Thanks for the thoughtful reply AJ. > I don't think that makes sense? With a general scheme, you'd only be > bloating the witness data (perhaps including the witness script) not > the scriptPubKey? Sorry, sloppy language on my part. To be charitable, I'm talking about the "figurative sPK," which of course these days lives in the witness for script-path-ish spends. Maybe the witness discount means that "complicated" scripts aren't as big a deal, depending on the actual difference in raw script size. > I think it might be better to use a pay-to-contract construction for > the recovery path, rather than an empty witness. So I guess the one advantage that what you're proposing has over just using a recovery-path key signature is that it's all derivable from your cold privkey; you don't have to worry about accidentally losing the recovery-path key. Of course you're still vulnerable to spurious sweeps if the sha256(secret) value gets found out, which presumably you'd want in an accessible cache to avoid touching the cold secret every time you want to sweep. What do you think about the idea of making the recovery-path authorization behavior variable on a single byte flag preceding the 32 byte data push, as I mentioned in another post? I think it may make sense to leave this option open to end-users (and also allow for some upgradeability). > I think a generic OP_UNVAULT can be used to simulate OP_CTV: replace > " OP_CTV" with "<000..0> 0 OP_UNVAULT". Yup, that's an inefficient way of emulating CTV. If people want CTV, we should just look at activating CTV. Greg Sanders has a thing about "jetting" CTV into this proposal (I think) so that the code-paths are shared, but I haven't figured out how that would work. They really don't share that much code AFAICT. > The paper seems to put "OP_UNVAULT" first, but the code seems to > expect it to come last, not sure what's up with that inconsistency. Again some sloppy notation on my part. What I sort of meant in the paper was a kind of functional notation `OP_VAULT(param1, param2, ...)`. Let's chalk that up to my inexperience actually working on script stuff. > I think there's maybe a cleverer way of batching / generalising > checking that input/output amounts match. > > [...] > > * set C = the sum of each output that has a vault tag with > #recovery=X This would also need to take into account that the s are compatible, but your point is well taken. > I think one meaningful difference between these two approaches is that > the current proposal means unvaulting locks up the entire utxo for the > delay period, rather than just the amount you're trying to unvault. This is a really good point and I think is one that's important to incorporate with a change to the existing proposal. A simple fix for facilitating the use of a "partial revault" while the OP_UNVAULT UTXO is outstanding would be to allow for an optional third output that is a redeposit back to the identical OP_VAULT sPK that is being spent by the OP_UNVAULT transaction, then the script interpreter would just ensure that the nValue of those two outputs sums to the sum of the input nValues. I can see what you're saying about having more generic "group amounts by compatible vault params, and then compare to similarly grouped outputs," but I'm just wondering if there are other uses that enables besides the partial-revault thing I mentioned above. If not, I'd probably rather just stick with something simple like having the third optional re-vault output. > Changing the unvault construction to have an optional OP_VAULT output > would remedy that, I think. Oh - okay, this is what you're saying. Right! Is that a sufficient change, or are there other benefits that the more complicated clever-I/O-vault-grouping would enable that you have in mind? > What would it look like to just hide all this under taproot? > > [...] > > It also needs some way of constructing "unvault[X]", which could be a > TLUV-like construction. > > That all seems possible to me; though certainly needs more work/thought > than just having dedicated opcodes and stuffing the data directly in > the sPK. I think this is a very important comparison to do, but I'm eager to see code for things like this. There have been a lot of handwavey proposals lately without tangible code artifacts. I'm eager to see what these alternatives look like in practice - i.e. in functional tests. Thanks again for the great mail. James