1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
|
Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194]
helo=mx.sourceforge.net)
by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <pete@petertodd.org>) id 1YkT5b-0008Sm-3q
for bitcoin-development@lists.sourceforge.net;
Tue, 21 Apr 2015 07:59:27 +0000
Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of petertodd.org
designates 62.13.149.58 as permitted sender)
client-ip=62.13.149.58; envelope-from=pete@petertodd.org;
helo=outmail149058.authsmtp.co.uk;
Received: from outmail149058.authsmtp.co.uk ([62.13.149.58])
by sog-mx-4.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
id 1YkT5Y-0007Le-VI for bitcoin-development@lists.sourceforge.net;
Tue, 21 Apr 2015 07:59:27 +0000
Received: from mail-c235.authsmtp.com (mail-c235.authsmtp.com [62.13.128.235])
by punt16.authsmtp.com (8.14.2/8.14.2/) with ESMTP id t3L7xHPF017429;
Tue, 21 Apr 2015 08:59:17 +0100 (BST)
Received: from savin.petertodd.org (75-119-251-161.dsl.teksavvy.com
[75.119.251.161]) (authenticated bits=128)
by mail.authsmtp.com (8.14.2/8.14.2/) with ESMTP id t3L7xDYX010068
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO);
Tue, 21 Apr 2015 08:59:16 +0100 (BST)
Date: Tue, 21 Apr 2015 03:59:12 -0400
From: Peter Todd <pete@petertodd.org>
To: Matt Corallo <bitcoin-list@bluematt.me>
Message-ID: <20150421075912.GA25282@savin.petertodd.org>
References: <20141001130826.GM28710@savin.petertodd.org>
<55075795.20904@bluematt.me>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc"
Content-Disposition: inline
In-Reply-To: <55075795.20904@bluematt.me>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-Server-Quench: 4ecde619-e7fc-11e4-b396-002590a15da7
X-AuthReport-Spam: If SPAM / abuse - report it at:
http://www.authsmtp.com/abuse
X-AuthRoute: OCd2Yg0TA1ZNQRgX IjsJECJaVQIpKltL GxAVKBZePFsRUQkR
aAdMdAMUGUUGAgsB AmMbW1xeVVR7WGU7 bA9PbARUfEhLXhtr
VklWR1pVCwQmRR99 AVZqO3FydgVGfnY+ Z0RmWXkVWBEpIRN7
Q0dJQGpQNnphaTUb TRJbfgVJcANIexZF O1F6ACIKLwdSbGoL
NQ4vNDcwO3BTJTpY RgYVKF8UXXNDJDM4 TgwDAzhnNm0obAYX
CDcFFn85MXg8CGQc ABNhRlsDezQ2NjM8 V1lXBzdePFAFBkIA
X-Authentic-SMTP: 61633532353630.1023:706
X-AuthFastPath: 0 (Was 255)
X-AuthSMTP-Origin: 75.119.251.161/587
X-AuthVirus-Status: No virus detected - but ensure you scan with your own
anti-virus system.
X-Spam-Score: -1.5 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_PASS SPF: sender matches SPF record
X-Headers-End: 1YkT5Y-0007Le-VI
Cc: bitcoin-development@lists.sourceforge.net
Subject: Re: [Bitcoin-development] Relative CHECKLOCKTIMEVERIFY (was CLTV
proposal)
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Tue, 21 Apr 2015 07:59:27 -0000
--C7zPtVaVf+AK4Oqc
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Mon, Mar 16, 2015 at 10:22:13PM +0000, Matt Corallo wrote:
> In building some CLTV-based contracts, it is often also useful to have a
> method of requiring, instead of locktime-is-at-least-N,
> locktime-is-at-least-N-plus-the-height-of-my-input. ie you could imagine
> an OP_RELATIVECHECKLOCKTIMEVERIFY that reads (does not pop) the top
> stack element, adds the height of the output being spent and then has
> identical semantics to CLTV.
Depending on what you mean by "identical" this isn't actually reorg
safe. For instance consider this implementation:
nLockTime =3D stack[-1] + prevout.nHeight
if (nLockTime > txTo.nLockTime):
return False
Used with this scriptPubKey:
10 RCLTV DROP <pubkey> CHECKSIG
If I create that output in tx1 which is mined at height 42 I can spend
it in a tx2 at height > 42+10 by setting tx2's nLockTime to >42+10, for
instance 53. However if a reorg happens and tx1 ends up at height 43
after the reorg I'm stuck - tx2's nLockTime is set at 42.
Thus RCTLV is only reorg safe if the height is compared against the
actual block height of the block containing the spending transaction,
not the spending transaction's nLockTime.
> A slightly different API (and different name) was described by maaku at
> http://www.reddit.com/r/Bitcoin/comments/2z2l91/time_to_lobby_bitcoins_co=
re_devs_sf_bitcoin_devs/cpgc154
> which does a better job of saving softfork-available opcode space.
>=20
> There are two major drawbacks to adding such an operation, however.
>=20
> 1) More transaction information is exposed inside the script (prior to
> CLTV we only had the sigchecking operation exposed, with a CLTV and
> RCLTV/OP_CHECK_MATURITY_VERIFY we expose two more functions).
