Hi Thread,

I made a reply to the OP but didn't "reply all" so it just went directly to Ethan. Since the comments were interesting I'll attempt to salvage them by posting them in full:

== Lloyd's post ==
Hi Ethan,

I'd be interested to know what protocols you need OP_CAT for. I'm trying to figure out if there really exists any script based protocol that doesn't have a more efficient scriptless counterpart.  For example, A²L[1] achieves the same thing as Tumblebit but requires no script. I can imagine paying based on a merkle path could be useful, but a protocol was recently suggested on lightning-dev [2] that does this but without OP_CAT (and without any script!).


[1] https://eprint.iacr.org/2019/589.pdf
[2] https://www.mail-archive.com/lightning-dev@lists.linuxfoundation.org/msg01427.html (*I linked to the wrong thread in the original email*).

LL

== Ethan's response ==
Hi Lloyd,

Thanks for your response. I am not sure if you intended to take this off list or not.

I plan to at some point to enumerate in detail protocols that OP_CAT would benefit. A more important point is that OP_CAT is a basic building block and that we don't know what future protocols it would allow. In my own research I have avoiding going down certain paths because it isn't worth the time to investigate knowing that OP_CAT wouldn't make the protocol practical.

In regards to scriptless scripts they almost always require an interactive protocol and sometimes ZKPs. A2L is very impressive but like TumbleBit it places a large burden on the developer. Additionally I am aware of no way to reveal a subset of preimages with scriptless scripts, do a conditioned reveal i.e. these preimages can only spend under these two pubkeys and timelockA where after timelockZ this other pubkey can spend without a preimages. Scriptless scripts are a fantastic tool but they shouldn't be the only tool that we have.

I'm not sure I follow what you are saying with [2]

This brings me back a philosophical point:
Bitcoin should give people basic tools to build protocols without first knowing what all those protocols are especially when those tools have very little downside.

I really appreciate your comments.

Thanks,
Ethan
==

*Back to normal thread*

Hi Ethan,

Thanks for the insightful reply and sorry for my mailing list errors.

> I plan to at some point to enumerate in detail protocols that OP_CAT would benefit.

Sweet. Thanks.

> Additionally I am aware of no way to reveal a subset of preimages with scriptless scripts, do a conditioned reveal i.e. these preimages can only spend under these two pubkeys and timelockA where after timelockZ this other pubkey can spend without a preimages. Scriptless scripts are a fantastic tool but they shouldn't be the only tool that we have.

Yes. With adaptor signatures there is no way to reveal more than one pre-image; you are limited to revealing a single scalar. But you can have multiple transactions spending from the same output, each with a different set of scriptless conditions (absolute time locks, relative time locks and pre-image reveal). This is enough to achieve what I think you are describing. FWIW there's a growing consensus that you can do lightning without script [1]. Perhaps we can't do everything with this technique. My current focus is figuring out what useful things we can't do like this (even if we were to go wild and add whatever opcodes we wanted). So far it looks like covenants are the main exception.

> I'm not sure I follow what you are saying with [2]

That is perfectly understandable as I linked the wrong thread (sorry!). Here's the right one: https://www.mail-archive.com/lightning-dev@lists.linuxfoundation.org/msg01427.html

I was pointing to the surprising result that you can actually pay for a merkle path with a particular merkle root leading to a particular leaf that you're interested in without validating the merkle path on chain (e.g. OP_CAT and OP_SHA256). The catch is that the leaves have to be pedersen commitments and you prove the existence of your data in the merkle root by showing an opening to the leaf pedersen commitment. This may not be general enough to cover every merkle tree use case (but I'm not sure what those are!).

> This brings me back a philosophical point:
> Bitcoin should give people basic tools to build protocols without first knowing what all those protocols are especially when those tools have very little downside.

This is a really powerful idea. But I've started feeling like you have to just design the layer 2 protocols first and then design layer 1! It seems like almost every protocol that people want to make requires very particular fundamental changes: SegWit for LN-penalty and NOINPUT for eltoo for example. On top of that it seems like just having the right signature scheme (schnorr) at layer 1 is enough to enable most useful stuff in an elegant way.

[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2019-September/017309.html

Cheers,

LL

On Fri, Oct 4, 2019 at 1:08 AM Ethan Heilman <eth3rs@gmail.com> wrote:
To avoid derailing the NO_INPUT conversation, I have changed the
subject to OP_CAT.

Responding to:
"""
* `SIGHASH` flags attached to signatures are a misdesign, sadly
retained from the original BitCoin 0.1.0 Alpha for Windows design, on
par with:
[..]
* `OP_CAT` and `OP_MULT` and `OP_ADD` and friends
[..]
"""

OP_CAT is an extremely valuable op code. I understand why it was
removed as the situation at the time with scripts was dire. However
most of the protocols I've wanted to build on Bitcoin run into the
limitation that stack values can not be concatenated. For instance
TumbleBit would have far smaller transaction sizes if OP_CAT was
supported in Bitcoin. If it happens to me as a researcher it is
probably holding other people back as well. If I could wave a magic
wand and turn on one of the disabled op codes it would be OP_CAT.  Of
course with the change that size of each concatenated value must be 64
Bytes or less.


On Tue, Oct 1, 2019 at 10:04 PM ZmnSCPxj via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Good morning lists,
>
> Let me propose the below radical idea:
>
> * `SIGHASH` flags attached to signatures are a misdesign, sadly retained from the original BitCoin 0.1.0 Alpha for Windows design, on par with:
>   * 1 RETURN
>   * higher-`nSequence` replacement
>   * DER-encoded pubkeys
>   * unrestricted `scriptPubKey`
>   * Payee-security-paid-by-payer (i.e. lack of P2SH)
>   * `OP_CAT` and `OP_MULT` and `OP_ADD` and friends
>   * transaction malleability
>   * probably many more
>
> So let me propose the more radical excision, starting with SegWit v1:
>
> * Remove `SIGHASH` from signatures.
> * Put `SIGHASH` on public keys.
>
> Public keys are now encoded as either 33-bytes (implicit `SIGHASH_ALL`) or 34-bytes (`SIGHASH` byte, followed by pubkey type, followed by pubkey coordinate).
> `OP_CHECKSIG` and friends then look at the *public key* to determine sighash algorithm rather than the signature.
>
> As we expect public keys to be indirectly committed to on every output `scriptPubKey`, this is automatically output tagging to allow particular `SIGHASH`.
> However, we can then utilize the many many ways to hide public keys away until they are needed, exemplified in MAST-inside-Taproot.
>
> I propose also the addition of the opcode:
>
>     <sighash> <pubkey> OP_SETPUBKEYSIGHASH
>
> * `sighash` must be one byte.
> * `pubkey` may be the special byte `0x1`, meaning "just use the Taproot internal pubkey".
> * `pubkey` may be 33-byte public key, in which case the `sighash` byte is just prepended to it.
> * `pubkey` may be 34-byte public key with sighash, in which case the first byte is replaced with `sighash` byte.
> * If `sighash` is `0x00` then the result is a 33-byte public key (the sighash byte is removed) i.e. `SIGHASH_ALL` implicit.
>
> This retains the old feature where the sighash is selected at time-of-spending rather than time-of-payment.
> This is done by using the script:
>
>     <pubkey> OP_SETPUBKEYSIGHASH OP_CHECKSIG
>
> Then the sighash can be put in the witness stack after the signature, letting the `SIGHASH` flag be selected at time-of-signing, but only if the SCRIPT specifically is formed to do so.
> This is malleability-safe as the signature still commits to the `SIGHASH` it was created for.
>
> However, by default, public keys will not have an attached `SIGHASH` byte, implying `SIGHASH_ALL` (and disallowing-by-default non-`SIGHASH_ALL`).
>
> This removes the problems with `SIGHASH_NONE` `SIGHASH_SINGLE`, as they are allowed only if the output specifically says they are allowed.
>
> Would this not be a superior solution?
>
> Regards,
> ZmnSCPxj
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
_______________________________________________
Lightning-dev mailing list
Lightning-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/lightning-dev