6WLSQfUyd7mwjqPOqAcBy8AaW0=;
	b=tyyIHg3VJcku+KSAkCMLZw0HQSohq9E3ypPSPfCZkdWpswEggNp/OtuNa+F/IECms0
	95Xx6dljCulENAg4OcANgmD3sOn1Z2RXk/cm+vttlPe1MjUL4uW9ckJo6BBHVtsTiL73
	NFAHV/Pbovjtu/4THWFozm299t5AcJO03BxKKQuQkxinu5kFas9nv6XW2UZ4jIOQIN0J
	r3kYLKToWIRp3GH/ad3wvNyHva0ToFFe+VVXk3mi+qMMAaHplQxQxQ0YwD60VZdrnlIn
	8WLnpaEkrkczVroUJ8j5TGNypX+5Hs9uhYe8QQH8A8DO7m63A99n4FiMtMh9Jrf0c+DH
	bDbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc
	:content-transfer-encoding:message-id:references:to;
	bh=SGvAlvlV27fDrOLxA6WLSQfUyd7mwjqPOqAcBy8AaW0=;
	b=k35HEy1PkqKnhcIzNTML/LLWVGnrxY6KO1tAXEXMNfLqd+2oU/XgeEq5xIyV8bVVlz
	MoeDNyp6ZghIj2x01c7Elb2+xbFat8NqWz+WLAGdvgsYnW0WYIUCZsiCd/+3A7GP4ROQ
	rt6PyK2OrTXiZUCqf47fN0cGtVlQAk6A1fTzu9pIfl8vTr6lFq9EtHwjXxYOcV0Jiu+t
	1diydUWlMv9cRgdQCqg2wogmnDIFhE+47e7UC+TNq5QTvyKR3cBugmJURc9Z2iPEOzgt
	hGTSFssUOwSfrktqpYaMeXgV/rZbZIS5k0xI3+OTWT4AC6LNFQ555yQ3FgdGa1dLEDto
	JV1A==
X-Gm-Message-State: AMCzsaXM5k2pD5YnGxgnPS8IzangSh+6gGgFf4YFDshHLoo8lBR4K/lV
	dA0+MPdokXozsG8KKYoIIVFD1PbA9cs=
X-Google-Smtp-Source: ABhQp+Tk1MOByTKlC6kTGFA2DrrOHWmVT2UA6ToKhQK7kCNP7p/GsN4WEjukHLWyIpG0oUssBN8+nA==
X-Received: by 10.98.72.198 with SMTP id q67mr241415pfi.110.1509548928025;
	Wed, 01 Nov 2017 08:08:48 -0700 (PDT)
Received: from ?IPv6:2607:fb90:a45b:cc2c:ddb4:9930:9e3d:3dfb?
	([2607:fb90:a45b:cc2c:ddb4:9930:9e3d:3dfb])
	by smtp.gmail.com with ESMTPSA id
	t18sm2082603pfi.98.2017.11.01.08.08.47
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 01 Nov 2017 08:08:47 -0700 (PDT)
Content-Type: text/plain;
	charset=gb2312
Mime-Version: 1.0 (1.0)
From: Mark Friedenbach <mark@friedenbach.org>
X-Mailer: iPhone Mail (15A432)
In-Reply-To: <201711010843.49771.luke@dashjr.org>
Date: Wed, 1 Nov 2017 08:08:46 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <4F328120-94E0-4EFF-A76D-99E6007FA906@friedenbach.org>
References: <5B6756D0-6BEF-4A01-BDB8-52C646916E29@friedenbach.org>
	<3FE16880-868C-40BA-BCC5-954B15478FB2@friedenbach.org>
	<201711010843.49771.luke@dashjr.org>
To: Luke Dashjr <luke@dashjr.org>
X-Spam-Status: No, score=0.5 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	MIME_QP_LONG_LINE, RCVD_IN_DNSWL_NONE,
	RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Merkle branch verification & tail-call semantics
	for generalized MAST
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2017 15:08:49 -0000

Yes, if you use a witness script version you can save about 40 witness bytes=
 by templating the MBV script, which I think is equivalent to what you are s=
uggesting. 32 bytes from the saved hash, plus another 8 bytes or so from scr=
ipt templates and more efficient serialization.

I believe the conservatively correct approach is to do this in stages, howev=
er. First roll out MBV and tail call to witness v0. Then once there is exper=
ience with people using it in production, design and deploy a hashing templa=
te for script v1. It might be that we learn more and think of something bett=
er in the meantime.