>=20
> 2) Bitcoin Core's mempool invariant of "all transactions in the mempool
> could be thrown into one overside block and aside from block size, it
> would be valid" becomes harder to enforce. Currently, during reorgs,
> coinbase spends need checked (specifically, anything spending THE
> coinbase 100 blocks ago needs checked) and locktime transactions need
> checked. With such a new operation, any script which used this new
> opcode during its execution would need to be re-evaluated during reorgs.
Yup, definitely kinda ugly.
If the above style of RCTLV was used, one possibility might be to make
the relative locktime difference be required to be at least 100 blocks,
same as the coinbase maturity, and just accept that it's probably not
going to cause any problems, but could in an extremely big reorg. But
re-orgs that big might be big enough that we're screwed anyway...
With the 100 block rule, during a sufficiently large reorg that
coinbases become unavailble, simply disconnect entire blocks - all
txouts created by them.
> I think both of these requirements are reasonable and not particularly
> cumbersome, and the value of such an operation is quite nice for some
> protocols (including settings setting up a contest interval in a
> sidechain data validation operation).
So to be clear, right now the minimal interface to script execution is
simply:
int bitcoinconsensus_verify_script(const unsigned char *scriptPubKey, u=
nsigned int scriptPubKeyLen,
const unsigned char *txTo , u=
nsigned int txToLen,
unsigned int nIn, unsigned int flags=
, bitcoinconsensus_error* err);
Where scriptPubKey is derived from the unspent coin in the UTXO set and
txTo is the transaction containing the script that is being executed.
The UTXO set itself currently contains CCoins entries, one for each
transaction with unspent outputs, which basically contain:
nVersion - tx nVersion
nHeight - Height of the block the transaction is contained in.
vout - Unspent CTxOut's of the transaction.
The block nTime isn't directly available through the UTXO set, although
it can be found in the block headers. This does require nodes to have
the block headers, but at 4MB/year growth it's reasonable to assume the
UTXO set will grow faster.
Script execution does not have direct access to the current block
height/block time, however it does have indirect access via nLockTime.
Thus we have a few possibilities:
1) RCLTV against nLockTime
Needs a minimum age > COINBASE_MATURITY to be safe.
2) RCLTV against current block height/time
Completely reorg safe.
3) GET_TXOUT_HEIGHT/TIME <diff> ADD CLTV
To be reorg safe GET_TXOUT_HEIGHT/TIME must fail if minimum age <
COINBASE_MATURITY. This can be implemented by comparing against
nLockTime.
All three possibilities require us to make information about the
prevout's height/time available to VerifyScript(). The only question is
if we want VerifyScript() to also take the current block height/time - I
see no reason why it can't. As for the mempool, keeping track of what
transactions made use of these opcodes so they can be reevaluated if
their prevouts are re-organised seems fine to me.
Absolute CLTV
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
If we are going to make the block height/time available to
VerifyScript() to implement RCLTV, should absolute CLTV should continue
to have the proposed behavior of checking against nLockTime? If we go
with RCLTV against current block height/time, I'm going to vote no,
because doing so needlessly limits it to only being able to compare
against a block height or a block time in a single transaction.
Similarly it can complicate multi-party signatures in some
circumstances, as all parties must agree on a common nLockTime.
Time-based locks
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Do we want to support them at all? May cause incentive issues with
mining, see #bitcoin-wizards discussion, Jul 17th 2013:
https://download.wpsoftware.net/bitcoin/wizards/2013/07/13-07-17.log
--=20
'peter'[:-1]@petertodd.org
0000000000000000015e09479548c5b63b99a62d31b019e6479f195bf0cbd935
--C7zPtVaVf+AK4Oqc
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
-----BEGIN PGP SIGNATURE-----
iQGrBAEBCACVBQJVNgNMXhSAAAAAABUAQGJsb2NraGFzaEBiaXRjb2luLm9yZzAw
MDAwMDAwMDAwMDAwMDAwZjI3MTFlYWY4NjZjOTVlNzc1Yzg0NDEwNDY2NzIwY2Vh
NGI1ZjY1MTYzYTdmODEvFIAAAAAAFQARcGthLWFkZHJlc3NAZ251cGcub3JncGV0
ZUBwZXRlcnRvZC5vcmcACgkQJIFAPaXwkfv+Fwf/ZB7Xw7GwCoM881lW4h1nQaVA
QDxXe/cRte9PGF90nLKP/fHAcj4bNwK+Gn6KYWgnzK/2Dl7lOqFbODeGXaDEDPTl
bFLKzFeSXweatLJSJn1OLlYgvHLWQNyRiZc6dQro6On6qfslGJb4sdxpb8LrU3ik
dEshPwjRnGeqgEAkcCb3UcbV4LcGQFCGxhKFcJMhY/WrDOKlvl26eV39dmETm3pv
3IDj4XTH1410KpbvrHqaXevhvylSGS0/d54HH5jcyf1Jh7ECfHTU6RfE7fdVu75Z
pgPp5Lv06xlKBBZtMxByEZiFhSiiT7hs1ePLa3Iudij06B3qvLR2LJ5QKxmiow==
=e89O
-----END PGP SIGNATURE-----
--C7zPtVaVf+AK4Oqc--
|