📅 Original date posted:2015-12-10
📝 Original message:It seems the current consensus is to implement Segregated Witness. SW
opens many new possibilities but we need a balance between new features
and deployment time frame. I'm listing by my priority:
1-2 are about scalability and have highest priority
1. Witness size limit: with SW we should allow a bigger overall block
size. It seems 2MB is considered to be safe for many people. However,
the exact size and growth of block size should be determined based on
testing and reasonable projection.
2. Deployment time frame: I prefer as soon as possible, even if none of
the following new features are implemented. This is not only a technical
issue but also a response to the community which has been waiting for a
scaling solution for years
3-6 promote safety and reduce level of trust (higher priority)
3. SIGHASH_WITHINPUTVALUE [1]: there are many SIGHASH proposals but this
one has the highest priority as it makes offline signing much easier.
4. Sum of fee, sigopcount, size etc as part of the witness hash tree:
for compact proof of violations in these parameters. I prefer to have
this feature in SWv1. Otherwise, that would become an ugly softfork in
SWv2 as we need to maintain one more hash tree
5. Height and position of an input as part of witness will allow compact
proof of non-existing UTXO. We need this eventually. If it is not done
in SWv1, we could softfork it nicely in SWv2. I prefer this earlier as
this is the last puzzle for compact fraud proof.
6. BIP62 and OP_IF malleability fix [2] as standardness rules:
involuntary malleability may still be a problem in the relay network and
may make the relay less efficient (need more research)
7-15 are new features and long-term goals (lower priority)
7. Enable OP_CAT etc:
OP_CAT will allow tree signatures described by [3]. Even without Schnorr
signature, m-of-n multisig will become more efficient if m < n.
OP_SUBSTR/OP_LEFT/OP_RIGHT will allow people to shorten a payment
address, while sacrificing security.
I'm not sure how those disabled bitwise logic codes could be useful
Multiplication and division may still considered to be risky and not
very useful?
8. Schnorr signature: for very efficient multisig [3] but could be
introduced later.
9. Per-input lock-time and relative lock-time: define lock-time and
relative lock-time in witness, and signed by user. BIP68 is not a very
ideal solution due to limited lock time length and resolution
10. OP_PUSHLOCKTIME and OP_PUSHRELATIVELOCKTIME: push the lock-time and
relative lock-time to stack. Will allow more flexibility than OP_CLTV
and OP_CSV
11. OP_RETURNTURE which allows softfork of any new OP codes [4]. It is
not really necessary with the version byte design but with OP_RETURNTURE
we don't need to pump the version byte too frequently.
12. OP_EVAL (BIP12), which enables Merkleized Abstract Syntax Trees
(MAST) with OP_CAT [5]. This will also obsolete BIP16. Further
restrictions should be made to make it safe [6]:
a) We may allow at most one OP_EVAL in the scriptPubKey
b) Not allow any OP_EVAL in the serialized script, nor anywhere else in
the witness (therefore not Turing-complete)
c) In order to maintain the ability to statically analyze scripts, the
serialized script must be the last push of the witness (or script
fails), and OP_EVAL must be the last OP code in the scriptPubKey
13. Combo OP codes for more compact scripts, for example:
OP_MERKLEHASH160, if executed, is equivalent to OP_SWAP OP_IF OP_SWAP
OP_ENDIF OP_CAT OP_HASH160 [3]. Allowing more compact tree-signature and
MAST scripts.
OP_DUPTOALTSTACK, OP_DUPFROMALTSTACK: copy to / from alt stack without
removing the item
14. UTXO commitment: good but not in near future
15. Starting as a softfork, moving to a hardfork? SW Softfork is a quick
but dirty solution. I believe a hardfork is unavoidable in the future,
as the 1MB limit has to be increased someday. If we could plan it ahead,
we could have a much cleaner SW hardfork in the future, with codes
pre-announced for 2 years.
[1] https://bitcointalk.org/index.php?topic=181734.0
[2]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-November/011679.html
[3] https://blockstream.com/2015/08/24/treesignatures/
[4] https://bitcointalk.org/index.php?topic=1106586.0
[5]
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-September/010977.html
[6] https://bitcointalk.org/index.php?topic=58579.msg690093#msg690093
jl2012 at xbt.hk [ARCHIVE] /
npub1kc…wjfw4
2023-06-07 19:46:07
in reply to nevent1q…7gys
Author Public Key
npub1kc0zulxt7j4a0ayhzhrz7jk84y7tm4026qcky7w97hlfkxxap24qnwjfw4Published at
2023-06-07 19:46:07Event JSON
{
"id": "cf6630dc12b8f832925b9675ed86e20202eaed9569706414c318d8f1d23628b1",
"pubkey": "b61e2e7ccbf4abd7f49715c62f4ac7a93cbdd5ead0316279c5f5fe9b18dd0aaa",
"created_at": 1686159967,
"kind": 1,
"tags": [
[
"e",
"12a84dc161497f5ec3fbb3e9fb726708fb1bb0268a8834c07e1f631c1bbca295",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2015-12-10\n📝 Original message:It seems the current consensus is to implement Segregated Witness. SW \nopens many new possibilities but we need a balance between new features \nand deployment time frame. I'm listing by my priority:\n\n1-2 are about scalability and have highest priority\n\n1. Witness size limit: with SW we should allow a bigger overall block \nsize. It seems 2MB is considered to be safe for many people. However, \nthe exact size and growth of block size should be determined based on \ntesting and reasonable projection.\n\n2. Deployment time frame: I prefer as soon as possible, even if none of \nthe following new features are implemented. This is not only a technical \nissue but also a response to the community which has been waiting for a \nscaling solution for years\n\n3-6 promote safety and reduce level of trust (higher priority)\n\n3. SIGHASH_WITHINPUTVALUE [1]: there are many SIGHASH proposals but this \none has the highest priority as it makes offline signing much easier.\n\n4. Sum of fee, sigopcount, size etc as part of the witness hash tree: \nfor compact proof of violations in these parameters. I prefer to have \nthis feature in SWv1. Otherwise, that would become an ugly softfork in \nSWv2 as we need to maintain one more hash tree\n\n5. Height and position of an input as part of witness will allow compact \nproof of non-existing UTXO. We need this eventually. If it is not done \nin SWv1, we could softfork it nicely in SWv2. I prefer this earlier as \nthis is the last puzzle for compact fraud proof.\n\n6. BIP62 and OP_IF malleability fix [2] as standardness rules: \ninvoluntary malleability may still be a problem in the relay network and \nmay make the relay less efficient (need more research)\n\n7-15 are new features and long-term goals (lower priority)\n\n7. Enable OP_CAT etc:\nOP_CAT will allow tree signatures described by [3]. Even without Schnorr \nsignature, m-of-n multisig will become more efficient if m \u003c n.\n\nOP_SUBSTR/OP_LEFT/OP_RIGHT will allow people to shorten a payment \naddress, while sacrificing security.\n\nI'm not sure how those disabled bitwise logic codes could be useful\n\nMultiplication and division may still considered to be risky and not \nvery useful?\n\n8. Schnorr signature: for very efficient multisig [3] but could be \nintroduced later.\n\n9. Per-input lock-time and relative lock-time: define lock-time and \nrelative lock-time in witness, and signed by user. BIP68 is not a very \nideal solution due to limited lock time length and resolution\n\n10. OP_PUSHLOCKTIME and OP_PUSHRELATIVELOCKTIME: push the lock-time and \nrelative lock-time to stack. Will allow more flexibility than OP_CLTV \nand OP_CSV\n\n11. OP_RETURNTURE which allows softfork of any new OP codes [4]. It is \nnot really necessary with the version byte design but with OP_RETURNTURE \nwe don't need to pump the version byte too frequently.\n\n12. OP_EVAL (BIP12), which enables Merkleized Abstract Syntax Trees \n(MAST) with OP_CAT [5]. This will also obsolete BIP16. Further \nrestrictions should be made to make it safe [6]:\na) We may allow at most one OP_EVAL in the scriptPubKey\nb) Not allow any OP_EVAL in the serialized script, nor anywhere else in \nthe witness (therefore not Turing-complete)\nc) In order to maintain the ability to statically analyze scripts, the \nserialized script must be the last push of the witness (or script \nfails), and OP_EVAL must be the last OP code in the scriptPubKey\n\n13. Combo OP codes for more compact scripts, for example:\n\nOP_MERKLEHASH160, if executed, is equivalent to OP_SWAP OP_IF OP_SWAP \nOP_ENDIF OP_CAT OP_HASH160 [3]. Allowing more compact tree-signature and \nMAST scripts.\n\nOP_DUPTOALTSTACK, OP_DUPFROMALTSTACK: copy to / from alt stack without \nremoving the item\n\n14. UTXO commitment: good but not in near future\n\n15. Starting as a softfork, moving to a hardfork? SW Softfork is a quick \nbut dirty solution. I believe a hardfork is unavoidable in the future, \nas the 1MB limit has to be increased someday. If we could plan it ahead, \nwe could have a much cleaner SW hardfork in the future, with codes \npre-announced for 2 years.\n\n\n[1] https://bitcointalk.org/index.php?topic=181734.0\n[2] \nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-November/011679.html\n[3] https://blockstream.com/2015/08/24/treesignatures/\n[4] https://bitcointalk.org/index.php?topic=1106586.0\n[5] \nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-September/010977.html\n[6] https://bitcointalk.org/index.php?topic=58579.msg690093#msg690093",
"sig": "cd8927e4dabfb020b439aa2af6ce2fd4caaeb348f541b36d02f23900dc9c70f1726190c06a1a5631d34b1052892d91b9d1dd92269b6cb76a04d0f4e6e3c46f37"
}