From: Nadav Ivgi <nadav@shesek•info>
To: Anthony Towns <aj@erisian•com.au>
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] "Recursive covenant" with CTV and CSFS
Date: Wed, 12 Mar 2025 12:02:27 +0200 [thread overview]
Message-ID: <CAGXD5f3zHuwGq+M1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ@mail.gmail.com> (raw)
In-Reply-To: <Z9ED_dez7_UHxjK0@erisian.com.au>
[-- Attachment #1: Type: text/plain, Size: 3626 bytes --]
On Wed, Mar 12, 2025 at 5:48 AM Anthony Towns <aj@erisian•com.au> wrote:
> I think the original COSHV implementation had the hash appear a push
> *after*
> the CTV opcode.
>
> https://github.com/JeremyRubin/bips/blob/op-checkoutputshashverify/bip-coshv.mediawiki
Yes you are of course correct. My memory failed me, should've looked up the
BIP :)
With either APO or CTV alone you can do an arbitrarily long chain of
> commitments,
adding CSFS and discarding the CSFS private key allows
> you to have a single commitment that can be reused indefinitely.
With APO alone, you can use one of two constructs:
1. Trustless, Finite - using a chain of pre-computed transactions where the
signature for the next transaction is committed to in the scriptPubKey.
This has similar properties to what you can get with CTV alone.
2. Trusted, Infinite - using a simple non-committed signature spending back
to the same address. This has similar properties to your CTV+CSFS construct.
Does adding CSFS enable any additional designs?
I think it's impossible to get Trustless, Infinite short of having full
introspection abilities (CAT/TXHASH/Elements-like), right?
With Elements it's pretty straightforward, something like
`OP_PUSHCURRENTINPUTINDEX OP_INSPECTINPUTSCRIPTPUBKEY <0>
OP_INSPECTOUTPUTSCRIPTPUBKEY OP_ROT OP_EQUALVERIFY OP_EQUAL`
You could have CTV commit to two inputs, with the second input's entire
> value being burnt to fees, but that's fairly annoying
Yes, preparing an exact-sized utxo for fees is indeed annoying. However
it's not much different from CPFP - an extra tx with the same overall
number of inputs/outputs, only around 46vB less efficient[0] (assuming you
need change[1]). So at least for some use-cases it's not terrible either.
One important difference is that for a BMM-like bidding system, losing bids
would still pay tx fees (and take up chain space) for creating the fee
utxo, unlike with CPFP where only the winning bid pays fees. But for other
cases, the difference would be negligible.
Of course, the most WU-optimal construct is APO|SINGLE (implying ACP) that
you mentioned, where no extra transaction is needed at all.
[0] Assuming you need to use N coins for fees and that change is needed,
with an exact-sized fee utxo you have a N-in, 2-out tx to prepare the fee
utxo, then a 2-in, 1-out for the main tx - for a total of N+2 inputs and 3
outputs. With CPFP, its 1-in, 2-out for the main tx, then a N+1-in, 1-out
tx for the CPFP fee bump - also for a total of N+2 inputs and 3 outputs.
However, with CPFP you could use Pay-to-Anchor (while the fee utxo has to
be key-encumbered), saving 65WU for one input plus 30vB/120WU for one
output, making it more efficient by a total of 185WU/46vB (assuming the fee
utxo uses key-path P2TR).
[1] If you happen to have an existing utxo to pay fees with, the 2-input
CTV template would be as efficient as it gets, on par with APO|SINGLE. This
can be extended to combos of multiple utxos, by adding more CTV tapleaves
for different numbers of inputs (at a slight cost of larger control
blocks). With large wallets it could be plausible to find such combos.
Cheers,
shesek
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAGXD5f3zHuwGq%2BM1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ%40mail.gmail.com.
[-- Attachment #2: Type: text/html, Size: 5093 bytes --]
next prev parent reply other threads:[~2025-03-12 10:53 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-05 0:01 Anthony Towns
2025-03-05 6:14 ` Olaoluwa Osuntokun
2025-03-05 16:14 ` 'Antoine Poinsot' via Bitcoin Development Mailing List
2025-03-06 17:17 ` Greg Sanders
2025-03-06 18:36 ` 'moonsettler' via Bitcoin Development Mailing List
2025-03-06 21:26 ` Antoine Riard
2025-03-07 21:36 ` Anthony Towns
2025-03-07 21:01 ` Anthony Towns
2025-03-08 15:55 ` James O'Beirne
2025-03-05 17:53 ` 'moonsettler' via Bitcoin Development Mailing List
2025-03-05 22:46 ` Antoine Riard
2025-03-07 21:16 ` Anthony Towns
2025-03-10 22:36 ` Antoine Riard
2025-03-10 5:14 ` Nadav Ivgi
2025-03-12 3:48 ` Anthony Towns
2025-03-12 10:02 ` Nadav Ivgi [this message]
2025-03-12 16:15 ` Nadav Ivgi
2025-03-14 3:20 ` Anthony Towns
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAGXD5f3zHuwGq+M1jwBJjpEc3Wd8biwjwnrXu6VhrysQeyivLQ@mail.gmail.com \
--to=nadav@shesek$(echo .)info \
--cc=aj@erisian$(echo .)com.au \
--cc=bitcoindev@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox