--- Log opened Wed Mar 04 00:00:12 2020
01:04 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined ##taproot-bip-review
01:09 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has quit [Ping timeout: 272 seconds]
01:10 -!- jonatack [~jon@37.171.110.92] has joined ##taproot-bip-review
01:59 -!- jonatack_ [~jon@37.167.199.192] has joined ##taproot-bip-review
02:03 -!- jonatack [~jon@37.171.110.92] has quit [Ping timeout: 258 seconds]
03:03 -!- jonatack_ [~jon@37.167.199.192] has quit [Ping timeout: 265 seconds]
03:03 -!- jonatack_ [~jon@213.152.161.25] has joined ##taproot-bip-review
03:54 -!- belcher [~belcher@unaffiliated/belcher] has joined ##taproot-bip-review
04:20 -!- jonatack_ [~jon@213.152.161.25] has quit [Ping timeout: 256 seconds]
04:22 -!- jonatack_ [~jon@37.167.220.16] has joined ##taproot-bip-review
04:54 -!- arik__ [sid402902@gateway/web/irccloud.com/x-evhbfsozdxtfdipd] has quit [Ping timeout: 252 seconds]
04:55 -!- arik__ [sid402902@gateway/web/irccloud.com/x-aoehrcvgeqodfrcf] has joined ##taproot-bip-review
05:23 -!- arik__ [sid402902@gateway/web/irccloud.com/x-aoehrcvgeqodfrcf] has quit [Ping timeout: 240 seconds]
05:23 -!- arik__ [sid402902@gateway/web/irccloud.com/x-smlrwlozrxhsmqmw] has joined ##taproot-bip-review
07:21 -!- pinheadmz [~matthewzi@45.83.89.68] has quit [Quit: pinheadmz]
07:51 -!- jonatack_ [~jon@37.167.220.16] has quit [Quit: jonatack_]
07:51 -!- jonatack [~jon@37.167.220.16] has joined ##taproot-bip-review
09:32 -!- michaelfolkson [~textual@2a00:23c5:be01:b201:55fc:f43c:fed0:4fc6] has joined ##taproot-bip-review
12:06 -!- jonatack [~jon@37.167.220.16] has quit [Read error: Connection reset by peer]
12:11 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined ##taproot-bip-review
12:44 -!- ncantu [~ncantu@37.170.175.201] has joined ##taproot-bip-review
14:00 < instagibbs> idea roconnor and I were discussing: Why not have sighash commit to the fact that all inputs are segwit spends (or not)? This makes signing protocols a bit easier when you don't necessarily have access to the full previous transaction or utxo set
14:01 < instagibbs> First thing to do is figure out if that actually solves anything in protocols that have to check this fact e.g., PayJoin(BustaPay?), LN(?)
14:02 < instagibbs> or is making signing "safe" for this fact not enough and there's just more validation to be done
14:05 < sipa> How would it interact with SIGHASH_NONE or SIGHASH_SINGLE?
14:08 < instagibbs> I guess the simplest answer is this is only enforced or only valid with SIGHASH_ALL?
14:08 < instagibbs> just like input values
14:09 < instagibbs> maybe not though, something eltoo-ish may want it
14:14 -!- roconnor [~roconnor@host-104-157-187-25.dyn.295.ca] has joined ##taproot-bip-review
14:15 < instagibbs> roconnor suspects it's only useful with sighash_all (told him to get on IRC :P )
14:16 < sipa> the downside of it being a separate sighash flag (="this signature is only valid when all inputs are segwit") is that it reveals you're interested in that property; implicitly always committing to it in all signatures does not have that problem
14:21 < roconnor> I don't have a strong preference here. I think having a "this input is or isn't segwit" flag on every input is also reasonable.
14:21 < roconnor> technically there are a few unused bits in the outpoints index value.
14:21 < roconnor> you could create new fields.
14:21 < roconnor> so many options.
14:22 < sipa> changing the outpoints index value is a hard fork
14:22 < roconnor> I just mean changing it in the sigdata.
14:23 < sipa> oh, sure
14:31 < roconnor> I don't know. Maybe I'd just add a byte after sha_sequences with a boolean flag for all inputs are segwit.
14:59 < aj> would the "this input is segwit" flag apply for p2sh-encoded-segwit?
15:00 < sipa> aj: i think the context is being able to reason about tzid malleability, so yes
15:23 -!- michaelfolkson [~textual@2a00:23c5:be01:b201:55fc:f43c:fed0:4fc6] has quit [Quit: Sleep mode]
15:44 < aj> tzid malleability is horrible, ban daylight savings
15:46 < aj> sipa: for p2sh-encoded you need to know more about the other input than what's available on chain before you can sign for your input, seems slightly weird and gives extra ordering requirements (all the p2sh-segwit inputs get processed/signed before the taproot inputs get signed), but at least it's not an extra round of interaction since there's no p2sh-taproot
15:47 < sipa> aj: i don't follow
15:48 < aj> sipa: input A is p2sh-p2wpkh, input B is taproot. i want to sign B via key path. i have to wait for whoever holds the key for A to reveal the script before I know whether to set the "all-segwit" flag or not, because i can't deduce that from on-chain info
15:49 < sipa> aj: ah, right
15:49 < aj> sipa: (if we had p2sh-taproot, and both A and B were p2sh-taproot; neither A nor B could sign until the other had revealed their script)
15:49 < sipa> though PSBT will have that information
15:50 < aj> currently you can fill out PSBT enough to sign your own input just from on-chain info though?
15:50 < sipa> yup
15:50 < sipa> yeah, this is a concern
15:51 < sipa> and arguably, if this introduces difficulties for signers that cause extra interaction steps... those interaction steps could equally be used to just verify out of band that all inputs are segwit
15:51 < aj> right, revealing the p2sh script and knowing the inputs is sufficient to know if everything's segwit
15:54 < sipa> FWIW, tzid malleability is about preventing one or more 1-character spelling changes in tranzaxions that don't affect the meaning of the word
15:59 < sipa> an alternative that doesn't have this property is a SIGHASH_MUST_BE_ALL_SEGWIT flag instead
15:59 < sipa> which you would just set always in protocols that require it
15:59 < sipa> but that has the downside that it reveals this is something you care about in the first place
16:17 < aj> itym "mallyability", and "tranzaxions" isn't a 1-char change :)
16:19 < aj> sipa: but if you set SIGHASH_MUST_BE_ALL_SEGWIT, that just means you have 0% chance of successful spend if some input is malleable, rather than x% where x is whatever the chance of malleation actually occurring is? is that actually helpful?
16:20 < sipa> aj: "one or more"
16:20 < aj> "ct"->"x" isn't a 1-char change though?
16:21 < aj> tranzaxxions maybe?
16:21 < aj> god that sounds cool
16:22 < sipa> i like it.
16:24 < aj> (hmm. if you prove that a theorem is equivalent to some axiom (ie {A,B,C} -> T, but {A,B,T} -> C also), does that make the theorem a trans-axiom?)
16:39 < aj> so i think the idea is, we have confirmed inputs A,B,..; I'm signing A with taproot, creating T which spends A,B,.., and I want to create a child tx S which spends T:0, but I can't do that safely if one of the inputs A,B,.. was non-segwit, because its sig could change turning T into T' with a different txid.
16:40 < aj> but... if that's the case, I don't know what T's txid is in the first place until I see an initial signature for the non-segwit input (or the p2sh input even if it is segwit!) and once i've seen the signed tx to calculate the txid T, i'll know if those signatures were segwit or not
16:42 < roconnor> Usually you'd create T, create S, sign S, sign input A on T.
16:42 < aj> but i at least need all the p2sh scripts for T to be revealed before i can create S
16:43 < aj> (at which point i can observe whether T is all segwit or not, and abort if i'm unhappy)
16:44 -!- pinheadmz [~matthewzi@45.83.89.68] has joined ##taproot-bip-review
16:44 < roconnor> for p2sh inputs yes. It's a good observation that the txid of T is creating committing to the sigscripts.
16:46 < roconnor> you can tell if those sigscripts are of the empty shape or p2sh shape, but neither one of those facts commits to the UTXO being segwit or not.
16:46 < roconnor> *scriptsigs
16:47 < roconnor> I can never remember the terminology.
16:49 < aj> you only have to validate the p2sh hash not the full scriptsig (ie signature checking or actual logic) to check if things are segwit or not
16:50 < aj> (you need the scriptpubkey to validate against, but we commit to those anyway so you should have them)
16:52 < roconnor> AFAIU the concern is we don't have the scriptpubkeys.
16:53 < roconnor> (but maybe I'm wrong)
16:54 < roconnor> Isn't proving a scriptpubkey belongs to an outpoint tedious?
16:54 < aj> ah, you're right
16:57 < aj> i was thinking it was committed to directly via sha_prevouts/etc, but it's not
16:57 < roconnor> I mean, we could do that...
16:57 < sipa> in taproot sighash we commit to the sPK
16:57 < aj> our sPK, not the other sPKs
16:58 < sipa> but only the one being spent
16:58 < sipa> right
16:59 -!- pinheadmz [~matthewzi@45.83.89.68] has quit [Quit: pinheadmz]
17:00 < sipa> that's... not crazy
17:00 < sipa> we already commit to all input amounts
17:00 < sipa> we could as well commit to the entire utxos
17:01 < roconnor> hash each scriptpubkey and hash those hashes?
17:01 < sipa> just turn the hash-of-all-input-amounts-concatenated to hash-of-all-CTxOuts-being-spent-concatenated
17:02 < roconnor> oh right
17:02 < roconnor> well, that makes fee calculation kinda annoying.
17:02 < sipa> how so?
