📅 Original date posted:2023-01-16
🗒️ Summary of this message: Proposal for Bitcoin vaults raises concerns about address reuse and privacy. Implementation may require unique recovery scripts to avoid reuse. Limit usage to tapscripts for simpler implementation.
📝 Original message:Hi James,
This seems like a promising proposal, but I noticed have a few issues
regarding batching and privacy.
It seems like this proposal will encourage address reuse for vaults, at
least in some parts. It seems like it would not be difficult to ensure
that each vault address was unique through the use of key derivation.
The recovery and unvault scripts could be produced from ranged
descriptors and so there would each vault address would be unique as
each recovery and unvault script is unique. It would not be hard to have
descriptors for vaults, which would then allow for usage of other
descriptors and miniscript into the recovery and unvault scripts.
However the current construction makes it impossible to spend these
vaults together. Since OP_VAULT requires the recovery script of the
unvault output to match what's provided in the input, if there are
multiple inputs with different recovery scripts, then the transaction
will fail. I'm not sure how this could be solved though.
But from my reading of the code, it looks like the unvault scripts can
be unique, so at least address reuse can be avoided here. It just means
that the recovery scripts must be the same, and this would leave an
identifying mark on chain for every unvault. An observer would be able
to correlate unvault transactions by the hashes of the recovery scripts,
and I think this would be rather detrimental to user privacy, not to
mention that sweeping to recovery would also reveal all of your coins too.
On the topic of address reuse, the implemented optional re-vault output
explicitly requires address reuse, as well as breaking the batched
unvaulting of scripts that have different unvault scripts. It's
currently implemented as requiring the unvault script to exactly match
the prevout script of the inputs being spent. This means that all inputs
must have the same script. I think it would be sufficient to do the same
check as the OP_UNVAULT script and just require that the recovery script
and the delay are the same, with the hash of the trigger script being
provided in the input in the same way the target hash is provided for
OP_UNVAULT. This would break the address reuse requirement.
I'm also not convinced that OP_VAULT and OP_UNVAULT should be allowed
for bare and P2WSH outputs. It seems like it would make sense to just
limit their usage to tapscripts as this would simply their implementation.
Andrew
On 01/09/2023 11:07 AM, James O'Beirne via bitcoin-dev wrote:
> For the last few years, I've been interested in vaults as a way to
> substantially derisk custodying Bitcoin, both at personal and commercial
> scales. Instead of abating with familiarity, as enthusiasm sometimes
> does, my conviction that vaults are an almost necessary part of bitcoin's
> viability has only grown over the years.
>
> Since people first started discussing vaults, it's been pretty clear that
> some kind of covenant-enabling consensus functionality is necessary to
> provide the feature set necessary to make vault use practical.
>
> Earlier last year I experimented with using OP_CTV[1], a limited covenant
> mechanism, to implement a "minimum-viable" vault design. I found that the
> inherent limitations of a precomputed covenant scheme left the resulting
> vault implementation wanting, even though it was an improvement over
> existing strategies that rely on presigned transactions and (hopefully)
> ephemeral keys.
>
> But I also found proposed "general" covenant schemes to be
> unsuitable for this use. The bloated scriptPubKeys, both in size and
> complexity, that would result when implementing something like a vault
> weren't encouraging. Also importantly, the social-consensus quagmire
> regarding which covenant proposal to actually deploy feels at times
> intractable.
>
> As a result, I wanted to explore a middle way: a design solely concerned
> with making the best vault use possible, with covenant functionality as a
> secondary consideration. In other words, a proposal that would deliver
> the safety benefits of vaults to users without getting hung up on
> trying to solve the general problem of covenants.
>
> At first this design, OP_VAULT, was just sort of a pipe dream. But as I
> did more thinking (and eventually implementing) I became more convinced
> that, even if it isn't considered for soft-fork, it is a worthwhile
> device to serve as a standard benchmark against which other proposals
> might be judged.
>
> I wrote a paper that summarizes my findings and the resulting proposal:
> https://jameso.be/vaults.pdf
>
> along with an accompanying draft implementation:
> https://github.com/bitcoin/bitcoin/pull/26857
>
> I might work on a BIP if there's interest.
