📅 Original date posted:2022-01-18
📝 Original message:tl;dr: I don't think CTV is ready yet (but probably close), and in any case
definitely not worth reviving BIP 9 with its known flaws and vulnerability.
My review here is based solely on the BIP, with no outside context (aside from
current consensus rules, of course). In particular, I have _not_ looked at
the CTV code proposed for Bitcoin Core yet.
>Covenants are restrictions on how a coin may be spent beyond key ownership.
nit: Poorly phrased. Even simple scripts can do that already.
>A few examples are described below, which should be the subject of future
non-consensus standardization efforts.
I would ideally like to see fully implemented BIPs for at least one of these
(preferably the claimed CoinJoin improvements) before we move toward
activation.
>Congestion Controlled Transactions
I think this use case hasn't been fully thought through yet. It seems like it
would be desirable for this purpose, to allow any of the recipients to claim
their portion of the payment without footing the fee for every other payment
included in the batch. This is still a covenant-type solution, but one that
BIP 119 cannot support as-is.
(I realise this may be a known and accepted limitation, but I think it should
be addressed in the BIP)
>Payment Channels
Why batch mere channel creation? Seems like the spending transaction should
really be the channel closing.
>CHECKTEMPLATEVERIFY makes it much easier to set up trustless CoinJoins than
previously because participants agree on a single output which pays all
participants, which will be lower fee than before.
I don't see how. They still have to agree in advance on the outputs, and the
total fees will logically be higher than not using CTV...?
>Further Each participant doesn't need to know the totality of the outputs
committed to by that output, they only have to verify their own sub-tree will
pay them.
I don't see any way to do this with the provided implementation.
>Deployment could be done via BIP 9 VersionBits deployed through Speedy Trial.
Hard NACK on this. BIP 9 at this point represents developers attempting to
disregard and impose their will over community consensus, as well as an
attempt to force a miner veto backdoor/vulnerability on deployment. It should
never be used again.
Speedy Trial implemented with BIP 8 made sense* as a possible neutral
compromise between LOT=True and LOT=False (which could be deployed prior to
or in parallel), but using BIP 9 would destroy this.
As with Taproot, any future deployments should use BIP 8 again, until a better
solution is developed. Reverting back to a known flawed and vulnerable
activation method should not be done, and it would be better not to deploy
CTV at all at such an expense.
The fact that certain developers attempted to deploy a BIP 9 alternative
activation for Taproot against community consensus, and that even managed to
get released as "Bitcoin Core", makes it all the more important that the
community firmly rejects any further action to force this regression.
* it is my opinion a BIP 8 ST would be an okay compromise under those
circumstances; others do disagree that ST is acceptable at all
> This ensures that for a given known input, the TXIDs can also be known ahead
of time. Otherwise, CHECKTEMPLATEVERIFY would not be usable for Batched
Channel Creation constructions as the redemption TXID could be malleated and
pre-signed transactions invalidated, unless the channels are built using an
Eltoo-like protocol.
Why is it a problem for them to use an Eltoo-like protocol?
Why not just commit to the txid itself if that's the goal?
>P2SH is incompatible with CHECKTEMPLATEVERIFY
Maybe the CTV opcode should only be defined/enforced within witness scripts?
>nLockTime should generally be fixed to 0 (in the case of a payment tree, only
the *first* lock time is needed to prevent fee-sniping the root)
Your "Congestion Controlled Transactions" example would only make sense with
the spending transaction much later than the "root", and so could benefit
from fee sniping malleability. (In fact, in that example, it would be better
not to commit to locktime at all.)
>In the CHECKTEMPLATEVERIFY approach, the covenants are severely restricted to
simple templates. The structure of CHECKTEMPLATEVERIFY template is such that
the outputs must be known exactly at the time of construction. Based on a
destructuring argument, it is only possible to create templates which expand
in a finite number of steps.
It's not clear to me that this holds if OP_CAT or OP_SHA256STREAM get added.
>For example, a exchange's hot wallet might use an address which can
automatically be moved to a cold storage address after a relative timeout.
Wouldn't it make more sense to just have a UTXO both cold+hot can spend, then
throw away the hot key?
>In contrast to previous forks, OP_CHECKTEMPLATEVERIFY will not make scripts
valid for policy until the new rule is active.
Policy isn't validity, and cannot be dictated by BIPs (or anyone/anything, for
that matter).
