📅 Original date posted:2022-05-11
📝 Original message:Hi Rusty,
One of the common sentiments thats been expressed over the last few months
is that more people want to see experimentation with different applications
using covenants. I really like this proposal because in addition to
offering a cleaner upgrade/extension path than adding “CTV++” as a new
opcode in a few years, it also seems like it would make it very easy to
create prototype applications to game out new ideas:
If the “only this combination of fields are valid, otherwise OP_SUCCESS”
check is just comparing with a list of bitmasks for permissible field
combinations (which right now is a list of length 1), it seems like it
would be *very* easy for people who want to play with other covenant field
sets to just add the relevant bitmasks and then go spin up a signet to
build applications.
Being able to make a very targeted change like that to enable
experimentation is super cool. Thanks for sharing!
Alex
On Tue, May 10, 2022 at 6:37 AM Rusty Russell via bitcoin-dev <
bitcoin-dev at lists.linuxfoundation.org> wrote:
> Hi all,
>
> TL;DR: a v1 tapscript opcode for generic covenants, but
> OP_SUCCESS unless it's used a-la OP_CHECKTEMPLATEVERIFY. This gives an
> obvious use case, with clean future expansion. OP_NOP4 can be
> repurposed in future as a shortcut, if experience shows that to be a
> useful optimization.
>
> (This proposal builds on Russell O'Connor's TXHASH[1], with Anthony
> Towns' modification via extending the opcode[2]; I also notice on
> re-reading that James Lu had a similar restriction idea[3]).
>
> Details
> -------
>
> OP_TX, when inside v1 tapscript, is followed by 4 bytes of flags.
> Unknown flag patterns are OP_SUCCESS, though for thoroughness some future
> potential uses are documented here. Note that pushing more than 1000
> elements on the stack or an element more than 512 bytes will hit the
> BIP-342 resource limits and fail.
>
> Defined bits
> ------------
>
> (Only those marked with * have to be defined for this soft fork; the
> others can have semantics later).
>
> OPTX_SEPARATELY: treat fields separately (vs concatenating)
> OPTX_UNHASHED: push on the stack without hashing (vs SHA256 before push)
>
> - The first nicely sidesteps the lack of OP_CAT, and the latter allows
> OP_TXHASH semantics (and avoid stack element limits).
>
> OPTX_SELECT_VERSION*: version
> OPTX_SELECT_LOCKTIME*: nLocktime
> OPTX_SELECT_INPUTNUM*: current input number
> OPTX_SELECT_INPUTCOUNT*: number of inputs
> OPTX_SELECT_OUTPUTCOUNT*: number of outputs
>
> OPTX_INPUT_SINGLE: if set, pop input number off stack to apply to
> OPTX_SELECT_INPUT_*, otherwise iterate through all.
> OPTX_SELECT_INPUT_TXID: txid
> OPTX_SELECT_INPUT_OUTNUM: txout index
> OPTX_SELECT_INPUT_NSEQUENCE*: sequence number
> OPTX_SELECT_INPUT_AMOUNT32x2: sats in, as a high-low u31 pair
> OPTX_SELECT_INPUT_SCRIPT*: input scriptsig
> OPTX_SELECT_INPUT_TAPBRANCH: ?
> OPTX_SELECT_INPUT_TAPLEAF: ?
>
> OPTX_OUTPUT_SINGLE: if set, pop input number off stack to apply to
> OPTX_SELECT_OUTPUT_*, otherwise iterate through all.
> OPTX_SELECT_OUTPUT_AMOUNT32x2*: sats out, as a high-low u31 pair
> OPTX_SELECT_OUTPUT_SCRIPTPUBKEY*: output scriptpubkey
>
> OPTX_SELECT_19...OPTX_SELECT_31: future expansion.
>
> OP_CHECKTEMPLATEVERIFY is approximated by the following flags:
> OPTX_SELECT_VERSION
> OPTX_SELECT_LOCKTIME
> OPTX_SELECT_INPUTCOUNT
> OPTX_SELECT_INPUT_SCRIPT
> OPTX_SELECT_INPUT_NSEQUENCE
> OPTX_SELECT_OUTPUTCOUNT
> OPTX_SELECT_OUTPUT_AMOUNT32x2
> OPTX_SELECT_OUTPUT_SCRIPTPUBKEY
> OPTX_SELECT_INPUTNUM
>
> All other flag combinations result in OP_SUCCESS.
>
> Discussion
> ----------
>
> By enumerating exactly what can be committed to, it's absolutely clear
> what is and isn't committed (and what you need to think about!).
>
> The bits which separate concatenation and hashing provide a simple
> mechanism for template-style (i.e. CTV-style) commitments, or for
> programatic treatment of individual elements (e.g. amounts, though the
> two s31 style is awkward: a 64-bit push flag could be added in future).
>
> The lack of double-hashing of scriptsigs and other fields means we
> cannot simply re-use hashing done for SIGHASH_ALL.
>
> The OP_SUCCESS semantic is only valid in tapscript v1, so this does not
> allow covenants for v0 segwit or pre-segwit inputs. If covenants prove
> useful, dedicated opcodes can be provided for those cases (a-la
> OP_CHECKTEMPLATEVERIFY).
>
> Cheers,
> Rusty.
>
> [1]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019813.html
> [2]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019819.html
> [3]
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019816.html
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev at lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--
Alex Schoof
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20220511/03fcb3bf/attachment.html>;
Alex Schoof [ARCHIVE] /
npub1l2…t6swn
2023-06-07 23:09:30
in reply to nevent1q…gfqz
Author Public Key
npub1l2nulj0wpjdkjj2t6ajqcsxjvm8u4c42qzdgnsa7x6p9hzgqan7q9t6swnPublished at
2023-06-07 23:09:30Event JSON
{
"id": "7fe37f9ba3459b6aacf3114fc79e8c2673a61f18b583e3d18ca63f5f262d093d",
"pubkey": "faa7cfc9ee0c9b69494bd7640c40d266cfcae2aa009a89c3be36825b8900ecfc",
"created_at": 1686179370,
"kind": 1,
"tags": [
[
"e",
"e0e6f622353d1c9392041bfc5f849e80f7646fd3d4cf097d7f0ccc707556ab8c",
"",
"root"
],
[
"e",
"9b4f7d3074f154f48e79692f80d10e410851879ef7c1156f0563a266a4d48b42",
"",
"reply"
],
[
"p",
"59909c5ada0189425f58f43a87eeb09131d41d33298de94a994852fa43c25afd"
]
],
"content": "📅 Original date posted:2022-05-11\n📝 Original message:Hi Rusty,\n\nOne of the common sentiments thats been expressed over the last few months\nis that more people want to see experimentation with different applications\nusing covenants. I really like this proposal because in addition to\noffering a cleaner upgrade/extension path than adding “CTV++” as a new\nopcode in a few years, it also seems like it would make it very easy to\ncreate prototype applications to game out new ideas:\nIf the “only this combination of fields are valid, otherwise OP_SUCCESS”\ncheck is just comparing with a list of bitmasks for permissible field\ncombinations (which right now is a list of length 1), it seems like it\nwould be *very* easy for people who want to play with other covenant field\nsets to just add the relevant bitmasks and then go spin up a signet to\nbuild applications.\n\nBeing able to make a very targeted change like that to enable\nexperimentation is super cool. Thanks for sharing!\n\nAlex\n\nOn Tue, May 10, 2022 at 6:37 AM Rusty Russell via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e Hi all,\n\u003e\n\u003e TL;DR: a v1 tapscript opcode for generic covenants, but\n\u003e OP_SUCCESS unless it's used a-la OP_CHECKTEMPLATEVERIFY. This gives an\n\u003e obvious use case, with clean future expansion. OP_NOP4 can be\n\u003e repurposed in future as a shortcut, if experience shows that to be a\n\u003e useful optimization.\n\u003e\n\u003e (This proposal builds on Russell O'Connor's TXHASH[1], with Anthony\n\u003e Towns' modification via extending the opcode[2]; I also notice on\n\u003e re-reading that James Lu had a similar restriction idea[3]).\n\u003e\n\u003e Details\n\u003e -------\n\u003e\n\u003e OP_TX, when inside v1 tapscript, is followed by 4 bytes of flags.