{"type":"rich","version":"1.0","title":"Nadav Ivgi [ARCHIVE] wrote","author_name":"Nadav Ivgi [ARCHIVE] (npub1f2…ydpll)","author_url":"https://yabu.me/npub1f2w9pm06c4k9ay8rst7757thahg2tfrtd0n645zxrtsqwhvaysrswydpll","provider_name":"njump","provider_url":"https://yabu.me","html":"📅 Original date posted:2022-04-29\n📝 Original message:Here's a summary of the trade-offs I see for using APO as a CTV alternative:\n\n1. The resulting txids are not stable.\n\nCTV commits to enough tx information such that given the txid:vout of the\ncovenant-encumbered output, you can predict the txid of the spending tx\npermitted by CTV (and of the entire transaction graph descending from it).\n\nThis property could be important for some of the proposed CTV use-cases,\nlike channel factories.\n\n2. APO will only be available on Taproot, which some people might prefer to\navoid for long-term multi-decade vault storage due to QC concerns. (also\nsee my previous post on this thread [0])\n\n3. Higher witness satisfaction cost of roughly 3x vbytes vs CTV-in-Taproot\n(plus 33 extra vbytes vs CTV-in-segwitv0 *in the case of a single CTV\nbranch*, for the taproot control block. with more branches CTV-in-taproot\neventually becomes preferable).\n\n4. Higher network-wide full-node validation costs (checking a signature is\nquite more expensive than hashing, and the hashing is done in both cases).\n\n5. As APO is currently spec'd, it would suffer from the half-spend problem:\nif you have multiple outputs encumbered under an APO covenant that requires\nthe same tx sigmsg hash, it becomes possible to spend all of them together\nas multiple inputs in a single transaction and burn the extra to mining\nfees.\n\nIf I'm not mistaken, I believe this makes the simple-apo-vault\nimplementation [1] vulnerable to spending multiple vaulted outputs of the\nsame denomination together and burning all but the first one. I asked the\nauthor for a more definitive answer on twitter [2].\n\nFixing this requires amending BIP 118 with some new sigmsg flags (making\nthe ANYONECANPAY behaviour optional, as mentioned in the OP).\n\nThis is definitely possible but also means that APO as-is isn't a\nCTV-replacement candidate, without first going through some more design and\nreview iterations.\n\nshesek\n\n[0]\nhttps://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020326.html\n[1] https://github.com/darosior/simple-anyprevout-vault\n[2] https://twitter.com/shesek/status/1519874493434544128\n\n\n\nOn Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev \u003c\nbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\n\u003e I would like to know people's sentiment about doing (a very slightly\n\u003e tweaked version of) BIP118 in place of\n\u003e (or before doing) BIP119.\n\u003e\n\u003e SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for\n\u003e over 6 years. It presents proven and\n\u003e implemented usecases, that are demanded and (please someone correct me if\n\u003e i'm wrong) more widely accepted than\n\u003e CTV's.\n\u003e\n\u003e SIGHASH_ANYPREVOUTANYSCRIPT, if its \"ANYONECANPAY\" behaviour is made\n\u003e optional [0], can emulate CTV just fine.\n\u003e Sure then you can't have bare or Segwit v0 CTV, and it's a bit more\n\u003e expensive to use. But we can consider CTV\n\u003e an optimization of APO-AS covenants.\n\u003e\n\u003e CTV advocates have been presenting vaults as the flagship usecase.\n\u003e Although as someone who've been trying to\n\u003e implement practical vaults for the past 2 years i doubt CTV is necessary\n\u003e nor sufficient for this (but still\n\u003e useful!), using APO-AS covers it. And it's not a couple dozen more virtual\n\u003e bytes that are going to matter for\n\u003e a potential vault user.\n\u003e\n\u003e If after some time all of us who are currently dubious about CTV's stated\n\u003e usecases are proven wrong by onchain\n\u003e usage of a less efficient construction to achieve the same goal, we could\n\u003e roll-out CTV as an optimization.  In\n\u003e the meantime others will have been able to deploy new applications\n\u003e leveraging ANYPREVOUT (Eltoo, blind\n\u003e statechains, etc..[1]).\n\u003e\n\u003e\n\u003e Given the interest in, and demand for, both simple covenants and better\n\u003e offchain protocols it seems to me that\n\u003e BIP118 is a soft fork candidate that could benefit more (if not most of)\n\u003e Bitcoin users.\n\u003e Actually i'd also be interested in knowing if people would oppose the\n\u003e APO-AS part of BIP118, since it enables\n\u003e CTV's features, for the same reason they'd oppose BIP119.\n\u003e\n\u003e\n\u003e [0] That is, to not commit to the other inputs of the transaction (via\n\u003e `sha_sequences` and maybe also\n\u003e `sha_amounts`). Cf\n\u003e https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message\n\u003e .\n\u003e\n\u003e [1] https://anyprevout.xyz/ \"Use Cases\" section\n\u003e _______________________________________________\n\u003e bitcoin-dev mailing list\n\u003e bitcoin-dev at lists.linuxfoundation.org\n\u003e https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev\n\u003e\n-------------- next part --------------\nAn HTML attachment was scrubbed...\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20220429/08486216/attachment.html\u003e"}