1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
|
Return-Path: <alex.schoof@gmail.com>
Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])
by lists.linuxfoundation.org (Postfix) with ESMTP id 3403BC002D
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 11 May 2022 23:32:47 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp2.osuosl.org (Postfix) with ESMTP id 1ABFA4058C
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 11 May 2022 23:32:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: smtp2.osuosl.org (amavisd-new);
dkim=pass (2048-bit key) header.d=gmail.com
Received: from smtp2.osuosl.org ([127.0.0.1])
by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id NIdYyMEBF4zG
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 11 May 2022 23:32:45 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com
[IPv6:2607:f8b0:4864:20::136])
by smtp2.osuosl.org (Postfix) with ESMTPS id C9339400B8
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 11 May 2022 23:32:45 +0000 (UTC)
Received: by mail-il1-x136.google.com with SMTP id d3so2463141ilr.10
for <bitcoin-dev@lists.linuxfoundation.org>;
Wed, 11 May 2022 16:32:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to;
bh=FklFiYgOZZYr7PKqNbnVzrs6zX3auh+Lf0x+AICIRKg=;
b=O3dcu+64zgnaX478kdfQpR+lhw2mdT9xRQuJyqszXc3V+H7+6EnDygWOpQapPYof32
nj9jcS+TcmmvotrBYWkmdLklRlML+/cuMhGfXUUGLGno50uVYy6cltubVRwsvDA/FZGz
V9WDepu3REQ9mfmiVJHvGY/Pk3rl1f/7/y2KMbZKKsDs7el2cf/JjC2V9L8uNodiNWe6
YbSFa7wG81pqFG33Z5kAL/i0A2ypySnwgKqvVyRVH1AgQbu92SPm2AnEFDzS0ZYhrNfo
alX7xvlCcnnf2PeXbLi/IpFJ1zwHr7WB7qe6k3JtVi4Nc7NVhrBaplkoGvroh18Mt74d
E3aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to;
bh=FklFiYgOZZYr7PKqNbnVzrs6zX3auh+Lf0x+AICIRKg=;
b=hDcu3BzkaUWDMvtyQZnaIUjfK27sc/cX+l+Q8Dcm0DoYVjVa31UXlINxxiTEOJq3Kh
4aA45hLl+yHqcpl4nUVI0uyBMsFvkGecMuT/7MRHF4duuipPHwlzjskhv4V44NtYjC8w
WQzcy9lV/OFv9xDjbWQIj7lH2gOtxEmVMq14WJ6328K3qMr/OuvmtXDLxVukMCMnxmp6
ujD+R+IvkQ67wa3Fr4Z3r37PSk5dRidncCqWbfPhZSlH+IKGe5nOE0qbRHXVq7eUx0d3
R3SnkglbkiPLgR64qmL5xpQkH3GUuWJSr/ctQYbpqhZ5CQQNULgV998zStBQYXm6uw61
h5tA==
X-Gm-Message-State: AOAM533txSC6eSoVheF1iyo1+Y4i4fD/+TH8xe6m1cw1Gfh3Uu33wbsz
U4ZCy24AXYZF+2rl+TBordFgq0cUvnKJNekLrzrnvvYL
X-Google-Smtp-Source: ABdhPJwTJtAXLQha/N7LDEeKSIhSqDNUW18EygTZTL1GL2snL8Af7hdEpTaf/dOKraUvzs/pbQ0h2eibcofHpicow7s=
X-Received: by 2002:a05:6e02:f52:b0:2ca:95e4:f4b5 with SMTP id
y18-20020a056e020f5200b002ca95e4f4b5mr12472790ilj.240.1652311964717; Wed, 11
May 2022 16:32:44 -0700 (PDT)
MIME-Version: 1.0
References: <87h75xoet1.fsf@rustcorp.com.au>
In-Reply-To: <87h75xoet1.fsf@rustcorp.com.au>
From: Alex Schoof <alex.schoof@gmail.com>
Date: Wed, 11 May 2022 19:32:34 -0400
Message-ID: <CA+2b5C0nJFThN_JV4usx2KQqTbAYwPq_u6RJn+1k5PuLwT1wPA@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
Rusty Russell <rusty@rustcorp.com.au>
Content-Type: multipart/alternative; boundary="000000000000b717d405dec4db12"
X-Mailman-Approved-At: Thu, 12 May 2022 07:57:52 +0000
Subject: Re: [bitcoin-dev] [PROPOSAL] OP_TX: generalized covenants reduced
to OP_CHECKTEMPLATEVERIFY
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2022 23:32:47 -0000
--000000000000b717d405dec4db12
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Rusty,
One of the common sentiments thats been expressed over the last few months
is that more people want to see experimentation with different applications
using covenants. I really like this proposal because in addition to
offering a cleaner upgrade/extension path than adding =E2=80=9CCTV++=E2=80=
=9D as a new
opcode in a few years, it also seems like it would make it very easy to
create prototype applications to game out new ideas:
If the =E2=80=9Conly this combination of fields are valid, otherwise OP_SUC=
CESS=E2=80=9D
check is just comparing with a list of bitmasks for permissible field
combinations (which right now is a list of length 1), it seems like it
would be *very* easy for people who want to play with other covenant field
sets to just add the relevant bitmasks and then go spin up a signet to
build applications.