Luke
Luke Dashjr [ARCHIVE] /
npub1tf…rfq0n
2023-06-07 23:02:30
in reply to nevent1q…nk9d
Author Public Key
npub1tfk373zg9dnmtvxnpnq7s2dkdgj37rwfj3yrwld7830qltmv8qps8rfq0nPublished at
2023-06-07 23:02:30Event JSON
{
"id": "6437ef9ba5c948359bbb777a558ee3bbcaa1c0c1785c66fdf47ff160013a205e",
"pubkey": "5a6d1f44482b67b5b0d30cc1e829b66a251f0dc99448377dbe3c5e0faf6c3803",
"created_at": 1686178950,
"kind": 1,
"tags": [
[
"e",
"03da030e3b313ae60c6ce63f7e2349e6c30d49bd45d38ae242a67e28557d2786",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2022-01-18\n📝 Original message:tl;dr: I don't think CTV is ready yet (but probably close), and in any case \ndefinitely not worth reviving BIP 9 with its known flaws and vulnerability.\n\nMy review here is based solely on the BIP, with no outside context (aside from \ncurrent consensus rules, of course). In particular, I have _not_ looked at \nthe CTV code proposed for Bitcoin Core yet.\n\n\u003eCovenants are restrictions on how a coin may be spent beyond key ownership. \n\nnit: Poorly phrased. Even simple scripts can do that already.\n\n\u003eA few examples are described below, which should be the subject of future \nnon-consensus standardization efforts.\n\nI would ideally like to see fully implemented BIPs for at least one of these \n(preferably the claimed CoinJoin improvements) before we move toward \nactivation.\n\n\u003eCongestion Controlled Transactions\n\nI think this use case hasn't been fully thought through yet. It seems like it \nwould be desirable for this purpose, to allow any of the recipients to claim \ntheir portion of the payment without footing the fee for every other payment \nincluded in the batch. This is still a covenant-type solution, but one that \nBIP 119 cannot support as-is.\n\n(I realise this may be a known and accepted limitation, but I think it should \nbe addressed in the BIP)\n\n\u003ePayment Channels\n\nWhy batch mere channel creation? Seems like the spending transaction should \nreally be the channel closing.\n\n\u003eCHECKTEMPLATEVERIFY makes it much easier to set up trustless CoinJoins than \npreviously because participants agree on a single output which pays all \nparticipants, which will be lower fee than before.\n\nI don't see how. They still have to agree in advance on the outputs, and the \ntotal fees will logically be higher than not using CTV...?\n\n\u003eFurther Each participant doesn't need to know the totality of the outputs \ncommitted to by that output, they only have to verify their own sub-tree will \npay them.\n\nI don't see any way to do this with the provided implementation.\n\n\u003eDeployment could be done via BIP 9 VersionBits deployed through Speedy Trial.\n\nHard NACK on this. BIP 9 at this point represents developers attempting to \ndisregard and impose their will over community consensus, as well as an \nattempt to force a miner veto backdoor/vulnerability on deployment. It should \nnever be used again.\n\nSpeedy Trial implemented with BIP 8 made sense* as a possible neutral \ncompromise between LOT=True and LOT=False (which could be deployed prior to \nor in parallel), but using BIP 9 would destroy this.\n\nAs with Taproot, any future deployments should use BIP 8 again, until a better \nsolution is developed. Reverting back to a known flawed and vulnerable \nactivation method should not be done, and it would be better not to deploy \nCTV at all at such an expense.\n\nThe fact that certain developers attempted to deploy a BIP 9 alternative \nactivation for Taproot against community consensus, and that even managed to \nget released as \"Bitcoin Core\", makes it all the more important that the \ncommunity firmly rejects any further action to force this regression.\n\n* it is my opinion a BIP 8 ST would be an okay compromise under those \ncircumstances; others do disagree that ST is acceptable at all\n\n\u003e This ensures that for a given known input, the TXIDs can also be known ahead \nof time. Otherwise, CHECKTEMPLATEVERIFY would not be usable for Batched \nChannel Creation constructions as the redemption TXID could be malleated and \npre-signed transactions invalidated, unless the channels are built using an \nEltoo-like protocol.\n\nWhy is it a problem for them to use an Eltoo-like protocol?\n\nWhy not just commit to the txid itself if that's the goal?\n\n\u003eP2SH is incompatible with CHECKTEMPLATEVERIFY \n\nMaybe the CTV opcode should only be defined/enforced within witness scripts?\n\n\u003enLockTime should generally be fixed to 0 (in the case of a payment tree, only \nthe *first* lock time is needed to prevent fee-sniping the root)\n\nYour \"Congestion Controlled Transactions\" example would only make sense with \nthe spending transaction much later than the \"root\", and so could benefit \nfrom fee sniping malleability. (In fact, in that example, it would be better \nnot to commit to locktime at all.)\n\n\u003eIn the CHECKTEMPLATEVERIFY approach, the covenants are severely restricted to \nsimple templates. The structure of CHECKTEMPLATEVERIFY template is such that \nthe outputs must be known exactly at the time of construction. Based on a \ndestructuring argument, it is only possible to create templates which expand \nin a finite number of steps.\n\nIt's not clear to me that this holds if OP_CAT or OP_SHA256STREAM get added.\n\n\u003eFor example, a exchange's hot wallet might use an address which can \nautomatically be moved to a cold storage address after a relative timeout.\n\nWouldn't it make more sense to just have a UTXO both cold+hot can spend, then \nthrow away the hot key?\n\n\u003eIn contrast to previous forks, OP_CHECKTEMPLATEVERIFY will not make scripts \nvalid for policy until the new rule is active.\n\nPolicy isn't validity, and cannot be dictated by BIPs (or anyone/anything, for \nthat matter).\n\nLuke",
"sig": "a3d3450b5b10445b7d0b7448f5ae140604091ff5fe89399c0621af52a9b60e84b75ff8a452fce681e44230eb4471e8ace575c725fcd8d5be29e8505f050afa4d"
}