📅 Original date posted:2022-03-11
📝 Original message:On Tue, Mar 08, 2022 at 03:06:43AM +0000, ZmnSCPxj via bitcoin-dev wrote:
> > > They're radically different approaches and
> > > it's hard to see how they mix. Everything in lisp is completely sandboxed,
> > > and that functionality is important to a lot of things, and it's really
> > > normal to be given a reveal of a scriptpubkey and be able to rely on your
> > > parsing of it.
> > The above prevents combining puzzles/solutions from multiple coin spends,
> > but I don't think that's very attractive in bitcoin's context, the way
> > it is for chia. I don't think it loses much else?
> But cross-input signature aggregation is a nice-to-have we want for Bitcoin, and, to me, cross-input sigagg is not much different from cross-input puzzle/solution compression.
Signature aggregation has a lot more maths and crypto involved than
reversible compression of puzzles/solutions. I was more meaning
cross-transaction relationships rather than cross-input ones though.
> > I /think/ the compression hook would be to allow you to have the puzzles
> > be (re)generated via another lisp program if that was more efficient
> > than just listing them out. But I assume it would be turtles, err,
> > lisp all the way down, no special C functions like with jets.
> Eh, you could use Common LISP or a recent-enough RnRS Scheme to write a cryptocurrency node software, so "special C function" seems to overprivilege C...
Jets are "special" in so far as they are costed differently at the
consensus level than the equivalent pure/jetless simplicity code that
they replace. Whether they're written in C or something else isn't the
important part.
By comparison, generating lisp code with lisp code in chia doesn't get
special treatment.
(You *could* also use jets in a way that doesn't impact consensus just
to make your node software more efficient in the normal case -- perhaps
via a JIT compiler that sees common expressions in the blockchain and
optimises them eg)
On Wed, Mar 09, 2022 at 02:30:34PM +0000, ZmnSCPxj via bitcoin-dev wrote:
> Do note that PTLCs remain more space-efficient though, so forget about HTLCs and just use PTLCs.
Note that PTLCs aren't really Chia-friendly, both because chia doesn't
have secp256k1 operations in the first place, but also because you can't
do a scriptless-script because the information you need to extract
is lost when signatures are non-interactively aggregated via BLS --
so that adds an expensive extra ECC operation rather than reusing an
op you're already paying for (scriptless script PTLCs) or just adding
a cheap hash operation (HTLCs).
(Pretty sure Chia could do (= PTLC (pubkey_for_exp PREIMAGE)) for
preimage reveal of BLS PTLCs, but that wouldn't be compatible with
bitcoin secp256k1 PTLCs. You could sha256 the PTLC to save a few bytes,
but I think given how much a sha256 opcode costs in Chia, that that
would actually be more expensive?)
None of that applies to a bitcoin implementation that doesn't switch to
BLS signatures though.
> > But if they're fully baked into the scriptpubkey then they're opted into by the recipient and there aren't any weird surprises.
> This is really what I kinda object to.
> Yes, "buyer beware", but consider that as the covenant complexity increases, the probability of bugs, intentional or not, sneaking in, increases as well.
> And a bug is really "a weird surprise" --- xref TheDAO incident.
Which is better: a bug in the complicated script code specified for
implementing eltoo in a BOLT; or a bug in the BIP/implementation of a
new sighash feature designed to make it easy to implement eltoo, that's
been soft-forked into consensus?
Seems to me, that it's always better to have the bug be at the wallet
level, since that can be fixed by upgrading individual wallet software.
> This makes me kinda wary of using such covenant features at all, and if stuff like `SIGHASH_ANYPREVOUT` or `OP_CHECKTEMPLATEVERIFY` are not added but must be reimplemented via a covenant feature, I would be saddened, as I now have to contend with the complexity of covenant features and carefully check that `SIGHASH_ANYPREVOUT`/`OP_CHECKTEMPLATEVERIFY` were implemented correctly.
> True I also still have to check the C++ source code if they are implemented directly as opcodes, but I can read C++ better than frikkin Bitcoin SCRIPT.
If OP_CHECKTEMPLATEVERIFY (etc) is implemented as a consensus update, you
probably want to review the C++ code even if you're not going to use it,
just to make sure consensus doesn't end up broken as a result. Whereas if
it's only used by other people's wallets, you might be able to ignore it
entirely (at least until it becomes so common that any bugs might allow
a significant fraction of BTC to be stolen/lost and indirectly cause a
systemic risk).
> Not to mention that I now have to review both the (more complicated due to more general) covenant feature implementation, *and* the implementation of `SIGHASH_ANYPREVOUT`/`OP_CHECKTEMPLATEVERIFY` in terms of the covenant feature.
I'm not sure that a "covenant language implementation" would necessarily
be "that" complicated. And if so, having a DSL for covenants could,
at least in theory, make for a much simpler implementation of
ANYPREVOUT/CTV/TLUV/EVICT/etc than doing it directly in C++, which
might mean those things are less likely to have "weird surprises" rather
than more.
Cheers,
aj
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 23:05:18
in reply to nevent1q…78jr
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hSeen on
wss://relay.noswhere.comPublished at
2023-06-07 23:05:18Event JSON
{
"id": "96bb263639cf9fcd2984c6fc7bc7d22c1c55db075c00cbbef3805c01d281e180",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686179118,
"kind": 1,
"tags": [
[
"e",
"17a237ce59197bc5ffad96769beec5209b19830977cb935d9412190ad411e7e9",
"",
"root"
],
[
"e",
"c1cbfd6c3fcd4ebb48f8d6fdfd5f0c2f9af68fca7fa5a92b19d14d5e04276d75",
"",
"reply"
],
[
"p",
"4505072744a9d3e490af9262bfe38e6ee5338a77177b565b6b37730b63a7b861"
]
],
"content": "📅 Original date posted:2022-03-11\n📝 Original message:On Tue, Mar 08, 2022 at 03:06:43AM +0000, ZmnSCPxj via bitcoin-dev wrote:\n\u003e \u003e \u003e They're radically different approaches and\n\u003e \u003e \u003e it's hard to see how they mix. Everything in lisp is completely sandboxed,\n\u003e \u003e \u003e and that functionality is important to a lot of things, and it's really\n\u003e \u003e \u003e normal to be given a reveal of a scriptpubkey and be able to rely on your\n\u003e \u003e \u003e parsing of it.\n\u003e \u003e The above prevents combining puzzles/solutions from multiple coin spends,\n\u003e \u003e but I don't think that's very attractive in bitcoin's context, the way\n\u003e \u003e it is for chia. I don't think it loses much else?\n\u003e But cross-input signature aggregation is a nice-to-have we want for Bitcoin, and, to me, cross-input sigagg is not much different from cross-input puzzle/solution compression.\n\nSignature aggregation has a lot more maths and crypto involved than\nreversible compression of puzzles/solutions. I was more meaning\ncross-transaction relationships rather than cross-input ones though.\n\n\u003e \u003e I /think/ the compression hook would be to allow you to have the puzzles\n\u003e \u003e be (re)generated via another lisp program if that was more efficient\n\u003e \u003e than just listing them out. But I assume it would be turtles, err,\n\u003e \u003e lisp all the way down, no special C functions like with jets.\n\u003e Eh, you could use Common LISP or a recent-enough RnRS Scheme to write a cryptocurrency node software, so \"special C function\" seems to overprivilege C...\n\nJets are \"special\" in so far as they are costed differently at the\nconsensus level than the equivalent pure/jetless simplicity code that\nthey replace. Whether they're written in C or something else isn't the\nimportant part.\n\nBy comparison, generating lisp code with lisp code in chia doesn't get\nspecial treatment.