📅 Original date posted:2023-08-18
🗒️ Summary of this message: Antoine expressed concerns about the potential risks of cross-input inspection, but the response emphasized the importance of experimentation. Cross-input introspection has potential use cases, such as implementing eltoo-style replacement for lightning. The idea of using flags or tags to encode subset of introspected inputs/outputs was discussed, but further clarification is needed. The potential efficiency of this framework in terms of witness space consumed is still an open question.
📝 Original message:
Hi Antoine,
Thanks for your comments and insights.
On Mon, 14 Aug 2023 at 05:01, Antoine Riard <antoine.riard at gmail.com> wrote:
> I think cross-input inspection (not cross-input signature
> aggregation which is different) is opening a pandora box in terms of
> "malicious" off-chain contracts than one could design. E.g miners bribing
> contracts to censor the confirmation of time-sensitive lightning channel
> transactions, where the bribes are paid on the hashrate distribution of
> miners during the previous difficulty period, thanks to the coinbase pubkey.
>
At this time, my goal is to facilitate maximum experimentation; it's safe
to open Pandora's box in a sandbox, as that's the only way to know if it's
empty.
Concerns will of course need to be answered when a soft-fork proposal is
made, and restrictions can be added if necessary.
Cross-input introspection seems very likely to have use cases; for example,
I drafted some notes on how it could be used to implement eltoo-style
replacement for lightning (or arbitrary state channels) when combined with
ANYONECANPAY:
https://gist.github.com/bigspider/041ebd0842c0dcc74d8af087c1783b63
<https://gist.github.com/bigspider/041ebd0842c0dcc74d8af087c1783b63>;.
Although, it would be much easier with CCV+CHECKSIGFROMSTACK, and in that
case cross-input introspection is not needed.
Similarly, some people raised concerns with recursivity of covenant
opcodes; that also could be artificially limited in CCV if desired, but it
would prevent some use cases.
I have some thoughts on why the fear of covenants might generally be
unjustified, which I hope to write in long form at some point.
More than a binary flag like a matrix could be introduced to encode subset
> of introspected inputs /outputs to enable sighash_group-like semantic:
>
> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019243.html
>
The flags alter the semantic behavior of the opcode; perhaps you rather
refer to generalizing the index parameter so that it can refer to a group
of inputs/outputs, instead?
I'm not aware of the use cases at this time, feel free to expand further.
> Or even beyond a matrix, it could be a set of "tags". There could be a
> generalized tag for unstructured data, and another one for bitcoin
> transaction / script data types (e.g scriptpubkey, amount, nsequence,
> merkle branch) that could be fetched from the taproot annex.
>
How would these "tags" interact with CHECKCONTRACTVERIFY? I don't quite
understand the use case.
I think this generic framework is interesting for joinpool / coinpool /
> payment pool, as you can check that any withdrawal output can be committed
> as part of the input scriptpubkey, and spend it on
> blessed-with-one-participant-sig script. There is still a big open question
> if it's efficient in terms of witness space consumed.
>
More generic introspection might not fit well within the semantics of CCV,
but it could (and probably should) be added with separate opcodes.
That said, I still think you would need at least ANYPREVOUT and more
> malleability for the amount transfer validation as laid out above.
>
I personally find OP_CHECKSIGFROMSTACK more natural when thinking about
constructions with CCV; but most likely either would work here.
Looking on the `DeferredCheck` framework commit, one obvious low-level
> concern is the DoS risk for full-nodes participating in transaction-relay,
> and that maybe policy rules should be introduced to keep the worst-CPU
> input in the ranges of current transaction spend allowed to propagate on
> the network today.
>
Of course, care needs to be taken in general when designing new deferred
checks, to avoid any sort of quadratic validation cost.
The DeferredChecks added specifically for CCV has negligible cost, as it's
just O(n_outputs + n_ccv_out) where n_ccv_out is the number of executed
OP_CHECKCONTRACTVERIFY opcodes (transaction-wide) that check the output
amount.
Best,
Salvatore
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230818/e7955d4b/attachment.html>;
Salvatore Ingala [ARCHIVE] /
npub1lp…c74n4
2023-08-21 11:55:29
in reply to nevent1q…x4vl
Author Public Key
npub1lpkmxpl2zhk0w30vtdz7s64ml9644k785eggmjsjgs7wman3szzqac74n4Published at
2023-08-21 11:55:29Event JSON
{
"id": "99a510cc5cc4814b3af7167595f0dad1ccc8b27cd4deaabbe4c40ef0db53f38c",
"pubkey": "f86db307ea15ecf745ec5b45e86abbf9755adbc7a6508dca12443cedf6718084",
"created_at": 1692611729,
"kind": 1,
"tags": [
[
"e",
"86649676ae3ff05a6e718ccf3b301e4e0e000c38b8f97ecfab084b85db23c5a3",
"",
"root"
],
[
"e",
"30da1888450985e63f5c6d589c855af071c561666a06c85c98005356e4462567",
"",
"reply"
],
[
"p",
"6485bc56963b51c9043d0855cca9f78fcbd0ce135a195c3f969e18ca54a0d551"
]
],
"content": "📅 Original date posted:2023-08-18\n🗒️ Summary of this message: Antoine expressed concerns about the potential risks of cross-input inspection, but the response emphasized the importance of experimentation. Cross-input introspection has potential use cases, such as implementing eltoo-style replacement for lightning. The idea of using flags or tags to encode subset of introspected inputs/outputs was discussed, but further clarification is needed. The potential efficiency of this framework in terms of witness space consumed is still an open question.\n📝 Original message:\nHi Antoine,\n\nThanks for your comments and insights.\n\nOn Mon, 14 Aug 2023 at 05:01, Antoine Riard \u003cantoine.riard at gmail.com\u003e wrote:\n\n\u003e I think cross-input inspection (not cross-input signature\n\u003e aggregation which is different) is opening a pandora box in terms of\n\u003e \"malicious\" off-chain contracts than one could design. E.g miners bribing\n\u003e contracts to censor the confirmation of time-sensitive lightning channel\n\u003e transactions, where the bribes are paid on the hashrate distribution of\n\u003e miners during the previous difficulty period, thanks to the coinbase pubkey.\n\u003e\n\nAt this time, my goal is to facilitate maximum experimentation; it's safe\nto open Pandora's box in a sandbox, as that's the only way to know if it's\nempty.\nConcerns will of course need to be answered when a soft-fork proposal is\nmade, and restrictions can be added if necessary.\n\nCross-input introspection seems very likely to have use cases; for example,\nI drafted some notes on how it could be used to implement eltoo-style\nreplacement for lightning (or arbitrary state channels) when combined with\nANYONECANPAY:\n https://gist.github.com/bigspider/041ebd0842c0dcc74d8af087c1783b63\n\u003chttps://gist.github.com/bigspider/041ebd0842c0dcc74d8af087c1783b63\u003e.\nAlthough, it would be much easier with CCV+CHECKSIGFROMSTACK, and in that\ncase cross-input introspection is not needed.\n\nSimilarly, some people raised concerns with recursivity of covenant\nopcodes; that also could be artificially limited in CCV if desired, but it\nwould prevent some use cases.\n\nI have some thoughts on why the fear of covenants might generally be\nunjustified, which I hope to write in long form at some point.\n\nMore than a binary flag like a matrix could be introduced to encode subset\n\u003e of introspected inputs /outputs to enable sighash_group-like semantic:\n\u003e\n\u003e https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019243.html\n\u003e\n\nThe flags alter the semantic behavior of the opcode; perhaps you rather\nrefer to generalizing the index parameter so that it can refer to a group\nof inputs/outputs, instead?\nI'm not aware of the use cases at this time, feel free to expand further.\n\n\n\u003e Or even beyond a matrix, it could be a set of \"tags\". There could be a\n\u003e generalized tag for unstructured data, and another one for bitcoin\n\u003e transaction / script data types (e.g scriptpubkey, amount, nsequence,\n\u003e merkle branch) that could be fetched from the taproot annex.\n\u003e\n\nHow would these \"tags\" interact with CHECKCONTRACTVERIFY? I don't quite\nunderstand the use case.\n\nI think this generic framework is interesting for joinpool / coinpool /\n\u003e payment pool, as you can check that any withdrawal output can be committed\n\u003e as part of the input scriptpubkey, and spend it on\n\u003e blessed-with-one-participant-sig script. There is still a big open question\n\u003e if it's efficient in terms of witness space consumed.\n\u003e\n\nMore generic introspection might not fit well within the semantics of CCV,\nbut it could (and probably should) be added with separate opcodes.\n\nThat said, I still think you would need at least ANYPREVOUT and more\n\u003e malleability for the amount transfer validation as laid out above.\n\u003e\n\nI personally find OP_CHECKSIGFROMSTACK more natural when thinking about\nconstructions with CCV; but most likely either would work here.\n\nLooking on the `DeferredCheck` framework commit, one obvious low-level\n\u003e concern is the DoS risk for full-nodes participating in transaction-relay,\n\u003e and that maybe policy rules should be introduced to keep the worst-CPU\n\u003e input in the ranges of current transaction spend allowed to propagate on\n\u003e the network today.\n\u003e\n\nOf course, care needs to be taken in general when designing new deferred\nchecks, to avoid any sort of quadratic validation cost.\nThe DeferredChecks added specifically for CCV has negligible cost, as it's\njust O(n_outputs + n_ccv_out) where n_ccv_out is the number of executed\nOP_CHECKCONTRACTVERIFY opcodes (transaction-wide) that check the output\namount.\n\nBest,\nSalvatore\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20230818/e7955d4b/attachment.html\u003e",
"sig": "41b9f918826129092a4f525fd2715260303972b6d2af970f9c430e9b15d8b0749f8c148d9c12793290b3004bee8dcbbe07e4c4b8fa6b6496047b691018b5346d"
}