Hello ZmnSCPxj,
I agree that adding OP_CHECKSIGFROMSTACK doesn't preclude adding shortcuts such as `SIGHASH_ANYPREVOUT` and `OP_CHECKOUTPUTSHASHVERIFY`, and I agree we ought to support such operations directly, especially if we see widespread use of these constructions in practice.
I think it is desirable to add OP_CHECKSIGFROMSTACK for its direct purposes of enabling oracle verification and discreet log contracts. Moreover, it would be better decide if we do or do not want to do this first, because whether or not we chose to implement a general OP_CHECKSIGFROMSTACK will influence the design of these other proposals.
For example, if we choose to deploy OP_CHECKSIGFROMSTACK, then the design of OP_CHECKOUTPUTSHASHVERIFY ought to be simplified to OP_PUSHOUTPUTHASH and OP_PUSHNUMINPUTS (etc.) because the proposal would no longer be extending the expressiveness of Bitcoin Script. And while OP_CHECKSIGFROMSTACK doesn't directly address whether SIGHASH_ANYPREVOUT should be with or without a chaperone (as the simulated version with OP_CHECKSIGFROMSTACK is necessarily chaperoned), we might get an opportunity to learn if users are willing to take advantage of the chaperone, or whether they rather bypass it by using a short well-known pubkey: (e.g. 0x0200000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63) and/or similar short signatures if we deploy OP_CHECKSIGFROMSTACK first.
Since most of the "scary" recursive convents are not available with OP_CHECKSIGFROMSTACK within taproot (without further extensions), the OP_CHECKSIGFROMSTACK proposal now has quite different consequences than before.
Good morning Russell,
While I am sympathetic to this argument from first principles, as I understand it, it requires that provided witness inputs will become larger, compared to "shortcuts" like `SIGHASH_ANYPREVOUT` and `OP_CHECKOUTPUTSHASHVERIFY`.
For instance, to simulate `SIGHASH_ANYPREVOUT` with `OP_CAT` and `OP_CHECKSIGFROMSTACK`, I would effectively split the unsigned transaction into its "inputs" and "outputs" part, concat them and use `OP_CHECKSIGFROMSTACK` on the chaperone signature, and also use a normal `OP_CHECKSIGVERIFY` on that same chaperone signature, then dup the "outputs" part and use `OP_CHECKSIGFROMSTACK` on the "any prevout"/"noinput" signature.
I would effectively give the transaction to itself as part of the witness, and further, I would also have to very carefully write the script (admittedly the writing of the template could be done once, but it would require far more review than simple usages of the "limited" operations like `SIGHASH_ANYPREVOUT`).
So my witness stack would contain two signatures, and a duplicate of the transaction itself, plus a very much complicated script, whereas use of `SIGHASH_ANYPREVOUT` just requires two signatures and a script not much longer than pre-Schnorr multisig scripts.
It seems to me desirable, to try to reduce bandwidth consumption on the Bitcoin blockchain, including witness data.
Indeed, I had thought the whole exercise of putting `OP_CHECKSIGFROMSTACK` in a federated sidechain (Elements/Liquid) was to try to identify common patterns of usage for that opcode, and *then* to propose those common patterns as specific "optimized" opcodes as a sort of "jet" for Bitcoin itself (but not `OP_CHECKSIGFROMSTACK` itself).
Regards,
ZmnSCPxj
Sent with ProtonMail Secure Email.