OP_PAIRCOMMIT #1699
OP_PAIRCOMMIT #1699
Conversation
|
Switched back to markdown. Header now in BIP-2 format. |
moonsettler
force-pushed
the
paircommit
branch
from
73dab62
to
8f11758
Compare
moonsettler
force-pushed
the
paircommit
branch
from
8f11758
to
f3f7f91
Compare
|
The original create date of OP_PAIRCOMMIT is 2024-03-15 this is the latest revision based on feedback from Anthony Towns. |
|
Added a discussion link to the PR description.
Perhaps add a changelog with the revision based on Anthony Towns' feedback followed by the initial version. Or use the date of the current draft revision as your starting point. |
|
According to BIP 2:
|
|
Has this proposal been sent to the mailing list? |
Proposed to the mailing list, waiting for feedback. |
bip-PC.md
Outdated
| If `OP_CAT` was available, it could be used to combine multiple stack elements, | ||
| that get verified with `OP_CHECKSIGFROMSTACK` as a valid state update. | ||
|
|
||
| `OP_PAIRCOMMIT` solves this specific problem without introducing a wide range | ||
| of potentially controversial new behaviors, such as novel 2-way peg mechanisms. |
There was a problem hiding this comment.
It sounds like OP_PAIRCOMMIT is closely related to CAT and CSFS. Could you perhaps expand on the related work and design decisions in a Rationale section?
There was a problem hiding this comment.
Alternatives we discussed:
- OP_CAT
- Merkle operation opcodes
- SHA256 streaming opcodes
- 'Kitty' CAT (result or inputs limited in size to try disable introspection and arithmetic extension uses)
- OP_CTV also commiting to the taproot annex in tapscript
- OP_CHECKSIGFROMSTACK variant on n elements as message instead of 1
- OP_VECTORCOMMIT (decoupling above behavior)
Finally after weighing everything OP_PAIRCOMMIT was the simplest addition that got what we needed exactly in the most efficient way. It's a minimal code change, very easy to reason about. Therefore we expect it to be the least controversial option.
Sadly a lot of the discussion is all over the place and on unsearchable mediums.
There was a problem hiding this comment.
That’s why I am suggesting that this proposal should collect some of that information.
There was a problem hiding this comment.
I would prefer to keep it simple and to the point. Added a more brief rationale section. Could do a more in depth recollection on what we learned and why certain alternatives fell out of favor on a delving thread we link from here, if people are actually curious.
There was a problem hiding this comment.
Expanded on the rationale behind OP_PAIRCOMMIT on delvingbitcoin.
Remove style, Correct title
moonsettler
force-pushed
the
paircommit
branch
3 times, most recently
from
59249d9
to
dfb0670
Compare
moonsettler
force-pushed
the
paircommit
branch
from
dfb0670
to
92ffeb8
Compare
| Using in sequence `OP_CHECKTEMPLATEVERIFY`, `OP_PAIRCOMMIT`, `OP_INTERNALKEY` | ||
| and `OP_CHECKSIGFROMSTACK` we can construct a rebindable channel that is also | ||
| optimal. |
There was a problem hiding this comment.
This paragraph seems to indicate that the OP_PAIRCOMMIT proposal would be especially useful in combination with these other opcodes. Could you perhaps clarify whether and how OP_PAIRCOMMIT is useful by itself in absence of the other three opcodes you mention here?
There was a problem hiding this comment.
LNhance at it's core is CTV + CSFS. They together provide the core utility. IKEY is an optimization for not having to pay for the pubkey twice when the internal key can be used. PC is an optimization when CSFS has to commit to additional data required to recreate a spend script from an intermediate state, because OP_RETURN (to which CTV naturally commits to) is 4x more expensive in weight units for data availability.
PC could also be used by CHECKCONTRACTVERIFY to carry a complex state in the absence of CAT.
I don't think anyone would find PC useful enough to activate in isolation without the aforementioned other opcodes.
It can do general merkle tree style commitments that are not compatible with other merkle tree structures in bitcoin.
We probably will make a new BIP for LNhance that has these other BIPs as "Relies on".
Co-authored-by: Mark "Murch" Erhardt <[email protected]>
|
|
||
| When evaluated, the `OP_PAIRCOMMIT` instruction: | ||
| * Pops the top two values off the stack, | ||
| * takes the "PairCommit" tagged SHA256 hash of the stack elements, |
There was a problem hiding this comment.
consider linking to the section in bip340 about tagged hashes
There was a problem hiding this comment.
It is linked from Specification (line 53), not sure I would want to link from here.
| To do LN-Symmetry contracts that don't require the nodes to keep old states, | ||
| we need to solve the data availability problem presented by unilateral closes. | ||
| Channel peers must be able to reconstruct the script that spends an | ||
| intermediate state. |
There was a problem hiding this comment.
what data needs to be available? how does PC solve that problem (does it stick the data in the witness and put a commitment somewhere covered by a signature? something else?)? Is this mechanism useful for things outside of LN-Symmetry?
There was a problem hiding this comment.
The data that needs to be available for state n is:
state-n-recovery-data { settlement-n-hash or state-n-balance }
This is needed to reconstruct the whole script for the nth state address that the funds move to by the channel peer that only holds the latest state, so he can spend to the latest state.
edit:
Instead of an IF statement we could use different tap leaves (less optimal actually) and then merkle inclusion proof with sibling hashes would have to be known.
There was a problem hiding this comment.
Is this mechanism useful for things outside of LN-Symmetry?
It was obviously our primary motivation, but I would not be surprised if other applications that use CSFS find a similar use for it.
There was a problem hiding this comment.
One way to think about the 3 opcodes (CSFS, IKEY, PC) is we decompose a CSFS variant that can use 1 byte pubkey (internal key) and can commit to a vector of stack elements as message. They thus become more generally useful, but to a limited degree without additional opcodes.
Detailed introspection opcodes would also need vector commitments with CSFS, and as mentioned it would also be useful for CCV.
moonsettler
force-pushed
the
paircommit
branch
from
2dfe8fd
to
bbf8c49
Compare
OP_PAIRCOMMITis the newest member of the LNhance family of opcodes. It provides limited vector commitment functionality in tapscript.When evaluated, the
OP_PAIRCOMMITinstruction:Discussion: https://delvingbitcoin.org/t/op-paircommit-as-a-candidate-for-addition-to-lnhance/1216/12