public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

* [bitcoin-dev] CTV Signet Parameters
@ 2022-02-17 21:58 Jeremy Rubin
  2022-02-18 11:13 ` 0x0ff
  2022-04-20  2:31 ` Anthony Towns
  0 siblings, 2 replies; 16+ messages in thread
From: Jeremy Rubin @ 2022-02-17 21:58 UTC (permalink / raw)
  To: Bitcoin development mailing list

[-- Attachment #1: Type: text/plain, Size: 1854 bytes --]

Hi devs,

I have been running a CTV signet for around a year and it's seen little
use. Early on I had some issues syncing new nodes, but I have verified
syncability to this signet using
https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-signet-23.0-alpha.
Please use this signet!

```
[signet]
signetchallenge=512102946e8ba8eca597194e7ed90377d9bbebc5d17a9609ab3e35e706612ee882759351ae
addnode=50.18.75.225
```

This should be operational. Let me know if there are any issues you
experience (likely with signet itself, but CTV too).

Feel free to also email me an address and I can send you some signet coins
-- if anyone is interested in running an automatic faucet I would love help
with that and will send you a lot of coins.

AJ Wrote (in another thread):

>  I'd much rather see some real
>   third-party experimentation *somewhere* public first, and Jeremy's CTV
>   signet being completely empty seems like a bad sign to me. Maybe that
>   means we should tentatively merge the feature and deploy it on the
>   default global signet though?  Not really sure how best to get more
>   real world testing; but "deploy first, test later" doesn't sit right.

I agree that real experimentation would be great, and think that merging
the code (w/o activation) for signet would likely help users v.s. custom
builds/parameters.

I am unsure that "learning in public" is required -- personally I do
experiments on regtest regularly and on mainnet (using emulators) more
occasionally. I think some of the difficulty is that for setting up signet
stuff you need to wait e.g. 10 minutes for blocks and stuff, source faucet
coins, etc. V.s. regtest you can make tests that run automatically. Maybe
seeing more regtest RPC test samples for regtests would be a sufficient
in-between?


Best,

Jeremy

--
@JeremyRubin <https://twitter.com/JeremyRubin>

[-- Attachment #2: Type: text/html, Size: 4807 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

• * Re: [bitcoin-dev] CTV Signet Parameters
    2022-02-17 21:58 [bitcoin-dev] CTV Signet Parameters Jeremy Rubin
  @ 2022-02-18 11:13 ` 0x0ff
    2022-02-22  3:19   ` Jeremy Rubin
    2022-04-20  2:31 ` Anthony Towns
    1 sibling, 1 reply; 16+ messages in thread
  From: 0x0ff @ 2022-02-18 11:13 UTC (permalink / raw)
    To: Jeremy Rubin, Bitcoin Protocol Discussion
  
  [-- Attachment #1: Type: text/plain, Size: 2235 bytes --]
  
  Good day,
  
  I've setup the explorer for CTV Signet which is now up and running at [https://explorer.ctvsignet.com](https://explorer.ctvsignet.com/)
  
  Best,
  [@0x0ff](https://twitter.com/0x0ff_)
  
  ------- Original Message -------
  On Thursday, February 17th, 2022 at 9:58 PM, Jeremy Rubin via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> wrote:
  
  > Hi devs,
  >
  > I have been running a CTV signet for around a year and it's seen little use. Early on I had some issues syncing new nodes, but I have verified syncability to this signet using https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-signet-23.0-alpha. Please use this signet!
  >
  > ```
  > [signet]
  > signetchallenge=512102946e8ba8eca597194e7ed90377d9bbebc5d17a9609ab3e35e706612ee882759351ae
  > addnode=50.18.75.225
  > ```
  >
  > This should be operational. Let me know if there are any issues you experience (likely with signet itself, but CTV too).
  >
  > Feel free to also email me an address and I can send you some signet coins -- if anyone is interested in running an automatic faucet I would love help with that and will send you a lot of coins.
  >
  > AJ Wrote (in another thread):
  >
  >> I'd much rather see some real> third-party experimentation *somewhere* public first, and Jeremy's CTV
  >> signet being completely empty seems like a bad sign to me. Maybe that
  >> means we should tentatively merge the feature and deploy it on the
  >> default global signet though? Not really sure how best to get more
  >> real world testing; but "deploy first, test later" doesn't sit right.
  >
  > I agree that real experimentation would be great, and think that merging the code (w/o activation) for signet would likely help users v.s. custom builds/parameters.
  >
  > I am unsure that "learning in public" is required -- personally I do experiments on regtest regularly and on mainnet (using emulators) more occasionally. I think some of the difficulty is that for setting up signet stuff you need to wait e.g. 10 minutes for blocks and stuff, source faucet coins, etc. V.s. regtest you can make tests that run automatically. Maybe seeing more regtest RPC test samples for regtests would be a sufficient in-between?
  >
  > Best,
  >
  > Jeremy
  >
  > --
  > [@JeremyRubin](https://twitter.com/JeremyRubin)
  
  [-- Attachment #2: Type: text/html, Size: 8297 bytes --]
  
  ^ permalink raw reply	[flat|nested] 16+ messages in thread

• • * Re: [bitcoin-dev] CTV Signet Parameters
      2022-02-18 11:13 ` 0x0ff
    @ 2022-02-22  3:19   ` Jeremy Rubin
      0 siblings, 0 replies; 16+ messages in thread
    From: Jeremy Rubin @ 2022-02-22  3:19 UTC (permalink / raw)
      To: 0x0ff; +Cc: Bitcoin Protocol Discussion
    
    [-- Attachment #1: Type: text/plain, Size: 2457 bytes --]
    
    There's also now a faucet:
    
    https://faucet.ctvsignet.com
    
    thanks 0x0ff!
    --
    @JeremyRubin <https://twitter.com/JeremyRubin>
    
    
    On Fri, Feb 18, 2022 at 3:13 AM 0x0ff <0x0ff@onsats•org> wrote:
    
    > Good day,
    >
    > I've setup the explorer for CTV Signet which is now up and running at
    > https://explorer.ctvsignet.com
    >
    > Best,
    > @0x0ff <https://twitter.com/0x0ff_>
    >
    > ------- Original Message -------
    > On Thursday, February 17th, 2022 at 9:58 PM, Jeremy Rubin via bitcoin-dev <
    > bitcoin-dev@lists•linuxfoundation.org> wrote:
    >
    > Hi devs,
    >
    > I have been running a CTV signet for around a year and it's seen little
    > use. Early on I had some issues syncing new nodes, but I have verified
    > syncability to this signet using
    > https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-signet-23.0-alpha.
    > Please use this signet!
    >
    > ```
    > [signet]
    >
    > signetchallenge=512102946e8ba8eca597194e7ed90377d9bbebc5d17a9609ab3e35e706612ee882759351ae
    > addnode=50.18.75.225
    > ```
    >
    > This should be operational. Let me know if there are any issues you
    > experience (likely with signet itself, but CTV too).
    >
    > Feel free to also email me an address and I can send you some signet coins
    > -- if anyone is interested in running an automatic faucet I would love help
    > with that and will send you a lot of coins.
    >
    > AJ Wrote (in another thread):
    >
    > > I'd much rather see some real
    > > third-party experimentation *somewhere* public first, and Jeremy's CTV
    > > signet being completely empty seems like a bad sign to me. Maybe that
    > > means we should tentatively merge the feature and deploy it on the
    > > default global signet though? Not really sure how best to get more
    > > real world testing; but "deploy first, test later" doesn't sit right.
    >
    > I agree that real experimentation would be great, and think that merging
    > the code (w/o activation) for signet would likely help users v.s. custom
    > builds/parameters.
    >
    > I am unsure that "learning in public" is required -- personally I do
    > experiments on regtest regularly and on mainnet (using emulators) more
    > occasionally. I think some of the difficulty is that for setting up signet
    > stuff you need to wait e.g. 10 minutes for blocks and stuff, source faucet
    > coins, etc. V.s. regtest you can make tests that run automatically. Maybe
    > seeing more regtest RPC test samples for regtests would be a sufficient
    > in-between?
    >
    >
    > Best,
    >
    > Jeremy
    >
    > --
    > @JeremyRubin <https://twitter.com/JeremyRubin>
    >
    >
    >
    
    [-- Attachment #2: Type: text/html, Size: 8531 bytes --]
    
    ^ permalink raw reply	[flat|nested] 16+ messages in thread

• * Re: [bitcoin-dev] CTV Signet Parameters
    2022-02-17 21:58 [bitcoin-dev] CTV Signet Parameters Jeremy Rubin
    2022-02-18 11:13 ` 0x0ff
  @ 2022-04-20  2:31 ` Anthony Towns
    2022-04-20 17:05   ` Nadav Ivgi
    2022-04-28 12:23   ` Jeremy Rubin
    1 sibling, 2 replies; 16+ messages in thread
  From: Anthony Towns @ 2022-04-20  2:31 UTC (permalink / raw)
    To: Bitcoin Protocol Discussion
  
  On Thu, Feb 17, 2022 at 01:58:38PM -0800, Jeremy Rubin via bitcoin-dev wrote:
  > AJ Wrote (in another thread):
  > >   I'd much rather see some real
  > >   third-party experimentation *somewhere* public first, and Jeremy's CTV
  > >   signet being completely empty seems like a bad sign to me. 
  
  There's now been some 2,200 txs on CTV signet, of which (if I haven't
  missed anything) 317 have been CTV spends:
  
   - none have been bare CTV (ie, CTV in scriptPubKey directly, not via
     p2sh/p2wsh/taproot)
  
   - none have been via p2sh
  
   - 3 have been via taproot:
      https://explorer.ctvsignet.com/tx/f73f4671c6ee2bdc8da597f843b2291ca539722a168e8f6b68143b8c157bee20
      https://explorer.ctvsignet.com/tx/7e4ade977db94117f2d7a71541d87724ccdad91fa710264206bb87ae1314c796
      https://explorer.ctvsignet.com/tx/e05d828bf716effc65b00ae8b826213706c216b930aff194f1fb2fca045f7f11
  
     The first two of these had alternative merkle paths, the last didn't.
  
   - 314 have been via p2wsh
      https://explorer.ctvsignet.com/tx/62292138c2f55713c3c161bd7ab36c7212362b648cf3f054315853a081f5808e
     (don't think there's any meaningfully different examples?)
  
  As far as I can see, all the scripts take the form:
  
    [PUSH 32 bytes] [OP_NOP4] [OP_DROP] [OP_1]
  
  (I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte
  hash on the stack evaluate as true? I guess that means everyone's using
  sapio to construct the txs?)
  
  I don't think there's any demos of jamesob's simple-ctv-vault [0], which
  I think uses a p2wsh of "IF n CSV DROP hotkey CHECKSIG ELSE lockcoldtx CTV
  ENDIF", rather than taproot branches.
  
  [0] https://github.com/jamesob/simple-ctv-vault
  
  Likewise I don't think there's any examples of "this CTV immediately;
  or if fees are too high, this other CTV that pays more fees after X
  days", though potentially they could be hidden in the untaken taproot
  merkle branches.
  
  I don't think there's any examples of two CTV outputs being combined
  and spent in a single transaction.
  
  I don't see any txs with nSequence set meaningfully; though most (all?)
  of the CTV spends seem to set nSequence to 0x00400000 which I think
  doesn't have a different effect from 0xfffffffe?
  
  That looks to me like there's still not much practical (vs theoretical)
  exploration of CTV going on; but perhaps it's an indication that CTV
  could be substantially simplified and still get all the benefits that
  people are particularly eager for.
  
  > I am unsure that "learning in public" is required --
  
  For a consensus system, part of the learning is "this doesn't seem that
  interesting to me; is it actually valuable enough to others that the
  change is worth the risk it imposes on me?" and that's not something
  you can do purely in private.
  
  One challenge with building a soft fork is that people don't want to
  commit to spending time building something that relies on consensus
  features and run the risk that they might never get deployed. But the
  reverse of that is also a concern: you don't want to deploy consensus
  changes and run the risk that they won't actually turn out to be useful.
  
  Or, perhaps, to "meme-ify" it -- part of the "proof of work" for deploying
  a consensus change is actually proving that it's going to be useful.
  Like sha256 hashing, that does require real work, and it might turn out
  to be wasteful.
  
  Cheers,
  aj
  
  
  
  ^ permalink raw reply	[flat|nested] 16+ messages in thread

• • * Re: [bitcoin-dev] CTV Signet Parameters
      2022-04-20  2:31 ` Anthony Towns
    @ 2022-04-20 17:05   ` Nadav Ivgi
      2022-04-21  2:36     ` Anthony Towns
      2022-04-28 12:23   ` Jeremy Rubin
      1 sibling, 1 reply; 16+ messages in thread
    From: Nadav Ivgi @ 2022-04-20 17:05 UTC (permalink / raw)
      To: Anthony Towns, Bitcoin Protocol Discussion
    
    [-- Attachment #1: Type: text/plain, Size: 4110 bytes --]
    
    > I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte hash
    on the stack evaluate as true?
    
    Not with Taproot's CLEANSTACK rule. It can make sense to always use `DROP
    OP_1` even outside of Taproot, just to keep things consistent and to avoid
    potential errors when switching from non-Taproot to Taproot. FWIW that's
    what I found myself doing when playing with CTV in P2WSH
    
    On Wed, Apr 20, 2022 at 5:31 AM Anthony Towns via bitcoin-dev <
    bitcoin-dev@lists•linuxfoundation.org> wrote:
    
    > On Thu, Feb 17, 2022 at 01:58:38PM -0800, Jeremy Rubin via bitcoin-dev
    > wrote:
    > > AJ Wrote (in another thread):
    > > >   I'd much rather see some real
    > > >   third-party experimentation *somewhere* public first, and Jeremy's
    > CTV
    > > >   signet being completely empty seems like a bad sign to me.
    >
    > There's now been some 2,200 txs on CTV signet, of which (if I haven't
    > missed anything) 317 have been CTV spends:
    >
    >  - none have been bare CTV (ie, CTV in scriptPubKey directly, not via
    >    p2sh/p2wsh/taproot)
    >
    >  - none have been via p2sh
    >
    >  - 3 have been via taproot:
    >
    > https://explorer.ctvsignet.com/tx/f73f4671c6ee2bdc8da597f843b2291ca539722a168e8f6b68143b8c157bee20
    >
    > https://explorer.ctvsignet.com/tx/7e4ade977db94117f2d7a71541d87724ccdad91fa710264206bb87ae1314c796
    >
    > https://explorer.ctvsignet.com/tx/e05d828bf716effc65b00ae8b826213706c216b930aff194f1fb2fca045f7f11
    >
    >    The first two of these had alternative merkle paths, the last didn't.
    >
    >  - 314 have been via p2wsh
    >
    > https://explorer.ctvsignet.com/tx/62292138c2f55713c3c161bd7ab36c7212362b648cf3f054315853a081f5808e
    >    (don't think there's any meaningfully different examples?)
    >
    > As far as I can see, all the scripts take the form:
    >
    >   [PUSH 32 bytes] [OP_NOP4] [OP_DROP] [OP_1]
    >
    > (I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte
    > hash on the stack evaluate as true? I guess that means everyone's using
    > sapio to construct the txs?)
    >
    > I don't think there's any demos of jamesob's simple-ctv-vault [0], which
    > I think uses a p2wsh of "IF n CSV DROP hotkey CHECKSIG ELSE lockcoldtx CTV
    > ENDIF", rather than taproot branches.
    >
    > [0] https://github.com/jamesob/simple-ctv-vault
    >
    > Likewise I don't think there's any examples of "this CTV immediately;
    > or if fees are too high, this other CTV that pays more fees after X
    > days", though potentially they could be hidden in the untaken taproot
    > merkle branches.
    >
    > I don't think there's any examples of two CTV outputs being combined
    > and spent in a single transaction.
    >
    > I don't see any txs with nSequence set meaningfully; though most (all?)
    > of the CTV spends seem to set nSequence to 0x00400000 which I think
    > doesn't have a different effect from 0xfffffffe?
    >
    > That looks to me like there's still not much practical (vs theoretical)
    > exploration of CTV going on; but perhaps it's an indication that CTV
    > could be substantially simplified and still get all the benefits that
    > people are particularly eager for.
    >
    > > I am unsure that "learning in public" is required --
    >
    > For a consensus system, part of the learning is "this doesn't seem that
    > interesting to me; is it actually valuable enough to others that the
    > change is worth the risk it imposes on me?" and that's not something
    > you can do purely in private.
    >
    > One challenge with building a soft fork is that people don't want to
    > commit to spending time building something that relies on consensus
    > features and run the risk that they might never get deployed. But the
    > reverse of that is also a concern: you don't want to deploy consensus
    > changes and run the risk that they won't actually turn out to be useful.
    >
    > Or, perhaps, to "meme-ify" it -- part of the "proof of work" for deploying
    > a consensus change is actually proving that it's going to be useful.
    > Like sha256 hashing, that does require real work, and it might turn out
    > to be wasteful.
    >
    > Cheers,
    > aj
    >
    > _______________________________________________
    > bitcoin-dev mailing list
    > bitcoin-dev@lists•linuxfoundation.org
    > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
    >
    
    [-- Attachment #2: Type: text/html, Size: 5805 bytes --]
    
    ^ permalink raw reply	[flat|nested] 16+ messages in thread

  • • * Re: [bitcoin-dev] CTV Signet Parameters
        2022-04-20 17:05   ` Nadav Ivgi
      @ 2022-04-21  2:36     ` Anthony Towns
        0 siblings, 0 replies; 16+ messages in thread
      From: Anthony Towns @ 2022-04-21  2:36 UTC (permalink / raw)
        To: Nadav Ivgi, Bitcoin Protocol Discussion
      
      On Wed, Apr 20, 2022 at 08:05:36PM +0300, Nadav Ivgi via bitcoin-dev wrote:
      > > I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte hash
      > on the stack evaluate as true?
      > Not with Taproot's CLEANSTACK rule. 
      
      The CLEANSTACK rule is the same for segwit and tapscript though? 
      
      For p2wsh/BIP 141 it's "The script must not fail, and result in exactly
      a single TRUE on the stack." and for tapscript/BIP 342, it's "If the
      execution results in anything but exactly one element on the stack which
      evaluates to true with CastToBool(), fail."
      
      CastToBool/TRUE is anything that's not false, false is zero (ie, any
      string of 0x00 bytes) or negative zero (a string of 0x00 bytes but with
      the high byte being 0x80).
      
      Taproot has the MINIMALIF rule that means you have to use exactly 1 or 0
      as the input to IF, but I don't think that's relevant for CTV.
      
      Cheers,
      aj
      
      
      
      ^ permalink raw reply	[flat|nested] 16+ messages in thread

  • * Re: [bitcoin-dev] CTV Signet Parameters
      2022-04-20  2:31 ` Anthony Towns
      2022-04-20 17:05   ` Nadav Ivgi
    @ 2022-04-28 12:23   ` Jeremy Rubin
      1 sibling, 0 replies; 16+ messages in thread
    From: Jeremy Rubin @ 2022-04-28 12:23 UTC (permalink / raw)
      To: Anthony Towns; +Cc: Bitcoin Protocol Discussion
    
    [-- Attachment #1: Type: text/plain, Size: 924 bytes --]
    
    Sorry I didn't see this snippet fully earlier, but I caught it in Optech
    (cc harding)
    
    
    > *(I didn't think DROP/1 is necessary here? Doesn't leaving the 32 byte*
    > *hash on the stack evaluate as true? I guess that means everyone's using**sapio to
    > construct the txs?)*
    
    
    Not quite: it would mean that everyone is using *sapio-miniscript**, *which
    may or may not be in Sapio, or they are using a different miniscript
    implementation that is compatible with sapio-miniscript's CTV fragment
    (which is sort of the most obvious way to implement it), or they are hand
    writing the script and are still using that fragment.
    
    E.g., you can see
    https://min.sc/nextc/#gist=001cf1fcb0e24ca9f3614c4db9bfe57d:2 or
    https://min.sc/nextc/#gist=001cf1fcb0e24ca9f3614c4db9bfe57d:0 both of these
    might "look" like sapio, but are built using minsc.
    
    The underlying point might still stand, but using miniscript seems
    different than using Sapio.
    
    [-- Attachment #2: Type: text/html, Size: 2632 bytes --]
    
    ^ permalink raw reply	[flat|nested] 16+ messages in thread

* Re: [bitcoin-dev] CTV Signet Parameters
@ 2022-04-20 17:13 Buck O Perley
  2022-04-21  5:03 ` Anthony Towns
  0 siblings, 1 reply; 16+ messages in thread
From: Buck O Perley @ 2022-04-20 17:13 UTC (permalink / raw)
  To: bitcoin-dev


[-- Attachment #1.1.1: Type: text/plain, Size: 10396 bytes --]

Hi AJ,
Long time listener first time caller here.
All merits (or lack thereof depending on your view) of CTV aside, I find this topic around decision making both interesting and important. While I think I sympathize with the high level concern about making sure there are use cases, interest, and sufficient testing of a particular proposal before soft forking it into consensus code, it does feel like the attempt to attribute hard numbers in this way is somewhat arbitrary.
For example, I think it could be reasonable to paint the list of examples you provided where CTV has been used on signet in a positive light. 317 CTV spends “out in the wild” before there’s a known activation date is quite a lot (more than taproot had afaik). If we don’t think it is enough, then what number of unique spends and use cases should we expect to see of a new proposal before it’s been sufficiently tested?
Perhaps this is simply a case of the Justice Stewart view on pornography where “you know it when you see it”[1], but then if that’s the case than it really doesn’t seem productive to use these numbers to evaluate the readiness and eagerness to use CTV since they are effectively arbitrary and could be used to make the argument in either direction.
So perhaps it just *felt* like there was more need and ready-to-use applications of taproot, and perhaps this feeling is broadly shared and that’s fine, and it doesn’t *feel* that way for CTV, but by the measures you laid out were there as many uses in the wild of taproot spends before it was brought to Speedy Trial? As far as I’m aware there seemed to be more broken [2], premature Taproot spends then actual practical uses of it on a test network before it was fully activated (I might be wrong about this though). Meanwhile the primary tooling necessary to really make it useful (PTLCs, Musig2, FROST) weren’t even fully specced out yet let alone actively being used on a test network and the list of proposed applications on the bitcoin wiki [3] (last updated April 2021) is similarly sparse and not quite up to the standards you’ve set for CTV to be the next soft fork (this is to say nothing of the fact that many prefer to develop, build, and test on regtest than signet at this stage).
Maybe this is similarly an argument for Taproot being activated too early and that may be a fair argument (not one I share to be clear). If that’s the case, I think it’s reasonable to put all cards on the table and we should be explicit that Taproot activation was premature for [X] reasons, here’s the new standard we want to have new proposals hit (a signet, expected level of activity, etc.). Then whether it’s CTV or TLUV or ANYPREVOUT, that’s what we as a community, the developers maintaining the proposals, and the developers/companies that plan to build on top of the new proposal should strive to achieve.
In absence of the above, the risk of a constantly moving bar means the possibility of either insufficiently reviewed proposals getting activated because we’re complacent and just placing trust in a small cadre of experts (nothing malicious in this, just seems worth avoiding) or personal and subjective reasoning allowing for premature ossification and blocking of upgrades that could otherwise be considered safe, useful, and perhaps even necessary on a long enough time horizon.
There’s also the other risk which you point out:

> One challenge with building a soft fork is that people don't want tocommit to spending time building something that relies on consensusfeatures and run the risk that they might never get deployed. But thereverse of that is also a concern: you don't want to deploy consensuschanges and run the risk that they won't actually turn out to be useful.


Perhaps if we had clear metrics of what would make the work worth it, if we knew what we were working towards, we’d be more likely to get that proof of work. To use your meme, miners know precisely what they’re mining for and what a metric of success looks like which makes the risk/costs of attempting the PoW worth it (or conversely sometimes resulting the decision for miners to be decommissioned). In addition to the examples listed above, even Taproot which most agree had relatively broad consensus didn’t have much work happening on top of it until it was activated. Suredbits as far as I’m aware didn’t want to build DLCs on top of lightning until taproot AND PTLCs were in use (in contrast we already have a DLC implementation that uses CTV[4]). We also have new ideas that only started coming up after Taproot activation (TLUV and Taro for example), so there’s also the unknown of what we could have once it becomes clear that it’s worth devoting mental energy and financial resources towards research.
One last wrinkle with regards to using countable metrics to determine a feature’s “worth” is that not all features are the same. Many of the use cases that people are excited to use CTV for ([5], [6]) are very long term in nature and targeted for long term store of value in contrast to medium of exchange. Metrics for measuring value of a store of value upgrade are fundamentally different than those measuring value of MoE. It’s like people pointing to transaction volume on other cryptocurrency systems to show that their chain is more valuable. You can build a CTV vault in signet, but you’ll only really see a lot of people using it when it’s to store real value on a time scale measured in decades not minutes or days like you might find for lightning testing and experimentation. This doesn’t make one more or less desirable or valuable imo, just that the evaluation metrics should be treated totally differently.
Anyway, I guess that’s a (very) long way of saying, are these constructive ways to evaluate an upgrade and if they are can we maybe have an idea of what a success vs. a failure metric looks like (and in the interest of retrospection and iterative improvement, it would be useful to know if in retrospect Taproot didn’t reach these metrics and maybe was activated prematurely as a result). To put another way and leave CTV out of it completely, what should an outside, unbiased observer that doesn’t spend much time on Twitter expect to be able to see to evaluate the readiness or acceptability of ANYPREVOUT, TLUV, or any other possible future soft forks? If nothing else, nailing this down would seem to help make the lives of key bitcoin core maintainers much easier by removing politics from decisions that should otherwise be as technical in nature as possible.
[1](http://cbldf.org/about-us/case-files/obscenity-case-files/obscenity-case-files-jacobellis-v-ohio-i-know-it-when-i-see-it/)
[2](https://suredbits.com/taproot-funds-burned-on-the-bitcoin-blockchain/)
[3](https://en.bitcoin.it/wiki/Taproot_Uses)
[4](https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/derivatives/dlc.rs)
[5](https://github.com/kanzure/python-vaults/blob/master/vaults/bip119_ctv.py)
[6](https://github.com/jamesob/simple-ctv-vault)


> On Thu, Feb 17, 2022 at 01:58:38PM -0800, Jeremy Rubin via bitcoin-dev wrote:AJ Wrote (in another thread): I'd much rather see some real third-party experimentation *somewhere* public first, and Jeremy's CTV signet being completely empty seems like a bad sign to me.
> There's now been some 2,200 txs on CTV signet, of which (if I haven'tmissed anything) 317 have been CTV spends:
> - none have been bare CTV (ie, CTV in scriptPubKey directly, not via  p2sh/p2wsh/taproot)
> - none have been via p2sh
> - 3 have been via taproot:  https://explorer.ctvsignet.com/tx/f73f4671c6ee2bdc8da597f843b2291ca539722a168e8f6b68143b8c157bee20  https://explorer.ctvsignet.com/tx/7e4ade977db94117f2d7a71541d87724ccdad91fa710264206bb87ae1314c796  https://explorer.ctvsignet.com/tx/e05d828bf716effc65b00ae8b826213706c216b930aff194f1fb2fca045f7f11
>   The first two of these had alternative merkle paths, the last didn't.
> - 314 have been via p2wsh  https://explorer.ctvsignet.com/tx/62292138c2f55713c3c161bd7ab36c7212362b648cf3f054315853a081f5808e  (don't think there's any meaningfully different examples?)
> As far as I can see, all the scripts take the form:
>  [PUSH 32 bytes] [OP_NOP4] [OP_DROP] [OP_1]
> (I didn't think DROP/1 is necessary here? Doesn't leaving the 32 bytehash on the stack evaluate as true? I guess that means everyone's usingsapio to construct the txs?)
> I don't think there's any demos of jamesob's simple-ctv-vault [0], whichI think uses a p2wsh of "IF n CSV DROP hotkey CHECKSIG ELSE lockcoldtx CTVENDIF", rather than taproot branches.
> [0] https://github.com/jamesob/simple-ctv-vault
> Likewise I don't think there's any examples of "this CTV immediately;or if fees are too high, this other CTV that pays more fees after Xdays", though potentially they could be hidden in the untaken taprootmerkle branches.
> I don't think there's any examples of two CTV outputs being combinedand spent in a single transaction.
> I don't see any txs with nSequence set meaningfully; though most (all?)of the CTV spends seem to set nSequence to 0x00400000 which I thinkdoesn't have a different effect from 0xfffffffe?
> That looks to me like there's still not much practical (vs theoretical)exploration of CTV going on; but perhaps it's an indication that CTVcould be substantially simplified and still get all the benefits thatpeople are particularly eager for.
> I am unsure that "learning in public" is required --
> For a consensus system, part of the learning is "this doesn't seem thatinteresting to me; is it actually valuable enough to others that thechange is worth the risk it imposes on me?" and that's not somethingyou can do purely in private.
> One challenge with building a soft fork is that people don't want tocommit to spending time building something that relies on consensusfeatures and run the risk that they might never get deployed. But thereverse of that is also a concern: you don't want to deploy consensuschanges and run the risk that they won't actually turn out to be useful.
> Or, perhaps, to "meme-ify" it -- part of the "proof of work" for deployinga consensus change is actually proving that it's going to be useful.Like sha256 hashing, that does require real work, and it might turn outto be wasteful.
> Cheers,

[-- Attachment #1.1.2.1: Type: text/html, Size: 22450 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 249 bytes --]

^ permalink raw reply	[flat|nested] 16+ messages in thread

• * Re: [bitcoin-dev] CTV Signet Parameters
    2022-04-20 17:13 Buck O Perley
  @ 2022-04-21  5:03 ` Anthony Towns
    2022-04-21  6:16   ` Jeremy Rubin
    2022-04-21 13:22   ` Russell O'Connor
    0 siblings, 2 replies; 16+ messages in thread
  From: Anthony Towns @ 2022-04-21  5:03 UTC (permalink / raw)
    To: Buck O Perley, Bitcoin Protocol Discussion
  
  On Wed, Apr 20, 2022 at 05:13:19PM +0000, Buck O Perley via bitcoin-dev wrote:
  > All merits (or lack thereof depending on your view) of CTV aside, I find this topic around decision making both interesting and important. While I think I sympathize with the high level concern about making sure there are use cases, interest, and sufficient testing of a particular proposal before soft forking it into consensus code, it does feel like the attempt to attribute hard numbers in this way is somewhat arbitrary.
  
  Sure. I included the numbers for falsifiability mostly -- so people
  could easily check if my analysis was way off the mark.
  
  > For example, I think it could be reasonable to paint the list of examples you provided where CTV has been used on signet in a positive light. 317 CTV spends “out in the wild” before there’s a known activation date is quite a lot
  
  Not really? Once you can make one transaction, it's trivial to make
  hundreds. It's more interesting to see if there's multiple wallets or
  similar that support it; or if one wallet has a particularly compelling
  use case.
  
  > (more than taproot had afaik).
  
  Yes; as I've said a few times now, I think we should have had more
  real life demos before locking taproot's activation in. I think that
  would have helped avoid bugs like Neutrino's [0] and made it easier for
  hardware wallets etc to have support for taproot as soon as it was active,
  without having to rush around adding library support at the last minute.
  
  [0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-November/019589.html 
  
  Lightning's "two independent implementations" rule might be worth aspiring
  too, eg.
  
  > If we don’t think it is enough, then what number of unique spends and use cases should we expect to see of a new proposal before it’s been sufficiently tested?
  
  I don't really think that's the metric. I'd go for something more like:
  
   1a) can you make transactions using the new feature with bitcoin-cli,
       eg createrawtransaction etc?
   1b) can you make transactions using the new feature with some other
       library?
   1c) can you make transactions using the new feature with most common
       libraries?
  
   2) has anyone done a usable prototype of the major use cases of the new
      feature?
  
  I think the answers for CTV are:
  
   1a) no
   1b) yes, core's python test suite, sapio
   1c) no
   2) no
   
  Though presumably jamesob's simple ctv vault is close to being an answer
  for (2)?
  
  For taproot, we had,
  
   1a) yes, with difficulty [1]
   1b) yes, core's python test suite; kalle's btcdeb sometimes worked too
   1c) no
   2) optech's python notebook [2] from it's taproot workshops had demos for
      musig and degrading multisig via multiple merkle paths, though I
      think they were out of date with the taproot spec for a while
  
  [1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019543.html
  [2] https://github.com/bitcoinops/taproot-workshop/
  
  To some extent those things are really proxies for:
  
   3) how well do people actually understand the feature?
  
   4) are we sure the tradeoffs being made in this implementation of the
      feature, vs other implementations or other features actually make
      sense?
  
   5) how useful is the feature?
  