>
> James
>
> [1]: https://github.com/jamesob/simple-ctv-vault
Andrew Chow [ARCHIVE] /
npub1fg…xak44
2023-06-07 23:18:21
in reply to nevent1q…edun
Author Public Key
npub1fgnnmg7f4wzup9hct8nv5pnd9l07wcjqdjku9ax432n4g69v4rgq7xak44Published at
2023-06-07 23:18:21Event JSON
{
"id": "1f12153d105cd9eb0d59b6a94c395396caba34488087349c8953445280103474",
"pubkey": "4a273da3c9ab85c096f859e6ca066d2fdfe762406cadc2f4d58aa75468aca8d0",
"created_at": 1686179901,
"kind": 1,
"tags": [
[
"e",
"a84542afe0efb7efffac7c1bbcfb71ebcb322bb4dd5fb2586b4f66533f300f6e",
"",
"root"
],
[
"e",
"fed48d113919005880729927848e27c2ff0ca487e0fb847aebc36b5ff2032cad",
"",
"reply"
],
[
"p",
"685a977aa1f8b6f8ec48fd9b94063704f408148948329ed2d729f63e54b31a3d"
]
],
"content": "📅 Original date posted:2023-01-16\n🗒️ Summary of this message: Proposal for Bitcoin vaults raises concerns about address reuse and privacy. Implementation may require unique recovery scripts to avoid reuse. Limit usage to tapscripts for simpler implementation.\n📝 Original message:Hi James,\n\nThis seems like a promising proposal, but I noticed have a few issues\nregarding batching and privacy.\n\nIt seems like this proposal will encourage address reuse for vaults, at\nleast in some parts. It seems like it would not be difficult to ensure\nthat each vault address was unique through the use of key derivation.\nThe recovery and unvault scripts could be produced from ranged\ndescriptors and so there would each vault address would be unique as\neach recovery and unvault script is unique. It would not be hard to have\ndescriptors for vaults, which would then allow for usage of other\ndescriptors and miniscript into the recovery and unvault scripts.\n\nHowever the current construction makes it impossible to spend these\nvaults together. Since OP_VAULT requires the recovery script of the\nunvault output to match what's provided in the input, if there are\nmultiple inputs with different recovery scripts, then the transaction\nwill fail. I'm not sure how this could be solved though.\n\nBut from my reading of the code, it looks like the unvault scripts can\nbe unique, so at least address reuse can be avoided here. It just means\nthat the recovery scripts must be the same, and this would leave an\nidentifying mark on chain for every unvault. An observer would be able\nto correlate unvault transactions by the hashes of the recovery scripts,\nand I think this would be rather detrimental to user privacy, not to\nmention that sweeping to recovery would also reveal all of your coins too.\n\nOn the topic of address reuse, the implemented optional re-vault output\nexplicitly requires address reuse, as well as breaking the batched\nunvaulting of scripts that have different unvault scripts. It's\ncurrently implemented as requiring the unvault script to exactly match\nthe prevout script of the inputs being spent. This means that all inputs\nmust have the same script. I think it would be sufficient to do the same\ncheck as the OP_UNVAULT script and just require that the recovery script\nand the delay are the same, with the hash of the trigger script being\nprovided in the input in the same way the target hash is provided for\nOP_UNVAULT. This would break the address reuse requirement.\n\nI'm also not convinced that OP_VAULT and OP_UNVAULT should be allowed\nfor bare and P2WSH outputs. It seems like it would make sense to just\nlimit their usage to tapscripts as this would simply their implementation.\n\n\nAndrew\n\nOn 01/09/2023 11:07 AM, James O'Beirne via bitcoin-dev wrote:\n\u003e For the last few years, I've been interested in vaults as a way to\n\u003e substantially derisk custodying Bitcoin, both at personal and commercial\n\u003e scales. Instead of abating with familiarity, as enthusiasm sometimes\n\u003e does, my conviction that vaults are an almost necessary part of bitcoin's\n\u003e viability has only grown over the years.\n\u003e\n\u003e Since people first started discussing vaults, it's been pretty clear that\n\u003e some kind of covenant-enabling consensus functionality is necessary to\n\u003e provide the feature set necessary to make vault use practical.\n\u003e\n\u003e Earlier last year I experimented with using OP_CTV[1], a limited covenant\n\u003e mechanism, to implement a \"minimum-viable\" vault design. I found that the\n\u003e inherent limitations of a precomputed covenant scheme left the resulting\n\u003e vault implementation wanting, even though it was an improvement over\n\u003e existing strategies that rely on presigned transactions and (hopefully)\n\u003e ephemeral keys.\n\u003e\n\u003e But I also found proposed \"general\" covenant schemes to be\n\u003e unsuitable for this use. The bloated scriptPubKeys, both in size and\n\u003e complexity, that would result when implementing something like a vault\n\u003e weren't encouraging. Also importantly, the social-consensus quagmire\n\u003e regarding which covenant proposal to actually deploy feels at times\n\u003e intractable.\n\u003e\n\u003e As a result, I wanted to explore a middle way: a design solely concerned\n\u003e with making the best vault use possible, with covenant functionality as a\n\u003e secondary consideration. In other words, a proposal that would deliver\n\u003e the safety benefits of vaults to users without getting hung up on\n\u003e trying to solve the general problem of covenants.\n\u003e\n\u003e At first this design, OP_VAULT, was just sort of a pipe dream. But as I\n\u003e did more thinking (and eventually implementing) I became more convinced\n\u003e that, even if it isn't considered for soft-fork, it is a worthwhile\n\u003e device to serve as a standard benchmark against which other proposals\n\u003e might be judged.\n\u003e\n\u003e I wrote a paper that summarizes my findings and the resulting proposal:\n\u003e https://jameso.be/vaults.pdf\n\u003e\n\u003e along with an accompanying draft implementation:\n\u003e https://github.com/bitcoin/bitcoin/pull/26857\n\u003e\n\u003e I might work on a BIP if there's interest.\n\u003e\n\u003e James\n\u003e\n\u003e [1]: https://github.com/jamesob/simple-ctv-vault",
"sig": "6c48a85811623edfe49887a695407733532982fb60f37c1e03f4a0fffeb166fea12c5b13c0460c33de2af109eac23c5921f5235f88961c09e8ca0e317f0d0c64"
}