\n\u003e Unknown flag patterns are OP_SUCCESS, though for thoroughness some future\n\u003e potential uses are documented here. Note that pushing more than 1000\n\u003e elements on the stack or an element more than 512 bytes will hit the\n\u003e BIP-342 resource limits and fail.\n\u003e\n\u003e Defined bits\n\u003e ------------\n\u003e\n\u003e (Only those marked with * have to be defined for this soft fork; the\n\u003e others can have semantics later).\n\u003e\n\u003e OPTX_SEPARATELY: treat fields separately (vs concatenating)\n\u003e OPTX_UNHASHED: push on the stack without hashing (vs SHA256 before push)\n\u003e\n\u003e - The first nicely sidesteps the lack of OP_CAT, and the latter allows\n\u003e OP_TXHASH semantics (and avoid stack element limits).\n\u003e\n\u003e OPTX_SELECT_VERSION*: version\n\u003e OPTX_SELECT_LOCKTIME*: nLocktime\n\u003e OPTX_SELECT_INPUTNUM*: current input number\n\u003e OPTX_SELECT_INPUTCOUNT*: number of inputs\n\u003e OPTX_SELECT_OUTPUTCOUNT*: number of outputs\n\u003e\n\u003e OPTX_INPUT_SINGLE: if set, pop input number off stack to apply to\n\u003e OPTX_SELECT_INPUT_*, otherwise iterate through all.\n\u003e OPTX_SELECT_INPUT_TXID: txid\n\u003e OPTX_SELECT_INPUT_OUTNUM: txout index\n\u003e OPTX_SELECT_INPUT_NSEQUENCE*: sequence number\n\u003e OPTX_SELECT_INPUT_AMOUNT32x2: sats in, as a high-low u31 pair\n\u003e OPTX_SELECT_INPUT_SCRIPT*: input scriptsig\n\u003e OPTX_SELECT_INPUT_TAPBRANCH: ?\n\u003e OPTX_SELECT_INPUT_TAPLEAF: ?\n\u003e\n\u003e OPTX_OUTPUT_SINGLE: if set, pop input number off stack to apply to\n\u003e OPTX_SELECT_OUTPUT_*, otherwise iterate through all.\n\u003e OPTX_SELECT_OUTPUT_AMOUNT32x2*: sats out, as a high-low u31 pair\n\u003e OPTX_SELECT_OUTPUT_SCRIPTPUBKEY*: output scriptpubkey\n\u003e\n\u003e OPTX_SELECT_19...OPTX_SELECT_31: future expansion.\n\u003e\n\u003e OP_CHECKTEMPLATEVERIFY is approximated by the following flags:\n\u003e OPTX_SELECT_VERSION\n\u003e OPTX_SELECT_LOCKTIME\n\u003e OPTX_SELECT_INPUTCOUNT\n\u003e OPTX_SELECT_INPUT_SCRIPT\n\u003e OPTX_SELECT_INPUT_NSEQUENCE\n\u003e OPTX_SELECT_OUTPUTCOUNT\n\u003e OPTX_SELECT_OUTPUT_AMOUNT32x2\n\u003e OPTX_SELECT_OUTPUT_SCRIPTPUBKEY\n\u003e OPTX_SELECT_INPUTNUM\n\u003e\n\u003e All other flag combinations result in OP_SUCCESS.\n\u003e\n\u003e Discussion\n\u003e ----------\n\u003e\n\u003e By enumerating exactly what can be committed to, it's absolutely clear\n\u003e what is and isn't committed (and what you need to think about!).\n\u003e\n\u003e The bits which separate concatenation and hashing provide a simple\n\u003e mechanism for template-style (i.e. CTV-style) commitments, or for\n\u003e programatic treatment of individual elements (e.g. amounts, though the\n\u003e two s31 style is awkward: a 64-bit push flag could be added in future).\n\u003e\n\u003e The lack of double-hashing of scriptsigs and other fields means we\n\u003e cannot simply re-use hashing done for SIGHASH_ALL.\n\u003e\n\u003e The OP_SUCCESS semantic is only valid in tapscript v1, so this does not\n\u003e allow covenants for v0 segwit or pre-segwit inputs. If covenants prove\n\u003e useful, dedicated opcodes can be provided for those cases (a-la\n\u003e OP_CHECKTEMPLATEVERIFY).\n\u003e\n\u003e Cheers,\n\u003e Rusty.\n\u003e\n\u003e [1]\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019813.html\n\u003e [2]\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019819.html\n\u003e [3]\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019816.html\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n-- \n\n\nAlex Schoof\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20220511/03fcb3bf/attachment.html\u003e",
"sig": "ff0ec6dfe3a30ee5060d8c567da4e518569cd84d1ac9546f4f368e644d0b5c3607e55a6e2b9f804f535998f28ba3b77f4f883329dee09afd64d529a8f15b05fb"
}