Being able to make a very targeted change like that to enable
experimentation is super cool. Thanks for sharing!
Alex
On Tue, May 10, 2022 at 6:37 AM Rusty Russell via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Hi all,
>
> TL;DR: a v1 tapscript opcode for generic covenants, but
> OP_SUCCESS unless it's used a-la OP_CHECKTEMPLATEVERIFY. This gives an
> obvious use case, with clean future expansion. OP_NOP4 can be
> repurposed in future as a shortcut, if experience shows that to be a
> useful optimization.
>
> (This proposal builds on Russell O'Connor's TXHASH[1], with Anthony
> Towns' modification via extending the opcode[2]; I also notice on
> re-reading that James Lu had a similar restriction idea[3]).
>
> Details
> -------
>
> OP_TX, when inside v1 tapscript, is followed by 4 bytes of flags.
> Unknown flag patterns are OP_SUCCESS, though for thoroughness some future
> potential uses are documented here. Note that pushing more than 1000
> elements on the stack or an element more than 512 bytes will hit the
> BIP-342 resource limits and fail.
>
> Defined bits
> ------------
>
> (Only those marked with * have to be defined for this soft fork; the
> others can have semantics later).
>
> OPTX_SEPARATELY: treat fields separately (vs concatenating)
> OPTX_UNHASHED: push on the stack without hashing (vs SHA256 before push)
>
> - The first nicely sidesteps the lack of OP_CAT, and the latter allows
> OP_TXHASH semantics (and avoid stack element limits).
>
> OPTX_SELECT_VERSION*: version
> OPTX_SELECT_LOCKTIME*: nLocktime
> OPTX_SELECT_INPUTNUM*: current input number
> OPTX_SELECT_INPUTCOUNT*: number of inputs
> OPTX_SELECT_OUTPUTCOUNT*: number of outputs
>
> OPTX_INPUT_SINGLE: if set, pop input number off stack to apply to
> OPTX_SELECT_INPUT_*, otherwise iterate through all.
> OPTX_SELECT_INPUT_TXID: txid
> OPTX_SELECT_INPUT_OUTNUM: txout index
> OPTX_SELECT_INPUT_NSEQUENCE*: sequence number
> OPTX_SELECT_INPUT_AMOUNT32x2: sats in, as a high-low u31 pair
> OPTX_SELECT_INPUT_SCRIPT*: input scriptsig
> OPTX_SELECT_INPUT_TAPBRANCH: ?
> OPTX_SELECT_INPUT_TAPLEAF: ?
>
> OPTX_OUTPUT_SINGLE: if set, pop input number off stack to apply to
> OPTX_SELECT_OUTPUT_*, otherwise iterate through all.
> OPTX_SELECT_OUTPUT_AMOUNT32x2*: sats out, as a high-low u31 pair
> OPTX_SELECT_OUTPUT_SCRIPTPUBKEY*: output scriptpubkey
>
> OPTX_SELECT_19...OPTX_SELECT_31: future expansion.
