-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Specify opcodes for MATT #25
Comments
Proposals are very welcome! We're still experimenting with the format, please feel free to provide any feedback :) I'm trying to formalize the exact opcodes for MATT for the purpose of implementing them for bitcoin-inquisition.
The annex has always been devised as a generic mechanism to extend the transaction data fields. So yes passing "arguments"
About
Yeah, on me here to clean and finalize this branch quickly!
I think there is the idea of Staying available to answer Script coding questions on #bitcoin-contracting-primitives-wg :) |
The purpose of those "arguments" depends on the specific contract; basically anything that can be pushed onto the stack would do.
As the design space is rather large (and the ability to do MATT covenants isn't really affected by small changes in the specs), I tried to keep the opcodes minimal, but not unnaturally minimal (hence CAT instead of SHA256CAT).
The reason I went for these 4 is that I could copy them directly from Liquid opcodes; I also tend to prefer more atomic operations, but I'm ok with other options, too. |
Hello, I did some work to formalize the core opcodes, based on the progress in the last few months. The changes are as follows:
Opcodes to access the annex do not seem to be necessary for most use cases, unlike what I thought in the initial post above. I opted to not add a tag to the data tweak (unlike the taptweak that is tagged as per taproot rules); see here for the reasoning, which seems to apply here as well.
|
I edited the order of parameters above so that the |
Not sure if anyone is reading here, but here's a complete implementation following the semantics above: bitcoin-inquisition/bitcoin@24.0...bigspider:bitcoin-inquisition:checkcontractverify I adopted @jamesob's framework for deferred checks from the OP_VAULT PR for a similar semantics on output amounts. Tests are still quite basic, but it should be good enough to play with a relatively stable semantics. |
Changes in the branch (and in the specs drafted above):
Also did some general cleanup of the code, and added one more test. Tests are still insufficient. |
In case anyone still lands here, there are some further updates. The semantics of the
Together with a possible |
Thanks for the responses on X today. Might it be worth combining In typical cases this would save 2 bytes relative to the current design, and it would allow an additional subcategory of contracts involving groups of outputs (e.g. 2-in, 2-out vault spends with partial revault) that could still be batched. What this gives up is the upgradeability of flags, but we can leave behind an upgrade hook for top arguments longer than 3 bytes (and as I mentioned on X probably better to make this a CTV/CHECKSIG-style upgrade where the operation succeeds but does not short circuit execution with longer arguments). The longer argument would be 5 total witness bytes for the upgraded behavior, 1 more than used with a 1-byte index and 1-byte flags in the current design. Now that I've taken the time to wrap my head fully(?) around CCV, I'm enthusiastic about it as an alternative to OP_VAULT that is more general. cc @jamesob The one major hurdle I see in bringing CCV to bitcoin is gaining consensus on the idea that hashrate escrow type contracts are either an inevitability or an acceptable (or even desirable) function for bitcoin. I hope to see this work formalized into a BIP or BIN soon :) |
@reardencode The things I'm building in pymatt are (mostly) agnostic to the exact implementation details, so having more code examples might help the future inevitable bike-shedding (or maybe byte-shedding...). For the same reason, in the short term I prefer to focus on writing more code, rather than championing a BIP/BIN, which is on its own a quite substantial amount of work!
I mostly try to stay out of this discussion at this time (especially on Twitter...). But I'll briefly summarize my opinions, which I hope to find time to write in long form at some point. My take is that (some) MEV is an inevitability, and drivechain-y things are likely enabled by the other covenant proposals as well if one thinks hard enough (how drivechainy is drivechainy enough is, of course, arguable ad infinitum). I think people conflate covenants/introspection opcodes with "adding new features"; but covenants don't add anything fundamentally new to bitcoin - they just make some things trustless when today they can only be built with not fully trustless solutions. Finally, general covenants enable substantially better L2s (and more generally, better 2-way pegs) than drivechains. Therefore, they might even end up decreasing the chance of drivechains adoption, since their only selling point is quite literally the "missing features" of bitcoin. |
I plan on prototyping CCV together with 64-bit math as well, it would be worth thinking about the amounts of the inputs/outputs as part of the arguments also. |
My hunch is that adding this would make CCV slightly more expensive for common use cases that are already covered by the current opcode, while the use cases where you need explicit amount checks tend to be uncooperative branches in smart contracts, for example your work on HTLC output aggregation, or situations of unilateral exit in coinpool-like constructions. As they are uncooperative cases, I'm not sure the byte saving is significant enough to justify more complex/expensive opcodes for CCV, and my plan there would be to use the Anyway, looking forward to review your proposed specs! |
Yeah, this is exactly the question. I am in the camp that making those things trustless does change the mining incentives simply by making them more likely to be adopted, but I am not confident in that. The target audience for drivechainy things are seeming way more comfortable with depending on trust than I expect. Thanks for your thoughts. I'm hoping to have a good long talk with some of the loudest folks concerned about this (cough Shinobi) at some point soon. |
I spent some time this morning trying to design LN-Symmetry contracts for CCV+CSFS, but found myself needing CAT+CTV as well to make it work out nicely. One potentially interesting output of that work was that if CCV was instead CC which left on the stack |
I always assume CAT in the current experiments. CTV is always replaceable with CCV, although of course this comes with a byte cost for usecases where CTV is enough. As this repo is mostly dormant at this point, I created an issue in pymatt repo: Merkleize/pymatt#9. Implementing lightning would be great indeed! Also feel free to create other issues if you have any ideas, questions, etc.
Interesting, I didn't consider that semantic, but it seems intuitively useful (also, a number of contracts I implemented do indeed need a final What is the use case you have in mind? |
If anyone wants to grab the bitcoin contracting primitives wg to roll it forward, please do so ! No time to maintain it anymore. |
Yeah, I tend to lean towards having amount checks be done by a separate opcode, that would make it generally usable without cluttering the CCV arguments further. |
Edit: Obsolete, see below for the latest attempt.
Hello, I hope it's fine if I slightly abuse this space to get feedback on my specific proposal - please let me know if this is not appreciated and I'll find a different venue.
I'm trying to formalize the exact opcodes for MATT for the purpose of implementing them for bitcoin-inquisition.
One thing that was left unspecified in the initial sketch (h/t @darosior for pointing that out) is that a way is needed to make "arguments" passed to the covenant non-malleable, if they are passed via the witness.
Building on top of Antoine Riard's PR on the annex format, I think using the annex for this purpose is the best course of action.
I would love if someone more experienced with bitcoin-core would like to help with putting together a good PR.
MATT needs your help! :)
This is what I'm planning right now for an (almost) complete set of opcodes - please let me know if you have any comments or suggestions.
MATT tentative specs
Covenant opcodes: verify or commit to data in the taproot internal key of an input/output
OP_CHECKINPUTCOVENANTVERIFY
: letx
,d
be the two top elements of the stack; fail if any ofx
andd
is not exactly 32 bytes; otherwise, check that thex
is a valid x-only pubkey, and the internal pubkeyP
of the current input is indeed obtained by tweakinglift_x(x)
withd
.OP_CHECKOUTPUTCOVENANTVERIFY
: given a numberout_i
and three 32-byte hash elementsx
,d
andtaptree
on top of the stack, verifies that theout_i
-th output is a P2TR output with the taproot internal key computed as above, and tweaked withtaptree
. Fail if if any ofx
,d
ortaptree
is not exactly 32 bytes.Data manipulation:
OP_CAT
: pop the top two stack elements, push their concatenation; fail if the concatenation is longer than a predefined limit (256 bytes?).Additional introspection (compulsory):
OP_PUSH_ANNEX_RECORD
: details TBD; push an annex record onto the stack. To build on top of Always Look On The Bright Side of the Annex bitcoin-inquisition/bitcoin#9.Additional introspection (optional): one can probably do some interesting things without, but these would allow concepts like "pay to a contract" or "withdraw from a contract", where the contract is a covenant-encumbered UTXO.
OP_INSPECTNUMINPUTS
andOP_INSPECTNUMOUTPUTS
: push to the stack the number of inputs/outputs.OP_INSPECTINPUTVALUE
andOP_INSPECTOUTPUTVALUE
: given an indexi
popped from the top of the stack, push to the stack the amount in sats of a certain input/output.Still unresolved: as pointed out by Anthony Towns, amounts do not fit in 32-bytes; therefore, some way of enabling 64-bit maths would be desirable. It's a technicality, so it might safely be left for later.
Comments
OP_CHECKINPUTCOVENANTVERIFY
andOP_CHECKOUTPUTCOVENANTVERIFY
could be replaced with more general opcodes to inspect input/output scriptPubKey, and do some elliptic curve maths. Those are already available in Liquid, see here.The text was updated successfully, but these errors were encountered: