rich1.0Nadav Ivgi [ARCHIVE] (npub1f2…ydpll)https://yabu.me/npub1f2w9pm06c4k9ay8rst7757thahg2tfrtd0n645zxrtsqwhvaysrswydpllnjumphttps://yabu.me📅 Original date posted:2022-04-29 📝 Original message:Here's a summary of the trade-offs I see for using APO as a CTV alternative: 1. The resulting txids are not stable. CTV commits to enough tx information such that given the txid:vout of the covenant-encumbered output, you can predict the txid of the spending tx permitted by CTV (and of the entire transaction graph descending from it). This property could be important for some of the proposed CTV use-cases, like channel factories. 2. APO will only be available on Taproot, which some people might prefer to avoid for long-term multi-decade vault storage due to QC concerns. (also see my previous post on this thread [0]) 3. Higher witness satisfaction cost of roughly 3x vbytes vs CTV-in-Taproot (plus 33 extra vbytes vs CTV-in-segwitv0 *in the case of a single CTV branch*, for the taproot control block. with more branches CTV-in-taproot eventually becomes preferable). 4. Higher network-wide full-node validation costs (checking a signature is quite more expensive than hashing, and the hashing is done in both cases). 5. As APO is currently spec'd, it would suffer from the half-spend problem: if you have multiple outputs encumbered under an APO covenant that requires the same tx sigmsg hash, it becomes possible to spend all of them together as multiple inputs in a single transaction and burn the extra to mining fees. If I'm not mistaken, I believe this makes the simple-apo-vault implementation [1] vulnerable to spending multiple vaulted outputs of the same denomination together and burning all but the first one. I asked the author for a more definitive answer on twitter [2]. Fixing this requires amending BIP 118 with some new sigmsg flags (making the ANYONECANPAY behaviour optional, as mentioned in the OP). This is definitely possible but also means that APO as-is isn't a CTV-replacement candidate, without first going through some more design and review iterations. shesek [0] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-April/020326.html [1] https://github.com/darosior/simple-anyprevout-vault [2] https://twitter.com/shesek/status/1519874493434544128 On Fri, Apr 22, 2022 at 2:23 PM darosior via bitcoin-dev < bitcoin-dev at lists.linuxfoundation.org> wrote: > I would like to know people's sentiment about doing (a very slightly > tweaked version of) BIP118 in place of > (or before doing) BIP119. > > SIGHASH_ANYPREVOUT and its precedent iterations have been discussed for > over 6 years. It presents proven and > implemented usecases, that are demanded and (please someone correct me if > i'm wrong) more widely accepted than > CTV's. > > SIGHASH_ANYPREVOUTANYSCRIPT, if its "ANYONECANPAY" behaviour is made > optional [0], can emulate CTV just fine. > Sure then you can't have bare or Segwit v0 CTV, and it's a bit more > expensive to use. But we can consider CTV > an optimization of APO-AS covenants. > > CTV advocates have been presenting vaults as the flagship usecase. > Although as someone who've been trying to > implement practical vaults for the past 2 years i doubt CTV is necessary > nor sufficient for this (but still > useful!), using APO-AS covers it. And it's not a couple dozen more virtual > bytes that are going to matter for > a potential vault user. > > If after some time all of us who are currently dubious about CTV's stated > usecases are proven wrong by onchain > usage of a less efficient construction to achieve the same goal, we could > roll-out CTV as an optimization. In > the meantime others will have been able to deploy new applications > leveraging ANYPREVOUT (Eltoo, blind > statechains, etc..[1]). > > > Given the interest in, and demand for, both simple covenants and better > offchain protocols it seems to me that > BIP118 is a soft fork candidate that could benefit more (if not most of) > Bitcoin users. > Actually i'd also be interested in knowing if people would oppose the > APO-AS part of BIP118, since it enables > CTV's features, for the same reason they'd oppose BIP119. > > > [0] That is, to not commit to the other inputs of the transaction (via > `sha_sequences` and maybe also > `sha_amounts`). Cf > https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki#signature-message > . > > [1] https://anyprevout.xyz/ "Use Cases" section > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev at lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20220429/08486216/attachment.html>