17:02 < roconnor> having to process all these scripts in the way.
17:03 < sipa> they don't affect fee calculation?
17:03 < roconnor> well they do affect verifying that the hash commits to the alleged values.
17:03 < aj> if you just care about the fees, having to deal with a raw pay2multisig script as well as the 8 byte value could be obnoxious?
17:04 < sipa> roconnor: i don't understand how any of this is related to fee calculation
17:05 < aj> it's the fee commitment, not the calculation per se?
17:05 < roconnor> Today in taproot, to compute the fees you are signing you need to add up all the outputs and then have someone tell you all the input values, and then concatenate all the input values and compute the hash.
17:05 < sipa> ah
17:05 < roconnor> in your proposal you have to have someone tell you all the input values and all the script pubkeys, which are arbitrarily long, and concatenate them all together and compute the hash.
17:06 < sipa> and you mean this would force signers to be told all prevout sPKs
17:06 < sipa> i see
17:07 < sipa> intermediary hashing may help
17:07 < roconnor> the hash of hashes lets you even check one scriptpubkey instead of all of them.
17:07 < roconnor> Although it seems in most cases you'd want to check all of them or none of them.
17:08 < aj> clearly this calls for a merkle sum tree of ctxouts-being-spent
17:09 < aj> (hmm, does everyone use "clearly" for "the following isn't clear at all", or was that unique to some random maths book i read back in the day?)
17:10 < roconnor> I use it that way.
17:10 < sipa> i think "Hence, ..." is clearer (pun intended)
17:11 < roconnor> I always thought it was a math joke from reading "clearly" in math proofs that are not clear at all.
17:11 < roconnor> so maybe it is a math thing?
17:11 < aj> math things are the best things
17:15 < sipa> how to find the mathematician in the room?
17:16 < sipa> yell out loud "Let epsilon be an arbitrary number smaller than 0"
17:16 < sipa> i'm sure you can find alternatives for other math domains
17:17 < roconnor> What are the current rules around p2sh-wrapped-segwit-Vn? They are non-malleable but anyone can spend?
17:17 < sipa> by non-malleable you mean "txid does not commit to the witness" ?
17:17 < sipa> that's a vacuous statement i think if anyone can spend them :p
17:18 < roconnor> I mean that the scriptsig must be fixed but anyone can spend by submitting any witness value.
17:18 < sipa> correct
17:18 < sipa> also non-standard
17:18 < sipa> but valid with any witness by consensus (bip 341 does not affect their validity at all)
17:19 < roconnor> AFAICT signing the scriptpubkeys gives enough information to check if the txid is malleable or not. I mean, it is a bit of a pain to check, but not significantly worse than other checks.
17:20 < roconnor> like the fee check.
17:23 < roconnor> assuming you have the p2sh scriptsigs, which are needed to compute the txid that you are trying to determine if it is malleable or not.
17:23 < instagibbs> roconnor, sorry if replaying the convo, but you'd still need things like redeemscripts
17:23 < instagibbs> ok
17:23 < instagibbs> jynx
17:25 -!- pinheadmz [~matthewzi@45.83.89.68] has joined ##taproot-bip-review
17:26 < instagibbs> it makes checking for native segwit outputs really easy, at least, if you're requiring that
17:31 < roconnor> segwit scriptpubkeys are all bounded in size, so you can immediately reject anyone trying to fill the scriptpubkeys with nonsense for those who are checking this malleability condition.
17:37 < instagibbs> wallets could reject as needed as well. PSBTs already carry all this info
18:14 -!- pinheadmz [~matthewzi@45.83.89.68] has quit [Quit: pinheadmz]
18:29 -!- pinheadmz [~matthewzi@45.83.89.68] has joined ##taproot-bip-review
18:40 -!- belcher [~belcher@unaffiliated/belcher] has quit [Quit: Leaving]
18:40 -!- pinheadmz [~matthewzi@45.83.89.68] has quit [Quit: pinheadmz]
20:25 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has quit [Remote host closed the connection]
20:30 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has joined ##taproot-bip-review
21:09 -!- ncantu [~ncantu@37.170.175.201] has quit [Ping timeout: 268 seconds]
21:10 -!- ncantu [~ncantu@212.129.39.4] has joined ##taproot-bip-review
21:16 -!- pinheadmz [~matthewzi@45.83.89.68] has joined ##taproot-bip-review
21:59 -!- soju [uid403160@gateway/web/irccloud.com/x-dsbyvqasqhkaetyq] has joined ##taproot-bip-review
22:06 -!- pinheadmz [~matthewzi@45.83.89.68] has quit [Quit: pinheadmz]
22:36 -!- ncantu [~ncantu@212.129.39.4] has quit [Ping timeout: 240 seconds]
22:36 -!- ncantu [~ncantu@37.165.58.31] has joined ##taproot-bip-review
--- Log closed Thu Mar 05 00:00:12 2020