>
> OP_CHECKTEMPLATEVERIFY is approximated by the following flags:
> OPTX_SELECT_VERSION
> OPTX_SELECT_LOCKTIME
> OPTX_SELECT_INPUTCOUNT
> OPTX_SELECT_INPUT_SCRIPT
> OPTX_SELECT_INPUT_NSEQUENCE
> OPTX_SELECT_OUTPUTCOUNT
> OPTX_SELECT_OUTPUT_AMOUNT32x2
> OPTX_SELECT_OUTPUT_SCRIPTPUBKEY
> OPTX_SELECT_INPUTNUM
>
> All other flag combinations result in OP_SUCCESS.
>
> Discussion
> ----------
>
> By enumerating exactly what can be committed to, it's absolutely clear
> what is and isn't committed (and what you need to think about!).
>
> The bits which separate concatenation and hashing provide a simple
> mechanism for template-style (i.e. CTV-style) commitments, or for
> programatic treatment of individual elements (e.g. amounts, though the
> two s31 style is awkward: a 64-bit push flag could be added in future).
>
> The lack of double-hashing of scriptsigs and other fields means we
> cannot simply re-use hashing done for SIGHASH_ALL.
>
> The OP_SUCCESS semantic is only valid in tapscript v1, so this does not
> allow covenants for v0 segwit or pre-segwit inputs. If covenants prove
> useful, dedicated opcodes can be provided for those cases (a-la
> OP_CHECKTEMPLATEVERIFY).
>
> Cheers,
> Rusty.
>
> [1]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/0198=
13.html
> [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/0198=
19.html
> [3]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/0198=
16.html
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--=20
Alex Schoof
--000000000000b717d405dec4db12
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"auto">Hi Rusty,</div><div dir=3D"auto"><br></div><div dir=3D"au=
to">One of the common sentiments thats been expressed over the last few mon=
ths is that more people want to see experimentation with different applicat=
ions using covenants. I really like this proposal because in addition to of=
fering a cleaner upgrade/extension path than adding =E2=80=9CCTV++=E2=80=9D=
as a new opcode in a few years, it also seems like it would make it very e=
asy to create prototype applications to game out new ideas:=C2=A0</div><div=
dir=3D"auto">If the =E2=80=9Conly this combination of fields are valid, ot=
herwise OP_SUCCESS=E2=80=9D check is just comparing with a list of bitmasks=
for permissible field combinations (which right now is a list of length 1)=
, it seems like it would be *very* easy for people who want to play with ot=
her covenant field sets to just add the relevant bitmasks and then go spin =
up a signet to build applications.=C2=A0</div><div dir=3D"auto"><br></div><=
div dir=3D"auto">Being able to make a very targeted change like that to ena=
ble experimentation is super cool. Thanks for sharing!</div><div dir=3D"aut=
o"><br></div><div dir=3D"auto">Alex</div><div dir=3D"auto"><br></div><div d=
ir=3D"auto">On Tue, May 10, 2022 at 6:37 AM Rusty Russell via bitcoin-dev &=
lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lis=
ts.linuxfoundation.org</a>> wrote:<br></div><div><div class=3D"gmail_quo=
te"><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bor=
der-left-width:1px;border-left-style:solid;padding-left:1ex;border-left-col=
or:rgb(204,204,204)">Hi all,<br>
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 TL;DR: a v1 tapscript opcode for generic covena=
nts, but<br>
OP_SUCCESS unless it's used a-la OP_CHECKTEMPLATEVERIFY.=C2=A0 This giv=
es an<br>
obvious use case, with clean future expansion.=C2=A0 OP_NOP4 can be<br>
repurposed in future as a shortcut, if experience shows that to be a<br>
useful optimization.<br>
<br>
(This proposal builds on Russell O'Connor's TXHASH[1], with Anthony=
<br>
Towns' modification via extending the opcode[2]; I also notice on<br>
re-reading that James Lu had a similar restriction idea[3]).<br>
<br>
Details<br>
-------<br>
<br>
OP_TX, when inside v1 tapscript, is followed by 4 bytes of flags.<br>
Unknown flag patterns are OP_SUCCESS, though for thoroughness some future<b=
r>
potential uses are documented here.=C2=A0 Note that pushing more than 1000<=
br>
elements on the stack or an element more than 512 bytes will hit the<br>
BIP-342 resource limits and fail.<br>
<br>
Defined bits<br>
------------<br>
<br>
(Only those marked with * have to be defined for this soft fork; the<br>
=C2=A0others can have semantics later).<br>
<br>
OPTX_SEPARATELY: treat fields separately (vs concatenating)<br>
OPTX_UNHASHED: push on the stack without hashing (vs SHA256 before push)<br=
>
<br>
- The first nicely sidesteps the lack of OP_CAT, and the latter allows<br>
=C2=A0 OP_TXHASH semantics (and avoid stack element limits).<br>
<br>
OPTX_SELECT_VERSION*: version<br>
OPTX_SELECT_LOCKTIME*: nLocktime<br>
OPTX_SELECT_INPUTNUM*: current input number<br>
OPTX_SELECT_INPUTCOUNT*: number of inputs<br>
OPTX_SELECT_OUTPUTCOUNT*: number of outputs<br>
<br>
OPTX_INPUT_SINGLE: if set, pop input number off stack to apply to<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_INPUT_*=
, otherwise iterate through all.<br>
OPTX_SELECT_INPUT_TXID: txid<br>
OPTX_SELECT_INPUT_OUTNUM: txout index<br>
OPTX_SELECT_INPUT_NSEQUENCE*: sequence number<br>
OPTX_SELECT_INPUT_AMOUNT32x2: sats in, as a high-low u31 pair<br>
OPTX_SELECT_INPUT_SCRIPT*: input scriptsig<br>
OPTX_SELECT_INPUT_TAPBRANCH: ?<br>
OPTX_SELECT_INPUT_TAPLEAF: ?<br>
<br>
OPTX_OUTPUT_SINGLE: if set, pop input number off stack to apply to<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_OUTPUT_=
*, otherwise iterate through all.<br>
OPTX_SELECT_OUTPUT_AMOUNT32x2*: sats out, as a high-low u31 pair<br>
OPTX_SELECT_OUTPUT_SCRIPTPUBKEY*: output scriptpubkey<br>
<br>
OPTX_SELECT_19...OPTX_SELECT_31: future expansion.<br>
<br>
OP_CHECKTEMPLATEVERIFY is approximated by the following flags:<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_VERSION<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_LOCKTIME<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_INPUTCOUNT<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_INPUT_SCRIPT<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_INPUT_NSEQUENCE<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_OUTPUTCOUNT<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_OUTPUT_AMOUNT32x2<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_OUTPUT_SCRIPTPUBKEY<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 OPTX_SELECT_INPUTNUM<br>
<br>
All other flag combinations result in OP_SUCCESS.<br>
<br>
Discussion<br>
----------<br>
<br>
By enumerating exactly what can be committed to, it's absolutely clear<=
br>
what is and isn't committed (and what you need to think about!).<br>
<br>
The bits which separate concatenation and hashing provide a simple<br>
mechanism for template-style (i.e. CTV-style) commitments, or for<br>
programatic treatment of individual elements (e.g. amounts, though the<br>
two s31 style is awkward: a 64-bit push flag could be added in future).<br>
<br>
The lack of double-hashing of scriptsigs and other fields means we<br>
cannot simply re-use hashing done for SIGHASH_ALL.<br>
<br>
The OP_SUCCESS semantic is only valid in tapscript v1, so this does not<br>
allow covenants for v0 segwit or pre-segwit inputs.=C2=A0 If covenants prov=
e<br>
useful, dedicated opcodes can be provided for those cases (a-la<br>
OP_CHECKTEMPLATEVERIFY).<br>
<br>
Cheers,<br>
Rusty.<br>
<br>
[1] <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022=
-January/019813.html" rel=3D"noreferrer" target=3D"_blank">https://lists.li=
nuxfoundation.org/pipermail/bitcoin-dev/2022-January/019813.html</a><br>
[2] <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022=
-January/019819.html" rel=3D"noreferrer" target=3D"_blank">https://lists.li=
nuxfoundation.org/pipermail/bitcoin-dev/2022-January/019819.html</a><br>
[3] <a href=3D"https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022=
-January/019816.html" rel=3D"noreferrer" target=3D"_blank">https://lists.li=
nuxfoundation.org/pipermail/bitcoin-dev/2022-January/019816.html</a><br>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div></div>-- <br><div dir=3D"ltr" class=3D"gmail_signature" =
data-smartmail=3D"gmail_signature"><br><br>Alex Schoof</div>
--000000000000b717d405dec4db12--
|
