From: Nadav Ivgi
Date: Fri, 29 Apr 2022 08:08:32 +0300
To: darosior, Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] ANYPREVOUT in place of CTV

Here's a summary of the trade-offs I see for using APO as a CTV alternative:

1. The resulting txids are not stable.

CTV commits to enough tx information such that given the txid:vout of the covenant-encumbered output, you can predict the txid of the spending tx permitted by CTV (and of the entire transaction graph descending from it).

This property could be important for some of the proposed CTV use-cases, like channel factories.

2. APO will only be available on Taproot, which some people might prefer to avoid for long-term multi-decade vault storage due to QC concerns. (Also see my previous post on this thread [0].)

3. Higher witness satisfaction cost of roughly 3x vbytes vs CTV-in-Taproot (plus 33 extra vbytes vs CTV-in-segwitv0 *in the case of a single CTV branch*, for the taproot control block. With more branches CTV-in-taproot eventually becomes preferable).

4. Higher network-wide full-node validation costs (checking a signature is quite more expensive than hashing, and the hashing is done in both cases).

5. As APO is currently spec'd, it would suffer from the half-spend problem: if you have multiple outputs encumbered under an APO covenant that requires the same tx sigmsg hash, it becomes possible to spend all of them together as multiple inputs in a single transaction and burn the extra to mining fees.

If I'm not mistaken, I believe this makes the simple-apo-vault implementation [1] vulnerable to spending multiple vaulted outputs of the same denomination together and burning all but the first one. I asked the author for a more definitive answer on twitter [2].

Fixing this requires amending BIP 118 with some new sigmsg flags (making the ANYONECANPAY behaviour optional, as mentioned in the OP).

This is definitely possible but also means that APO as-is isn't a CTV-replacement candidate, without first going through some more design and review iterations.

shesek

[0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020326.html
[1] https://github.com/darosior/simple-anyprevout-vault
[2] https://twitter.com/shesek/status/1519874493434544128

On Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

> I would like to know people's sentiment about doing (a very slightly
> tweaked version of) BIP118 in place of (or before doing) BIP119.
>
> SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for
> over 6 years. It presents proven and implemented usecases, that are
> demanded and (please someone correct me if I'm wrong) more widely
> accepted than CTV's.
>
> SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made
> optional [0], can emulate CTV just fine. Sure then you can't have bare
> or Segwit v0 CTV, and it's a bit more expensive to use. But we can
> consider CTV an optimization of APO-AS covenants.
>
> CTV advocates have been presenting vaults as the flagship usecase.
> Although as someone who's been trying to implement practical vaults for
> the past 2 years I doubt CTV is necessary nor sufficient for this (but
> still useful!), using APO-AS covers it. And it's not a couple dozen more
> virtual bytes that are going to matter for a potential vault user.
>
> If after some time all of us who are currently dubious about CTV's
> stated usecases are proven wrong by onchain usage of a less efficient
> construction to achieve the same goal, we could roll-out CTV as an
> optimization. In the meantime others will have been able to deploy new
> applications leveraging ANYPREVOUT (Eltoo, blind statechains, etc. [1]).
>
> Given the interest in, and demand for, both simple covenants and better
> offchain protocols it seems to me that BIP118 is a soft fork candidate
> that could benefit more (if not most of) Bitcoin users.
> Actually I'd also be interested in knowing if people would oppose the
> APO-AS part of BIP118, since it enables CTV's features, for the same
> reason they'd oppose BIP119.
>
> [0] That is, to not commit to the other inputs of the transaction (via
> `sha_sequences` and maybe also `sha_amounts`). Cf
> https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message
>
> [1] https://anyprevout.xyz/ "Use Cases" section
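The half-spend problem from point 5 of the message above, as an added example that is not part of the original post or of BIP 118: a simplified Python model (not the real sigmsg serialization) in which the APO-style digest leaves out the other inputs while the CTV-style digest also commits to the input count and index. The transaction layout, amounts and all function names are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def _ser_outputs(outputs):
    # outputs: list of (amount_sats, script_pubkey_bytes)
    return b"".join(a.to_bytes(8, "little") + bytes([len(s)]) + s for a, s in outputs)

def apo_style_digest(tx, idx):
    """Model: commits to version, locktime, outputs and only this input's nSequence."""
    seq = tx["inputs"][idx]["sequence"]
    return _h(tx["version"].to_bytes(4, "little"), tx["locktime"].to_bytes(4, "little"),
              seq.to_bytes(4, "little"), _h(_ser_outputs(tx["outputs"])))

def ctv_style_digest(tx, idx):
    """Model: additionally commits to input count, every nSequence and the input index."""
    seqs = b"".join(i["sequence"].to_bytes(4, "little") for i in tx["inputs"])
    return _h(apo_style_digest(tx, idx), len(tx["inputs"]).to_bytes(4, "little"),
              _h(seqs), idx.to_bytes(4, "little"))

def make_tx(n_inputs, outputs):
    # Prevouts are left out on purpose: neither digest in this model commits to them.
    return {"version": 2, "locktime": 0,
            "inputs": [{"sequence": 0xFFFFFFFD} for _ in range(n_inputs)],
            "outputs": outputs}

DENOM = 100_000_000                                          # constructed: 1 BTC deposits
UNVAULT_OUT = [(DENOM - 1_000, b"\x51\x20" + b"\x11" * 32)]  # constructed output

def half_spend_demo():
    template = make_tx(1, UNVAULT_OUT)   # the spend the covenant was built for
    combined = make_tx(2, UNVAULT_OUT)   # two same-denomination deposits, same outputs
    committed = apo_style_digest(template, 0)
    apo_ok = [apo_style_digest(combined, i) == committed for i in range(2)]
    ctv_ok = [ctv_style_digest(combined, i) == ctv_style_digest(template, 0)
              for i in range(2)]
    burned = 2 * DENOM - sum(a for a, _ in combined["outputs"]) - 1_000
    return apo_ok, ctv_ok, burned

def shared_digest_groups(deposits):
    """deposits: name -> required spend template. Groups of 2+ share one digest."""
    groups = defaultdict(list)
    for name, tx in deposits.items():
        groups[apo_style_digest(tx, 0)].append(name)
    return [sorted(g) for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    print(half_spend_demo())
```

`shared_digest_groups` is the check a vault design would want before accepting deposits: any group it returns is a set of outputs whose covenant accepts the same digest and is therefore exposed to being spent together in this model.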