> On Nov 1, 2017, at 1:43 AM, Luke Dashjr <luke@dashjr.org> wrote:
>=20
> Mark,
>=20
> I think I have found an improvement that can be made.
>=20
> As you recall, a downside to this approach is that one must make two=20
> commitments: first, to the particular "membership-checking script"; and th=
en=20
> in that script, to the particular merkle root of possible scripts.
>=20
> Would there be any harm in, instead of checking membership, *calculating* t=
he=20
> root? If not, then we could define that instead of the witness program=20
> committing to H(membership-check script), it rather commits to H(membershi=
p-
> calculation script | data added by an OP_ADDTOSCRIPTHASH). This would, I=20=

> believe, securely reduce the commitment of both to a single hash.
>=20
> It also doesn't reduce flexibility, since one could omit OP_ADDTOSCRIPTHAS=
H=20
> from their "membership-calculation" script to get the previous membership-=

> check behaviour, and use <hash> OP_EQUAL in its place.
>=20
> What do you think?
>=20
> Luke
>=20
>=20
>> On Saturday 28 October 2017 4:40:01 AM Mark Friedenbach wrote:
>> I have completed updating the three BIPs with all the feedback that I hav=
e
>> received so far. In short summary, here is an incomplete list of the
>> changes that were made:
>>=20
>> * Modified the hashing function fast-SHA256 so that an internal node cann=
ot
>> be interpreted simultaneously as a leaf. * Changed MERKLEBRANCHVERIFY to
>> verify a configurable number of elements from the tree, instead of just
>> one. * Changed MERKLEBRANCHVERIFY to have two modes: one where the inputs=

>> are assumed to be hashes, and one where they are run through double-SHA25=
6
>> first. * Made tail-call eval compatible with BIP141=A1=AFs CLEANSTACK con=
sensus
>> rule by allowing parameters to be passed on the alt-stack. * Restricted
>> tail-call eval to segwit scripts only, so that checking sigop and opcode
>> limits of the policy script would not be necessary.
>>=20
>> There were a bunch of other small modifications, typo fixes, and
>> optimizations that were made as well.
>>=20
>> I am now ready to submit these BIPs as a PR against the bitcoin/bips repo=
,
>> and I request that the BIP editor assign numbers.
>>=20
>> Thank you,
>> Mark Friedenbach
>>=20
>>> On Sep 6, 2017, at 5:38 PM, Mark Friedenbach <mark@friedenbach.org>
>>> wrote:
>>>=20
>>> I would like to propose two new script features to be added to the
>>> bitcoin protocol by means of soft-fork activation. These features are
>>> a new opcode, MERKLE-BRANCH-VERIFY (MBV) and tail-call execution
>>> semantics.
>>>=20
>>> In brief summary, MERKLE-BRANCH-VERIFY allows script authors to force
>>> redemption to use values selected from a pre-determined set committed
>>> to in the scriptPubKey, but without requiring revelation of unused
>>> elements in the set for both enhanced privacy and smaller script
>>> sizes. Tail-call execution semantics allows a single level of
>>> recursion into a subscript, providing properties similar to P2SH while
>>> at the same time more flexible.
>>>=20
>>> These two features together are enough to enable a range of
>>> applications such as tree signatures (minus Schnorr aggregation) as
>>> described by Pieter Wuille [1], and a generalized MAST useful for
>>> constructing private smart contracts. It also brings privacy and
>>> fungibility improvements to users of counter-signing wallet/vault
>>> services as unique redemption policies need only be revealed if/when
>>> exceptional circumstances demand it, leaving most transactions looking
>>> the same as any other MAST-enabled multi-sig script.
>>>=20
>>> I believe that the implementation of these features is simple enough,
>>> and the use cases compelling enough that we could BIP 8/9 rollout of
>>> these features in relatively short order, perhaps before the end of
>>> the year.
>>>=20
>>> I have written three BIPs to describe these features, and their
>>> associated implementation, for which I now invite public review and
>>> discussion:
>>>=20
>>> Fast Merkle Trees
>>> BIP: https://gist.github.com/maaku/41b0054de0731321d23e9da90ba4ee0a
>>> Code: https://github.com/maaku/bitcoin/tree/fast-merkle-tree
>>>=20
>>> MERKLEBRANCHVERIFY
>>> BIP: https://gist.github.com/maaku/bcf63a208880bbf8135e453994c0e431
>>> Code: https://github.com/maaku/bitcoin/tree/merkle-branch-verify
>>>=20
>>> Tail-call execution semantics
>>> BIP: https://gist.github.com/maaku/f7b2e710c53f601279549aa74eeb5368
>>> Code: https://github.com/maaku/bitcoin/tree/tail-call-semantics
>>>=20
>>> Note: I have circulated this idea privately among a few people, and I
>>> will note that there is one piece of feedback which I agree with but
>>> is not incorporated yet: there should be a multi-element MBV opcode
>>> that allows verifying multiple items are extracted from a single
>>> tree. It is not obvious how MBV could be modified to support this
>>> without sacrificing important properties, or whether should be a
>>> separate multi-MBV opcode instead.
>>>=20
>>> Kind regards,
>>> Mark Friedenbach