I agree this emulation seems sound but also tap out at how the CT stuff works with this type of covenant as well. Happy hacking! On Tue, Feb 1, 2022, 5:29 PM Anthony Towns via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Wed, Jan 05, 2022 at 02:44:54PM -0800, Jeremy via bitcoin-dev wrote: > > CTV was an output of my personal "research program" on how to make simple > > covenant types without undue validation burdens. It is designed to be the > > simplest and least risky covenant specification you can do that still > > delivers sufficient flexibility and power to build many useful > applications. > > I believe the new elements opcodes [0] allow simulating CTV on the liquid > blockchain (or liquid-testnet [1] if you'd rather use fake money but not > use Jeremy's CTV signet). It's very much not as efficient as having a > dedicated opcode, of course, but I think the following script template > would work: > > INSPECTVERSION SHA256INITIALIZE > INSPECTLOCKTIME SHA256UPDATEE > INSPECTNUMINPUTS SCRIPTNUMTOLE64 SHA256UPDATE > INSPECTNUMOUTPUTS SCRIPTNUMTOLE64 SHA256UPDATE > > PUSHCURRENTINPUTINDEX SCRIPTNUMTOLE64 SHA256UPDATE > PUSHCURRENTINPUTINDEX INSPECTINPUTSEQUENCE SCRIPTNUMTOLE64 SHA256UPDATE > > { for in 0.. > INSPECTOUTPUTASSET CAT SHA256UPDATE > INSPECTOUTPUTVALUE DROP SIZE SCRIPTNUMTOLE64 SWAP CAT SHA256UPDATE > INSPECTOUTPUTNONCE SIZE SCRIPTNUMTOLE64 SWAP CAT SHA256UPDATE > INSPECTOUTPUTSCRIPTPUBKEY SWAP SIZE SCRIPTNUMTOLE64 SWAP CAT CAT > SHA256UPDATE > } > > SHA256FINALIZE EQUAL > > Provided NUMINPUTS is one, this also means the txid of the spending tx is > fixed, I believe (since these are tapoot only opcodes, scriptSig > malleability isn't possible); if NUMINPUTS is greater than one, you'd > need to limit what other inputs could be used somehow which would be > application specific, I think. > > I think that might be compatible with confidential assets/values, but > I'm not really sure. > > I think it should be possible to use a similar approach with > CHECKSIGFROMSTACK instead of " EQUAL" to construct APO-style > signatures on elements/liquid. Though you'd probably want to have the > output inspction blocks wrapped with "INSPECTNUMOUTPUTS GREATERTHAN > IF .. ENDIF". (In that case, beginning with "PUSH[FakeAPOSig] SHA256 > DUP SHA256INITIALIZE SHA256UPDATE" might also be sensible, so you're > not signing something that might be misused in a different context later) > > > Anyway, since liquid isn't congested, and mostly doesn't have lightning > channels built on top of it, probably the vaulting application is the > only interesting one to build on top on liquid today? There's apparently > about $120M worth of BTC and $36M worth of USDT on liquid, which seems > like it could justify some vault-related work. And real experience with > CTV-like constructs seems like it would be very informative. > > Cheers, > aj > > [0] > https://github.com/ElementsProject/elements/blob/master/doc/tapscript_opcodes.md > [1] https://liquidtestnet.com/ > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >