📅 Original date posted:2023-05-30
🗒️ Summary of this message: The proposal for coin pools achieves the first part of removing data from the merkle tree, but removal of a public key from the taproot internal key is out of scope. Falling back to "old style multisig" can provide some benefits. There may be reasonable CoinPools designs without additional opcodes.
📝 Original message:I should clarify: the current proposal already achieves the first part
needed for coin pools: removing some data from the merkle tree (I was
indeed referring to the embedded data, not the taptree).
The thing that is missing is removal of a public key from the taproot
internal key, but as mentioned I do agree that this is out of scope
for this proposal.
I believe you can get many of the benefits by falling back to "old
style multisig" in case someone exits the pool, by having a tap leaf
defining a multisig check amongst the remaining pubkeys.
Cheers,
Johan
> It seems likely that efficient use of the taproot internal pubkey with
> "dynamic key aggregation" is not possible with the current semantics
> (unless one ventures into the fraud proof machinery, which seems
> overkill!).
>
> However, in constructions with MATT opcodes, I would never expect the
> need for data to be stored in the taptree. In particular, for the case
> of CoinPools, the pubkeys of the members could also be stored in the
> embedded data, having a single "unilateral withdrawal" tapleaf.
> Removing a key would then amount to replacing it with a fixed NUMS key
> and computing the new root (re-using the same Merkle proof).
> Note that this is not a lot costlier than using a tapleaf per user:
> instead of paying the cost for the Merkle proof in the control block,
> you pay for it explicitly in the Script witness.
>
> Therefore, I would expect there to be reasonable CoinPools designs
> without additional opcodes − but I am only moderately confident as
> this is beyond the level of sophistication I've been exploring so far.
On Sun, May 28, 2023 at 12:24 PM Salvatore Ingala
<salvatore.ingala at gmail.com> wrote:
>
> Hi Johan,
>
> Exciting to finally see some merkleization, which was only confined
> within the meme, up to this point!
>
> > A simpler way IMO, would be to make OP_CICV and OP_COCV symmetrical:
> > Have OP_CICV take an optional taproot and do the same check as is
> > done for the output: Q == tweak(tweak(X,D), T).
>
> I think that's an excellent suggestion, which I was already exploring
> for a different purpose: bringing externally signed data onto the
> stack. My goal there was to allow eltoo-style replacement.
>
> Until recently, I thought that a clean/efficient version of eltoo
> would require OP_CHECKSIGFROMSTACK or ANYPREVOUT. However, extending
> OP_CHECKINPUTCONTRACTVERIFY to enable introspection of other inputs
> allows a reasonable workaround: producing a separate UTXO signed with
> ANYONECANPAY, with the required data embedded as usual. Spending that
> UTXO together with the channel's UTXO allows one to get that data
> on the stack (with its signature already checked by consensus rules).
> I drafted this idea in a gist [1].
>
> Remark: it still seems easier (and probably slightly more efficient)
> to build eltoo replacement with CSFS or APO in addition to MATT
> opcodes.
>
> A possible semantics for OP_CHECKINPUTCONTRACTVERIFY could then be
> exactly symmetrical to that of OP_CHECKOUTPUTCONTRACTVERIFY, with
> the exception that the special input index -1 would represent the
> current input.
>
> Pushing this further, another option that could be be worth exploring
> is to have a single OP_CHECK_IN_OUT_CONTRACT_VERIFY opcode, with the
> same semantics as OP_CHECKOUTPUTCONTRACTVERIFY from [2], but with an
> additional `flags` argument, which is a bitmap where:
> - the lowest-significant bit determines if the index refers to inputs
> or outputs (where input index -1 refers to the current input)
> - the second bit specifies if amounts should be preserved with
> deferred checks as described in [2] (only applicable to outputs)
> - other bits are OP_SUCCESS and reserved for future behaviors.
>
> This would make the opcodes 1-2 bytes larger, but might allow greater
> flexibility, and keep some room for future extensions.
>
> > 2.To make fully functioning CoinPools, one would need functionality
> > similar to OP_MERKLESUB[4]: remove some data from the merkle tree,
> > and remove a key from the aggregated internal key.
>
> It seems likely that efficient use of the taproot internal pubkey with
> "dynamic key aggregation" is not possible with the current semantics
> (unless one ventures into the fraud proof machinery, which seems
> overkill!).
>
> However, in constructions with MATT opcodes, I would never expect the
> need for data to be stored in the taptree. In particular, for the case
> of CoinPools, the pubkeys of the members could also be stored in the
> embedded data, having a single "unilateral withdrawal" tapleaf.
> Removing a key would then amount to replacing it with a fixed NUMS key
> and computing the new root (re-using the same Merkle proof).
> Note that this is not a lot costlier than using a tapleaf per user:
> instead of paying the cost for the Merkle proof in the control block,
> you pay for it explicitly in the Script witness.
>
> Therefore, I would expect there to be reasonable CoinPools designs
> without additional opcodes − but I am only moderately confident as
> this is beyond the level of sophistication I've been exploring so far.
>
> Best,
> Salvatore
>
> [1] - https://gist.github.com/bigspider/041ebd0842c0dcc74d8af087c1783b63
> [2] - https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-April/021588.html
Johan Torås Halseth [ARCHIVE] /
npub1pp…hs2fw
2023-06-07 23:21:09
in reply to nevent1q…tz9j
Author Public Key
npub1ppn2nhlfdzkw9gw0ytljpef5dpyzsxzw8ffcyykamt32hw6pge0smhs2fwPublished at
2023-06-07 23:21:09Event JSON
{
"id": "07e5d02479bb53881f7e49cecc75a9881f0aa05f2888768bde87d0d4361f5069",
"pubkey": "0866a9dfe968ace2a1cf22ff20e534684828184e3a538212dddae2abbb41465f",
"created_at": 1686180069,
"kind": 1,
"tags": [
[
"e",
"500d1583685224e78093a7b1e94b55fe48ea9754e88e656744e0fa5e949018f0",
"",
"root"
],
[
"e",
"b04f341162f193e2895302a5a29399aa289f32ad3b9466f0886420a37d531f75",
"",
"reply"
],
[
"p",
"f86db307ea15ecf745ec5b45e86abbf9755adbc7a6508dca12443cedf6718084"
]
],
"content": "📅 Original date posted:2023-05-30\n🗒️ Summary of this message: The proposal for coin pools achieves the first part of removing data from the merkle tree, but removal of a public key from the taproot internal key is out of scope. Falling back to \"old style multisig\" can provide some benefits. There may be reasonable CoinPools designs without additional opcodes.\n📝 Original message:I should clarify: the current proposal already achieves the first part\nneeded for coin pools: removing some data from the merkle tree (I was\nindeed referring to the embedded data, not the taptree).\n\nThe thing that is missing is removal of a public key from the taproot\ninternal key, but as mentioned I do agree that this is out of scope\nfor this proposal.\n\nI believe you can get many of the benefits by falling back to \"old\nstyle multisig\" in case someone exits the pool, by having a tap leaf\ndefining a multisig check amongst the remaining pubkeys.\n\nCheers,\nJohan\n\n\u003e It seems likely that efficient use of the taproot internal pubkey with\n\u003e \"dynamic key aggregation\" is not possible with the current semantics\n\u003e (unless one ventures into the fraud proof machinery, which seems\n\u003e overkill!).\n\u003e\n\u003e However, in constructions with MATT opcodes, I would never expect the\n\u003e need for data to be stored in the taptree. In particular, for the case\n\u003e of CoinPools, the pubkeys of the members could also be stored in the\n\u003e embedded data, having a single \"unilateral withdrawal\" tapleaf.\n\u003e Removing a key would then amount to replacing it with a fixed NUMS key\n\u003e and computing the new root (re-using the same Merkle proof).\n\u003e Note that this is not a lot costlier than using a tapleaf per user:\n\u003e instead of paying the cost for the Merkle proof in the control block,\n\u003e you pay for it explicitly in the Script witness.\n\u003e\n\u003e Therefore, I would expect there to be reasonable CoinPools designs\n\u003e without additional opcodes − but I am only moderately confident as\n\u003e this is beyond the level of sophistication I've been exploring so far.\n\n\nOn Sun, May 28, 2023 at 12:24 PM Salvatore Ingala\n\u003csalvatore.ingala at gmail.com\u003e wrote:\n\u003e\n\u003e Hi Johan,\n\u003e\n\u003e Exciting to finally see some merkleization, which was only confined\n\u003e within the meme, up to this point!\n\u003e\n\u003e \u003e A simpler way IMO, would be to make OP_CICV and OP_COCV symmetrical:\n\u003e \u003e Have OP_CICV take an optional taproot and do the same check as is\n\u003e \u003e done for the output: Q == tweak(tweak(X,D), T).\n\u003e\n\u003e I think that's an excellent suggestion, which I was already exploring\n\u003e for a different purpose: bringing externally signed data onto the\n\u003e stack. My goal there was to allow eltoo-style replacement.\n\u003e\n\u003e Until recently, I thought that a clean/efficient version of eltoo\n\u003e would require OP_CHECKSIGFROMSTACK or ANYPREVOUT. However, extending\n\u003e OP_CHECKINPUTCONTRACTVERIFY to enable introspection of other inputs\n\u003e allows a reasonable workaround: producing a separate UTXO signed with\n\u003e ANYONECANPAY, with the required data embedded as usual. Spending that\n\u003e UTXO together with the channel's UTXO allows one to get that data\n\u003e on the stack (with its signature already checked by consensus rules).\n\u003e I drafted this idea in a gist [1].\n\u003e\n\u003e Remark: it still seems easier (and probably slightly more efficient)\n\u003e to build eltoo replacement with CSFS or APO in addition to MATT\n\u003e opcodes.\n\u003e\n\u003e A possible semantics for OP_CHECKINPUTCONTRACTVERIFY could then be\n\u003e exactly symmetrical to that of OP_CHECKOUTPUTCONTRACTVERIFY, with\n\u003e the exception that the special input index -1 would represent the\n\u003e current input.\n\u003e\n\u003e Pushing this further, another option that could be be worth exploring\n\u003e is to have a single OP_CHECK_IN_OUT_CONTRACT_VERIFY opcode, with the\n\u003e same semantics as OP_CHECKOUTPUTCONTRACTVERIFY from [2], but with an\n\u003e additional `flags` argument, which is a bitmap where:\n\u003e - the lowest-significant bit determines if the index refers to inputs\n\u003e or outputs (where input index -1 refers to the current input)\n\u003e - the second bit specifies if amounts should be preserved with\n\u003e deferred checks as described in [2] (only applicable to outputs)\n\u003e - other bits are OP_SUCCESS and reserved for future behaviors.\n\u003e\n\u003e This would make the opcodes 1-2 bytes larger, but might allow greater\n\u003e flexibility, and keep some room for future extensions.\n\u003e\n\u003e \u003e 2.To make fully functioning CoinPools, one would need functionality\n\u003e \u003e similar to OP_MERKLESUB[4]: remove some data from the merkle tree,\n\u003e \u003e and remove a key from the aggregated internal key.\n\u003e\n\u003e It seems likely that efficient use of the taproot internal pubkey with\n\u003e \"dynamic key aggregation\" is not possible with the current semantics\n\u003e (unless one ventures into the fraud proof machinery, which seems\n\u003e overkill!).\n\u003e\n\u003e However, in constructions with MATT opcodes, I would never expect the\n\u003e need for data to be stored in the taptree. In particular, for the case\n\u003e of CoinPools, the pubkeys of the members could also be stored in the\n\u003e embedded data, having a single \"unilateral withdrawal\" tapleaf.\n\u003e Removing a key would then amount to replacing it with a fixed NUMS key\n\u003e and computing the new root (re-using the same Merkle proof).\n\u003e Note that this is not a lot costlier than using a tapleaf per user:\n\u003e instead of paying the cost for the Merkle proof in the control block,\n\u003e you pay for it explicitly in the Script witness.\n\u003e\n\u003e Therefore, I would expect there to be reasonable CoinPools designs\n\u003e without additional opcodes − but I am only moderately confident as\n\u003e this is beyond the level of sophistication I've been exploring so far.\n\u003e\n\u003e Best,\n\u003e Salvatore\n\u003e\n\u003e [1] - https://gist.github.com/bigspider/041ebd0842c0dcc74d8af087c1783b63\n\u003e [2] - https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2023-April/021588.html",
"sig": "bbbb53cd47cc8022215e172f47e3d9847ce3b8f1bace7a1a4063cb1e703e344f246026ccd1bffeec367debf1ef4f12d03dd7f7bc464c797bdbf4dc5565b6fc30"
}