  I think we were pretty confident in the answers for those questions
  for taproot. At least personally, I'm still not super confident in
  the answers for CTV. In particular:
  
   - is there really any benefit to doing it as a NOP vs a taproot-only
     opcode like TXHASH? Theoretically, sure, that saves some bytes; but as
     was pointed out on #bitcoin-wizards the other day, you can't express
     those outputs as an address, which makes them not very interoperable,
     and if they're not interoperable between, say, an exchange and its
     users trying to do a withdraw, how useful is that really ever going
     to be?
  
   - the scriptSig commitments seems very kludgy; combining multiple
     inputs likewise seems kludgy
  
  The continual push to rush activation of it certainly doesn't increase my
  confidence either. Personally, I suspect it's counterproductive; better
  to spend the time answering questions and improving the proposal, rather
  than spending time going around in circles about activating something
  people aren't (essentially) unanimously confident about.
  
  > In absence of the above, the risk of a constantly moving bar 
  
  I'd argue the bar *should* be constantly moving, in the sense that we
  should keep raising it.
  
  > To use your meme, miners know precisely what they’re mining for and what a metric of success looks like which makes the risk/costs of attempting the PoW worth it 
  
  The difference between mining and R&D is variance: if you're competing for
  50k blocks a year, you can get your actual returns to closely match your
  expected return, especially if you pool with others so your probability
  of success isn't miniscule -- for consensus dev, you can reasonably only
  work on a couple of projects a year, so your median return is likely $0,
  rather than a close match to your average/expected return.
  
  > We also have new ideas that only started coming up after Taproot activation (TLUV and Taro for example), so there’s also the unknown of what we could have once it becomes clear that it’s worth devoting mental energy and financial resources towards research.
  
  TLUV was an offshoot of SCRIPTREPLACE which was public (though not
  really published) since 2019.
  
  > One last wrinkle with regards to using countable metrics to determine a feature’s “worth” is that not all features are the same. Many of the use cases that people are excited to use CTV for ([5], [6]) are very long term in nature and targeted for long term store of value in contrast to medium of exchange.
  
  I mean, if those use cases are so exciting, it really doesn't seem much
  to ask to see them demoed live on the CTV signet that already exists?
  
  > You can build a CTV vault in signet, but you’ll only really see a lot of people using it when it’s to store real value on a time scale measured in decades not minutes or days 
  
  On the other hand, if the value is really "very long term" and there's no
  rush to implement these features and demo them ASAP, then it doesn't seem
  like there should be a rush to adapt consensus to these use cases either.
  Why not wait until someone does have time to finish sketching out the
  use case so they can demo them in public?
  
  > To put another way and leave CTV out of it completely, what should an outside, unbiased observer that doesn’t spend much time on Twitter expect to be able to see to evaluate the readiness or acceptability of ANYPREVOUT, TLUV, 
  
  For ANYPREVOUT, I would like to see a toy implementation of eltoo using
  it, that can handle fees and layered transactions (or has a good argument
  why layered transactions aren't necessary). It's going to take a while
  even to update LN to taproot and PTLCs though, so eltoo doesn't seem like
  it's on the immediate horizon. Besides eltoo, I don't think ANYPREVOUT
  is an optimal design for covenants, so if that was the motivation and
  not eltoo, maybe some other approach would be better.
  
  TLUV's design parameters don't really seem optimal (the mess with x-only
  pubkeys, alternatives like OP_EVICT), so I think it's still on the
  whiteboard.
  
  Cheers,
  aj
  
  
  
  ^ permalink raw reply	[flat|nested] 16+ messages in thread

• • * Re: [bitcoin-dev] CTV Signet Parameters
      2022-04-21  5:03 ` Anthony Towns
    @ 2022-04-21  6:16   ` Jeremy Rubin
      2022-04-21  6:25     ` Jeremy Rubin
      2022-04-21 13:22   ` Russell O'Connor
      1 sibling, 1 reply; 16+ messages in thread
    From: Jeremy Rubin @ 2022-04-21  6:16 UTC (permalink / raw)
      To: Anthony Towns, Bitcoin Protocol Discussion
    
    [-- Attachment #1: Type: text/plain, Size: 12010 bytes --]
    
    Probably merits a more thorough response, but, I wanted to respond on the
    framework above:
    
    
     1a) can you make transactions using the new feature with bitcoin-cli,
         eg createrawtransaction etc? (*YES)*
    
    since ~Feb 2020, this has existed:
    https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-feb1-workshop
    
    CTV hasn't changed so this code should work un-rebased. The transaction
    outputs may need to be manually submitted to the network, but the covenant
    is enforced. This covers congestion control and vaults.
    
    
     1b) can you make transactions using the new feature with some other
         library? *(YES)*
    Sapio, Test Framework, also https://min.sc/nextc/ produced independently by
    Shesek
    
     1c) can you make transactions using the new feature with most common
         libraries? *(YES, kinda)*
    
    Yes, https://crates.io/crates/sapio-miniscript and
    https://crates.io/crates/sapio-bitcoin have been maintained for about 1
    year, and are now taproot compatible.
    
    Sapio's use of these libraries has even helped find bugs in the release
    process of Taproot for rust-bitcoin.
    
    kinda: It's not _most_ common libraries, it's _a_ common library. it's also
    not upstreamed, because the patches would not be accepted were it to be.
    
     2) has anyone done a usable prototype of the major use cases of the new
        feature?* (YES)*
    
    In addition to https://github.com/jamesob/simple-ctv-vault, there is also
    https://github.com/kanzure/python-vaults, although it has an interesting
    bug.
    
    There's also a myriad of uses shown in
    https://github.com/sapio-lang/sapio/tree/master/sapio-contrib/src/contracts
    and in https://github.com/sapio-lang/sapio/tree/master/plugin-example.
    While these aren't quite "usable" as an end-to-end application, e.g.,
    something you'd want to put real money on, they are a part of a *massive*
    infrastructure investment in general purpose smart contract tooling for
    covenant design with CTV. That CTV can be targeted with a compiler to
    generate a wide variety of composable use cases *is* one of the use cases
    for CTV, since it enables people to design many different types of thing
    relatively easily. That is a feature of CTV! It's not just for one use case.
    
    The suite of Sapio apps are less "production ready" than they could be for
    a few reasons:
    
    1) I've been working hard at pushing the limits of what is possible & the
    theory of it v.s. making it production ready
    2) I prioritized supporting Taproot v.s. legacy script, and much of the
    taproot tooling isn't production ready
    3) Sapio is really ambitious undertaking, and it will take time to make it
    production
    
    That said, https://rubin.io/bitcoin/2022/03/22/sapio-studio-btc-dev-mtg-6/
    tutorial was completed by people who weren't me, and at the
    pleb.fi/miami2022 one of the projects was able to use sapio congestion
    control transactions as well, so it does "work". As it matures, we'll get a
    number of implemented use cases people have been excited about like DLCs,
    which are implemented here
    https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/derivatives/dlc.rs.
    You can see the test case shows how to construct one.
    
    Why did I not focus on production grade? Well, production grade can always
    happen later, and I don't think it takes as much imagination. But the main
    critique I'd heard of CTV was that no one could see it being used for
    anything but one or two use cases. So I built Sapio, in part, to show how
    CTV could be used for an incredibly wide and diverse set of applications,
    as opposed to the polish on them.
    
    If I knew the bar to surpass was to be polish, I probably could have taken
    a less ambitious approach with Sapio and shown like 1-2 applications
    working end-to-end. But because the main feedback I got was that CTV wasn't
    powerful enough, I opted to build a very general framework for covenants
    and demonstrate how CTV fits that.
    
    
    
    
    
    --
    @JeremyRubin <https://twitter.com/JeremyRubin>
    
    On Thu, Apr 21, 2022 at 12:05 AM Anthony Towns via bitcoin-dev <
    bitcoin-dev@lists•linuxfoundation.org> wrote:
    
    > On Wed, Apr 20, 2022 at 05:13:19PM +0000, Buck O Perley via bitcoin-dev
    > wrote:
    > > All merits (or lack thereof depending on your view) of CTV aside, I find
    > this topic around decision making both interesting and important. While I
    > think I sympathize with the high level concern about making sure there are
    > use cases, interest, and sufficient testing of a particular proposal before
    > soft forking it into consensus code, it does feel like the attempt to
    > attribute hard numbers in this way is somewhat arbitrary.
    >
    > Sure. I included the numbers for falsifiability mostly -- so people
    > could easily check if my analysis was way off the mark.
    >
    > > For example, I think it could be reasonable to paint the list of
    > examples you provided where CTV has been used on signet in a positive
    > light. 317 CTV spends “out in the wild” before there’s a known activation
    > date is quite a lot
    >
    > Not really? Once you can make one transaction, it's trivial to make
    > hundreds. It's more interesting to see if there's multiple wallets or
    > similar that support it; or if one wallet has a particularly compelling
    > use case.
    >
    > > (more than taproot had afaik).
    >
    > Yes; as I've said a few times now, I think we should have had more
    > real life demos before locking taproot's activation in. I think that
    > would have helped avoid bugs like Neutrino's [0] and made it easier for
    > hardware wallets etc to have support for taproot as soon as it was active,
    > without having to rush around adding library support at the last minute.
    >
    > [0]
    > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-November/019589.html
    >
    > Lightning's "two independent implementations" rule might be worth aspiring
    > too, eg.
    >
    > > If we don’t think it is enough, then what number of unique spends and
    > use cases should we expect to see of a new proposal before it’s been
    > sufficiently tested?
    >
    > I don't really think that's the metric. I'd go for something more like:
    >
    >  1a) can you make transactions using the new feature with bitcoin-cli,
    >      eg createrawtransaction etc?
    >  1b) can you make transactions using the new feature with some other
    >      library?
    >  1c) can you make transactions using the new feature with most common
    >      libraries?
    >
    >  2) has anyone done a usable prototype of the major use cases of the new
    >     feature?
    >
    > I think the answers for CTV are:
    >
    >  1a) no
    >  1b) yes, core's python test suite, sapio
    >  1c) no
    >  2) no
    >
    > Though presumably jamesob's simple ctv vault is close to being an answer
    > for (2)?
    >
    > For taproot, we had,
    >
    >  1a) yes, with difficulty [1]
    >  1b) yes, core's python test suite; kalle's btcdeb sometimes worked too
    >  1c) no
    >  2) optech's python notebook [2] from it's taproot workshops had demos for
    >     musig and degrading multisig via multiple merkle paths, though I
    >     think they were out of date with the taproot spec for a while
    >
    > [1]
    > https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019543.html
    > [2] https://github.com/bitcoinops/taproot-workshop/
    >
    > To some extent those things are really proxies for:
    >
    >  3) how well do people actually understand the feature?
    >
    >  4) are we sure the tradeoffs being made in this implementation of the
    >     feature, vs other implementations or other features actually make
    >     sense?
    >
    >  5) how useful is the feature?
    >
    > I think we were pretty confident in the answers for those questions
    > for taproot. At least personally, I'm still not super confident in
    > the answers for CTV. In particular:
    >
    >  - is there really any benefit to doing it as a NOP vs a taproot-only
    >    opcode like TXHASH? Theoretically, sure, that saves some bytes; but as
    >    was pointed out on #bitcoin-wizards the other day, you can't express
    >    those outputs as an address, which makes them not very interoperable,
    >    and if they're not interoperable between, say, an exchange and its
    >    users trying to do a withdraw, how useful is that really ever going
    >    to be?
    >
    >  - the scriptSig commitments seems very kludgy; combining multiple
    >    inputs likewise seems kludgy
    >
    > The continual push to rush activation of it certainly doesn't increase my
    > confidence either. Personally, I suspect it's counterproductive; better
    > to spend the time answering questions and improving the proposal, rather
    > than spending time going around in circles about activating something
    > people aren't (essentially) unanimously confident about.
    >
    > > In absence of the above, the risk of a constantly moving bar
    >
    > I'd argue the bar *should* be constantly moving, in the sense that we
    > should keep raising it.
    >
    > > To use your meme, miners know precisely what they’re mining for and what
    > a metric of success looks like which makes the risk/costs of attempting the
    > PoW worth it
    >
    > The difference between mining and R&D is variance: if you're competing for
    > 50k blocks a year, you can get your actual returns to closely match your
    > expected return, especially if you pool with others so your probability
    > of success isn't miniscule -- for consensus dev, you can reasonably only
    > work on a couple of projects a year, so your median return is likely $0,
    > rather than a close match to your average/expected return.
    >
    > > We also have new ideas that only started coming up after Taproot
    > activation (TLUV and Taro for example), so there’s also the unknown of what
    > we could have once it becomes clear that it’s worth devoting mental energy
    > and financial resources towards research.
    >
    > TLUV was an offshoot of SCRIPTREPLACE which was public (though not
    > really published) since 2019.
    >
    > > One last wrinkle with regards to using countable metrics to determine a
    > feature’s “worth” is that not all features are the same. Many of the use
    > cases that people are excited to use CTV for ([5], [6]) are very long term
    > in nature and targeted for long term store of value in contrast to medium
    > of exchange.
    >
    > I mean, if those use cases are so exciting, it really doesn't seem much
    > to ask to see them demoed live on the CTV signet that already exists?
    >
    > > You can build a CTV vault in signet, but you’ll only really see a lot of
    > people using it when it’s to store real value on a time scale measured in
    > decades not minutes or days
    >
    > On the other hand, if the value is really "very long term" and there's no
    > rush to implement these features and demo them ASAP, then it doesn't seem
    > like there should be a rush to adapt consensus to these use cases either.
    > Why not wait until someone does have time to finish sketching out the
    > use case so they can demo them in public?
    >
    > > To put another way and leave CTV out of it completely, what should an
    > outside, unbiased observer that doesn’t spend much time on Twitter expect
    > to be able to see to evaluate the readiness or acceptability of ANYPREVOUT,
    > TLUV,
    >
    > For ANYPREVOUT, I would like to see a toy implementation of eltoo using
    > it, that can handle fees and layered transactions (or has a good argument
    > why layered transactions aren't necessary). It's going to take a while
    > even to update LN to taproot and PTLCs though, so eltoo doesn't seem like
    > it's on the immediate horizon. Besides eltoo, I don't think ANYPREVOUT
    > is an optimal design for covenants, so if that was the motivation and
    > not eltoo, maybe some other approach would be better.
    >
    > TLUV's design parameters don't really seem optimal (the mess with x-only
    > pubkeys, alternatives like OP_EVICT), so I think it's still on the
    > whiteboard.
    >
    > Cheers,
    > aj
    >
    > _______________________________________________
    > bitcoin-dev mailing list
    > bitcoin-dev@lists•linuxfoundation.org
    > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
    >
    
    [-- Attachment #2: Type: text/html, Size: 18994 bytes --]
    
    ^ permalink raw reply	[flat|nested] 16+ messages in thread

  • • * Re: [bitcoin-dev] CTV Signet Parameters
        2022-04-21  6:16   ` Jeremy Rubin
      @ 2022-04-21  6:25     ` Jeremy Rubin
        0 siblings, 0 replies; 16+ messages in thread
      From: Jeremy Rubin @ 2022-04-21  6:25 UTC (permalink / raw)
        To: Anthony Towns, Bitcoin Protocol Discussion
      
      [-- Attachment #1: Type: text/plain, Size: 12852 bytes --]
      
      Missed one for part 2:
      
      Shesek's social recovery wallet using CTV to enforce timelocks without
      expiry, using his Minsc toolchain:
      
      https://twitter.com/shesek/status/1511619296367153153
      https://docs.google.com/presentation/d/1B59CdMIXW-wSW6CaLSgo7y4kvgrEwVgfY14IW2XV_MA/edit#slide=id.g1235f9ffb79_0_81
      https://github.com/shesek/plebfi2022-social-recovery
      --
      @JeremyRubin <https://twitter.com/JeremyRubin>
      
      
      On Thu, Apr 21, 2022 at 1:16 AM Jeremy Rubin <jeremy.l.rubin@gmail•com>
      wrote:
      
      > Probably merits a more thorough response, but, I wanted to respond on the
      > framework above:
      >
      >
      >  1a) can you make transactions using the new feature with bitcoin-cli,
      >      eg createrawtransaction etc? (*YES)*
      >
      > since ~Feb 2020, this has existed:
      > https://github.com/JeremyRubin/bitcoin/tree/checktemplateverify-feb1-workshop
      >
      > CTV hasn't changed so this code should work un-rebased. The transaction
      > outputs may need to be manually submitted to the network, but the covenant
      > is enforced. This covers congestion control and vaults.
      >
      >
      >  1b) can you make transactions using the new feature with some other
      >      library? *(YES)*
      > Sapio, Test Framework, also https://min.sc/nextc/ produced independently
      > by Shesek
      >
      >  1c) can you make transactions using the new feature with most common
      >      libraries? *(YES, kinda)*
      >
      > Yes, https://crates.io/crates/sapio-miniscript and
      > https://crates.io/crates/sapio-bitcoin have been maintained for about 1
      > year, and are now taproot compatible.
      >
      > Sapio's use of these libraries has even helped find bugs in the release
      > process of Taproot for rust-bitcoin.
      >
      > kinda: It's not _most_ common libraries, it's _a_ common library. it's
      > also not upstreamed, because the patches would not be accepted were it to
      > be.
      >
      >  2) has anyone done a usable prototype of the major use cases of the new
      >     feature?* (YES)*
      >
      > In addition to https://github.com/jamesob/simple-ctv-vault, there is also
      > https://github.com/kanzure/python-vaults, although it has an interesting
      > bug.
      >
      > There's also a myriad of uses shown in
      > https://github.com/sapio-lang/sapio/tree/master/sapio-contrib/src/contracts
      > and in https://github.com/sapio-lang/sapio/tree/master/plugin-example.
      > While these aren't quite "usable" as an end-to-end application, e.g.,
      > something you'd want to put real money on, they are a part of a *massive*
      > infrastructure investment in general purpose smart contract tooling for
      > covenant design with CTV. That CTV can be targeted with a compiler to
      > generate a wide variety of composable use cases *is* one of the use cases
      > for CTV, since it enables people to design many different types of thing
      > relatively easily. That is a feature of CTV! It's not just for one use case.
      >
      > The suite of Sapio apps are less "production ready" than they could be for
      > a few reasons:
      >
      > 1) I've been working hard at pushing the limits of what is possible & the
      > theory of it v.s. making it production ready
      > 2) I prioritized supporting Taproot v.s. legacy script, and much of the
      > taproot tooling isn't production ready
      > 3) Sapio is really ambitious undertaking, and it will take time to make it
      > production
      >
      > That said, https://rubin.io/bitcoin/2022/03/22/sapio-studio-btc-dev-mtg-6/
      > tutorial was completed by people who weren't me, and at the
      > pleb.fi/miami2022 one of the projects was able to use sapio congestion
      > control transactions as well, so it does "work". As it matures, we'll get a
      > number of implemented use cases people have been excited about like DLCs,
      > which are implemented here
      > https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/derivatives/dlc.rs.
      > You can see the test case shows how to construct one.
      >
      > Why did I not focus on production grade? Well, production grade can always
      > happen later, and I don't think it takes as much imagination. But the main
      > critique I'd heard of CTV was that no one could see it being used for
      > anything but one or two use cases. So I built Sapio, in part, to show how
      > CTV could be used for an incredibly wide and diverse set of applications,
      > as opposed to the polish on them.
      >
      > If I knew the bar to surpass was to be polish, I probably could have taken
      > a less ambitious approach with Sapio and shown like 1-2 applications
      > working end-to-end. But because the main feedback I got was that CTV wasn't
      > powerful enough, I opted to build a very general framework for covenants
      > and demonstrate how CTV fits that.
      >
      >
      >
      >
      >
      > --
      > @JeremyRubin <https://twitter.com/JeremyRubin>
      >
      > On Thu, Apr 21, 2022 at 12:05 AM Anthony Towns via bitcoin-dev <
      > bitcoin-dev@lists•linuxfoundation.org> wrote:
      >
      >> On Wed, Apr 20, 2022 at 05:13:19PM +0000, Buck O Perley via bitcoin-dev
      >> wrote:
      >> > All merits (or lack thereof depending on your view) of CTV aside, I
      >> find this topic around decision making both interesting and important.
      >> While I think I sympathize with the high level concern about making sure
      >> there are use cases, interest, and sufficient testing of a particular
      >> proposal before soft forking it into consensus code, it does feel like the
      >> attempt to attribute hard numbers in this way is somewhat arbitrary.
      >>
      >> Sure. I included the numbers for falsifiability mostly -- so people
      >> could easily check if my analysis was way off the mark.
      >>
      >> > For example, I think it could be reasonable to paint the list of
      >> examples you provided where CTV has been used on signet in a positive
      >> light. 317 CTV spends “out in the wild” before there’s a known activation
      >> date is quite a lot
      >>
      >> Not really? Once you can make one transaction, it's trivial to make
      >> hundreds. It's more interesting to see if there's multiple wallets or
      >> similar that support it; or if one wallet has a particularly compelling
      >> use case.
      >>
      >> > (more than taproot had afaik).
      >>
      >> Yes; as I've said a few times now, I think we should have had more
      >> real life demos before locking taproot's activation in. I think that
      >> would have helped avoid bugs like Neutrino's [0] and made it easier for
      >> hardware wallets etc to have support for taproot as soon as it was active,
      >> without having to rush around adding library support at the last minute.
      >>
      >> [0]
      >> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-November/019589.html
      >>
      >> Lightning's "two independent implementations" rule might be worth aspiring
      >> too, eg.
      >>
      >> > If we don’t think it is enough, then what number of unique spends and
      >> use cases should we expect to see of a new proposal before it’s been
      >> sufficiently tested?
      >>
      >> I don't really think that's the metric. I'd go for something more like:
      >>
      >>  1a) can you make transactions using the new feature with bitcoin-cli,
      >>      eg createrawtransaction etc?
      >>  1b) can you make transactions using the new feature with some other
      >>      library?
      >>  1c) can you make transactions using the new feature with most common
      >>      libraries?
      >>
      >>  2) has anyone done a usable prototype of the major use cases of the new
      >>     feature?
      >>
      >> I think the answers for CTV are:
      >>
      >>  1a) no
      >>  1b) yes, core's python test suite, sapio
      >>  1c) no
      >>  2) no
      >>
      >> Though presumably jamesob's simple ctv vault is close to being an answer
      >> for (2)?
      >>
      >> For taproot, we had,
      >>
      >>  1a) yes, with difficulty [1]
      >>  1b) yes, core's python test suite; kalle's btcdeb sometimes worked too
      >>  1c) no
      >>  2) optech's python notebook [2] from it's taproot workshops had demos for
      >>     musig and degrading multisig via multiple merkle paths, though I
      >>     think they were out of date with the taproot spec for a while
      >>
      >> [1]
      >> https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-October/019543.html
      >> [2] https://github.com/bitcoinops/taproot-workshop/
      >>
      >> To some extent those things are really proxies for:
      >>
      >>  3) how well do people actually understand the feature?
      >>
      >>  4) are we sure the tradeoffs being made in this implementation of the
      >>     feature, vs other implementations or other features actually make
      >>     sense?
      >>
      >>  5) how useful is the feature?
      >>
      >> I think we were pretty confident in the answers for those questions
      >> for taproot. At least personally, I'm still not super confident in
      >> the answers for CTV. In particular:
      >>
      >>  - is there really any benefit to doing it as a NOP vs a taproot-only
      >>    opcode like TXHASH? Theoretically, sure, that saves some bytes; but as
      >>    was pointed out on #bitcoin-wizards the other day, you can't express
      >>    those outputs as an address, which makes them not very interoperable,
      >>    and if they're not interoperable between, say, an exchange and its
      >>    users trying to do a withdraw, how useful is that really ever going
      >>    to be?
      >>
      >>  - the scriptSig commitments seems very kludgy; combining multiple
      >>    inputs likewise seems kludgy
      >>
      >> The continual push to rush activation of it certainly doesn't increase my
      >> confidence either. Personally, I suspect it's counterproductive; better
      >> to spend the time answering questions and improving the proposal, rather
      >> than spending time going around in circles about activating something
      >> people aren't (essentially) unanimously confident about.
      >>
      >> > In absence of the above, the risk of a constantly moving bar
      >>
      >> I'd argue the bar *should* be constantly moving, in the sense that we
      >> should keep raising it.
      >>
      >> > To use your meme, miners know precisely what they’re mining for and
      >> what a metric of success looks like which makes the risk/costs of
      >> attempting the PoW worth it
      >>
      >> The difference between mining and R&D is variance: if you're competing for
      >> 50k blocks a year, you can get your actual returns to closely match your
      >> expected return, especially if you pool with others so your probability
      >> of success isn't miniscule -- for consensus dev, you can reasonably only
      >> work on a couple of projects a year, so your median return is likely $0,
      >> rather than a close match to your average/expected return.
      >>
      >> > We also have new ideas that only started coming up after Taproot
      >> activation (TLUV and Taro for example), so there’s also the unknown of what
      >> we could have once it becomes clear that it’s worth devoting mental energy
      >> and financial resources towards research.
      >>
      >> TLUV was an offshoot of SCRIPTREPLACE which was public (though not
      >> really published) since 2019.
      >>
      >> > One last wrinkle with regards to using countable metrics to determine a
      >> feature’s “worth” is that not all features are the same. Many of the use
      >> cases that people are excited to use CTV for ([5], [6]) are very long term
      >> in nature and targeted for long term store of value in contrast to medium
      >> of exchange.
      >>
      >> I mean, if those use cases are so exciting, it really doesn't seem much
      >> to ask to see them demoed live on the CTV signet that already exists?
      >>
      >> > You can build a CTV vault in signet, but you’ll only really see a lot
      >> of people using it when it’s to store real value on a time scale measured
      >> in decades not minutes or days
      >>
      >> On the other hand, if the value is really "very long term" and there's no
      >> rush to implement these features and demo them ASAP, then it doesn't seem
      >> like there should be a rush to adapt consensus to these use cases either.
      >> Why not wait until someone does have time to finish sketching out the
      >> use case so they can demo them in public?
      >>
      >> > To put another way and leave CTV out of it completely, what should an
      >> outside, unbiased observer that doesn’t spend much time on Twitter expect
      >> to be able to see to evaluate the readiness or acceptability of ANYPREVOUT,
      >> TLUV,
      >>
      >> For ANYPREVOUT, I would like to see a toy implementation of eltoo using
      >> it, that can handle fees and layered transactions (or has a good argument
      >> why layered transactions aren't necessary). It's going to take a while
      >> even to update LN to taproot and PTLCs though, so eltoo doesn't seem like
      >> it's on the immediate horizon. Besides eltoo, I don't think ANYPREVOUT
      >> is an optimal design for covenants, so if that was the motivation and
      >> not eltoo, maybe some other approach would be better.
      >>
      >> TLUV's design parameters don't really seem optimal (the mess with x-only
      >> pubkeys, alternatives like OP_EVICT), so I think it's still on the
      >> whiteboard.
      >>
      >> Cheers,
      >> aj
      >>
      >> _______________________________________________
      >> bitcoin-dev mailing list
      >> bitcoin-dev@lists•linuxfoundation.org
      >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
      >>
      >
      
      [-- Attachment #2: Type: text/html, Size: 20998 bytes --]
      
      ^ permalink raw reply	[flat|nested] 16+ messages in thread

  • * Re: [bitcoin-dev] CTV Signet Parameters
      2022-04-21  5:03 ` Anthony Towns
      2022-04-21  6:16   ` Jeremy Rubin
    @ 2022-04-21 13:22   ` Russell O'Connor
      2022-04-21 15:05     ` Jeremy Rubin
      1 sibling, 1 reply; 16+ messages in thread
    From: Russell O'Connor @ 2022-04-21 13:22 UTC (permalink / raw)
      To: Anthony Towns, Bitcoin Protocol Discussion
    
    [-- Attachment #1: Type: text/plain, Size: 4340 bytes --]
    
    On Thu, Apr 21, 2022 at 1:04 AM Anthony Towns via bitcoin-dev <
    bitcoin-dev@lists•linuxfoundation.org> wrote:
    
    >
    >  - is there really any benefit to doing it as a NOP vs a taproot-only
    >    opcode like TXHASH? Theoretically, sure, that saves some bytes; but as
    >    was pointed out on #bitcoin-wizards the other day, you can't express
    >    those outputs as an address, which makes them not very interoperable,
    >    and if they're not interoperable between, say, an exchange and its
    >    users trying to do a withdraw, how useful is that really ever going
    >    to be?
    >
    
    FWIW, this is also approximately where my sticking point lies with BIP-119.
    
    Overall I've come around to the idea of something like CTV.  The ability to
    construct "smart contracts" that commit to *multiple* possible payout
    schemes based on some conditions seems like a very useful construct, and
    there have been several examples of  schemes proposed that use this feature.
    
    However, I'm still skeptical of the bare-CTV part of BIP-119 (and I'm told
    that bare-CTV hasn't even appeared on the CTV signet).  Unlike the general
    smart-contracting case, bare-CTV does not have any branches.  All it can do
    is commit to a subsequent transaction's outputs.  At first glance this
    appears to be a waste because, for less bandwidth, that transaction could
    just realize those outputs immediately, so why would anyone want to delay
    the inevitable?
    
    One reason might be that you want to commit to the output early during a
    high-fee time, and then complete the transaction later during a low-fee
    time.  While there are fee-rate situations where this could result in lower
    fees than committing to the outputs all at once, it would be even cheaper
    still to just wait to do the payout at the low-fee time.  I'm struggling to
    understand the advantages of the advanced commitment, along with all the
    overhead that entails.  Doesn't it just cause more blockspace to be used
    overall?
    
    There are some other proposed use cases for bare-CTV.  A bare-CTV can be
    used to delay a "trigger"-transaction.  Some contracts, such as vaults, use
    a relative-locktime as part of their construction and it could make sense
    to make an output commitment but not realize those outputs yet until you
    are ready to start your relative-time lock clock.  But bare-CTV doesn't
    support any co-signing ability here, so you are relying entirely on keeping
    the transaction data secret to prevent a third-party from triggering your
    relative-lock clock.  More specifically for a vault scheme, since
    bare-CTV's are currently unaddressable, and AFAIK, there is no address
    format proposal yet, it is impossible to receive funds directly into a
    vault.  You must shuffle received funds into your vault yourself, which
    seems very likely to negate the cost savings of using bare-CTV in the first
    place (please correct me if I'm wrong).  Better to receive funds directly
    into a taproot-CTV vault, which has an address, and while you are at it,
    you could place the cold-key as the taproot key to save even more when
    using the cold-key to move vault funds.
    
    There might be even more exotic use cases of bare-CTV.  For example you
    could commit to a transaction that has a second input that doesn't yet
    exist in the UTXO set in an attempt to coax it into existence. I don't know
    if there have been any proposals to take advantage of this.
    
    With that said, everything that bare-CTV can do, can also be done by
    tapscript-CTV; so it is just a matter of cost.  I'm struggling to
    understand where this cost savings is and how much those savings are going
    to be given that bare-CTV is unaddressable and seems to ultimately occupy
    more-blockspace than if the outputs were directly committed to.
    
    I also believe the bare-CTV question is material, because if bare-CTV were
    not part of the spec, then I'd be advocating for using an OP_SUCCESS code
    from tapscript instead, and either use push-style semantics for CTV, which
    would be composed with EQUAL_VERIFY to mimic the currently proposed
    verification style-semantics, or a hybrid push-or-verify semantics that
    would either push or verify depending on the size of the input.  (And I
    still think a more general TXHASH would be even better, though if I cannot
    convince aj then perhaps I'm wrong.)
    
    I'm not saying bare-CTV is necessarily a bad idea.  I'm just struggling
    with its justification.
    
    [-- Attachment #2: Type: text/html, Size: 5027 bytes --]
    
    ^ permalink raw reply	[flat|nested] 16+ messages in thread

  • • * Re: [bitcoin-dev] CTV Signet Parameters
        2022-04-21 13:22   ` Russell O'Connor
      @ 2022-04-21 15:05     ` Jeremy Rubin
        2022-04-22  0:58       ` Anthony Towns
        0 siblings, 1 reply; 16+ messages in thread
      From: Jeremy Rubin @ 2022-04-21 15:05 UTC (permalink / raw)
        To: Russell O'Connor, Bitcoin Protocol Discussion; +Cc: Anthony Towns
      
      [-- Attachment #1: Type: text/plain, Size: 7692 bytes --]
      
      Hi Russell,
      
      Thank you for your feedback here.
      
