public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Ali Sherief <ali@notatether•com>
To: vjudeu@gazeta•pl
Cc: bitcoin-dev@lists•linuxfoundation.org
Subject: Re: [bitcoin-dev] Regarding BIP322 edge cases
Date: Wed, 10 Aug 2022 16:42:10 +0000	[thread overview]
Message-ID: <20220810164204.5toj4tph52lehpvv@artanis> (raw)
In-Reply-To: <166373835-fcb0adc6e7c70aa2d37a60a977c1af89@pmq4v.m5r2.onet>

Wait a minute. I did some lookup on OP_CHECKDATASIG to see if it's in some btc BIP draft somewhere, and it is actually an opcode in Bitcoin Cash since some years ago - https://mengerian.medium.com/the-story-of-op-checkdatasig-c2b1b38e801a

I think we can safely assume that Kalle and the other major BIP322 proponents do not have BCH script compatibility on a high prioirty, perhaps not even medium prioity, so we should be able to make an opcode called OP_CHECKDATASIG for this BIP's internal purposes.

However, a new opcode cannot be created without a lengthy soft-fork (which requires miner signalling - but for what use here, this BIP does not directly impact miners?) with an activation height. If we want to redefine an existing opcode, we must also make a similar soft-fork. Because consensus rules are being modified here.

At the same time, a message signing/verifying algorithm using Script must implement some way to verify a *single* ECDSA or Schnorr signature that is on the stack. The existing opcodes such as OP_CHECKSIG verify all of the inputs and outputs, and this won't work here since there's a deliberate invalid iput in "to_spend".

I tried to research if there is any known use of OP_RESERVED in a script, even if it's only of academic origin, but I unfortunately could not find any references except for https://bitcoin.stackexchange.com/questions/105778/why-were-op-reserved-op-reserved1-and-op-reserved2-originally-reserved .

So this is now an open problem: How should Script verify a single signature that is on the stack without touching any of the inputs or outputs?

- Ali

On Wed, Aug 10, 2022 at 05:05:59PM +0200, vjudeu@gazeta•pl wrote:
> > I suppose in the case of legacy P2PKH signing, a hypothetical OP_CHECKDATASIG can take <signature> <pubkeyhash> off the stack and perform an ECDSA public key recovery
>
> You can always perform key recovery for legacy ECDSA: "<signature> OP_SWAP OP_CHECKSIG" is always spendable, for any valid <r,s> DER-encoded pair. Here, if "<signature> <messageHash> <pubkey> OP_CHECKDATASIG" works for signature verification BIP, then you only need to provide "<signature>" as an input, the rest could be placed in some output, and your program could easily compute that. Or you can use "OP_DUP OP_HASH160 <address> OP_EQUALVERIFY <messageHash> OP_SWAP OP_CHECKDATASIG" as your output script, then the signer has to provide a valid signature, and a valid public key explicitly, but if you only have some signature, then you can always recover that key by yourself.
>
> Because if OP_CHECKDATASIG is not handled, then still, signing by scripts can handle that, but the Script would be unnecessarily complex. And because there is no need to introduce OP_CHECKDATASIG on-chain, it can be safely done inside this BIP.
>
> > I'm not sure how an OP_RESERVED in an unexcuted OP_IF is going to help implement an ECDSA pubkey recovery + DUP/HASH160/EQUALVERIFY hybrid instruction.
>
> Because if you want to support any script, and you want to add a new opcode, you have to make it somehow compatible with existing schemes. You have to assign some byte for OP_CHECKDATASIG or for any new opcodes you want to add. And you don't want to assign just the next free opcode, because you will get OP_CHECKSIGADD or other opcodes from TapScript, so your script decoder will no longer handle two script versions at once. Unless you want to make it also compatible with altcoins like BCH, but I guess it is not needed.
>
>
> On 2022-08-10 15:53:31 user Ali Sherief <ali@notatether•com> wrote:
> > > Backward compatibility. If we don't have OP_CHECKDATASIG, then it has to be somehow introduced to make it compatible with "Bitcoin Message".
>
> I suppose in the case of legacy P2PKH signing, a hypothetical OP_CHECKDATASIG can take <signature> <pubkeyhash> off the stack and perform an ECDSA public key recovery, followed by SHA256/RIPEMD160, kind of like a hybrid between OP_DUP/OP_HASH160/OP_EQUALVERIFY and OP_CHECKSIG.
>
> But the implementations would have to decode the Base58 address into "0x00" plus the address hash. As the only supported invoice type for the Legacy signing methods, this should be straight forward to do.
>
> > And we have opcodes like OP_RESERVED, that can be wrapped in OP_IF, then it is "conditionally valid transaction".
>
> I'm not sure how an OP_RESERVED in an unexcuted OP_IF is going to help implement an ECDSA pubkey recovery + DUP/HASH160/EQUALVERIFY hybrid instruction.
>
> - Ali
>
> On Wed, 10 Aug 2022 04:59:46 +0200, vjudeu@gazeta•pl wrote:
> > > I'm not sure what is to be gained from adding an opcode
> >
> > Backward compatibility. If we don't have OP_CHECKDATASIG, then it has to be somehow introduced to make it compatible with "Bitcoin Message". And we have opcodes like OP_RESERVED, that can be wrapped in OP_IF, then it is "conditionally valid transaction". It is also possible to assign some unused opcode, but then it will be more complex, because in Script, those opcodes make transaction invalid, but inside TapScript, those opcodes are defined as OP_SUCCESS, and make things automatically valid.
> >
> >



  reply	other threads:[~2022-08-10 16:42 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-10 15:05 vjudeu
2022-08-10 16:42 ` Ali Sherief [this message]
     [not found] <mailman.5.1660132803.3395.bitcoin-dev@lists.linuxfoundation.org>
2022-08-10 13:53 ` Ali Sherief
  -- strict thread matches above, loose matches on Subject: below --
2022-08-09 13:09 Ali Sherief
2022-08-10  2:59 ` vjudeu
2022-08-10 23:11 ` Ryan Grant
2022-08-11 16:56   ` Ali Sherief

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220810164204.5toj4tph52lehpvv@artanis \
    --to=ali@notatether$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=vjudeu@gazeta$(echo .)pl \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox