From apoelstra at wpsoftware.net Wed Oct 9 16:56:51 2019
From: apoelstra at wpsoftware.net (Andrew Poelstra)
Date: Wed, 9 Oct 2019 16:56:51 +0000
Subject: [Lightning-dev] OP_CAT was Re: [bitcoin-dev] Continuing the discussion about noinput / anyprevout
In-Reply-To:
References: <87wodp7w9f.fsf@gmail.com> <20191001155929.e2yznsetqesx2jxo@erisian.com.au>
Message-ID: <20191009165651.GN13224@boulet>

On Thu, Oct 03, 2019 at 11:05:52AM -0400, Ethan Heilman wrote:
> To avoid derailing the NO_INPUT conversation, I have changed the
> subject to OP_CAT.
>
> Responding to:
> """
> * `SIGHASH` flags attached to signatures are a misdesign, sadly
> retained from the original BitCoin 0.1.0 Alpha for Windows design, on
> par with:
> [..]
> * `OP_CAT` and `OP_MULT` and `OP_ADD` and friends
> [..]
> """
>
> OP_CAT is an extremely valuable op code. I understand why it was
> removed as the situation at the time with scripts was dire. However
> most of the protocols I've wanted to build on Bitcoin run into the
> limitation that stack values can not be concatenated. For instance
> TumbleBit would have far smaller transaction sizes if OP_CAT was
> supported in Bitcoin. If it happens to me as a researcher it is
> probably holding other people back as well. If I could wave a magic
> wand and turn on one of the disabled op codes it would be OP_CAT. Of
> course with the change that size of each concatenated value must be 64
> Bytes or less.
>

Just throwing my two cents in here - as others have noted, OP_CAT lets you create Merkle trees (allowing e.g. log-sized accountable threshold sigs, at least in a post-Schnorr future).

It also allows manipulating signatures - e.g. forcing the revelation of discrete logs by requiring the user use the (1/2) point as a nonce (this starts with 11 zero bytes, which no other computationally accessible point does), or by requiring two sigs with the same nonce.

It also lets you do proof-of-work-like computations on hashes or curvepoints; or enforce that EC points come from a hash and have no known discrete log.

You can also switch on hashes, something currently impossible because of the 4-byte limitation on numeric opcodes.

I don't have specific applications of these in mind but definitely have cut off many lines of inquiry because they were impossible.

You could build a crappy Lamport signature, though the key would be so big that you'd never do this pre-MAST :P.

--
Andrew Poelstra
Director of Research, Blockstream
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster
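
Added example, not part of the original message: a toy stack machine in Python showing how the Merkle-tree use mentioned above reduces to OP_CAT plus OP_SHA256, with the quoted 64-byte limit read as a per-operand cap. The interpreter, `membership_script`, `prove`, the side-bit witness layout and the sample leaves are constructed for illustration and are not Bitcoin consensus code.

```python
import hashlib

MAX_OPERAND = 64  # assumption: the quoted 64-byte cap applies to each OP_CAT operand

def sha256(data):
    return hashlib.sha256(data).digest()

def run(script, witness):
    """Toy stack machine (constructed; not Bitcoin consensus code)."""
    stack, skipping = list(witness), False
    try:
        for op in script:
            if op == "OP_ENDIF":
                skipping = False
            elif skipping:
                continue                              # inside a not-taken OP_IF
            elif isinstance(op, bytes):
                stack.append(op)                      # data push
            elif op == "OP_IF":
                skipping = stack.pop() != b"\x01"
            elif op == "OP_SWAP":
                stack[-1], stack[-2] = stack[-2], stack[-1]
            elif op == "OP_SHA256":
                stack.append(sha256(stack.pop()))
            elif op == "OP_CAT":
                right, left = stack.pop(), stack.pop()
                if max(len(left), len(right)) > MAX_OPERAND:
                    return False                      # oversized operand fails
                stack.append(left + right)
            elif op == "OP_EQUAL":
                stack.append(b"\x01" if stack.pop() == stack.pop() else b"")
    except IndexError:                                # stack underflow fails
        return False
    return stack == [b"\x01"]                         # clean stack, true on top

def membership_script(root, depth):
    """Hash the leaf, fold in `depth` siblings with OP_CAT, compare to root."""
    level = ["OP_SWAP", "OP_IF", "OP_SWAP", "OP_ENDIF", "OP_CAT", "OP_SHA256"]
    return ["OP_SHA256"] + level * depth + [root, "OP_EQUAL"]

def prove(leaves, index):
    """Return (root, witness) for a power-of-two leaf count.
    Witness, bottom to top: (sibling, side bit) per level from the root down, then leaf."""
    level, items, pos = [sha256(x) for x in leaves], [], index
    while len(level) > 1:
        bit = b"\x01" if pos % 2 == 0 else b""        # 1: running hash is the left child
        items, pos = [level[pos ^ 1], bit] + items, pos // 2
        level = [sha256(a + b) for a, b in zip(level[::2], level[1::2])]
    return level[0], items + [leaves[index]]
```

The toy tree does not domain-separate leaf hashes from inner-node hashes; the fixed depth baked into the script is what keeps an inner node from being presented as a leaf here.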