Re: [bitcoin-dev] proposal: new opcode OP_ZKP to enable ZKP-based spending authorization

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: ZmnSCPxj <ZmnSCPxj@protonmail•com>
To: Weiji Guo <weiji.g@gmail•com>,
	Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>
Subject: Re: [bitcoin-dev] proposal: new opcode OP_ZKP to enable ZKP-based spending authorization
Date: Sun, 30 Apr 2023 02:15:50 +0000	[thread overview]
Message-ID: <xNzSDtvj-BH4EW9eJMqn_yAiVUEiggnS3WIrvLml6gGAZ6CPADO9pbPV4B30txzSY9laEmX3ckXX8L2Hu18ZrWMUjMH23csL-YK-mDse6DY=@protonmail.com> (raw)
In-Reply-To: <CA+ydi=LtskFh89TW75=CBwbdZzWR-ZjWS77TnrF4G+xUfm8z+Q@mail.gmail.com>

Good morning Weiji,

Have not completed reading, but this jumped out to me:

> 3.  Dealing with system limitation: verification keys could be very long and exceed the MAX_SCRIPT_ELEMENT_SIZE (520 bytes). They could be put into configurations and only use their hash in the scriptPubKey. The configuration information such as new verification keys could be propagated through P2P messages (we might need a separate BIP for this);

`scriptPubKey` is consensus-critical, and these new P2P messages would have to be consensus-critical.

As all nodes need to learn the new verification keys, we should consider how much resources are spent on each node just to maintain and forever remember verification keys.

Currently our resource-tracking methodology is via the synthetic "weight units" computation.
This reflects resources spent on acquiring block data, as well as maintaining the UTXO database.
For instance, the "witness discount" where witness data (i.e. modern equivalent of `scriptSig`) is charged 1/4 the weight units of other data, exists because spending a UTXO reduces the resources spent in the UTXO database, although still consumes resources in downloading block data (hence only a discount, not free or negative/rebate).

Similarly, any propagation of verification keys would need a similar adjustment for weight units.

As verification keys MUST be seen by all nodes before they can validate an `OP_ZKP`, I would suggest that it is best included in block data (which similarly needs to be seen by all nodes), together with some weight unit adjustment for that data, depending on how much resources verification keys would consume.
This is similar to how `scriptPubKey`s and amounts are included in block data, as those data are kept in the UTXO database, which nodes must maintain in order to validate the blockchain.

If verification keys are permanent, they should probably be weighted heavier than `scriptPubKey`s and amounts --- UTXOs can theoretically be deleted later by spending the UTXO (which reduces UTXO database size), while any data that must be permanently stored in a database must correspondingly be weighted higher.

Similarly, my understanding is that the CPU resources needed by validation of generic ZKPs is higher than that required for validation of ECC signatures.
Much of the current weight calculation assumes that witness data is primarily ECC signatures, so if ZKP witnesses translate to higher resource consumption, the weighting of ZKP witnesses should also be higher (i.e. greater than the 1/4 witness-discounted weight of current witness data).

Regards,
ZmnSCPxj

next prev parent reply	other threads:[~2023-04-30  2:16 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-04-28  8:29 Weiji Guo
2023-04-30  2:15 ` ZmnSCPxj [this message]
2023-05-01 12:46   ` Weiji Guo
2023-05-02 15:01     ` ZmnSCPxj
2023-05-04 15:31       ` Weiji Guo
2023-05-04 17:13         ` ZmnSCPxj
2023-05-05 23:06           ` Weiji Guo
2023-05-06  2:51             ` ZmnSCPxj

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='xNzSDtvj-BH4EW9eJMqn_yAiVUEiggnS3WIrvLml6gGAZ6CPADO9pbPV4B30txzSY9laEmX3ckXX8L2Hu18ZrWMUjMH23csL-YK-mDse6DY=@protonmail.com' \
    --to=zmnscpxj@protonmail$(echo .)com \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=weiji.g@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox