From: "'Antoine Poinsot' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: Matt Corallo <lf-lists@mattcorallo•com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] What's a good stopping point? Making the case for the capabilities enabled by CTV+CSFS
Date: Wed, 25 Jun 2025 16:50:15 +0000 [thread overview]
Message-ID: <73PXNVcmgiN2Kba63P2SRZfs42lvgME_8EF-DlYtkOSY8mLRxEXPEw5JAi5wtPU2MEMw1C6_EDFHKKrhaa1F53OgIJOcam-kbOUP3aG2_e0=@protonmail.com> (raw)
In-Reply-To: <8a9a2299-ab4b-45a4-8b9d-95798e6bb62a@mattcorallo.com>
Thanks for sharing some objections. Here is my attempt at addressing them.
> ISTM even something as simple as a rate-limit requires more full-featured introspection than only
> "commit to the exact next transaction" can provide. For example, a trivial construction would be
> something which requires that transactions spending an output have an output which claims at least
> Amount - Rate, which requires both more full-featured introspection as well as a bit of math.
Yes. These capabilities are really only useful for reducing interactivity in second-layer protocols.
They do not (reasonably) help for vaults and we do not claim it as a use case.
Previous efforts to promote opcodes implementing those capabilities have unfortunately fallen into
the trap of overpromising and claiming use cases they do not really enable. But this should not make
us overlook what they are really good at: interactivity reduction.
Do you think that the use cases presented in OP, if demonstrated, are not enough to warrant soft
forking in a primitive enabling them?
> Given one of the loudest groups advocating for the additional features of CTV+CSFS are enterprise
> or large-value personal custody providers
Yes. We intentionally do not mention vaults as a use case in our steelman. We should not change
Bitcoin on the basis of misleading use cases. If people are interested in vaults, they should
sponsor efforts on a different set of capabilities. Probably "programmable forwarding of value from
inputs to outputs", "programmable forwarding of spending conditions from inputs to outputs" and maybe
"commit to the exact transaction spending an output" (or more powerful introspection).
The lack of a similar enthusiasm for proposals enabling most or all of these functionalities (like
Salvatore Ingala's BIP334 or previously James O'Beirne's and Greg Sanders' BIP345) suggests such
loud support are in fact in favour of "just doing something" and rationalize nice-sounding use cases
backward from this proposal (but vaults!) because it appears to them to be "further down the road".
I think this view is very dangerous and is part of our motivation for redirecting discussions toward
what these capabilities actually enable.
> it seems somewhat of a loss to not work our way towards really basic features for this use-case.
I personally grew more skeptical of the reactive security model of vaults after working on it. Your
mileage may vary and that's fine if people want to work on capabilities that actually enable vaults,
but i don't think they should be a required use cases and block introducing primitives that
substantially improve existing layer 2s and make new ones possible.
> Indeed, ISTM many use-cases for a construction like TXHASH become a lot more substantial with Math
> [...], I'm quite skeptical that *just* looking at an individual fork on its own is the right
> benchmark.
I agree that modularity and forward composability with potential future upgrades are arguments in
favour of a more flexible approach. But those need to be balanced with the additional risk and
implementation complexity such an approach entails. I'm happy to be convinced if supporters of this
approach demonstrate the added flexibility does enable important use cases and the risks associated
are manageable. But if nobody is interested in doing so, i don't think it's reasonable to hold off a
safer upgrade as long as it is demonstrated to provide substantial benefits.
It's also unclear that we should stop at "programmable introspection" in this case. Why not also
include "programmable amount / spending condition forwarding" too, which would give you vaults? Why
not even CAT, which is a neat tool in many situations and would let ZK people experiment with
validation rollups? And at this point, it would seem wiser to just work on a sane Bitcoin Script
replacement rather than throwing buckets of opcodes at it and hoping it holds off. Which as we say
in OP i don't think is realistic.
> I don't see how this results in a net reduction in risk to Bitcoin, rather just means more total
> work and more cruft in Bitcoin's consensus.
In theory, i agree. But by this token the same goes for every future extension that introduces more
expressivity to Bitcoin Script. This ties back to the stopping point: why add more cruft to the
existing interpreter when we could all focus on BTCLisp instead?
It's also the case that even if future extensions introduce a superset of the capabilities being
discussed, it's unlikely that such simple ones like "just commit to the next transaction" and
"verify a signature for an arbitrary message" would ever be made fully redundant.
Finally, when considering technical debt we should also weigh the actual cost of the implementation
of these simple capabilities. Signature verification on arbitrary message reuses existing signature
checking logic. Similarly, committing to the next transaction can heavily lean on existing Taproot
signature messages, only minimally departing when necessary, and be implemented in a strictly
simpler manner than the existing CTV proposal. A minimal implementation of these capabilities would
not introduce significant technical debt.
Interestingly, this argument applies more to introducing more involved capabilities like arbitrary
transaction introspection, because of the substantially larger technical debt it would impose to
first support in Bitcoin Script instead of focusing on a replacement with transaction introspection
from the get go.
> Indeed, more flexible introspection provides for a difference in risk to the system (though its
> worth noting we cannot both argue that there is no "demonstrated utility" *and* that the utility
> of a change is so substantially higher that it adds material risk to the system in the form of
> MEVil from its use-cases).
Yes we can? It's reasonable to see how arbitrary introspection could be useful in various handwavy
ways, and therefore how they can be used for undesirable applications, while also not having an
important use case it enables clearly defined, much less demonstrated.
> However, given the uses of the Bitcoin chain today, it seems entirely possible (assuming
> sufficient adoption) that we end up with a substantial MEVil risk with or without any
> functionality expansion.
Sure, but I’d argue that the presence of risk now is a reason to be more cautious about adding to
it, rather than accepting it as inevitable.
Best,
Antoine
On Tuesday, June 24th, 2025 at 12:00 PM, Matt Corallo <lf-lists@mattcorallo•com> wrote:
>
>
> Thanks, responding to one specific point:
>
> On 6/23/25 9:14 AM, 'Antoine Poinsot' via Bitcoin Development Mailing List wrote:
>
> > Yet another alternative is a set of more powerful capabilities, enabling the use cases that "commit to next transaction"
> > and "verify a BIP340 signature for an arbitrary message" enable and more. For instance replacing "commit to the exact
> > transaction which must spend this output" with "programmable introspection on the spending transaction's fields" has
> > been considered. However this approach increases implementation complexity and broadens the risk surface[^8]
>
>
> Responded to below [1]
>
> > which
> > warrants a compelling demonstration that arbitrary transaction introspection does enable important use cases not
> > achievable with more minimal capabilities.
>
>
> I'm somewhat skeptical that showing this isn't rather simple, though I admit I've spent less time
> thinking about these concepts. ISTM even something as simple as a rate-limit requires more
> full-featured introspection than only "commit to the exact next transaction" can provide. For
> example, a trivial construction would be something which requires that transactions spending an
> output have an output which claims at least Amount - Rate, which requires both more full-featured
> introspection as well as a bit of math. Given one of the loudest groups advocating for the
> additional features of CTV+CSFS are enterprise or large-value personal custody providers, it seems
> somewhat of a loss to not work our way towards really basic features for this use-case.
>
> More generally, more full-featured introspection like TXHASH provides a lot of flexibility in the
> constructs people can build. For example, allowing BYO fees in the form of an additional input +
> output in a transaction, rather than fixing an anchor output in the fixed "next transaction"
> commitment to allow for fees (and then requiring the same additional input + output later). There's
> also open questions as to the incentive-compatibility of anchors in a world with expensive block
> space, as OOB fees become much cheaper.
>
> Indeed, ISTM many use-cases for a construction like TXHASH become a lot more substantial with Math
> (though, again, I spend less time thinking about the use-cases of these things than most, so I'm
> sure others have more examples), I'm quite skeptical that just looking at an individual fork on
> its own is the right benchmark. Sure, functionality in proposed changes to Bitcoin's consensus need
> to be well-justified, but they don't need to be well-justified purely on their own. We add things
> like OP_SUCCESS opcodes in soft forks specifically to expand the set of things we can do later, not
> specifically in this fork.
>
> If we assume that we end up wanting things like velocity limits (which I imagine we would?) then it
> seems to me we should do a logical fork that adds features today, but which will allow us to make
> minimal extensions in the future to further expand its use-cases later. Taking a more myopic view of
> the present and ignoring the future results in us doing one thing today, then effectively replacing
> it later by adding more flexibility in a new opcode later, subsuming the features of what we do
> today. I don't see how this results in a net reduction in risk to Bitcoin, rather just means more
> total work and more cruft in Bitcoin's consensus.
>
> [1]
>
> Responding to the MEVil question OOO because I think the above should go first :).
>
> Indeed, more flexible introspection provides for a difference in risk to the system (though its
> worth noting we cannot both argue that there is no "demonstrated utility" and that the utility of
> a change is so substantially higher that it adds material risk to the system in the form of MEVil
> from its use-cases). However, given the uses of the Bitcoin chain today, it seems entirely possible
> (assuming sufficient adoption) that we end up with a substantial MEVil risk with or without any
> functionality expansion. This mandates a response from the Bitcoin development community in either
> case, and I'm confident that response can happen faster than any reasonable soft fork timeline.
>
> While its possible that existing CSV-based MEVil risk never grows beyond its current anemic state
> (due to preferences for stronger trust models from their users), and that there's a particularly
> clever design using expanded introspection that improves the trust model such that suddenly
> CSV-based protocol use explodes, ISTM given the risk and the need to mitigate it on its own, taking
> decisions that are sub-optimal for Bitcoin's consensus on this basis isn't accomplishing much and
> has real costs.
>
> Matt
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/8a9a2299-ab4b-45a4-8b9d-95798e6bb62a%40mattcorallo.com.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/73PXNVcmgiN2Kba63P2SRZfs42lvgME_8EF-DlYtkOSY8mLRxEXPEw5JAi5wtPU2MEMw1C6_EDFHKKrhaa1F53OgIJOcam-kbOUP3aG2_e0%3D%40protonmail.com.
next prev parent reply other threads:[~2025-06-25 16:54 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-06-23 13:14 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-06-24 14:29 ` [bitcoindev] " Harsha Goli
2025-06-24 15:54 ` [bitcoindev] " Matt Corallo
2025-06-25 16:50 ` 'Antoine Poinsot' via Bitcoin Development Mailing List [this message]
2025-06-25 20:34 ` Ethan Heilman
2025-06-25 19:22 ` Chris Stewart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='73PXNVcmgiN2Kba63P2SRZfs42lvgME_8EF-DlYtkOSY8mLRxEXPEw5JAi5wtPU2MEMw1C6_EDFHKKrhaa1F53OgIJOcam-kbOUP3aG2_e0=@protonmail.com' \
--to=bitcoindev@googlegroups.com \
--cc=darosior@protonmail$(echo .)com \
--cc=lf-lists@mattcorallo$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox