andytoshi changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | This channel is logged. | For logs and more information, visit https://bitcoin.ninja
belcher_ has joined #bitcoin-wizards
belcher has quit [Ping timeout: 260 seconds]
mauz555 has joined #bitcoin-wizards
belcher_ is now known as belcher
mauz555 has quit [Ping timeout: 250 seconds]
AaronvanW has joined #bitcoin-wizards
proofofkeags_ has quit [Ping timeout: 260 seconds]
<jeremyrubin> Decentralized Coordination Free Mining Pools :)
rusty has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 260 seconds]
bildramer1 is now known as bildramer
jeremyrubin has quit [Read error: Connection reset by peer]
jadi has joined #bitcoin-wizards
bitdex has joined #bitcoin-wizards
jadi has quit [Ping timeout: 240 seconds]
kenshi84 has joined #bitcoin-wizards
kenshi84_ has quit [Ping timeout: 268 seconds]
Emcy_ has joined #bitcoin-wizards
Emcy_ has quit [Remote host closed the connection]
Emcy has quit [Ping timeout: 252 seconds]
AaronvanW has joined #bitcoin-wizards
jeremyrubin has joined #bitcoin-wizards
Emcy has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
jesseposner has quit [Ping timeout: 258 seconds]
smartineng has joined #bitcoin-wizards
smartineng has quit [Ping timeout: 240 seconds]
flag has quit [Quit: leaving]
flag has joined #bitcoin-wizards
smartineng has joined #bitcoin-wizards
smartineng has quit [Excess Flood]
smartineng has joined #bitcoin-wizards
jadi has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
jadi has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
Isthmus has quit [Ping timeout: 245 seconds]
Hunger- has quit [Ping timeout: 245 seconds]
Isthmus has joined #bitcoin-wizards
wpalczynski_ has joined #bitcoin-wizards
wpalczynski has quit [Ping timeout: 245 seconds]
wpalczynski_ is now known as wpalczynski
Iriez has quit [Ping timeout: 245 seconds]
Iriez has joined #bitcoin-wizards
Guest21684 has quit [Ping timeout: 245 seconds]
Guest21684 has joined #bitcoin-wizards
Emcy has quit [Remote host closed the connection]
Emcy has joined #bitcoin-wizards
midnight has quit [Ping timeout: 245 seconds]
prosodyC has quit [Ping timeout: 245 seconds]
jamesob has quit [Ping timeout: 245 seconds]
jamesob_ has joined #bitcoin-wizards
rodarmor has quit [Ping timeout: 245 seconds]
bsm117532 has quit [Ping timeout: 245 seconds]
bsm1175321 has joined #bitcoin-wizards
Emcy has quit [Remote host closed the connection]
Emcy has joined #bitcoin-wizards
endogenic has quit [Ping timeout: 245 seconds]
prosodyC has joined #bitcoin-wizards
rodarmor has joined #bitcoin-wizards
gazab has quit [Ping timeout: 245 seconds]
gazab has joined #bitcoin-wizards
endogenic has joined #bitcoin-wizards
midnight has joined #bitcoin-wizards
mauz555 has joined #bitcoin-wizards
CryptoDavid has quit [Quit: Connection closed for inactivity]
S3RK_ is now known as S3RK
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Excess Flood]
morcos has quit [Remote host closed the connection]
morcos has joined #bitcoin-wizards
rusty has quit [Quit: Leaving.]
AaronvanW has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
laptop has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
lederstrumpf has quit [Ping timeout: 260 seconds]
lederstrumpf has joined #bitcoin-wizards
mauz555 has quit []
rusty has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
justan0theruser has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 258 seconds]
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
jadi has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
rusty has quit [Ping timeout: 265 seconds]
sr_gi has quit [Read error: Connection reset by peer]
sr_gi has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 245 seconds]
Emcy has quit [Quit: Leaving]
Emcy has joined #bitcoin-wizards
Emcy has quit [Client Quit]
Emcy has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
bitdex has quit [Quit: = ""]
Thor95 has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
CryptoDavid has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
Spanktar has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
shesek has quit [Remote host closed the connection]
shesek has joined #bitcoin-wizards
shesek has joined #bitcoin-wizards
proofofkeags_ has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
jadi has quit [Remote host closed the connection]
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
CubicEarth has quit [Ping timeout: 240 seconds]
CubicEarth has joined #bitcoin-wizards
IGHOR has quit [Read error: Connection reset by peer]
IGHOR has joined #bitcoin-wizards
jesseposner has joined #bitcoin-wizards
jadi has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
jadi has quit [Ping timeout: 246 seconds]
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
luke-jr has quit [Quit: ZNC - http://znc.sourceforge.net]
<yanmaani> jeremyrubin: so would this be a replacement for P2pool?
luke-jr has joined #bitcoin-wizards
<jeremyrubin> alternative
<jeremyrubin> it's different
AaronvanW has quit [Ping timeout: 246 seconds]
proofofkeags_ has quit [Ping timeout: 252 seconds]
proofofkeags has joined #bitcoin-wizards
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
justan0theruser has quit [Ping timeout: 245 seconds]
sanket1729 has joined #bitcoin-wizards
sanketcell has joined #bitcoin-wizards
sanket1729 has quit [Remote host closed the connection]
sanketcell has quit [Remote host closed the connection]
sanketcell has joined #bitcoin-wizards
sanket1729 has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Thor95 has quit [Quit: Connection closed]
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
AaronvanW has quit [Ping timeout: 252 seconds]
AaronvanW has joined #bitcoin-wizards
jadi has joined #bitcoin-wizards
jadi has quit [Remote host closed the connection]
smartineng has quit [Quit: smartineng]
jadi has joined #bitcoin-wizards
jadi has quit [Ping timeout: 268 seconds]
CryptOprah has joined #bitcoin-wizards
<CryptOprah> H
<CryptOprah> Is this dead?
CryptOprah has quit [Client Quit]
<sipa> yes
<jeremyrubin> sipa: i think you mean no?
<jeremyrubin> but also they left the server
<sipa> jeremyrubin: i'm aware
rhyslindmark has joined #bitcoin-wizards
rhyslindmark has quit [Client Quit]
robert_spigler has joined #bitcoin-wizards
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
yanmaani has quit [Ping timeout: 240 seconds]
yanmaani has joined #bitcoin-wizards
<darosior> Since SIGHASH_ANYPREVOUTANYSCRIPT does not commit to the witness script, it still allows to have a covenant by stuffing a signature in the previous output's script right? I remember Bob McElrath told me that ANYPREVOUT made this impossible contrary to NOINPUT, but it seems that ANYPREVOUTANYSCRIPT still has this property?
laptop has quit [Ping timeout: 268 seconds]
TheoStorm has quit [Quit: Leaving]
<jeremyrubin> AFAIU this is correct
<jeremyrubin> There still exist 2 differences I could tell from what CTV enables, and that is the ability to commit to all sequences and the ability to commit to all scriptsigs
<jeremyrubin> If you were to do ANYPREVOUTANYSCRIPT | SINGLE | ALL (unclear if this is a valid combo???) it would permit single input CTV equivalent covenants
<jeremyrubin> err not SINGLE, just ALL
<darosior> SINGLE | ALL can't work i think
<darosior> right
<jeremyrubin> Then I *think* you'd get a nonmalleable TXID
<darosior> Interesting, why CTV over sighash-based covenants then? Seems way more flexible. (sorry if you rehashed already, a link to a previous convo is welcome too :p)
<darosior> Hmm for multi-input CTVs? Otherwise it's malleable if you have >1 transaction down the chain
<jeremyrubin> BTW i'm not sure ANYPREVOUT has a reference client
<jeremyrubin> and i can't figure out if it's compatible with SIGHASH_ALL from aj's BIP draft?
<jeremyrubin> Part of the "why X over Z" is answered in a few places
<jeremyrubin> oops
<darosior> What do you mean compatible with SIGHASH_ALL ?
<jeremyrubin> I should probably tweak the BIP Text to say *size and speed*
<jeremyrubin> Also covered here https://utxos.org/alternatives/
justanotheruser has joined #bitcoin-wizards
<jeremyrubin> Well it's just not defined in BIP118 if SIGHASH_ANYPREVOUTANYSCRIPT | SIGHASH_ALL is a valid signature mode
<darosior> I don't think it would make sense ? It is for single to discard the other inputs, but ALL is completely contrary to APV ? What could it enable?
<jeremyrubin> I'm not sure
<jeremyrubin> I'm just reading BIP-118
<jeremyrubin> you might be smarter than me, but my brain turns into pasta trying to read https://github.com/ajtowns/bips/blob/bip-anyprevout/bip-0118.mediawiki#signature-message
<jeremyrubin> It's unclear to me that SIGHASH_ALL | SIGHASH_ANYPREVOUTANYSCRIPT is a valid combo
<darosior> Haha, no, same. But conceptually i don't think their feature can "intersect", i may be wrong
<jeremyrubin> What do you mean "intersect"
<jeremyrubin> like you can't have both?
<jeremyrubin> So the sighash flags IMO are confusing -- I think it helps to not think of them as flags, but as versions.
<jeremyrubin> We have 256 versions, each can have a different exact spec
<jeremyrubin> (in fact we should probably rearchitect the code to not use flags since it's confusing that there can be invalid combos)
<jeremyrubin> Oh also, it's not clear this sighash mode will be available outside of taproot
<jeremyrubin> and there are some use cases for bare script CTV
<jeremyrubin> a last reason I'll give you -- which is highly highly debatable -- is that CTV exists in "RTM" state , pending review of code
<darosior> Yes, i mean all their features are opposite. ALL is including all available information, APV is removing some. What could be a mix of both? With SINGLE it's different as features can "intersect", ie you can have both "void the other inputs" and "void the witness script and prevout for this input i'm signing"
<jeremyrubin> I don't think there's a concrete code object for Anyprevout yet?
<jeremyrubin> darosior: sure, I'll agree that as flags it wouldn't make sense
<jeremyrubin> but as "versions", it would be definable as each 1 of 256 has some meaning
<darosior> Re sighash mode outside of Taproot, no. I think the authors wanted to have a very minimal change and it's actually defined for Tapscript OPs
<darosior> Yes, with versions we should get rid of the names too then :)
<jeremyrubin> well I think each version could just have a name
<jeremyrubin> "35" is not a good name, but "ALLOUTPUTSMYINPUT" is ~ok
<jeremyrubin> darosior: speaking of pending review, I would highly appreciate one on the CTV pr :)
<darosior> hehe, i'm still trying to get my head around what's best conceptually first. Sorry if you went through this for the past years already, but i'm not yet in a "i'm sure it's the right way let's review the implementation" state yet
<jeremyrubin> if there's no SIGHASH_ALL | ANYPREVOUTANYSCRIPT mode then you can't guarantee TXID non-malleability with ANYPREVOUT
<jeremyrubin> altho I would consider that you might not need txid non-malleability if you have anyprevout, it does rule out certain classes of covenant design that use traditional presigned txs
<darosior> How would ALL | APVAS (much acronyms) differ from APVAS only?
<darosior> You have excellent documentation, btw
<jeremyrubin> y thank u
<jeremyrubin> ok so trying to come up with more differences...
<jeremyrubin> amount (8): value of the previous output spent by this input.
<jeremyrubin> by committing to the amount spent, CTV covenants have to know the *exact* amount spent into the address, or it will fail.
<jeremyrubin> I omitted this from CTV intentionally, figuring exact amount commitments are useful, but should be a separate opcode/check
<jeremyrubin> This is because if we expect our covenant to require 1BTC and we receive 1.00001 btc, we don't want to get bricked
<jeremyrubin> However, Anyprevout also hashes the annex
<jeremyrubin> This might be useful, however it means that the annexes must be known in advance for Anyprevout covenants
<darosior> Oh, i just remembered why it's not possible
<jeremyrubin> This prevents the annex being used for anything useful that is not known ahead of time
<darosior> BIP340 makes the pubkey part of the signature digest iirc
<darosior> To mitigate the concerns re HD wallets
<jeremyrubin> I think this was worked around by andytoshi
<jeremyrubin> It would appear that BIP340 puts the nail in the coffin of this style of covenant: P shows up explicitly in the signature hash, so no matter what crazy future sighashing schemes might get included in Bitcoin, this circularity will remain and we are stuck. In fact, this inclusion of P means that BIP340 signatures aren't just signatures, but "signatures of knowledge". This is a term of art which means, roughly, that you are not
<jeremyrubin> able to run these signatures backward in any sense. For a long time, I thought this meant that I couldn't abuse BIP340 signatures to get non-signature behavior out of them.
bildramer1 has joined #bitcoin-wizards
<jeremyrubin> it's more complex but not a show stopper I think as you just need to make compilation like 256 times slower for contracts
<darosior> Nice. You need CAT though
<jeremyrubin> right
<jeremyrubin> I'm not sure actually...
bildramer has quit [Ping timeout: 260 seconds]
<jeremyrubin> why can't the script just be <G> CHECKSIG <s> CHECKEQUAL?
jadi has joined #bitcoin-wizards
<darosior> I think andytoshi here is trying to reproduce what's hashed in BIP340 (R || P || m) on the stack
<jeremyrubin> no that's not quite it
<darosior> So he needs to concatenate them to use OP_SHA256?
<jeremyrubin> Anyways... maybe andytoshi can comment on if OP_CAT is actually needed
<jeremyrubin> But the reason why SIGHASH_ANYPREVOUTANYSCRIPT doesn't commit to the same info as CTV single script is that you need to commit to 1) sequences 2) not having more than 1 input
<jeremyrubin> and I don't see anything that prevents you from adding inputs after the fact
<jeremyrubin> and not being able to commit to the sequence (remember, CSV is only lower bounding not exact value) means that TXIDs can't be made immalleable
<jeremyrubin> Therefore *any* signatures you're doing for presigned in a covenant must be using anyprevoutanyscript
jadi has quit [Remote host closed the connection]
<jeremyrubin> which is a pretty annoying design constraint
<jeremyrubin> it means keys used in covenants really can't be reused
<darosior> Oh, good point (unrelatedly to the current discussion) for the lower bounding + nSequence committing. I think i overlooked that in my "Revault with APV + CTV design"
<jeremyrubin> I obviously think that Revault can tweak its design *slightly* and run on Sapio today :)
<darosior> Hmm but BIP118 still commits to the nSequence for both
<jeremyrubin> nope I don't think so?
<darosior> The sighash flag has been renamed from "NOINPUT" to "ANYPREVOUT" to reflect that while any prevout may potentially be used with the signature, some aspects of the input are still committed to, namely the input nSequence value, and (optionally) the spending conditions and amount.
<andytoshi> 22:33 < jeremyrubin> why can't the script just be <G> CHECKSIG <s> CHECKEQUAL?
<darosior> ^ this was a quote
<andytoshi> how can <G> possibly be a valid sig?
<jeremyrubin> err isn't <G> the pubkey there?
<andytoshi> oh right, yeah
<jeremyrubin> `s <G>s <G> CHECKSIG`
<jeremyrubin> so if I had
<darosior> jeremyrubin: what do you mean by *slightly* ? :) if Sapio is emulating CTV, then no any modification to Revault to include CTV would largely change the behaviour
<jeremyrubin> How so?
<jeremyrubin> so if spk = `<G> CHECKSIGVERIFY <s> CHECKEQUAL`
<jeremyrubin> can't I then pass in <s> <G|s> to satisfy?
<jeremyrubin> darosior: let's move the revault sapio convo
<andytoshi> you can't put <s> in the scriptpubkey, you don't know what <s> is
<jeremyrubin> to #sapio
<andytoshi> when you are constructing the spk
<jeremyrubin> The s that our script leaves on the stack is actually a SHA256 hash of our transaction data, prefixed by a couple copies of G (and a couple copies of SHA256("BIP0340") because BIP340 loves itself).
<jeremyrubin> ^ quote you
<andytoshi> yes....and "our transaction data" includes the spk
<jeremyrubin> so if it's just the hash of the txdata, and we have APAS, why not?
<jeremyrubin> APAS = ANYPREVOUTANYSCRIPT
<andytoshi> oh i missed that
<andytoshi> yeah i could believe that it works, though i'm then really doubtful about its security
<andytoshi> but i haven't worked through that
<jeremyrubin> nSequence is *only* hashed for ANYPREVOUT
<jeremyrubin> not ANYPREVOUTANYSCRIPT
<jeremyrubin> Err wait
<jeremyrubin> No, it is hashed for ANYPREVOUTANYSCRIPT
* jeremyrubin *shakes fist at AJ* make your bip more readable, man!
instagibbs has joined #bitcoin-wizards
<jeremyrubin> andytoshi: I mean I think it should be secure... if you pass in anything except <s> <G|s> then it should fail to validate... but TBH that this is possible at all makes me doubtful that there aren't other things that wouldn't occur to me
<jeremyrubin> i think it still doesn't make a good argument against CTV, given that <s> <G|s> <G> CHECKSIG <s> CHECKEQUAL is what like 5x the data
jadi has joined #bitcoin-wizards
jadi has quit [Ping timeout: 265 seconds]
sanket1729 has quit [Ping timeout: 240 seconds]
sanketcell has quit [Ping timeout: 240 seconds]
jonatack has quit [Ping timeout: 252 seconds]