      
      
      > However, I'm still skeptical of the bare-CTV part of BIP-119 (and I'm told
      > that bare-CTV hasn't even appeared on the CTV signet).  Unlike the general
      > smart-contracting case, bare-CTV does not have any branches.  All it can do
      > is commit to a subsequent transaction's outputs.  At first glance this
      > appears to be a waste because, for less bandwidth, that transaction could
      > just realize those outputs immediately, so why would anyone want to delay
      > the inevitable?
      >
      
      I can probably make some show up sometime soon. Note that James' vault uses
      one at the top-level https://github.com/jamesob/simple-ctv-vault, but I
      think the second use of it (since it's not segwit wrapped) wouldn't be
      broadcastable since it's nonstandard.
      
      
      
      
      >
      > One reason might be that you want to commit to the output early during a
      > high-fee time, and then complete the transaction later during a low-fee
      > time.  While there are fee-rate situations where this could result in lower
      > fees than committing to the outputs all at once, it would be even cheaper
      > still to just wait to do the payout at the low-fee time.  I'm struggling to
      > understand the advantages of the advanced commitment, along with all the
      > overhead that entails.  Doesn't it just cause more blockspace to be used
      > overall?
      >
      
      One case where you actually use less space is if you have a few different
      sets of customers at N different fee priority level. Then, you might need
      to have N independent batches, or risk overpaying against the customer's
      priority level. Imagine I have 100 tier 1 customers and 1000 tier 2
      customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees
      I'd need to pay tier 1 rate for 10x the customers. With CTV, I can combine
      my batch into a root and N batch outputs. This eliminates the need for
      inputs, signatures, change outputs, etc per batch, and can be slightly
      smaller. Since the marginal benefit on that is still pretty small, having
      bare CTV improves the margin of byte wise saving.
      
      I give this as an example where CTV uses less space, it is detailed more
      here: https://utxos.org/analysis/batching_sim/. This benefit might be
      marginal and absurd, given these are already big transactions, but it may
      _also_ be absurd that feerates only ever go up and congestion control is
      not valuable.
      
      Another example where this arises is where you have a transaction set you
      need to pay top-of-mempool rate for the soonest confirmation you can get.
      CTV has a decongesting effect, because your top-of-mempool transaction is
      small, which doesn't trigger as much rivalrous behavior with other
      transactors. Concretely, the current policy max txn size is 100kb, or 10%
      of a block. If you bump out of next block window 10% of the mempool, then
      if those transactors care to maintain their positioning, they will need to
      put themselves into a higher percentile with e.g. RBF or CPFP. Whereas if
      you put in a transaction that is just 100 bytes, you only bump out 100
      bytes of rivals (0.01%), not 10%.
      
      Lastly, perhaps a more realistic scenario, is where I am batching to 100
      customers who all wish to do something else after I pay them. E.g., open a
      lightning channel. Being able to use CTV noninteractive channels cuts
      through the extra hop transaction (unless dual funded channels, unless the
      channels are opened between two customers, then they can be dual funded
      again). So using CTV here also saves in net blockspace (although, note,
      this is sort of orthogonal to using CTV over the batch itself, just a good
      example for the related question of 'doesn't ctv generally use more
      blockspace').
      
      
      > There are some other proposed use cases for bare-CTV.  A bare-CTV can be
      > used to delay a "trigger"-transaction.  Some contracts, such as vaults, use
      > a relative-locktime as part of their construction and it could make sense
      > to make an output commitment but not realize those outputs yet until you
      > are ready to start your relative-time lock clock.  But bare-CTV doesn't
      > support any co-signing ability here, so you are relying entirely on keeping
      > the transaction data secret to prevent a third-party from triggering your
      > relative-lock clock.  More specifically for a vault scheme, since
      > bare-CTV's are currently unaddressable, and AFAIK, there is no address
      > format proposal yet, it is impossible to receive funds directly into a
      > vault.  You must shuffle received funds into your vault yourself, which
      > seems very likely to negate the cost savings of using bare-CTV in the first
      > place (please correct me if I'm wrong).  Better to receive funds directly
      > into a taproot-CTV vault, which has an address, and while you are at it,
      > you could place the cold-key as the taproot key to save even more when
      > using the cold-key to move vault funds.
      >
      >
      This is not quite true, you can receive funds into a bare-CTV from your
      vault software, and you can send into one from your vault software. What
      doesn't work is exporting or creating an address for that. As a reminder
      for those following along at home, not all standard output types have
      addresses, even today. For example, OP_RETURN.
      
      However, this is a standarness question. If the market _wanted_ such an
      address, one could be adopted without requiring consensus processes.
      
      Generally, the vault designs I work on use Sapio and therefore also use
      Taproot since I have not added support for non-taproot scripts / removed
      support for witness v0. I will eventually add these back, but it's a
      marginal fee savings optimization and I'm focused primarily on feature
      completeness.
      
      
      > There might be even more exotic use cases of bare-CTV.  For example you
      > could commit to a transaction that has a second input that doesn't yet
      > exist in the UTXO set in an attempt to coax it into existence. I don't know
      > if there have been any proposals to take advantage of this.
      >
      
      There are, but it's not specific to how bare ctv works, it should work from
      any CTV context.
      
      >
      > With that said, everything that bare-CTV can do, can also be done by
      > tapscript-CTV; so it is just a matter of cost.  I'm struggling to
      > understand where this cost savings is and how much those savings are going
      > to be given that bare-CTV is unaddressable and seems to ultimately occupy
      > more-blockspace than if the outputs were directly committed to.
      >
      > I also believe the bare-CTV question is material, because if bare-CTV were
      > not part of the spec, then I'd be advocating for using an OP_SUCCESS code
      > from tapscript instead, and either use push-style semantics for CTV, which
      > would be composed with EQUAL_VERIFY to mimic the currently proposed
      > verification style-semantics, or a hybrid push-or-verify semantics that
      > would either push or verify depending on the size of the input.  (And I
      > still think a more general TXHASH would be even better, though if I cannot
      > convince aj then perhaps I'm wrong.)
      >
      
      Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we
      couldn't use OP_SUCCESSx there either. segwitv0 might be desired if someone
      has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA
      signatures, but still want CTV.
      
      >
      > I'm not saying bare-CTV is necessarily a bad idea.  I'm just struggling
      > with its justification.
      >
      
      
      Fair. I wouldn't have a big problem removing it, if it were clear that were
      it to become desired, we could add it back. I think the case for CTV in
      Segwitv0 is stronger, which has the same implication for a PUSH variant of
      CTV.
      
      
      Thanks again,
      
      Jeremy
      
      
      
      > _______________________________________________
      > bitcoin-dev mailing list
      > bitcoin-dev@lists•linuxfoundation.org
      > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
      >
      
      [-- Attachment #2: Type: text/html, Size: 13088 bytes --]
      
      ^ permalink raw reply	[flat|nested] 16+ messages in thread

    • • * Re: [bitcoin-dev] CTV Signet Parameters
          2022-04-21 15:05     ` Jeremy Rubin
        @ 2022-04-22  0:58       ` Anthony Towns
          2022-04-22  1:10         ` Nadav Ivgi
          2022-04-22  5:30         ` Jeremy Rubin
          0 siblings, 2 replies; 16+ messages in thread
        From: Anthony Towns @ 2022-04-22  0:58 UTC (permalink / raw)
          To: bitcoin-dev
        
        On Thu, Apr 21, 2022 at 10:05:20AM -0500, Jeremy Rubin via bitcoin-dev wrote:
        > I can probably make some show up sometime soon. Note that James' vault uses
        > one at the top-level https://github.com/jamesob/simple-ctv-vault, but I
        > think the second use of it (since it's not segwit wrapped) wouldn't be
        > broadcastable since it's nonstandard.
        
        The whole point of testing is so that bugs like "wouldn't be broadcastable
        since it's nonstandard" get fixed. If these things are still in the
        "interesting thought experiment" stage, but nobody but Jeremy is
        interested enough to start making them consistent with the proposed
        consensus and policy rules, it seems very premature to be changing
        consensus or policy rules.
        
        > One case where you actually use less space is if you have a few different
        > sets of customers at N different fee priority level. Then, you might need
        > to have N independent batches, or risk overpaying against the customer's
        > priority level. Imagine I have 100 tier 1 customers and 1000 tier 2
        > customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees
        > I'd need to pay tier 1 rate for 10x the customers. With CTV, I can combine
        > my batch into a root and N batch outputs. This eliminates the need for
        > inputs, signatures, change outputs, etc per batch, and can be slightly
        > smaller. Since the marginal benefit on that is still pretty small, having
        > bare CTV improves the margin of byte wise saving.
        
        Bare CTV only saves bytes when *spending* -- but this is when you're
        creating the 1100 outputs, so an extra 34 or 67 bytes of witness data
        seems fairly immaterial (0.05% extra vbytes?). It doesn't make the small
        commitment tx any smaller.
        
        ie, scriptPubKey looks like:
         - bare ctv: [push][32 bytes][op_nop4]
         - p2wsh: [op_0][push][32 bytes]
         - p2tr: [op_1][push][32 bytes]
        
        while witness data looks like:
         - bare ctv: empty scriptSig, no witness
         - pw2sh: empty scriptSig, witness = "[push][32 bytes][op_nop4]"
         - p2tr: empty scriptSig, witness = 33B control block,
                 "[push][32 bytes][op_nop4]"
        
        You might get more a benefit from bare ctv if you don't pay all 1100
        outputs in a single tx when fees go lower; but if so, you're also wasting
        quite a bit more block space in that case due to the intermediate
        transactions you're introducing, which makes it seem unlikely that
        you care about the extra 9 or 17 vbytes bare CTV would save you per
        intermediate tx...
        
        I admit that I am inclined towards micro-optimising things to save
        those bytes if it's easy, which does incline me towards bare CTV; but
        the closest thing we have to real user data suggests that nobody's going
        to benefit from that possibility anyway.
        
        > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we
        > couldn't use OP_SUCCESSx there either. segwitv0 might be desired if someone
        > has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA
        > signatures, but still want CTV.
        
        If you desire new features, then you might have to upgrade old hardware
        that can't support them.
        
        Otherwise that would be an argument to never use OP_SUCCESSx: someone
        might want to use whatever new feature we might imagine on hardware that
        only supports ECDSA signatures.
        
        Cheers,
        aj
        
        
        ^ permalink raw reply	[flat|nested] 16+ messages in thread

      • • * Re: [bitcoin-dev] CTV Signet Parameters
            2022-04-22  0:58       ` Anthony Towns
          @ 2022-04-22  1:10         ` Nadav Ivgi
            2022-04-22  5:30         ` Jeremy Rubin
            1 sibling, 0 replies; 16+ messages in thread
          From: Nadav Ivgi @ 2022-04-22  1:10 UTC (permalink / raw)
            To: Anthony Towns, Bitcoin Protocol Discussion
          
          [-- Attachment #1: Type: text/plain, Size: 4037 bytes --]
          
          > nobody's going to benefit from that possibility anyway.
          
           James O'Beirne's simple-ctv-vault appears to be using bare CTV outputs:
          
          https://github.com/jamesob/simple-ctv-vault/blob/7dd6c4ca25debb2140cdefb79b302c65d1b24937/main.py#L217-L218
          https://github.com/jamesob/simple-ctv-vault/blob/7dd6c4ca25debb2140cdefb79b302c65d1b24937/main.py#L324-L325
          
          I guess this suggests that it was not tested on signet?
          
