CHECKSIGFROMSTACK(VERIFY/ADD)
221 views
Skip to first unread message
Brandon Black
Nov 14, 2024, 6:06:27 PMNov 14
to bitco...@googlegroups.com
Hi list,
As we're working toward numbering and merge for the CHECKSIGFROMSTACK
(CSFS) BIP, there are 2 open questions[1] that may be worth resolving
before it is merged as a draft:
* Should CHECKSIGFROMSTACKVERIFY (CSFSV) be added to pre-tapscript?
The proposed opcode always evaluates BIP340 Schnorr signatures
regardless of script version, so making it available in earlier script
versions makes Schnorr signatures available on those script versions for
certain use cases.
My personal thinking in initially including CSFSV in earlier script
versions was basically that it's compatible with NOP forking, so why
not. Because LNHANCE includes CTV which is designed as a NOP compatible
upgrade, also including CSFSV fits well with CTV.
The other side of the argument is that we shouldn't include
compatibility with earlier script versions unless there's a concrete
benefit to doing so. For CTV, the possibility of bare CTV is a
compelling reason to add it to earlier script versions, but there's not
a similarly compelling reason to include CSFSV.
Using a scarce NOP to provide Schnorr signed commitments to earlier
scripts may not be worthwhile.
* Should we include CHECKSIGFROMSTACKADD?
Obviously, if script multisig is going to be a common use case for
checking signatures on stack data CHECKSIGFROMSTACKADD simplifies the
corresponding scripts by a few WU per key. As MuSig2 and FROST are
progressing in standardization and implementation, I do not expect
script multisig to be a dominant use for these opcodes, so I did not
include CSFSA initially.
Here the argument is somewhat the inverse of CSFSV on legacy: We have
many OP_SUCCESSes available, so the cost of allocating one for CSFSA is
low, and the benefit is that making script multisigs with CSFSA (such as
those produced by miniscript) is simpler and less error prone.
--
I would love to hear thoughts about both of these questions from the
list, and will update the BIP and implementations of CSFS(V/A) based on
your feedback.
Thanks much!
--Brandon
[1]: https://github.com/bitcoin/bips/pull/1535#issuecomment-2111195930
As we're working toward numbering and merge for the CHECKSIGFROMSTACK
(CSFS) BIP, there are 2 open questions[1] that may be worth resolving
before it is merged as a draft:
* Should CHECKSIGFROMSTACKVERIFY (CSFSV) be added to pre-tapscript?
The proposed opcode always evaluates BIP340 Schnorr signatures
regardless of script version, so making it available in earlier script
versions makes Schnorr signatures available on those script versions for
certain use cases.
My personal thinking in initially including CSFSV in earlier script
versions was basically that it's compatible with NOP forking, so why
not. Because LNHANCE includes CTV which is designed as a NOP compatible
upgrade, also including CSFSV fits well with CTV.
The other side of the argument is that we shouldn't include
compatibility with earlier script versions unless there's a concrete
benefit to doing so. For CTV, the possibility of bare CTV is a
compelling reason to add it to earlier script versions, but there's not
a similarly compelling reason to include CSFSV.
Using a scarce NOP to provide Schnorr signed commitments to earlier
scripts may not be worthwhile.
* Should we include CHECKSIGFROMSTACKADD?
Obviously, if script multisig is going to be a common use case for
checking signatures on stack data CHECKSIGFROMSTACKADD simplifies the
corresponding scripts by a few WU per key. As MuSig2 and FROST are
progressing in standardization and implementation, I do not expect
script multisig to be a dominant use for these opcodes, so I did not
include CSFSA initially.
Here the argument is somewhat the inverse of CSFSV on legacy: We have
many OP_SUCCESSes available, so the cost of allocating one for CSFSA is
low, and the benefit is that making script multisigs with CSFSA (such as
those produced by miniscript) is simpler and less error prone.
--
I would love to hear thoughts about both of these questions from the
list, and will update the BIP and implementations of CSFS(V/A) based on
your feedback.
Thanks much!
--Brandon
[1]: https://github.com/bitcoin/bips/pull/1535#issuecomment-2111195930
moonsettler
Nov 15, 2024, 5:36:01 AMNov 15
to Brandon Black, bitco...@googlegroups.com
Hi Brandon,
For what it's worth, I also think signature aggregation will be the dominant
form of CSFS use. LNhance at it's core is CTV + CSFS, and so it makes sense
to have both of those available in pre-tapscript.
No strong opinion on CHECKSIGFROMSTACKADD, agree with the general reasoning.
It's a bit weird to backport Schnorr this way, and the NOP upgrade path
leaving 3 elements on the stack is also unfortunate. On the other hand,
reverting CSFSV to use ECDSA in pre-tapscript would force us to consider
implementing script multisig, to do anything really worthwhile there.
BR,
moonsettler
Sent with Proton Mail secure email.
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ZzZziZOy4IrTNbNG%40console.
For what it's worth, I also think signature aggregation will be the dominant
form of CSFS use. LNhance at it's core is CTV + CSFS, and so it makes sense
to have both of those available in pre-tapscript.
No strong opinion on CHECKSIGFROMSTACKADD, agree with the general reasoning.
It's a bit weird to backport Schnorr this way, and the NOP upgrade path
leaving 3 elements on the stack is also unfortunate. On the other hand,
reverting CSFSV to use ECDSA in pre-tapscript would force us to consider
implementing script multisig, to do anything really worthwhile there.
BR,
moonsettler
Sent with Proton Mail secure email.
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/ZzZziZOy4IrTNbNG%40console.
Murch
Nov 15, 2024, 10:13:29 AMNov 15
to bitco...@googlegroups.com
Hi everyone,
On 2024-11-14 17:02, Brandon Black wrote:
> * Should CHECKSIGFROMSTACKVERIFY (CSFSV) be added to pre-tapscript
> […]
On 2024-11-14 17:02, Brandon Black wrote:
> * Should we include CHECKSIGFROMSTACKADD?
I feel similar about this. If there is currently no demand for this, and future demand also seems unlikely, I would prefer a smaller, more focused set of changes.
Cheers,
Murch
On 2024-11-14 17:02, Brandon Black wrote:
> * Should CHECKSIGFROMSTACKVERIFY (CSFSV) be added to pre-tapscript
> My personal thinking in initially including CSFSV in earlier script versions was basically that it's compatible with NOP forking, so why not.
If there is no compelling use case or concrete benefit, I don’t think "it’s compatible, why not" is convincing motivation, especially at the cost of a NOP.
On 2024-11-14 17:02, Brandon Black wrote:
> * Should we include CHECKSIGFROMSTACKADD?
Cheers,
Murch
Antoine Poinsot
Nov 15, 2024, 12:51:31 PMNov 15
to Murch, bitco...@googlegroups.com
To add to Murch's point, from my experience working with Script in general and
trying to estimate the cost of validation of legacy script as part of the
consensus cleanup in particular, i think we should refrain from modifying legacy
Script and further complicate reasoning about the worst case unless strictly
necessary.
Best,
Antoine
trying to estimate the cost of validation of legacy script as part of the
consensus cleanup in particular, i think we should refrain from modifying legacy
Script and further complicate reasoning about the worst case unless strictly
necessary.
Best,
Antoine
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/c91269ac-e579-4089-bf9a-fdc076e34727%40murch.one.
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+...@googlegroups.com.
moonsettler
Nov 23, 2024, 2:48:30 PMNov 23
to Antoine Poinsot, Murch, bitco...@googlegroups.com
Dear List,
Can anyone think of a reason to keep OP_CHECKSIGFROMSTACKVERIFY as NOP5 available
in legacy script?
Currently Brandon and I are leaning towards simply removing CSFSV from LNhance and
from the CSFS BIP.
Reasoning:
* CSFS is more likely to be used in Symmetry
* In case where CSFSV is desired OP_CSFS OP_VERIFY is perfectly workable.
* Simplifies code
* Don't have an actual use case for CSFSV in legacy rn
* Upgradeable NOPs are scarce
* Backporting tapscript would bring all functionality to legacy
BR,
moonsettler
Sent with Proton Mail secure email.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/nRFLHRhwXER56TrZy50tJ2HmvipjteXzPfz6mEs_VmyZ5sXDNVUIUniPppSphF5SOVCQmpRZSjmBN8_eIMZEbdFgl3vJn-8XSEmpAFmj5SM%3D%40protonmail.com.
Can anyone think of a reason to keep OP_CHECKSIGFROMSTACKVERIFY as NOP5 available
in legacy script?
Currently Brandon and I are leaning towards simply removing CSFSV from LNhance and
from the CSFS BIP.
Reasoning:
* CSFS is more likely to be used in Symmetry
* In case where CSFSV is desired OP_CSFS OP_VERIFY is perfectly workable.
* Simplifies code
* Don't have an actual use case for CSFSV in legacy rn
* Upgradeable NOPs are scarce
* Backporting tapscript would bring all functionality to legacy
BR,
moonsettler
Sent with Proton Mail secure email.
Reply all
Reply to author
Forward
0 new messages