OP_CHECKTEMPLATEVERIFY, OP_CHECKSIGFROMSTACK(VERIFY), OP_INTERNALKEY validation (LNHANCE) #29198
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
This should be opened to bitcoin-inquisition rather than this repo at this stage? I thought that was the whole point of bitcoin-inquisition. I'm interested in why you think LN-Symmetry would be better implemented not using APO but perhaps that discussion can be had elsewhere. |
Let's focus on code review. There is no strict process suggesting that code first flow through inquisition.
Happy to discuss on delving |
reardencode
force-pushed
the
lnhance
branch
2 times, most recently
from
3f01b52
to
ec96ee5
Compare
| @@ -591,7 +652,42 @@ bool EvalScript(std::vector<std::vector<unsigned char> >& stack, const CScript& | |||
| break; | |||
| } | |||
|
|
|||
| case OP_NOP1: case OP_NOP4: case OP_NOP5: | |||
There was a problem hiding this comment.
case OP_NOP1: was removed (by accident?). Should it be added back to L691?
Edit: sorry, misread, already done.
There was a problem hiding this comment.
Git diff. Making life unnecessarily hard sometimes.
There was a problem hiding this comment.
Concept ACK
CHECKSIGFROMSTACK complements CHECKTEMPLATEVERIFY and helps in ticking more boxes. INTERNALKEY saves 32 bytes in some cases.
|
In commit 0ac5cf9 Edit: 4371ffe two commits later appears to contain the missing change. Can wait until next need to push for something else. |
|
Concept ACK; this would make pretty much all sides happy. |
|
Force pushed to fix clean commits. |
|
Concept ACK. |
|
It seems too early in the process to open a pull request like this. It's also possible to open a pull request against your own repo-fork of Bitcoin Core, or Inquisition as suggested above. For comparison, the first Taproot pull request to this repo #17977 was made in early 2020, which was after about year of in person workshops studying the proposal. The BIP's themselves were first proposed in 2018. The first work-in-progress taproot branch, not a pull request, is also from around 2018. Then again, being able to use the full Bitcoin Core CI can help in getting the code in good shape, which in turn is useful in improving the proposal. You can run that locally too in Docker. That said, a few extra (draft) PR's for soft-fork proposals is not a significant drain on (paid for by someone) CI capacity. Typically if a pull request depends on another pull request we mark it as draft. That's not the case here, but it does depend on two BIP proposals that were made only two days ago. We could also use some other tag to indicate that the underlying proposal is still in the concept stage. |
Agree |
There is a pull request open (in draft) that contains CTV in addition to other opcodes and sighash flags (ie proposed consensus changes). You don't have to be an expert in combinatorics to realize that continuing down this path results in multiple pull requests to this repo from different authors with different combinations of opcodes and sighash flags depending on the PR author's individual preference. That was one of the major motivations for bitcoin-inquisition where multiple opcodes and sighash flags can be activated on the default signet not creating noise in this repo and allowing both review and experimentation with new opcodes and sighash flags that may or may not ever get activated on mainnet. If for some reason bitcoin-inquisition isn't to the PR author's tastes (I"m not aware of any problems so far) the same can be done on a custom signet with a different fork of this repo. I totally agree with Sjors. The approach taken here of avoiding steps other soft fork proposals have gone through and just assuming shortcuts can be taken is a massive backwards step and I suspect won't achieve anything except creating more unnecessary noise in this repo. |
Co-authored-by: James O'Beirne <github@au92.org>
|
Force pushed to deconflict opcodes with VAULT, add deployment info output, and slightly improve tx_invalid tests. |
| } else if (pubkey_in.size() == 32) { | ||
| if (!success) return true; | ||
| if (sig.size() != 64) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG_SIZE); | ||
|
|
||
| XOnlyPubKey pubkey{pubkey_in}; | ||
|
|
||
| if (!pubkey.VerifySchnorr(msg, sig)) return set_error(serror, SCRIPT_ERR_SCHNORR_SIG); |
There was a problem hiding this comment.
does this mean you can do schnorr sigs with segwit v0 and p2sh? is that intended?
There was a problem hiding this comment.
msg size is also not verifiied here
There was a problem hiding this comment.
Yes, intended to support both ECDSA and BIP340 sigs in segwitv0 and legacy.
No need for message size check here because BIP340 supports arbitrary length message.
| // Pubkeys of length 33 are only constrained in legacy and segwitv0. In these script types only those beginning | ||
| // with 0x02 or 0x03 are constrained. Others are unknown pubkey types. |
There was a problem hiding this comment.
if schnorr is allowed in non-taproot then why forbid ecdsa for taproot?
There was a problem hiding this comment.
Decision was somewhat arbitrary on my part. ECDSA doesn't really add anything in Tapscrpit where Schnorr adds ability to use well specified MPC protocols like MuSig2 and FROST in legacy, so I settled on adding Schnorr for legacy but not adding ECDSA for Tapscript.
In Tapscript, I wonder if we'll eventually want to fork in 33-byte 02/03 keys as x-y Schnorr, so I was a bit hesitant to consume those prefixes now.
| return false; | ||
| } | ||
|
|
||
| if (msg.size() != 32) return set_error(serror, SCRIPT_ERR_INVALID_DATA_LENGTH); |
There was a problem hiding this comment.
should different message sizes be left for future upgrades
There was a problem hiding this comment.
ECDSA requires 32-byte message. OP_SHA256 ahead would enable scripts to handle other data sizes. Making that explicit seems like the better option for ECDSA to enable shorter scripts when pre-hashing is not needed, but also allow pre-hashed data when needed.
|
Thanks for the comments @benthecarman ! |
Testing is minimal, but so is the code.
Some code and ideas from Elements by stevenroose, and sanket1729 Porting help from moonsettler Tests added to the transaction tests framework.
|
I think consensus label should be added for this pull request |
|
Converted this to a draft while I work through AJ's review on my similar PR to inquisition. Will port those changes over here and undraft when the time comes. |
|
🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the Possibly this is due to a silent merge conflict (the changes in this pull request being Leave a comment here, if you need help tracking down a confusing failure. |
|
🐙 This pull request conflicts with the target branch and needs rebase. |
This pull request contains a the same implementation of OP_CHECKTEMPLATEVERIFY (BIP119) as @jamesob's Covenant Tools, an implementation of OP_CHECKSIGFROMSTACK(VERIFY) and of OP_INTERNALKEY.
There are no testnet or mainnet activation parameters proposed in this pull request. I am deeply uninterested in the details of activation semantics.
This combination of changes allows for the implementation of a variety of layer two proposals and improvements. Including, but not limited to, Lightning Symmetry, Point-Time-Locked-Contracts, Timeout Trees, and unidirectional non-interactive channels.
For anyone interested, I also have a branch with these same changes based on the latest release.