MIME-Version: 1.0
References: <CAMZUoK=pkZuovtifBzdqhoyegzG+9hRTFEc7fG9nZPDK4KbU3w@mail.gmail.com>
 <CAD5xwhhwqJ_AETAb3p_zUZmRX-Dzh8J9G984zwEs=KFsGN8aNQ@mail.gmail.com>
 <CAMZUoKmU1cwUAQaBv5m8oo8H3TWBvgsZ_OkQaMC0n0+3cpFtWg@mail.gmail.com>
 <CAPfvXfLr4n6RsS6VbEZR59=MRwAx41Crx88ko8-qnRXW4nFYGA@mail.gmail.com>
 <CAMZUoKkvoJs0WtN71A_qRSwToP4YnY707WdW3C-KJYGXsmkjSw@mail.gmail.com>
 <CAPfvXfLWtDvgJYwQCaxnww5jyQkqFsi6aG0OUxtp3Okx_ab7Hw@mail.gmail.com>
In-Reply-To: <CAPfvXfLWtDvgJYwQCaxnww5jyQkqFsi6aG0OUxtp3Okx_ab7Hw@mail.gmail.com>
From: "Russell O'Connor" <roconnor@blockstream.com>
Date: Sat, 29 Jan 2022 10:43:13 -0500
Message-ID: <CAMZUoKkqEx5mh9Aq9XFc=7YPKmfObMzEipECFuWm4e3q_tVEEQ@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="00000000000078758305d6ba6945"
Subject: Re: [bitcoin-dev] TXHASH + CHECKSIGFROMSTACKVERIFY in lieu of CTV
	and ANYPREVOUT
Precedence: list

--00000000000078758305d6ba6945
Content-Type: text/plain; charset="UTF-8"

On Fri, Jan 28, 2022 at 10:14 AM James O'Beirne <james.obeirne@gmail.com>
wrote:

> > Technical debt isn't a measure of weight of transactions.
>
> Sorry, my original sentence was a little unclear. I meant to say that the
> notion that CTV is just a subpar waypoint en route to a more general
> covenant system may not be accurate if it is a more efficient way (in terms
> of chainstate/weight) to express highly useful patterns like vaults. In
> that case, characterizing CTV as technical debt wouldn't be right.
>

It only costs a few more weight units, on the order of 2 or 3, to use
TXHASH in place of CTV.  Notably, the reverse, using CTV in place of
TXHASH, is much more expensive, requiring more than 32 weight units.


> > Our only option here is to be mindful of the long term implications of
> the design choices we are making today.
>
> Your points are well taken - I don't think anyone is arguing against
> thinking hard about consensus changes. But I have yet to see a proposal for
> covenants that is as efficient on-chain and easy to reason about as CTV is.
>
> I also think there's some value in "legging into" covenants by deploying a
> simple, non-recursive construction like CTV that services some very
> important uses, and then taking as much time as necessary to think about
> how to solve more existential problems, like UTXO scalability, that likely
> require a recursive covenant construction.
>
> There doesn't have to be mutual exclusion in the approaches, especially
> when the maintenance burden of CTV seems to be so low. If we end up
> deploying something that requires a wider variety of in-script hashing, it
> seems likely that CTV's hash will be able to "free ride" on whatever more
> general sighash cache structure we come up with.
>

Perhaps there is some misunderstanding.  TXHASH + CSFSV doesn't allow for
complex or recursive covenants.  Typically CAT is needed, at minimum, to
create those sorts of things.  TXHASH still amounts to deploying a
non-recursive covenant construction.

With regards to CTV, in short my primary criticisms are (1) Push semantics
is preferable to verify semantics, because simulating verify semantics from
push is cheap, while simulating push semantics from verify is not
particularly cheap.
And (2) given Push semantics we ought to have parameters to support both
CTV-style hashes and APO-style hashes (which in the presence of CSFSV gives
us APO applications), and, while we are at it, as many other style hashes
as we can reasonably devise so we don't have to go through yet another
soft-fork process every time someone comes up with a new subset of
transaction data they would like to be hashed for their application.

I understand why CTV was designed with verify semantics: it would like to
be NOP compatible.  That certainly made sense pre-tapscript.  I just
haven't (yet) found the use cases for that compatibility to be compelling
in a post-tapscript world.

--00000000000078758305d6ba6945
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail=
_attr">On Fri, Jan 28, 2022 at 10:14 AM James O&#39;Beirne &lt;<a href=3D"m=
ailto:james.obeirne@gmail.com">james.obeirne@gmail.com</a>&gt; wrote:<br></=
div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bor=
der-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"><div=
 dir=3D"ltr">&gt; Technical debt isn&#39;t a measure of weight of transacti=
ons. <br></div><div dir=3D"ltr"><br></div><div>Sorry, my original sentence =
was a little unclear. I meant to say that the notion that CTV is just a sub=
par waypoint en route to a more general covenant system may not be accurate=
 if it is a more efficient way (in terms of chainstate/weight) to express h=
ighly useful patterns like vaults. In that case, characterizing CTV as tech=
nical debt wouldn&#39;t be right.<br></div></div></blockquote><div><br></di=
v><div>It only costs a few more weight units, on the order of 2 or 3, to us=
e TXHASH in place of CTV.=C2=A0 Notably, the reverse, using CTV in place of=
 TXHASH, is much more expensive, requiring more than 32 weight units.<br></=
div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div=
 dir=3D"ltr"><div></div><div>&gt; Our only option here is to be mindful of =
the long term implications of the design choices we are making today.</div>=
<div><br></div><div>Your points are well taken - I don&#39;t think anyone i=
s arguing against thinking hard about consensus changes. But I have yet to =
see a proposal for covenants that is as efficient on-chain and easy to reas=
on about as CTV is. <br></div><div><br></div><div>I also think there&#39;s =
some value in &quot;legging into&quot; covenants by deploying a simple, non=
-recursive construction like CTV that services some very important uses, an=
d then taking as much time as necessary to think about how to solve more ex=
istential problems, like UTXO scalability, that likely require a recursive =
covenant construction. </div><div><br></div><div>There doesn&#39;t have to =
be mutual exclusion in the approaches, especially when the maintenance burd=
en of CTV seems to be so low. If we end up deploying something that require=
s a wider variety of in-script hashing, it seems likely that CTV&#39;s hash=
 will be able to &quot;free ride&quot; on whatever more general sighash cac=
he structure we come up with.<br></div></div></blockquote><div><br></div><d=
iv>Perhaps there is some misunderstanding.=C2=A0 TXHASH=C2=A0+ CSFSV doesn&=
#39;t allow for complex or recursive covenants.=C2=A0 Typically CAT is need=
ed, at minimum, to create those sorts of things.=C2=A0 TXHASH still amounts=
 to deploying a non-recursive covenant construction.<br></div><div><br></di=
v><div>With regards to CTV, in short my primary criticisms are (1) Push sem=
antics is preferable to verify semantics, because simulating verify semanti=
cs from push is cheap, while simulating push semantics from verify is not p=
articularly cheap.</div><div>And (2) given Push semantics we ought to have =
parameters to support both CTV-style hashes and APO-style hashes (which in =
the presence of CSFSV gives us APO applications), and, while we are at it, =
as many other style hashes as we can reasonably devise so we don&#39;t have=
 to go through yet another soft-fork process every time someone comes up wi=
th a new subset of transaction data they would like to be hashed for their =
application.<br></div><div><br></div><div>I understand why CTV was designed=
 with verify semantics: it would like to be NOP compatible.=C2=A0 That cert=
ainly made sense pre-tapscript.=C2=A0 I just haven&#39;t (yet) found the us=
e cases for that compatibility to be compelling in a post-tapscript world.<=
br></div></div></div>

--00000000000078758305d6ba6945--