\n\n(You *could* also use jets in a way that doesn't impact consensus just\nto make your node software more efficient in the normal case -- perhaps\nvia a JIT compiler that sees common expressions in the blockchain and\noptimises them eg)\n\nOn Wed, Mar 09, 2022 at 02:30:34PM +0000, ZmnSCPxj via bitcoin-dev wrote:\n\u003e Do note that PTLCs remain more space-efficient though, so forget about HTLCs and just use PTLCs.\n\nNote that PTLCs aren't really Chia-friendly, both because chia doesn't\nhave secp256k1 operations in the first place, but also because you can't\ndo a scriptless-script because the information you need to extract\nis lost when signatures are non-interactively aggregated via BLS --\nso that adds an expensive extra ECC operation rather than reusing an\nop you're already paying for (scriptless script PTLCs) or just adding\na cheap hash operation (HTLCs).\n\n(Pretty sure Chia could do (= PTLC (pubkey_for_exp PREIMAGE)) for\npreimage reveal of BLS PTLCs, but that wouldn't be compatible with\nbitcoin secp256k1 PTLCs. You could sha256 the PTLC to save a few bytes,\nbut I think given how much a sha256 opcode costs in Chia, that that\nwould actually be more expensive?)\n\nNone of that applies to a bitcoin implementation that doesn't switch to\nBLS signatures though.\n\n\u003e \u003e But if they're fully baked into the scriptpubkey then they're opted into by the recipient and there aren't any weird surprises.\n\u003e This is really what I kinda object to.\n\u003e Yes, \"buyer beware\", but consider that as the covenant complexity increases, the probability of bugs, intentional or not, sneaking in, increases as well.\n\u003e And a bug is really \"a weird surprise\" --- xref TheDAO incident.\n\nWhich is better: a bug in the complicated script code specified for\nimplementing eltoo in a BOLT; or a bug in the BIP/implementation of a\nnew sighash feature designed to make it easy to implement eltoo, that's\nbeen soft-forked into consensus?\n\nSeems to me, that it's always better to have the bug be at the wallet\nlevel, since that can be fixed by upgrading individual wallet software.\n\n\u003e This makes me kinda wary of using such covenant features at all, and if stuff like `SIGHASH_ANYPREVOUT` or `OP_CHECKTEMPLATEVERIFY` are not added but must be reimplemented via a covenant feature, I would be saddened, as I now have to contend with the complexity of covenant features and carefully check that `SIGHASH_ANYPREVOUT`/`OP_CHECKTEMPLATEVERIFY` were implemented correctly.\n\u003e True I also still have to check the C++ source code if they are implemented directly as opcodes, but I can read C++ better than frikkin Bitcoin SCRIPT.\n\nIf OP_CHECKTEMPLATEVERIFY (etc) is implemented as a consensus update, you\nprobably want to review the C++ code even if you're not going to use it,\njust to make sure consensus doesn't end up broken as a result. Whereas if\nit's only used by other people's wallets, you might be able to ignore it\nentirely (at least until it becomes so common that any bugs might allow\na significant fraction of BTC to be stolen/lost and indirectly cause a\nsystemic risk).\n\n\u003e Not to mention that I now have to review both the (more complicated due to more general) covenant feature implementation, *and* the implementation of `SIGHASH_ANYPREVOUT`/`OP_CHECKTEMPLATEVERIFY` in terms of the covenant feature.\n\nI'm not sure that a \"covenant language implementation\" would necessarily\nbe \"that\" complicated. And if so, having a DSL for covenants could,\nat least in theory, make for a much simpler implementation of\nANYPREVOUT/CTV/TLUV/EVICT/etc than doing it directly in C++, which\nmight mean those things are less likely to have \"weird surprises\" rather\nthan more.\n\nCheers,\naj",
"sig": "2222305849d2ece21131dbfff69767a36b5684c3f92a4a02491a81ea50082ce2d881bec4330b6d8942e94f0eceaab472030a4692735ee8b32a6c7e958261764f"
}