π
Original date posted:2022-08-10
π Original message:> Backward compatibility. If we don't have OP_CHECKDATASIG, then it has to be somehow introduced to make it compatible with "Bitcoin Message".
I suppose in the case of legacy P2PKH signing, a hypothetical OP_CHECKDATASIG can take <signature> <pubkeyhash> off the stack and perform an ECDSA public key recovery, followed by SHA256/RIPEMD160, kind of like a hybrid between OP_DUP/OP_HASH160/OP_EQUALVERIFY and OP_CHECKSIG.
But the implementations would have to decode the Base58 address into "0x00" plus the address hash. As the only supported invoice type for the Legacy signing methods, this should be straight forward to do.
> And we have opcodes like OP_RESERVED, that can be wrapped in OP_IF, then it is "conditionally valid transaction".
I'm not sure how an OP_RESERVED in an unexcuted OP_IF is going to help implement an ECDSA pubkey recovery + DUP/HASH160/EQUALVERIFY hybrid instruction.
- Ali
On Wed, 10 Aug 2022 04:59:46 +0200, vjudeu at gazeta.pl wrote:
> > I'm not sure what is to be gained from adding an opcode
>
> Backward compatibility. If we don't have OP_CHECKDATASIG, then it has to be somehow introduced to make it compatible with "Bitcoin Message". And we have opcodes like OP_RESERVED, that can be wrapped in OP_IF, then it is "conditionally valid transaction". It is also possible to assign some unused opcode, but then it will be more complex, because in Script, those opcodes make transaction invalid, but inside TapScript, those opcodes are defined as OP_SUCCESS, and make things automatically valid.
>
>
> On 2022-08-09 22:53:34 user Ali Sherief via bitcoin-dev <bitcoin-dev at lists.linuxfoundation.org> wrote:
> > Although there is a Github issue/PR at https://github.com/bitcoin/bips/pull/1347 for addressing all the TODO items of BIP322, I decided to throw it in the mailing list again to see if anyone else has suggestions for dealing with them.
>
> So in an older copy of the draft at https://github.com/bitcoin/bips/blob/b6b0126e2d04793ba52a40f05d24538fa3f2c9ad/bip-0322.mediawiki , I found the some TODO items, and I will copy-paste the ones in the Specification section (for full proofs) here:
>
> > TODO: How does this interact with as-of-yet-unspecified "Silent Transactions"?
> > TODO: Some invalid opcode to allow only in various proof types?
> > TODO: A way for the initial signer to delegate to another scriptPubKey; needed for better privacy and CoinJoin/Lightning compatibility
>
> So to start with, I believe it will be very helpful to limit what opcodes scriptPubKeys to be elligible to sign from them. The specification already does so to a point, but in order for these to be recognizable, it's my opinion that one of the NOPs should be placed at the beginning of the script to activate proof parsing mode.
>
> Of course, an opcode is not necessary at all, if the program is able to infer from context where the proof is coming from. After all, since they cannot be broadcasted, they can't be mined in blocks, so will never be encountered in a full node's usual verifier. I'm not sure what is to be gained from adding an opcode - the only source for real transactions is from P2P-obtained blocks, so when a human inputs a signature to be verified, it can check that a real transaction is not being inserted by looking for the invalid input.
>
> For Silent Transactions, I have already given my suggestion in the PR, that some subsection can be made saying that it can operate with them by using its scriptPubKey (and other stuff that may be necessary - I am not excatly sure what goes inside the Witness stack of message_signature).
>
> In the case of the last TODO, related to delegation to another scriptPubKey, I am not quite sure at the moment what to do about it - perhaps you guys can place a MAST (two Merkle branches, to be specific) - the first branch has the original signer's scriptPubKey, the second branch contains the delegated signer's scriptPubKey.
>
> - Ali
Ali Sherief [ARCHIVE] /
npub1xqβ¦q2u5f
2023-06-07 23:12:37
in reply to nevent1qβ¦ckat
Author Public Key
npub1xq96jnxfzrdq4zgre20yqjrjsd29vcw8ymypl4v59cg6q6p66cts8q2u5fPublished at
2023-06-07 23:12:37Event JSON
{
"id": "8b2ea26b47250707cbc6304e0660bb29d744e7fcea2bca88c5efb585047837df",
"pubkey": "300ba94cc910da0a8903ca9e40487283545661c726c81fd5942e11a0683ad617",
"created_at": 1686179557,
"kind": 1,
"tags": [
[
"e",
"7911c55f95e735ed41026f38b07f1268ccff18d71d8415399db75a1d32939c97",
"",
"root"
],
[
"e",
"e07e669938e422067011af382b0a319ecba526b8526e1125316d148dc7216a3c",
"",
"reply"
],
[
"p",
"8d3cf7eba921036409f1fec074cf8cfd8925bc7cb18e35d358b1ccc89752ee32"
]
],
"content": "π
Original date posted:2022-08-10\nπ Original message:\u003e Backward compatibility. If we don't have OP_CHECKDATASIG, then it has to be somehow introduced to make it compatible with \"Bitcoin Message\".\n\nI suppose in the case of legacy P2PKH signing, a hypothetical OP_CHECKDATASIG can take \u003csignature\u003e \u003cpubkeyhash\u003e off the stack and perform an ECDSA public key recovery, followed by SHA256/RIPEMD160, kind of like a hybrid between OP_DUP/OP_HASH160/OP_EQUALVERIFY and OP_CHECKSIG.\n\nBut the implementations would have to decode the Base58 address into \"0x00\" plus the address hash. As the only supported invoice type for the Legacy signing methods, this should be straight forward to do.\n\n\u003e And we have opcodes like OP_RESERVED, that can be wrapped in OP_IF, then it is \"conditionally valid transaction\".\n\nI'm not sure how an OP_RESERVED in an unexcuted OP_IF is going to help implement an ECDSA pubkey recovery + DUP/HASH160/EQUALVERIFY hybrid instruction.\n\n- Ali\n\nOn Wed, 10 Aug 2022 04:59:46 +0200, vjudeu at gazeta.pl wrote:\n\u003e \u003e I'm not sure what is to be gained from adding an opcode\n\u003e\n\u003e Backward compatibility. If we don't have OP_CHECKDATASIG, then it has to be somehow introduced to make it compatible with \"Bitcoin Message\". And we have opcodes like OP_RESERVED, that can be wrapped in OP_IF, then it is \"conditionally valid transaction\". It is also possible to assign some unused opcode, but then it will be more complex, because in Script, those opcodes make transaction invalid, but inside TapScript, those opcodes are defined as OP_SUCCESS, and make things automatically valid.\n\u003e\n\u003e\n\u003e On 2022-08-09 22:53:34 user Ali Sherief via bitcoin-dev \u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e \u003e Although there is a Github issue/PR at https://github.com/bitcoin/bips/pull/1347 for addressing all the TODO items of BIP322, I decided to throw it in the mailing list again to see if anyone else has suggestions for dealing with them.\n\u003e\n\u003e So in an older copy of the draft at https://github.com/bitcoin/bips/blob/b6b0126e2d04793ba52a40f05d24538fa3f2c9ad/bip-0322.mediawiki , I found the some TODO items, and I will copy-paste the ones in the Specification section (for full proofs) here:\n\u003e\n\u003e \u003e TODO: How does this interact with as-of-yet-unspecified \"Silent Transactions\"?\n\u003e \u003e TODO: Some invalid opcode to allow only in various proof types?\n\u003e \u003e TODO: A way for the initial signer to delegate to another scriptPubKey; needed for better privacy and CoinJoin/Lightning compatibility\n\u003e\n\u003e So to start with, I believe it will be very helpful to limit what opcodes scriptPubKeys to be elligible to sign from them. The specification already does so to a point, but in order for these to be recognizable, it's my opinion that one of the NOPs should be placed at the beginning of the script to activate proof parsing mode.\n\u003e\n\u003e Of course, an opcode is not necessary at all, if the program is able to infer from context where the proof is coming from. After all, since they cannot be broadcasted, they can't be mined in blocks, so will never be encountered in a full node's usual verifier. I'm not sure what is to be gained from adding an opcode - the only source for real transactions is from P2P-obtained blocks, so when a human inputs a signature to be verified, it can check that a real transaction is not being inserted by looking for the invalid input.\n\u003e\n\u003e For Silent Transactions, I have already given my suggestion in the PR, that some subsection can be made saying that it can operate with them by using its scriptPubKey (and other stuff that may be necessary - I am not excatly sure what goes inside the Witness stack of message_signature).\n\u003e\n\u003e In the case of the last TODO, related to delegation to another scriptPubKey, I am not quite sure at the moment what to do about it - perhaps you guys can place a MAST (two Merkle branches, to be specific) - the first branch has the original signer's scriptPubKey, the second branch contains the delegated signer's scriptPubKey.\n\u003e\n\u003e - Ali",
"sig": "3d98be013d47c332b0fd44c24b78eefe92b624d5858d0212d7b9d54ae40c3904a42a0afb112a7d7532106c3443801845d489197de0220937d5978365b13d55e7"
}