MIME-Version: 1.0
References: <CAHUJnBBFsS597ZRdAtwONMAz1r7gQbrXULzdNtEVxOPENx+tDg@mail.gmail.com>
 <CAGpPWDYvvtCJLsr1SqghugfntnmnKw+GOtufp07d8sN-5vKa0w@mail.gmail.com>
 <CAHUJnBAfnmfs2nY3HFRhzNL6ztpZT3dgqe5wCxuO3qpk0OsgRg@mail.gmail.com>
 <CAGpPWDabAbY3nS-1QATrzLj+O4dxfs4Fo0EuYFftNdjw_gwRPw@mail.gmail.com>
 <CAHUJnBAFV6qFDjYkO_ByfDOp1rwz4S1xQc9hSJj5Jpsb7DdVwQ@mail.gmail.com>
 <YeoY12X1skxA8Lcy@petertodd.org>
 <CAGpPWDYOJFkOdzkoq6XMB0Z9SEEP4nmdmcZDEZckWQL+BzPOZw@mail.gmail.com>
In-Reply-To: <CAGpPWDYOJFkOdzkoq6XMB0Z9SEEP4nmdmcZDEZckWQL+BzPOZw@mail.gmail.com>
From: Bram Cohen <bram@chia.net>
Date: Fri, 21 Jan 2022 16:19:07 -0800
Message-ID: <CAHUJnBCy4Jbm+oJjGknCVEGzTqSshjgtf86egVX9D5TPxGDs=w@mail.gmail.com>
To: Billy Tetrud <billy.tetrud@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b73e9805d620af9c"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Covenants and capabilities in the UTXO model
Precedence: list

--000000000000b73e9805d620af9c
Content-Type: text/plain; charset="UTF-8"

On Fri, Jan 21, 2022 at 9:32 AM Billy Tetrud <billy.tetrud@gmail.com> wrote:

> > Bitcoin doesn't have a strong single concept of a 'parent'
>
> I'm using the term "parent" loosely in context here to mean a relationship
> where an input has constraints applied to an output (or outputs).
>

Yes and I'm using it more specifically to mean a single parent because the
tricks for implementing capabilities I'm talking about don't work if you
don't have a way of talking about 'my parent' as an unambiguously defined
single UTXO.


>
> >   verify the secure hash chain from its parent to itself so that it
> knows what the parent looked like
>
> I guess I just don't understand why you would want to do it this way.
>

The idea here is to optimize for adding as little to the UXTO model as
possible and doing everything with Bitcoin script additions. Some optional
mappings of inputs to outputs in a transaction seem to be necessary but
beyond that the current model can remain unchanged.


> If you send to an address that has such a reverse-looking script, you
> could brick funds that came from the wrong parent. With the reverse
> mechanism, the transaction creating the child, you can prevent this from
> happening by defining the transaction creating such a child as invalid
> unless the child matches the covenant in the parent.
>

If you want to pay to a singleton you don't do it by paying to some
scriptpubkey which represents that singleton, you pay to a scriptpubkey
which says 'I can be spent in any transaction which includes singleton X'
and it does the validation of that other UTXO being the current incarnation
of the singleton using the capabilities validation tricks I mentioned
before.


>
> > "you can only point back so far" leads to transactions becoming invalid,
> which is something we've always strictly avoided because it can result in
> huge problems during reorgs
>
> I'm surprised to hear you say that. I have tried to learn why valid
> transactions that can become invalid is seen as such a problem. I've been
> unsuccessful in finding much information about this. I tried to document
> the full extent of my understanding in my proposal here
> <https://github.com/fresheneesz/bip-efficient-bitcoin-vaults/blob/main/bbv/bip-beforeblockverify.md#reorg-safety> where
> I actually have a quote from you where you said you don't think this is a
> valid concern. Did something change your mind? Or did I misinterpret you?
> What am I missing from that section I linked to?
>

It can be made so that if it goes past the time when the backpointer works
then the transaction is still valid but its vbytes goes up because the
referenced string needs to be repeated on the chain.

I too am a bit on the fence about whether strict transaction
monotinicity is absolutely necessary. The most plausible violation of it to
add would be some kind of max height/age condition to go with the current
min height/age restrictions. What scares me about that isn't so much the
ability to replay reorgs getting messed up (those can be derailed by double
spends anyway) but that either an intentional DOS or just a spike in
transaction fees could cause a deadline to be passed and something to be
bricked for completely technical reasons having nothing to do with its
intended logic. The same type of functionality can be hacked by having an
allowed spend whose only condition is a min height/age so that if the time
has passed as long as someone isn't asleep at the wheel the transaction
will switch to a new state which disallows whatever it is that was supposed
to be disallowed at that time.

Since there isn't any compelling bit of functionality which needs to
violate monotinicity to be implemented I don't see any need to call for an
end to it as a principle. It certainly makes mempool logic a lot simpler
and more reliable.

--000000000000b73e9805d620af9c
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Fri, Jan 21, 2022 at 9:32 AM Billy Tet=
rud &lt;<a href=3D"mailto:billy.tetrud@gmail.com">billy.tetrud@gmail.com</a=
>&gt; wrote:<br></div><div class=3D"gmail_quote"><blockquote class=3D"gmail=
_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204=
,204);padding-left:1ex"><div dir=3D"ltr"><div>&gt; Bitcoin doesn&#39;t have=
 a strong single concept of a &#39;parent&#39;</div><div><br></div><div>I&#=
39;m using the term &quot;parent&quot; loosely in context=C2=A0here to mean=
 a relationship where an input has constraints applied to an output (or out=
puts).</div></div></blockquote><div><br></div><div>Yes and I&#39;m using it=
 more specifically to mean a single parent because the tricks for implement=
ing capabilities I&#39;m talking about don&#39;t work if you don&#39;t have=
 a way of talking about &#39;my parent&#39; as an unambiguously defined sin=
gle UTXO.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"=
margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-lef=
t:1ex"><div dir=3D"ltr"><div><br></div>&gt;=C2=A0=C2=A0

verify the secure hash chain from its parent to itself so that it knows wha=
t the parent looked like<br><div><br></div><div>I guess I just don&#39;t un=
derstand why you would want to do it this way.</div></div></blockquote><div=
><br></div><div>The idea here is to optimize for adding as little to the UX=
TO model as possible and doing everything with Bitcoin script additions. So=
me optional mappings of inputs to outputs in a transaction seem to be neces=
sary but beyond that the current model can remain unchanged.</div><div>=C2=
=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8e=
x;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr"=
><div> If you send to an address that has such a reverse-looking script, yo=
u could brick funds that came from the wrong parent. With the reverse mecha=
nism, the transaction creating the child, you can prevent this from happeni=
ng by defining the transaction creating such a child as invalid unless the =
child matches the covenant in the parent.=C2=A0</div></div></blockquote><di=
v><br></div><div>If you want to pay to a singleton you don&#39;t do it by p=
aying to some scriptpubkey which represents that singleton, you pay to a sc=
riptpubkey which says &#39;I can be spent in any transaction which includes=
 singleton X&#39; and it does the validation of that other UTXO being the c=
urrent incarnation of the singleton using the capabilities validation trick=
s I mentioned before.</div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex"><div dir=3D"ltr"><div><br></div><div>&gt; &quot;you can =
only point back so far&quot; leads to transactions becoming invalid, which =
is something we&#39;ve always strictly avoided because it can result in hug=
e problems during reorgs</div><div><br></div><div>I&#39;m surprised to hear=
 you say that. I have tried to learn why valid transactions that can become=
 invalid is seen as such a problem. I&#39;ve been unsuccessful in finding m=
uch information about this. I tried to document the full extent of my under=
standing in <a href=3D"https://github.com/fresheneesz/bip-efficient-bitcoin=
-vaults/blob/main/bbv/bip-beforeblockverify.md#reorg-safety" target=3D"_bla=
nk">my proposal here</a>=C2=A0where I actually have a quote from you where =
you said you don&#39;t think this is a valid concern. Did something change =
your mind? Or did I misinterpret you? What am I missing from that section I=
 linked to?</div></div></blockquote><div><br></div><div>It can be made so t=
hat if it goes past the time when the backpointer works then the transactio=
n is still valid but its vbytes goes up because the referenced string needs=
 to be repeated on the chain.</div><div><br></div><div>I too am a bit on th=
e fence about whether strict transaction monotinicity=C2=A0is absolutely ne=
cessary. The most plausible violation of it to add would be some kind of ma=
x height/age condition to go with the current min height/age restrictions. =
What scares me about that isn&#39;t so much the ability to replay reorgs ge=
tting messed up (those can be derailed by double spends anyway) but that ei=
ther an intentional DOS or just a spike in transaction fees could cause a d=
eadline to be passed and something to be bricked for completely technical r=
easons having nothing to do with its intended logic. The same type of funct=
ionality can be hacked by having an allowed spend whose only condition is a=
 min height/age so that if the time has passed as long as someone isn&#39;t=
 asleep at the wheel the transaction will switch to a new state which disal=
lows whatever it is that was supposed to be disallowed at that time.</div><=
div><br></div><div>Since there isn&#39;t any compelling bit of functionalit=
y which needs to violate monotinicity to be implemented I don&#39;t see any=
 need to call for an end to it as a principle. It certainly makes mempool l=
ogic a lot simpler and more reliable.</div><div><br></div></div></div>

--000000000000b73e9805d620af9c--