📅 Original date posted:2018-12-23
📝 Original message:On Sat, Dec 22, 2018 at 02:54:42AM +0800, Johnson Lau wrote:
> The question I would like to ask is: is OP_CODESEPARATOR useful under taproot? Generally speaking, CODESEPARATOR is useful only with conditional opcodes (OP_IF etc), and conditional opcodes are mostly replaced by merklized scripts. I am not sure how much usability is left with CODESEPARATOR
If you don't have conditionals, then I think committing to the (masked)
script gives you everything you could do with codeseparator.
If you don't commit to the (masked) script, don't have conditionals,
and don't have codeseparator, then I don't think you can make a signature
distinguish which alternative script it's intending to sign; but you can
just give each alternative script in the MAST a slight variation of the
key and that seems good enough.
OTOH, I think for (roughly) the example you gave:
DEPTH 3 EQUAL
IF <Bob> CHECKSIGVERIFY HASH160 <H> EQUALVERIFY CODESEP
ELSE <n> CLTV DROP
ENDIF
<Alice> CHECKSIG
then compared to the taproot equivalent:
P = muSig(Alice,Bob)
S1 = <Alice1> CHECKSIGVERIFY <Bob> CHECKSIGVERIFY HASH160 <H> EQUAL
S2 = <Alice2> CHECKSIGVERIFY <n> CLTV
the IF+CODESEP approach is actually cheaper (lighter weight) if you're
mostly (>2/3rds of the time) taking the S1 branch. This is because the
"DEPTH 3 EQUAL IF/ELSE/ENDIF CODESEP <n> CLTV DROP" overhead is less
than the 32B overhead to choose a merkle branch).
(That said, I'm not sure what Alice's signature in the S1 branch actually
achieves in that script; and without that in S1, the taproot approach is
cheaper all the time. Scriptless scripts would be cheaper still)
> If no one needs CODESEPARATOR, we might just disable it, and makes the validation code a bit simpler
Since it only affects the behaviour of the checkdls (checksig) operators,
even if it was disabled, it could be re-enabled fairly easily in a new
script subversion if needed (ie, it could be re-added when upgrading
witness version 1 from script version 0 to 1).
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 18:15:38
in reply to nevent1q…0n04
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 18:15:38Event JSON
{
"id": "f2b0e0aa0b5d64fdcff99902d8cc3e5db614e81c0790e7f1fe22618d6cae1571",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686161738,
"kind": 1,
"tags": [
[
"e",
"77c824d861e497590991b7dc940a75787db11a7b2eab6adcf5563d0847a4df18",
"",
"root"
],
[
"e",
"82f6f7f8c1d3b6f390146b6c1a4504aa7fae1c41339d1598bb71d79eb3b5be18",
"",
"reply"
],
[
"p",
"492fa402e838904bdc8eb2c8fafa1aa895df26438bfd998c71b01cb9db550ff7"
]
],
"content": "📅 Original date posted:2018-12-23\n📝 Original message:On Sat, Dec 22, 2018 at 02:54:42AM +0800, Johnson Lau wrote:\n\u003e The question I would like to ask is: is OP_CODESEPARATOR useful under taproot? Generally speaking, CODESEPARATOR is useful only with conditional opcodes (OP_IF etc), and conditional opcodes are mostly replaced by merklized scripts. I am not sure how much usability is left with CODESEPARATOR\n\nIf you don't have conditionals, then I think committing to the (masked)\nscript gives you everything you could do with codeseparator.\n\nIf you don't commit to the (masked) script, don't have conditionals,\nand don't have codeseparator, then I don't think you can make a signature\ndistinguish which alternative script it's intending to sign; but you can\njust give each alternative script in the MAST a slight variation of the\nkey and that seems good enough.\n\nOTOH, I think for (roughly) the example you gave:\n\n DEPTH 3 EQUAL\n IF \u003cBob\u003e CHECKSIGVERIFY HASH160 \u003cH\u003e EQUALVERIFY CODESEP\n ELSE \u003cn\u003e CLTV DROP\n ENDIF\n \u003cAlice\u003e CHECKSIG\n\nthen compared to the taproot equivalent:\n\n P = muSig(Alice,Bob)\n S1 = \u003cAlice1\u003e CHECKSIGVERIFY \u003cBob\u003e CHECKSIGVERIFY HASH160 \u003cH\u003e EQUAL\n S2 = \u003cAlice2\u003e CHECKSIGVERIFY \u003cn\u003e CLTV\n\nthe IF+CODESEP approach is actually cheaper (lighter weight) if you're\nmostly (\u003e2/3rds of the time) taking the S1 branch. This is because the\n\"DEPTH 3 EQUAL IF/ELSE/ENDIF CODESEP \u003cn\u003e CLTV DROP\" overhead is less\nthan the 32B overhead to choose a merkle branch).\n\n(That said, I'm not sure what Alice's signature in the S1 branch actually\nachieves in that script; and without that in S1, the taproot approach is\ncheaper all the time. Scriptless scripts would be cheaper still)\n\n\u003e If no one needs CODESEPARATOR, we might just disable it, and makes the validation code a bit simpler\n\nSince it only affects the behaviour of the checkdls (checksig) operators,\neven if it was disabled, it could be re-enabled fairly easily in a new\nscript subversion if needed (ie, it could be re-added when upgrading\nwitness version 1 from script version 0 to 1).\n\nCheers,\naj",
"sig": "c9d53666e2397bba83feb95d4a7909a81bc21cbad1f27ca89bed6662d6e44010ef172f21023499c4db5be239992d8bf7325003ec48c00d04bec85f0791f8f6bc"
}