📅 Original date posted:2023-03-07
🗒️ Summary of this message: A proposal to introduce the concept of "forwarding" input amounts to specified outputs with various restrictions on output scripts using new opcodes.
📝 Original message:On Mon, Mar 06, 2023 at 10:25:38AM -0500, James O'Beirne via bitcoin-dev wrote:
> What Greg is proposing above is to in essence TLUV-ify this proposal.
FWIW, the way I'm thinking about this is that the "OP_VAULT" concept is
introducing two things:
a) the concept of "forwarding" the input amount to specified
outputs in a way that elegantly allows merging/splitting
b) various restrictions on the form of the output scripts
These concepts go together well, because restricting an output script is
only an interesting thing to do if you're moving value from this input
into it. And then it's just a matter of figuring out a nice way to pick
opcodes that combine those two concepts in interesting ways.
This is different from TLUV, in that TLUV only did part (b), and
assumed you'd do part (a) manually somehow, eg via "OP_IN_OUT_AMOUNT"
and arithmetic opcodes. The advantage of this new approach over that
one is that it makes it really easy to get the logic right (I often
forgot to include the IN_OUT_AMOUNT checks at all, for instance), and
also makes spending multiple inputs to a single output really simple,
something that would otherwise require kind-of gnarly logic.
I think there are perhaps four opcodes that are interesting in this class:
idx sPK OP_FORWARD_TARGET
-- sends the value to a particular output (given by idx), and
requires that output have a particular scriptPubKey (given
by sPK).
idx [...] n script OP_FORWARD_LEAF_UPDATE
-- sends the value to a particular output (given by idx), and
requires that output to have almost the same scriptPubKey as this
input, _except_ that the current leaf is replaced by "script",
with that script prefixed by "n" pushes (of values given by [...])
idx OP_FORWARD_SELF
-- sends the value to a particular output (given by idx), and
requires that output to have the same scriptPubKey as this input
amt OP_FORWARD_PARTIAL
-- modifies the next OP_FORWARD_* opcode to only affect "amt",
rather than the entire balance. opcodes after that affect the
remaining balance, after "amt" has been subtracted. if "amt" is
0, the next OP_FORWARD_* becomes a no-op.
Then each time you see OP_FORWARD_TARGET or OP_FORWARD_LEAF_UPDATE, you
accumulate the value that's expected to be forwarded to the output by
each input, and verify that the amount for that output is greater-or-equal
to the accumulated value.
> ## Required opcodes
> - OP_VAULT: spent to trigger withdrawal
> - OP_VAULT_RECOVER: spent to recover
Naming here is OP_VAULT ~= OP_FORWARD_LEAF_UPDATE; OP_VAULT_RECOVER ~=
OP_FORWARD_TARGET.
> For each vault, vaulted coins are spent to an output with the taproot
> structure
>
> taproot(internal_key, {$recovery_leaf, $trigger_leaf, ...})
>
> where
>
> $trigger_leaf =
> <trigger> <auth> <script> <spend-delay> OP_VAULT
With the opcodes above, the trigger_leaf (for spending some of the
vaulted funds via your hot wallet) script might look like:
OP_FORWARD_PARTIAL OP_FORWARD_SELF
1 "288 OP_CSV OP_DROP OP_CTV" OP_FORWARD_LEAF_UPDATE
key CHECKSIG
So if you have 2.0 BTC in a vault utxo, you might spend 0.4 BTC by
supplying the witness data:
160000000 (1.6BTC in sats)
0 (output 0 puts 1.6BTC goes back into the vault)
<ctvhash> (the outputs where you want the remaining 0.4 BTC to end up)
1 (the output idx that will be spend via the CTV path once the CSV
delay is done)
<sig> (a signature of this transaction via the hot wallet "key")
That is, the script becomes:
160000000 FORWARD_PARTIAL
0 FORWARD_SELF
1 <ctvhash> 1 "288 CSV DROP CTV" FORWARD_LEAF_UPDATE
sig key CHECKSIG
Output 1 would then have a tapscript of "<ctvhash> 288 OP_CSV OP_DROP
OP_CTV", satisfied with an empty witness stack (along with the recovery
path, etc).
Output 0 is just 1.6BTC back in your vault, and immediately available
for use.
Other inputs/outputs (for fees etc) would still be committed to by <sig>,
so nothing here is malleable. The script here is about 45 bytes (compared
to 34 for a simple "key CHECKSIG") and the witness data is about 105 bytes
(compared to 65 bytes for just a signature), which seems pretty nice.
> ... =
> other (optional) leaves in the taptree
This would allow you to have multiple hot wallets (if any of them are
compromised you can still use the recovery path to avoid loss of funds;
but if some hot wallet becomes temporarily *inaccessible* you can still
easily spend the funds via one of the alternative hot wallets), or,
if you have multiple watchtowers validating your spends and recovering
funds to your cold wallet on a violation, you could have multiple recovery
paths to provide some auditability for who triggered the recovery.
> Happens via script-path spend to $expr_withdraw, i.e. a timelocked
> OP_CTV.
Note that if you calculated the OP_CTV incorrectly (eg, you don't set a
correct nSequence timelock, so that any tx that passes OP_CTV won't pass
the OP_CSV check, and vice-versa) then this spend path becomes invalid,
and the funds can only be reclaimed via some other path (key path spend,
recovery tapscript, potentially an alternative hotwallet script path).
OP_FORWARD_LEAF_UPDATE is equivalent to a very specific form of TLUV,
namely "FALSE <h> 2 TLUV", where "<h>" is calculated by building the
script, prefixing the pushes, then doing the Hash_TapLeaf calculation.
Not being able to tweak the internal public key ("FALSE" rather than
"<x>") means this can't be used to build a coinpool with unilateral
exit -- you can't remove your key from the key path, which screws over
everyone who's still in the coinpool.
On the other hand, not tweaking the internal public key avoids introducing
all the x-only pubkey complications, and keeps it relatively simple,
which is nice, and keeping things simple and targeted now means there's
still plenty of OP_SUCCESS opcodes available later for something more
general, if that turns out to be desirable.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 23:20:00
in reply to nevent1q…yaks
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 23:20:00Event JSON
{
"id": "f90d1d8762bbf40e992249a6e7ca3a1e9628b3da9b63f62404dc588a5eed8cbf",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686180000,
"kind": 1,
"tags": [
[
"e",
"647fc7db9ce6599535c0921f7a07494f1213a0b3b646951b297e97e004c8718e",
"",
"root"
],
[
"e",
"3187d3ab2979fa771e1d9533ba12eae03e71b4731835939264f4033c91b6ca5d",
"",
"reply"
],
[
"p",
"937f10fc4f78d8676348562d9d886843fbb351d99d6c96423fe9970819962e19"
]
],
"content": "📅 Original date posted:2023-03-07\n🗒️ Summary of this message: A proposal to introduce the concept of \"forwarding\" input amounts to specified outputs with various restrictions on output scripts using new opcodes.\n📝 Original message:On Mon, Mar 06, 2023 at 10:25:38AM -0500, James O'Beirne via bitcoin-dev wrote:\n\u003e What Greg is proposing above is to in essence TLUV-ify this proposal.\n\nFWIW, the way I'm thinking about this is that the \"OP_VAULT\" concept is\nintroducing two things:\n\n a) the concept of \"forwarding\" the input amount to specified\n outputs in a way that elegantly allows merging/splitting\n\n b) various restrictions on the form of the output scripts\n\nThese concepts go together well, because restricting an output script is\nonly an interesting thing to do if you're moving value from this input\ninto it. And then it's just a matter of figuring out a nice way to pick\nopcodes that combine those two concepts in interesting ways.\n\nThis is different from TLUV, in that TLUV only did part (b), and\nassumed you'd do part (a) manually somehow, eg via \"OP_IN_OUT_AMOUNT\"\nand arithmetic opcodes. The advantage of this new approach over that\none is that it makes it really easy to get the logic right (I often\nforgot to include the IN_OUT_AMOUNT checks at all, for instance), and\nalso makes spending multiple inputs to a single output really simple,\nsomething that would otherwise require kind-of gnarly logic.\n\nI think there are perhaps four opcodes that are interesting in this class:\n\n idx sPK OP_FORWARD_TARGET\n -- sends the value to a particular output (given by idx), and\n requires that output have a particular scriptPubKey (given\n by sPK).\n\n idx [...] n script OP_FORWARD_LEAF_UPDATE\n -- sends the value to a particular output (given by idx), and\n\trequires that output to have almost the same scriptPubKey as this\n\tinput, _except_ that the current leaf is replaced by \"script\",\n\twith that script prefixed by \"n\" pushes (of values given by [...])\n\n idx OP_FORWARD_SELF\n -- sends the value to a particular output (given by idx), and\n requires that output to have the same scriptPubKey as this input\n\n amt OP_FORWARD_PARTIAL\n -- modifies the next OP_FORWARD_* opcode to only affect \"amt\",\n rather than the entire balance. opcodes after that affect the\n\tremaining balance, after \"amt\" has been subtracted. if \"amt\" is\n\t0, the next OP_FORWARD_* becomes a no-op.\n\nThen each time you see OP_FORWARD_TARGET or OP_FORWARD_LEAF_UPDATE, you\naccumulate the value that's expected to be forwarded to the output by\neach input, and verify that the amount for that output is greater-or-equal\nto the accumulated value.\n\n\u003e ## Required opcodes\n\u003e - OP_VAULT: spent to trigger withdrawal\n\u003e - OP_VAULT_RECOVER: spent to recover\n\nNaming here is OP_VAULT ~= OP_FORWARD_LEAF_UPDATE; OP_VAULT_RECOVER ~=\nOP_FORWARD_TARGET.\n\n\u003e For each vault, vaulted coins are spent to an output with the taproot\n\u003e structure\n\u003e \n\u003e taproot(internal_key, {$recovery_leaf, $trigger_leaf, ...})\n\u003e \n\u003e where\n\u003e \n\u003e $trigger_leaf =\n\u003e \u003ctrigger\u003e \u003cauth\u003e \u003cscript\u003e \u003cspend-delay\u003e OP_VAULT\n\nWith the opcodes above, the trigger_leaf (for spending some of the\nvaulted funds via your hot wallet) script might look like:\n\n OP_FORWARD_PARTIAL OP_FORWARD_SELF\n 1 \"288 OP_CSV OP_DROP OP_CTV\" OP_FORWARD_LEAF_UPDATE\n key CHECKSIG\n\nSo if you have 2.0 BTC in a vault utxo, you might spend 0.4 BTC by\nsupplying the witness data:\n\n 160000000 (1.6BTC in sats)\n 0 (output 0 puts 1.6BTC goes back into the vault)\n \u003cctvhash\u003e (the outputs where you want the remaining 0.4 BTC to end up)\n 1 (the output idx that will be spend via the CTV path once the CSV\n delay is done)\n \u003csig\u003e (a signature of this transaction via the hot wallet \"key\")\n\nThat is, the script becomes:\n\n 160000000 FORWARD_PARTIAL\n 0 FORWARD_SELF\n 1 \u003cctvhash\u003e 1 \"288 CSV DROP CTV\" FORWARD_LEAF_UPDATE\n sig key CHECKSIG\n\nOutput 1 would then have a tapscript of \"\u003cctvhash\u003e 288 OP_CSV OP_DROP\nOP_CTV\", satisfied with an empty witness stack (along with the recovery\npath, etc).\n\nOutput 0 is just 1.6BTC back in your vault, and immediately available \nfor use.\n\nOther inputs/outputs (for fees etc) would still be committed to by \u003csig\u003e,\nso nothing here is malleable. The script here is about 45 bytes (compared\nto 34 for a simple \"key CHECKSIG\") and the witness data is about 105 bytes\n(compared to 65 bytes for just a signature), which seems pretty nice.\n\n\u003e ... =\n\u003e other (optional) leaves in the taptree\n\nThis would allow you to have multiple hot wallets (if any of them are\ncompromised you can still use the recovery path to avoid loss of funds;\nbut if some hot wallet becomes temporarily *inaccessible* you can still\neasily spend the funds via one of the alternative hot wallets), or,\nif you have multiple watchtowers validating your spends and recovering\nfunds to your cold wallet on a violation, you could have multiple recovery\npaths to provide some auditability for who triggered the recovery.\n\n\u003e Happens via script-path spend to $expr_withdraw, i.e. a timelocked\n\u003e OP_CTV.\n\nNote that if you calculated the OP_CTV incorrectly (eg, you don't set a\ncorrect nSequence timelock, so that any tx that passes OP_CTV won't pass\nthe OP_CSV check, and vice-versa) then this spend path becomes invalid,\nand the funds can only be reclaimed via some other path (key path spend,\nrecovery tapscript, potentially an alternative hotwallet script path).\n\nOP_FORWARD_LEAF_UPDATE is equivalent to a very specific form of TLUV,\nnamely \"FALSE \u003ch\u003e 2 TLUV\", where \"\u003ch\u003e\" is calculated by building the\nscript, prefixing the pushes, then doing the Hash_TapLeaf calculation.\n\nNot being able to tweak the internal public key (\"FALSE\" rather than\n\"\u003cx\u003e\") means this can't be used to build a coinpool with unilateral\nexit -- you can't remove your key from the key path, which screws over\neveryone who's still in the coinpool.\n\nOn the other hand, not tweaking the internal public key avoids introducing\nall the x-only pubkey complications, and keeps it relatively simple,\nwhich is nice, and keeping things simple and targeted now means there's\nstill plenty of OP_SUCCESS opcodes available later for something more\ngeneral, if that turns out to be desirable.\n\nCheers,\naj",
"sig": "d0fb227171da61c9ffcd6d8b65df1b38e0c110cae391135508ec96029f25da77e4afed9737ab7a5d14a791312aa892960041d7b8b1a71012958b6fa03d484532"
}