1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
|
Return-Path: <roconnor@blockstream.io>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 11588FB3
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 23 May 2019 22:01:13 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-it1-f177.google.com (mail-it1-f177.google.com
[209.85.166.177])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E074A829
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 23 May 2019 22:01:11 +0000 (UTC)
Received: by mail-it1-f177.google.com with SMTP id m140so10832646itg.2
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 23 May 2019 15:01:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=blockstream.io; s=google;
h=mime-version:references:in-reply-to:from:date:message-id:subject:to
:cc; bh=ZhDjm/N1dg8ZZq29aVNUJK3cGhI2zF1wDFlwLn3TcNs=;
b=HE+AE5KHXihz1RgSG1y9Q1ECKqGGKTbeQjY+wP6yL1mP22jZlpb/EcZ3YaUxt7FGY5
rhLZUG+E7MngAmt7f8Ccv3PLhTa6eOUZJCoqHAKTv8hC8+C4km2aPpuDyMqtp4T33RzP
ECYrwrW7TSCQmguUcMfXDZnx3eh/Avii8jqPM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:references:in-reply-to:from:date
:message-id:subject:to:cc;
bh=ZhDjm/N1dg8ZZq29aVNUJK3cGhI2zF1wDFlwLn3TcNs=;
b=JjjmvU6ZlG0ueaOe7sGWbTD+pPt+7adQO0GxdkEQJxqm7fK47mPPo9d1lRzFLCf3uh
/Z0H1e6RlK8vjGSofVgQ9gPurPPG4HAgjc5wNBTONJaZEyYtZ2yPAUYOyXBWc3wQXk9M
8IqWBsG6IBcKYOoLALREmQL7n5Eg+dCmacwCrk8vw6hIWNnx/gRpAlaANlunS14GxZIR
xtYj7EhHwQeQjvJO4/meX609OnE9x4YaqBmgGFNupSxwFYi2sXL5ilkyJN7jqXvjZOgy
aPnHSGeqZZOlFx3SWGXkZfXtL/TvdqQBQO/Ts65HLEZn6o3up43fFvlmPO2BsKKSMt08
piTQ==
X-Gm-Message-State: APjAAAW50HBuwKG+U+WxjTDisWl8AFFbhraZeO6anzhS+OQzCfi4exuh
YwdiR9BRklcOhllqoWSNiz+Fn5ryqdWQIsvSz7+WL7u1
X-Google-Smtp-Source: APXvYqzw871B39kZLh2FY1S/RZ5g+WiEZs3epiTq4QisYjJMg8eHZz9Hx02dyMKV1e1kdC4WHEB2caUO/vJqXgh7SkQ=
X-Received: by 2002:a05:660c:50:: with SMTP id
p16mr14578784itk.146.1558648871075;
Thu, 23 May 2019 15:01:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAMZUoK=0YhqxguphmaKsMGZCy_NYVE_i53qGBfPVES=GAYTy1g@mail.gmail.com>
<CAJR7vkqogCzy8_SpCxcAhnEdkS6DRKaDtvJa8Wc-TNGsCcjM5g@mail.gmail.com>
In-Reply-To: <CAJR7vkqogCzy8_SpCxcAhnEdkS6DRKaDtvJa8Wc-TNGsCcjM5g@mail.gmail.com>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Thu, 23 May 2019 18:00:59 -0400
Message-ID: <CAMZUoKmMWXO72HWQab4kXPKnbQD49sZdryq-nGWum30h6oGMqA@mail.gmail.com>
To: Jimmy Song <jaejoon@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000004a5be9058995383f"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, HTML_MESSAGE,
RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Fri, 24 May 2019 14:39:19 +0000
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] An alternative: OP_CAT & OP_CHECKSIGFROMSTACK
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2019 22:01:13 -0000
--0000000000004a5be9058995383f
Content-Type: text/plain; charset="UTF-8"
Hi Jimmy,
The message could really be anything. For example, in discreet log
contracts, AFAIU, you might have a specific public key from a trusted third
party (the Oracle) that is signs the closing price of corn in BTC on
2019-05-23 with a particular nonce dedicated to that product-date pair, in
which case the message would be the price expressed in binary. In the case
of amortized secure multiparty computations, the message is protocol
specific binary data that consists of a counter (or counters), concatenated
with shares of secret data that is used to construct the result of the
multiparty computation. In the case of transaction reflection, the message
would be a duplicate copy of the tapscript signed transaction data (about
244 bytes of data plus a 64 byte prefix).
As you note, the message is likely to constructed from a value computed
from a mix of witness and committed data, though the message might be pure
witness data, as in the discreet log contract example. In that the
discreet log contract example, you'd probably duplicate the integer value
and do further processing (e.g. compare it to some other committed value).
On Thu, May 23, 2019 at 1:36 PM Jimmy Song <jaejoon@gmail.com> wrote:
> Hi Russell,
>
> This is probably a dumb question, but I'd like to get some clarity on your
> proposal.
>
> OP_CHECKSIGFROMSTACKVERIFY would pop off a signature, message and pubkey.
> Presumably, the message would then have to get constructed as part of the
> Script execution. What would such a message look like? What, in other
> words, would you be signing and would that be similar to what signatures
> sign now? Would it be a single blob that incorporates all the input/output
> information in some hashed manner (like BIP143)? Or would you need separate
> signatures for different parts of the transaction? Or is it something more
> complicated like aggregating multiple signatures over different parts of
> the transaction?
>
> Best,
>
> Jimmy
>
> On Thu, May 23, 2019 at 8:35 AM Russell O'Connor via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Recently there have been some tapscript proposals, SIGHASH_ANYPREVOUT and
>> OP_CHECKOUTPUTHASHVERIFY, that aim to enable particular new features for
>> Bitcoin via new Script operations. However, I think that these proposals
>> miss the mark when it comes to how they approach Bitcoin Script and
>> language features.
>>
>> Bitcoin Script appears designed to be a flexible programmable system that
>> provides generic features to be composed to achieve various purposes.
>> Thus, when we design new language features for Script, we should be
>> striving, as much as possible, to similarly build general purpose tools
>> which can in turn be used for a variety of purposes.
>>
>> I feel the SIGHASH_ANYPREVOUT and OP_CHECKOUTPUTHASHVERIFY proposals fail
>> to achieve these design goals. They are both are designed with very narrow
>> applications in mind, while also going out of their way to extend the
>> semantic domain of the interpretation of Bitcoin operations in new ways
>> that complicate their specification. In the case of SIGHASH_ANYPREVOUT,
>> the semantic domain is extended by adding new counters to track the use of
>> various v0 and v2 signature types. In the case of
>> OP_CHECKOUTPUTHASHVERIFY, it employs a new context-sensitive operation that
>> peeks at the value of surrounding opcodes.
>>
>> Instead, I propose that, for the time being, we simply implement OP_CAT
>> and OP_CHECKSIGFROMSTACKVERIFY. OP_CAT pops two byte arrays off the stack
>> and pushes their concatenation back onto the stack.
>> OP_CHECKSIGFROMSTACKVERIFY pops a signature, message, and pubkey off the
>> stack and performs a bip-schnorr verification on the SHA256 hash of the
>> message.
>>
>> In concert, these two operations enable:
>>
>> * Oracle signature verification, including discrete log contracts.
>> * Amortized secure multiparty computations (see "Amortizing Secure
>> Computation with Penalties" by Kumaresan and Bentov).
>> * Transaction introspection including:
>> + Simulated SIGHASH_ANYPREVOUT, which are necessarily chaperoned simply
>> by the nature of the construction.
>> + Decide if a transaction has exactly one input or not. (etc.)
>> + Weak covenants, which can verify output scripts to see if they are
>> among a set of predefined values or verify the output hash.
>>
>> and presumably more applications as well.
>>
>> For better or for worse, without an OP_PUBKEYTWEEK operation available,
>> the more interesting recursive-covenants remain largely out of reach, with
>> the exception of a recursive covenant that is only able to send back to its
>> own address, possibly abusing its own TXO value as a state variable.
>>
>> All this is accomplished by two straightforward opcodes whose semantics
>> are pure computational operations on stack values. The only semantic
>> side-effect is that OP_CHECKSIGFROMSTACKVERIFY would count towards the
>> existing 'sigops_passed' count. Moreover, I feel that adding these
>> operations does not preclude adding more specialized opcodes in the future
>> as an optimization for whatever popular constructions come up, once we know
>> what those are.
>>
>> I feel that this style of generic building blocks truly embodies what is
>> meant by "programmable money".
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
--0000000000004a5be9058995383f
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>Hi Jimmy,<br></div><div><br></div><div>The message co=
uld really be anything.=C2=A0 For example, in discreet log contracts, AFAIU=
, you might have a specific public key from a trusted third party (the Orac=
le) that is signs the closing price of corn in BTC on 2019-05-23 with a par=
ticular nonce dedicated to that product-date pair, in which case the messag=
e would be the price expressed in binary.=C2=A0 In the case of amortized se=
cure multiparty computations, the message is protocol specific binary data =
that consists of a counter (or counters), concatenated with shares of secre=
t data that is used to construct the result of the multiparty computation.=
=C2=A0 In the case of transaction reflection, the message would be a duplic=
ate copy of the tapscript signed transaction data (about 244 bytes of data =
plus a 64 byte prefix).<br></div><div><br></div><div>As you note, the messa=
ge is likely to constructed from a value computed from a mix of witness and=
committed data, though the message might be pure witness data, as in the d=
iscreet log contract example.=C2=A0 In that the discreet log contract examp=
le, you'd probably duplicate the integer value and do further processin=
g (e.g. compare it to some other committed value).<br></div><div><br></div>=
<div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Ma=
y 23, 2019 at 1:36 PM Jimmy Song <<a href=3D"mailto:jaejoon@gmail.com" t=
arget=3D"_blank">jaejoon@gmail.com</a>> wrote:<br></div><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid r=
gb(204,204,204);padding-left:1ex"><div dir=3D"ltr">Hi Russell,<div><br></di=
v><div>This is probably a dumb question, but I'd like to get some clari=
ty on your proposal.</div><div><br></div><div>OP_CHECKSIGFROMSTACKVERIFY wo=
uld pop off a signature, message and pubkey. Presumably, the message would =
then have to get constructed as part of the Script execution. What would su=
ch a message look like? What, in other words, would you be signing and woul=
d that be similar to what signatures sign now? Would it be a single blob th=
at incorporates all the input/output information in some hashed manner (lik=
e BIP143)? Or would you need separate signatures for different parts of the=
transaction? Or is it something more complicated like aggregating multiple=
signatures over different parts of the transaction?</div><div><br></div><d=
iv>Best,</div><div><br></div><div>Jimmy</div></div><br><div class=3D"gmail_=
quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, May 23, 2019 at 8:35 A=
M Russell O'Connor via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@li=
sts.linuxfoundation.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundatio=
n.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><d=
iv dir=3D"ltr"><div>Recently there have been some tapscript proposals, SIGH=
ASH_ANYPREVOUT and OP_CHECKOUTPUTHASHVERIFY, that aim to enable particular =
new features for Bitcoin via new Script operations.=C2=A0 However, I think =
that these proposals miss the mark when it comes to how they approach Bitco=
in Script and language features.</div><div><br></div><div>Bitcoin Script ap=
pears designed to be a flexible programmable system that provides generic f=
eatures to be composed to achieve various purposes.=C2=A0 Thus, when we des=
ign new language features for Script, we should be striving, as much as pos=
sible, to similarly build general purpose tools which can in turn be used =
for a variety of purposes.</div><div><br></div><div>I feel the SIGHASH_ANYP=
REVOUT and OP_CHECKOUTPUTHASHVERIFY proposals fail to achieve these design =
goals.=C2=A0 They are both are designed with very narrow applications in mi=
nd, while also going out of their way to extend the semantic domain of the =
interpretation of Bitcoin operations in new ways that complicate their spec=
ification.=C2=A0 In the case of SIGHASH_ANYPREVOUT, the semantic domain is =
extended by adding new counters to track the use of various v0 and v2 signa=
ture types.=C2=A0 In the case of OP_CHECKOUTPUTHASHVERIFY, it employs a new=
context-sensitive operation that peeks at the value of surrounding opcodes=
.</div><div><br></div><div>Instead, I propose that, for the time being, we =
simply implement OP_CAT and OP_CHECKSIGFROMSTACKVERIFY.=C2=A0 OP_CAT pops t=
wo byte arrays off the stack and pushes their concatenation back onto the s=
tack.=C2=A0 OP_CHECKSIGFROMSTACKVERIFY pops a signature, message, and pubke=
y off the stack and performs a bip-schnorr verification on the SHA256 hash =
of the message.<br></div><div><br></div><div>In concert, these two operatio=
ns enable:</div><div><br></div><div>* Oracle signature verification, includ=
ing discrete log contracts.</div><div>* Amortized secure multiparty computa=
tions (see "Amortizing Secure Computation with Penalties" by Kuma=
resan and Bentov).</div><div>* Transaction introspection including:<br></di=
v><div><a class=3D"gmail_plusreply" id=3D"m_3320865696344070878gmail-m_8055=
559268591041453gmail-m_-496123689612879534gmail-plusReplyChip-0">+</a>=C2=
=A0Simulated SIGHASH_ANYPREVOUT, which are necessarily chaperoned simply by=
the nature of the construction.<br></div><div><a class=3D"gmail_plusreply"=
id=3D"m_3320865696344070878gmail-m_8055559268591041453gmail-m_-49612368961=
2879534gmail-plusReplyChip-1">+</a> Decide if a transaction has exactly one=
input or not. (etc.)</div><div>+ Weak covenants, which can verify output s=
cripts to see if they are among a set of predefined values or verify the ou=
tput hash.<br></div><div><br></div><div>and presumably more applications as=
well.<br></div><div><br></div><div>For better or for worse, without an OP_=
PUBKEYTWEEK operation available, the more interesting recursive-covenants r=
emain largely out of reach, with the exception of a recursive covenant that=
is only able to send back to its own address, possibly abusing its own TXO=
value as a state variable.</div><div><br></div><div>All this is accomplish=
ed by two straightforward opcodes whose semantics are pure computational op=
erations on stack values.=C2=A0 The only semantic side-effect is that OP_CH=
ECKSIGFROMSTACKVERIFY would count towards the existing 'sigops_passed&#=
39; count.=C2=A0 Moreover, I feel that adding these operations does not pre=
clude adding more specialized opcodes in the future as an optimization for =
whatever popular constructions come up, once we know what those are.<br></d=
iv><div><br></div><div>I feel that this style of generic building blocks tr=
uly embodies what is meant by "programmable money".<br></div></di=
v></div></div></div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</blockquote></div></div>
--0000000000004a5be9058995383f--
|