          On Fri, Apr 22, 2022 at 3:58 AM Anthony Towns via bitcoin-dev <
          bitcoin-dev@lists•linuxfoundation.org> wrote:
          
          > On Thu, Apr 21, 2022 at 10:05:20AM -0500, Jeremy Rubin via bitcoin-dev
          > wrote:
          > > I can probably make some show up sometime soon. Note that James' vault
          > uses
          > > one at the top-level https://github.com/jamesob/simple-ctv-vault, but I
          > > think the second use of it (since it's not segwit wrapped) wouldn't be
          > > broadcastable since it's nonstandard.
          >
          > The whole point of testing is so that bugs like "wouldn't be broadcastable
          > since it's nonstandard" get fixed. If these things are still in the
          > "interesting thought experiment" stage, but nobody but Jeremy is
          > interested enough to start making them consistent with the proposed
          > consensus and policy rules, it seems very premature to be changing
          > consensus or policy rules.
          >
          > > One case where you actually use less space is if you have a few different
          > > sets of customers at N different fee priority level. Then, you might need
          > > to have N independent batches, or risk overpaying against the customer's
          > > priority level. Imagine I have 100 tier 1 customers and 1000 tier 2
          > > customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees
          > > I'd need to pay tier 1 rate for 10x the customers. With CTV, I can
          > combine
          > > my batch into a root and N batch outputs. This eliminates the need for
          > > inputs, signatures, change outputs, etc per batch, and can be slightly
          > > smaller. Since the marginal benefit on that is still pretty small, having
          > > bare CTV improves the margin of byte wise saving.
          >
          > Bare CTV only saves bytes when *spending* -- but this is when you're
          > creating the 1100 outputs, so an extra 34 or 67 bytes of witness data
          > seems fairly immaterial (0.05% extra vbytes?). It doesn't make the small
          > commitment tx any smaller.
          >
          > ie, scriptPubKey looks like:
          >  - bare ctv: [push][32 bytes][op_nop4]
          >  - p2wsh: [op_0][push][32 bytes]
          >  - p2tr: [op_1][push][32 bytes]
          >
          > while witness data looks like:
          >  - bare ctv: empty scriptSig, no witness
          >  - pw2sh: empty scriptSig, witness = "[push][32 bytes][op_nop4]"
          >  - p2tr: empty scriptSig, witness = 33B control block,
          >          "[push][32 bytes][op_nop4]"
          >
          > You might get more a benefit from bare ctv if you don't pay all 1100
          > outputs in a single tx when fees go lower; but if so, you're also wasting
          > quite a bit more block space in that case due to the intermediate
          > transactions you're introducing, which makes it seem unlikely that
          > you care about the extra 9 or 17 vbytes bare CTV would save you per
          > intermediate tx...
          >
          > I admit that I am inclined towards micro-optimising things to save
          > those bytes if it's easy, which does incline me towards bare CTV; but
          > the closest thing we have to real user data suggests that nobody's going
          > to benefit from that possibility anyway.
          >
          > > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we
          > > couldn't use OP_SUCCESSx there either. segwitv0 might be desired if
          > someone
          > > has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA
          > > signatures, but still want CTV.
          >
          > If you desire new features, then you might have to upgrade old hardware
          > that can't support them.
          >
          > Otherwise that would be an argument to never use OP_SUCCESSx: someone
          > might want to use whatever new feature we might imagine on hardware that
          > only supports ECDSA signatures.
          >
          > Cheers,
          > aj
          > _______________________________________________
          > bitcoin-dev mailing list
          > bitcoin-dev@lists•linuxfoundation.org
          > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
          >
          
          [-- Attachment #2: Type: text/html, Size: 5541 bytes --]
          
          ^ permalink raw reply	[flat|nested] 16+ messages in thread

        • * Re: [bitcoin-dev] CTV Signet Parameters
            2022-04-22  0:58       ` Anthony Towns
            2022-04-22  1:10         ` Nadav Ivgi
          @ 2022-04-22  5:30         ` Jeremy Rubin
            1 sibling, 0 replies; 16+ messages in thread
          From: Jeremy Rubin @ 2022-04-22  5:30 UTC (permalink / raw)
            To: Anthony Towns, Bitcoin Protocol Discussion
          
          [-- Attachment #1: Type: text/plain, Size: 5306 bytes --]
          
          small note, it's a savings of 34 or 67 bytes *per histogram bucket* to have
          bare CTV v.s. v0/v1, so the interesting thing is that by making it cheaper
          bytes wise it might enable one to have, for the same byte budget, more
          buckets, which would make the feerate savings for the user even greater.
          E.g., assume user priorities are exponential, like:
          
          [10, 12, 14, 17, 20, 24, 29, 35, 42, 51]
          
          suppose binning into 4 groups yields:
          
          [10, 12, 14], [17, 20, 24], [29, 35, 42], [51]
          then the feerate of each group summarized by the max times bin count is
          [14 x 3], [24 x 3], [42 x 3], [51 x 1] =
          
          291
          
          suppose binning into 5 groups yields:
          
          [10, 12], [14, 17], [20, 24], [29, 35], [42, 51]
          [12 x 2] [17 x 2] [24 x 2] [35 x 2] [51x2] =
          
          278
          
          so it's clear that bins of 5 yields a discount, and the marginal cost
          difference of 5 bins vs 4 can be more than "paid for" by switching to bare
          instead of segwit v0.
          
          E.g., 4 segwits = 4*34 additional
          5 bares = 1 extra output (34 bytes) + 1 extra input (41 bytes) + extra tx
          body (~10 bytes?) = ~2.5 x 34 additional weight
          
          so while in this particular case, the savings mean that 4 would likely be a
          better binning than 5 even if bare were available, if you imagine the
          groups scaled to more elements under the same distribution would have
          eventually the cost (291-278)*S > 2.5*34  make it worth switching the
          binning to 5 bins earlier than with would if the bins were more expensive.
          
          Kinda hard to perfectly characterize this type of knock-on effect, but it's
          also cool to think about how cheapness of the nodes in the graph changes
          the optimal graph, which means you can't just do a simple comparison of how
          much is a bigger than b.
          
          
          
          
          
          On Thu, Apr 21, 2022 at 7:58 PM Anthony Towns via bitcoin-dev <
          bitcoin-dev@lists•linuxfoundation.org> wrote:
          
          > On Thu, Apr 21, 2022 at 10:05:20AM -0500, Jeremy Rubin via bitcoin-dev
          > wrote:
          > > I can probably make some show up sometime soon. Note that James' vault
          > uses
          > > one at the top-level https://github.com/jamesob/simple-ctv-vault, but I
          > > think the second use of it (since it's not segwit wrapped) wouldn't be
          > > broadcastable since it's nonstandard.
          >
          > The whole point of testing is so that bugs like "wouldn't be broadcastable
          > since it's nonstandard" get fixed. If these things are still in the
          > "interesting thought experiment" stage, but nobody but Jeremy is
          > interested enough to start making them consistent with the proposed
          > consensus and policy rules, it seems very premature to be changing
          > consensus or policy rules.
          >
          > > One case where you actually use less space is if you have a few different
          > > sets of customers at N different fee priority level. Then, you might need
          > > to have N independent batches, or risk overpaying against the customer's
          > > priority level. Imagine I have 100 tier 1 customers and 1000 tier 2
          > > customers. If I batcher tier 1 with tier 2, to provide tier 1 guarantees
          > > I'd need to pay tier 1 rate for 10x the customers. With CTV, I can
          > combine
          > > my batch into a root and N batch outputs. This eliminates the need for
          > > inputs, signatures, change outputs, etc per batch, and can be slightly
          > > smaller. Since the marginal benefit on that is still pretty small, having
          > > bare CTV improves the margin of byte wise saving.
          >
          > Bare CTV only saves bytes when *spending* -- but this is when you're
          > creating the 1100 outputs, so an extra 34 or 67 bytes of witness data
          > seems fairly immaterial (0.05% extra vbytes?). It doesn't make the small
          > commitment tx any smaller.
          >
          > ie, scriptPubKey looks like:
          >  - bare ctv: [push][32 bytes][op_nop4]
          >  - p2wsh: [op_0][push][32 bytes]
          >  - p2tr: [op_1][push][32 bytes]
          >
          > while witness data looks like:
          >  - bare ctv: empty scriptSig, no witness
          >  - pw2sh: empty scriptSig, witness = "[push][32 bytes][op_nop4]"
          >  - p2tr: empty scriptSig, witness = 33B control block,
          >          "[push][32 bytes][op_nop4]"
          >
          > You might get more a benefit from bare ctv if you don't pay all 1100
          > outputs in a single tx when fees go lower; but if so, you're also wasting
          > quite a bit more block space in that case due to the intermediate
          > transactions you're introducing, which makes it seem unlikely that
          > you care about the extra 9 or 17 vbytes bare CTV would save you per
          > intermediate tx...
          >
          > I admit that I am inclined towards micro-optimising things to save
          > those bytes if it's easy, which does incline me towards bare CTV; but
          > the closest thing we have to real user data suggests that nobody's going
          > to benefit from that possibility anyway.
          >
          > > Even if we got rid of bare ctv, segwit v0 CTV would still exist, so we
          > > couldn't use OP_SUCCESSx there either. segwitv0 might be desired if
          > someone
          > > has e.g. hardware modules or MPC Threshold Crypto that only support ECDSA
          > > signatures, but still want CTV.
          >
          > If you desire new features, then you might have to upgrade old hardware
          > that can't support them.
          >
          > Otherwise that would be an argument to never use OP_SUCCESSx: someone
          > might want to use whatever new feature we might imagine on hardware that
          > only supports ECDSA signatures.
          >
          > Cheers,
          > aj
          > _______________________________________________
          > bitcoin-dev mailing list
          > bitcoin-dev@lists•linuxfoundation.org
          > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
          >
          
          [-- Attachment #2: Type: text/html, Size: 9781 bytes --]
          
          ^ permalink raw reply	[flat|nested] 16+ messages in thread

end of thread, other threads:[~2022-04-28 12:23 UTC | newest]

Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-17 21:58 [bitcoin-dev] CTV Signet Parameters Jeremy Rubin
2022-02-18 11:13 ` 0x0ff
2022-02-22  3:19   ` Jeremy Rubin
2022-04-20  2:31 ` Anthony Towns
2022-04-20 17:05   ` Nadav Ivgi
2022-04-21  2:36     ` Anthony Towns
2022-04-28 12:23   ` Jeremy Rubin
2022-04-20 17:13 Buck O Perley
2022-04-21  5:03 ` Anthony Towns
2022-04-21  6:16   ` Jeremy Rubin
2022-04-21  6:25     ` Jeremy Rubin
2022-04-21 13:22   ` Russell O'Connor
2022-04-21 15:05     ` Jeremy Rubin
2022-04-22  0:58       ` Anthony Towns
2022-04-22  1:10         ` Nadav Ivgi
2022-04-22  5:30         ` Jeremy Rubin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox