From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Zac Greenwood <zachgrw@gmail•com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] Exploring: limiting transaction output amount as a function of total input value
Date: Mon, 16 Aug 2021 11:48:43 +0000 [thread overview]
Message-ID: <wdlRrp4fZxH79mzVpTQWp99V9uI8jLvRU40mwdJ8lZ5A2mGMsxUK1TmZEZTV7O4_eUnNyq3feEGv5BUN-ecPSlbL-EYR6ZyLxk9ErsFiPlE=@protonmail.com> (raw)
In-Reply-To: <CAJ4-pECSE=by2ag4QmqrXbX_R0sk6HOL1KH0z2h=+915jaEE6Q@mail.gmail.com>
Good morning Zac,
> Thank you for your counterproposal. I fully agree that as a first step we must establish whether the proposed functionality can be implemented without making any changes to consensus.
>
> Your counterproposal is understandably more technical in nature because it explores an implementation on top of Bitcoin as-is. However I feel that for a fair comparison of the functionality of both proposals a purely functional description of your proposal is essential.
>
> If I understand your proposal correctly, then I believe there are some major gaps between yours and mine:
>
> Keys for unrestricted spending: in my proposal, they never have to come online unless spending more than the limit is desired. In your proposal, these keys are required to come online in several situations.
Correct, that is indeed a weakness.
It is helpful to see https://zmnscpxj.github.io/bitcoin/unchained.html
Basically: any quorum of signers can impose any rules that are not implementable on the base layer, including the rules you desire.
That quorum is the "offline keyset" in my proposal.
>
> Presigning transactions: not required in my proposal. Wouldn’t such presigning requirement be detrimental for the usability of your proposal? Does it mean that for instance the amount and window in which the transaction can be spent is determined at the time of signing? In my proposal, there is no limit in the number of transactions per window.
No.
Remember, the output is a simple 1-of-1 or k-of-n of the online keyset.
The online keyset can spend that wherever and however, including paying it out to N parties, or paying part of the limit to 1 party and then paying the remainder back to the same onchain keyset so it can access the funds in the future.
Both cases are also available in your proposal, and the latter case (pay out part of the limit to a single output, then keep the rest back to the same onchain keyset) can be used to add an indefinite number of transactions per window.
>
> Number of windows: limited in your proposal, unlimited in mine.
Correct, though you can always have a fairly large number of windows ("640kB ought to be enough for anybody").
>
> There are probably additional gaps that I am currently not technically able to recognize.
It requires a fair amount of storage for the signatures at minimum, though that may be as small as 64 bytes per window.
1Mb of storage for signatures would allow 16,384 windows, assuming you use 1-day windows that is about 44.88 years, probably more than enough that a one-time onlining of the offline keys (or just print out the signatures on paper or display as a QR code, whatever) is acceptable.
> I feel that the above gaps are significant enough to state that your proposal does not meet the basic requirements of my proposal.
>
> Next to consider is whether the gap is acceptable, weighing the effort to implement the required consensus changes against the effort and feasibility of implementing your counterproposal.
>
> I feel that your counterproposal has little chance of being implemented because of the still considerable effort required and the poor result in functional terms. I also wonder if your proposal is feasible considering wallet operability.
See above, particularly the gap that does not, in fact, exist.
>
> Considering all the above, I believe that implementing consensus changes in order to support the proposed functionality would preferable over your counterproposal.
>
> I acknowledge that a consensus change takes years and is difficult to achieve, but that should not be any reason to stop exploring the appetite for the proposed functionality and perhaps start looking at possible technical solutions.
You can also look into the "covenant" opcodes (`OP_CHECKSIGFROMSTACK`, `OP_CHECKTEMPLATEVERIFY`, etc.), I think JeremyRubin has a bunch of them listed somewhere, which may be used to implement something similar without requiring presigning.
Since the basic "just use `nSequence`" scheme already implements what you need, what the covenant opcodes buy you is that you do not need the offline keyset to be onlined and there is no need to keep signatures, removing the remaining gaps you identified.
With a proper looping covenant opcode, there is also no limit on the number of windows.
The issue with the covenant opcodes is that there are several proposals with overlapping abilities and different tradeoffs.
This is the sort of thing that invites bikeshed-painting.
I suggest looking into the covenant opcodes and supporting those instead of your own proposal, as your application is very close to one of the motivating examples for covenants in the first place.
Regards,
ZmnSCPxj
next prev parent reply other threads:[~2021-08-16 11:48 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-21 5:56 [bitcoin-dev] Covenant opcode proposal OP_CONSTRAINDESTINATION (an alternative to OP_CTV) Billy Tetrud
2021-07-25 5:38 ` David A. Harding
2021-07-25 19:49 ` Billy Tetrud
2021-07-26 0:05 ` David A. Harding
[not found] ` <SN7PR18MB3981DC1CD23B90367045995FD2E89@SN7PR18MB3981.namprd18.prod.outlook.com>
2021-07-26 20:18 ` Billy Tetrud
2021-07-26 21:08 ` James MacWhyte
2021-07-27 0:41 ` Billy Tetrud
2021-07-27 11:18 ` Zac Greenwood
2021-07-27 17:21 ` Billy Tetrud
2021-07-28 4:57 ` Zac Greenwood
2021-07-28 17:57 ` Billy Tetrud
2021-07-28 22:30 ` Jeremy
2021-07-30 18:42 ` Billy Tetrud
2021-11-01 1:19 ` Billy Tetrud
2021-07-31 20:01 ` [bitcoin-dev] Exploring: limiting transaction output amount as a function of total input value Zac Greenwood
2021-08-02 4:40 ` Billy Tetrud
2021-08-10 2:17 ` ZmnSCPxj
2021-08-13 11:02 ` Zac Greenwood
2021-08-14 1:50 ` ZmnSCPxj
2021-08-16 11:17 ` Zac Greenwood
2021-08-16 11:48 ` ZmnSCPxj [this message]
2021-08-30 14:43 ` Zac Greenwood
2021-08-31 9:00 ` ZmnSCPxj
2021-08-31 14:09 ` Zac Greenwood
2021-08-31 14:22 ` ZmnSCPxj
2021-09-01 15:15 ` Zac Greenwood
2021-08-01 8:09 Zac Greenwood
2021-08-02 9:32 ` Zac Greenwood
2021-08-03 18:12 ` Billy Tetrud
2021-08-04 10:48 ` Zac Greenwood
2021-08-05 6:39 ` Billy Tetrud
2021-08-05 14:22 ` Zac Greenwood
2021-08-10 0:41 ` Billy Tetrud
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='wdlRrp4fZxH79mzVpTQWp99V9uI8jLvRU40mwdJ8lZ5A2mGMsxUK1TmZEZTV7O4_eUnNyq3feEGv5BUN-ecPSlbL-EYR6ZyLxk9ErsFiPlE=@protonmail.com' \
--to=zmnscpxj@protonmail$(echo .)com \
--cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
--cc=zachgrw@gmail$(echo .)com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox