BIP 348: OP_CHECKSIGFROMSTACK #1535

pull reardencode wants to merge 1 commits into bitcoin:master from reardencode:csfs changing 2 files +149 −0
  1. reardencode commented at 6:32 pm on January 7, 2024: contributor

    This BIP is based on the BCH OP_CHECKDATASIG work, as well as postings from the bitcoin dev mailing list in this thread. Some differences appear due to the activation of bips 340, 341, and 342 (taproot) since those were developed.

    OP_CHECKSIGFROMSTACK is an OP_SUCCESS upgrade available only in BIP342 tapscript.

  2. reardencode force-pushed on Jan 13, 2024
  3. in bip-csfs.mediawiki:10 in 5df867cb87 outdated
     5+  Author: Brandon Black <freedom@reardencode.com>
     6+  Comments-Summary: No comments yet.
     7+  Status: Draft
     8+  Type: Standards Track
     9+  Created: 2023-12-22
    10+  License: PD
    


    ajtowns commented at 5:41 am on January 18, 2024:

    Why is Public Domain no longer acceptable for new BIPs?

    • In some jurisdictions, public domain is not recognised as a legitimate legal action, leaving the BIP simply copyrighted with no redistribution or modification allowed at all.
  4. in bip-csfs.mediawiki:21 in 5df867cb87 outdated
    16+signatures in bitcoin scripts against data other than bitcoin transactions.
    17+
    18+==Summary==
    19+
    20+We propose replacing OP_NOP5 (0xb4) in bitcoin script with
    21+<code>OP_CHECKSIGFROMSTACKVERIFY</code>. When verifying taproot script spends having
    


    Roasbeef commented at 1:29 am on April 23, 2024:
    Why split across two extension mechanisms instead of just focusing on the modern path (op success)?

    reardencode commented at 9:53 pm on April 24, 2024:

    Checking signatures from the stack is something that can be supported on all script types (i.e. is compatible with NOP upgrade), and there are use cases where segwit v0 scripts still make the most sense vs. tapscripts.

    If supporting legacy and segwitv0 where possible for new opcodes is not something that others value, switching CSFSV to an OP_SUCCESS upgrade would make sense.

  5. in bip-csfs.mediawiki:40 in 5df867cb87 outdated
    35+* The public key (top element), message (second to top element), and signature (third from top element) are read from the stack.
    36+* For <code>OP_CHECKSIGFROMSTACK</code> the top three elements are popped from the stack.
    37+* If the public key size is zero, the script MUST fail and terminate immediately.
    38+* If the public key size is 32 bytes, it is considered to be a public key as described in BIP340:
    39+** If the signature is not the empty vector, the signature is validated against the public key and message according to BIP340. Validation failure in this case immediately terminates script execution with failure.
    40+* For legacy and segwit v0 scripts, if the public key size is 33 bytes and its first byte is 0x02 or 0x03, it is considered a compressed public key as described in BIP137:
    


    Roasbeef commented at 1:32 am on April 23, 2024:
    Is the ref to BIP 137 here a typo? 137 is primarily about the old Bitcoin signed message scheme.

    reardencode commented at 9:44 pm on April 24, 2024:
    These legacy keys are no longer supported - sorry for the waste of time, this PR had gotten out of date while I was working on this document as a BIN
  6. in bip-csfs.mediawiki:42 in 5df867cb87 outdated
    37+* If the public key size is zero, the script MUST fail and terminate immediately.
    38+* If the public key size is 32 bytes, it is considered to be a public key as described in BIP340:
    39+** If the signature is not the empty vector, the signature is validated against the public key and message according to BIP340. Validation failure in this case immediately terminates script execution with failure.
    40+* For legacy and segwit v0 scripts, if the public key size is 33 bytes and its first byte is 0x02 or 0x03, it is considered a compressed public key as described in BIP137:
    41+** If the signature is not the empty vector, the signature is validated against the public key and message using ECDSA. Validation failure in this case immediately terminates script execution with failure.
    42+* If the public key size is not zero, and it is not a BIP340 public key, nor a BIP137 compressed public key; the public key is of an unknown public key type, and no actual signature verification is applied. During script execution of signature opcodes they behave exactly as known public key types except that signature validation is considered to be successful.
    


    Roasbeef commented at 1:34 am on April 23, 2024:
    Public key types were only introduced in segwit v1 (BIP 342), so this wouldn’t apply to a version of this op code that also exists under the segwit v0 paradigm.

    reardencode commented at 9:43 pm on April 24, 2024:
    Signature verification for CHECKSIGFROMSTACK is done the same regardless of the script context.
  7. in bip-csfs.mediawiki:49 in 5df867cb87 outdated
    44+** If the signature is the empty vector:
    45+*** For <code>OP_CHECKSIGFROMSTACKVERIFY</code>, the script MUST fail and terminate immediately.
    46+*** For <code>OP_CHECKSIGFROMSTACK</code>, an empty vector is pushed onto the stack, and execution continues with the next opcode.
    47+** If the signature is not the empty vector:
    48+*** For tapscript 0xc0, the opcode is counted towards the sigops budget as described in BIP341.
    49+*** For legacy and segwit v0, the opcode is counted towards the sigops limit, as described in BIP141
    


    Roasbeef commented at 1:36 am on April 23, 2024:
  8. in bip-csfs.mediawiki:51 in 5df867cb87 outdated
    46+*** For <code>OP_CHECKSIGFROMSTACK</code>, an empty vector is pushed onto the stack, and execution continues with the next opcode.
    47+** If the signature is not the empty vector:
    48+*** For tapscript 0xc0, the opcode is counted towards the sigops budget as described in BIP341.
    49+*** For legacy and segwit v0, the opcode is counted towards the sigops limit, as described in BIP141
    50+*** For <code>OP_CHECKSIGFROMSTACKVERIFY</code>, execution continues without any further changes to the stack.
    51+*** For <code>OP_CHECKSIGFROMSTACK</code>, a 1-byte value 0x01 is pushed onto the stack.
    


    Roasbeef commented at 1:43 am on April 23, 2024:

    I wonder if there’s a use for a OP_CHECKSIGFROMSTACKADD variant…

    So something that would be compatible with usage of OP_CHECKSIGADD. On the other hand, it is possible to replicate such behavior with OP_CHECKSIGFROMSTACK in combination with other existing op codes, eg:

    0OP_TOALTSTACK (assuming the number N is on the top of the stack)
    1<pubkey> OP_CHECKSIGFROMSTACK
    2OP_IF
    3    OP_DROP (drop the 0x01 pushed in the success case)
    4    OP_FROMALTSACK (bring back the accumulator) 
    5    1 OP_ADD (acc += 1)
    6OP_ELSE
    7    OP_DROP (drop the empty vector) 
    8    OP_FROMALTSACK (put unchanged accumulator back on the stack)
    9OP_ENDIF
    

    reardencode commented at 9:56 pm on April 24, 2024:

    Yep. I had the same internal conversation and concluded that the rare cases where CSFSA behavior is needed using the altstack is an acceptable alternative.

    Compared to standard CHECKSIG where CHECKMULTISIG was in active use on legacy/segwitv0 wallets, new wallets or protocols built on CSFS are much more likely to use MuSig2 or FROST when multiple signers are insolved, or (as BitGo’s 2-of-3 MuSig2/tapscript wallet does) to have the different signing combinations split between tapscript paths where CSFSV+CSFS are more efficient than CSFSA.


    reardencode commented at 3:17 pm on November 26, 2024:
    Keeping this BIP to 1 opcode. Other CSFS(A/V) variants can be added later if they are specifically needed.
  9. jonatack added the label New BIP on Apr 23, 2024
  10. in bip-csfs.mediawiki:105 in 5df867cb87 outdated
    100+
    101+TBD
    102+
    103+==Credits==
    104+
    105+Reference implementation was made with reference to the implementation in
    


    Roasbeef commented at 2:08 am on April 24, 2024:
    Perhaps this should also credit Jeremy (as he made a mailing list post soliciting feedback for a design in 2021), and also the authors of the proposal he directly references in the ML?
  11. reardencode force-pushed on Apr 24, 2024
  12. reardencode force-pushed on Apr 24, 2024
  13. reardencode force-pushed on Apr 24, 2024
  14. reardencode commented at 9:59 pm on April 24, 2024: contributor
    Updated to match the BIN, and with @Roasbeef ’s comments. TYVM!
  15. jonatack added the label Needs number assignment on Apr 24, 2024
  16. reardencode force-pushed on Apr 25, 2024
  17. reardencode force-pushed on Apr 25, 2024
  18. in bip-csfs.md:9 in 0267f3fe47 outdated
    0@@ -0,0 +1,122 @@
    1+| BIP-XXXX   | `CHECKSIGFROMSTACK`
    2+| :--------- | :------------------
    3+| Layer      | Consensus (soft fork)
    4+| Author     | Brandon Black <freedom@reardencode.com>, Jeremy Rubin <j@rubin.io>
    5+| Discussion | https://delvingbitcoin.org/t/lnhance-bips-and-implementation/376/9
    6+| Status     | Draft
    7+| Type       | Standards Track
    8+| Created    | 2023-12-22
    9+| License    | BSD-3-CLAUSE
    


    murchandamus commented at 7:18 pm on May 1, 2024:
    Please use the preamble format specified in BIP2.
  19. murchandamus added the label PR Author action required on May 8, 2024
  20. reardencode force-pushed on May 14, 2024
  21. reardencode commented at 9:50 pm on May 14, 2024: contributor

    Fixed preamble.

    There’s still 2 open conversations around this one:

    • Should it add CSFSA (after discussions in ATX with Rusty and Rob, I’m inclined to add it)
    • Should CSFSV be tapscript only (I’m inclined to add this functionality to legacy scripts as well, but may be in the minority there)

    I’ll post on the mailing list for additional opinions on these topics, but not sure whether it makes sense for the BIP to get numbered and merged as is while still potentially subject to those revisions.

  22. murchandamus commented at 3:06 pm on May 22, 2024: contributor
    @reardencode: If you feel that your proposal is not ready to be merged, please convert the pull request to a Draft.
  23. murchandamus removed the label Needs number assignment on May 22, 2024
  24. in bip-csfs.md:33 in a15c86aab2 outdated
    30+other key lengths no signature verification is performed.
    31+
    32+## Specification
    33+
    34+* If fewer than 3 elements are on the stack, the script MUST fail and terminate immediately.
    35+* The public key (top element), message (second to top element), and signature (third from top element) are read from the stack.
    


    ProofOfKeags commented at 7:21 pm on May 22, 2024:

    nit: I’d like to offer the suggestion that the push order goes:

    <msg> <sig> <key> instead of <sig> <msg> <key>. The current CHECKSIG ordering is <sig> <key> and it seems odd to me that we would make the CSFS opcode put the msg between these other pushes. Alternatively you could go <sig> <key> <msg> and it would seem to me as equally intuitive. As is though it feels like a gotcha.

    Is there a specific reason this choice was made that I hadn’t considered?


    reardencode commented at 9:21 pm on June 5, 2024:

    Anything that comes from the input stack should be before things that are provided by the locking script, so sig definitely comes first. Depending on particulars msg might come from the input stack or the locking script, and key always comes from the locking script. Examples:

    • <delegate-sig> <sig> <delegate-key> || DUP TOALT <key> CSFS VERIFY FROMALT CHECKSIG
    • <sig> <hash> || CTV <key> CSFS
    • <sig> || <flags> TXHASH <key> CSFS
    • <sig> <settlement-hash> <update-hash> || CTV SHA256 CAT <key> CSFS

    ProofOfKeags commented at 6:05 pm on June 7, 2024:

    Retracted.

    I understand the general direction of what you’re getting at but I have to admit that I’m not following the specific use cases where <msg> might come from the witness instead of the script. It makes sense to me why you’d want <msg> in the script, what’s lest clear is under what conditions it is useful to let the witness define it.


    reardencode commented at 6:11 pm on June 7, 2024:

    In any kind of delegation (see the first example above) the message is provided by the witness (i.e. the thing you’re delegating to by signing). Here’s a powerful example:

    <delegate_sig> <sig> <delegate_pubkey> <locktime> || CLTV SHA256 CAT <pubkey> CSFS VERIFY CHECKSIG

    Delegate to a key but only after <locktime>, with different locktimes per delegate key.


    ProofOfKeags commented at 6:41 pm on June 7, 2024:

    Forgive me but I have to expand this out because it doesn’t make sense to me:

    Witness:

    1. delegate signature is pushed onto the stack: <delegate_sig>
    2. the signature authorizing the delegate is pushed: <delegate_sig> <authorizing_sig>
    3. the delegate pubkey is pushed: <delegate_sig> <authorizing_sig> <delegate_pubkey>
    4. locktime is pushed: <delegate_sig> <authorizing_sig> <delegate_pubkey> <locktime>

    Script: 5. locktime is checked: <delegate_sig> <authorizing_sig> <delegate_pubkey> <locktime> 6. locktime is hashed: <delegate_sig> <authorizing_sig> <delegate_pubkey> <locktime_hash> 7. locktime hash combined with delegate pubkey: <delegate_sig> <authorizing_sig> <delegate_pubkey || locktime_hash> 8. authorizing pubkey is pushed: <delegate_sig> <authorizing_sig> <delegate_pubkey || locktime_hash> <authorizing_pubkey> 9. CSFS(V) operation(s) checks that the delegate pubkey is authorized after the locktime by checking the key || locktime message was signed by authorizing_sig: <delegate_sig> 10. CHECKSIG operation fails because we don’t have a key? Maybe you forgot a dup somewhere? Maybe I don’t understand script as well as I thought? idk.

    Assuming this is roughly what you meant, then I’d imagine in this case the authorizing signature would be pre-signed and distributed. Then at transaction time the delegate presents the authorizing signature along with their key and assigned locktime.

    Assuming all of this is a fair reading, then I think I get what you mean with <msg> having an interesting use case wherein it could be:

    1. provided by the script
    2. provided by the witness
    3. collaboratively derived from witness and script participation.

    … which seems pretty cool. I’d love if you can correct either my understanding or your example for completeness, but otherwise I’m satisfied with this and this thread can be resolved.


    reardencode commented at 6:25 am on November 26, 2024:

    Sorry for the long delay. You’re quite correct that the example I gave does not work. Apparently I should have waited for Taproot Wizards new neovim script plugin. I believe this works for 3 more opcodes :(

    <sig> <delegate_sig> <delegate_pubkey> <locktime> || CLTV SHA256 OVER CAT TOALT CHECKSIGVERIFY FROMALT <pubkey> CSFS

    1. the signature authorizing the delegate is pushed: <authorizing_sig>
    2. delegate signature is pushed onto the stack: <authorizing_sig> <delegate_sig>
    3. the delegate pubkey is pushed: <authorizing_sig> <delegate_sig> <delegate_pubkey>
    4. locktime is pushed: <authorizing_sig> <delegate_sig> <delegate_pubkey> <locktime>
    5. locktime is checked: <authorizing_sig> <delegate_sig> <delegate_pubkey> <locktime>
    6. locktime is hashed: <authorizing_sig> <delegate_sig> <delegate_pubkey> <locktime_hash>
    7. delegate pubkey is copied over: <authorizing_sig> <delegate_sig> <delegate_pubkey> <locktime_hash> <delegate_pubkey>
    8. locktime hash combined with delegate pubkey: <authorizing_sig> <delegate_sig> <delegate_pubkey> <locktime_hash || delegate_pubkey>
    9. concatenation is moved to alt stack: <authorizing_sig> <delegate_sig> <delegate_pubkey>
    10. CHECKSIGVERIFY validates the signature from the delegated key: <authorizing_sig>
    11. concatenation is moved from alt stack: <authorizing_sig> <locktime_hash || delegate_pubkey>
    12. authorizing pubkey is pushed: <authorizing_sig> <locktime_hash || delegate_pubkey> <authorizing_pubkey>
    13. CSFS operation(s) checks that the delegate pubkey is authorized after the locktime by checking the locktime || key message was signed by authorizing_sig: TRUE

    Thanks for checking the script.

  25. Jesus5432 approved
  26. murchandamus marked this as a draft on Nov 7, 2024
  27. murchandamus commented at 7:48 pm on November 7, 2024: contributor
    I converted this to draft since @reardencode indicated that this would likely need more changes before being ready for number assignment and merge. Given that this hasn’t been updated in half a year, is this still in progress?
  28. reardencode commented at 9:40 pm on November 7, 2024: contributor

    Definitely still WIP. Just hasn’t been much reason to advance the conversation around the two specific questions I mentioned given the state of the broader conversation around bitcoin’s future consensus changes.

    I am a bit confused about the need to have those questions answered before merging. Is the intention of the BIPs repository only to hold final specifications for consensus changes, or to enable iterating on consensus changes before proposing a document for numbering and merging?

  29. jonatack commented at 3:32 pm on November 8, 2024: member
    @reardencode per your question in #1535 (comment) and above, the current process is that of BIP 2. Iteration while in Draft status seems to be expected, but a BIP may only change status from Draft to Proposed when the author deems it is complete. An incomplete and unofficial simplified requirement list might be: (for number assignment) dev ML discussion, is high-quality, technically sound and complete, keeps with Bitcoin philosophy, well-scoped, has motivation, accurate title, addresses backwards compatibility, no BIP number conflicts, and (for draft merge): preamble, acceptable copyright, complete header (with status and type, correct layer if provided).
  30. murchandamus commented at 10:03 pm on November 8, 2024: contributor

    I am a bit confused about the need to have those questions answered before merging. Is the intention of the BIPs repository only to hold final specifications for consensus changes, or to enable iterating on consensus changes before proposing a document for numbering and merging?

    You had written above

    I’ll post on the mailing list for additional opinions on these topics, but not sure whether it makes sense for the BIP to get numbered and merged as is while still potentially subject to those revisions.

    which I interpreted as a request to hold off while the situation might still be developing. I take it that I misunderstood you?

  31. reardencode commented at 9:41 pm on November 14, 2024: contributor

    which I interpreted as a request to hold off while the situation might still be developing. I take it that I misunderstood you?

    Gotcha. Yeah, I honestly just don’t know whether it makes sense to number and merge the BIP with outstanding questions like those or not. Since we’re back in motion LNHANCE, I’ll follow through and see what opinions appear :)

    Thanks!

  32. murchandamus commented at 9:51 pm on November 14, 2024: contributor

    @reardencode: Preferably, as much as possible of the proposal is in place before it is put forth for an Editor review. Open questions tend to signal that a BIP may still be developing directionally and editors may be holding off due to that. ;)

    If the open questions concern minor details, or have been resolved, please let us know that it is ready for an editor review.

  33. moonsettler commented at 10:22 am on November 15, 2024: contributor

    There’s still 2 open conversations around this one:

    * Should it add CSFSA (after discussions in ATX with Rusty and Rob, I'm inclined to add it)
    
    * Should CSFSV be tapscript only (I'm inclined to add this functionality to legacy scripts as well, but may be in the minority there)
    

    For what it’s worth, I also think signature aggregation will be the dominant form of CSFS use. LNhance at it’s core is CTV + CSFS, and so it makes sense to have both of those available in pre-tapscript.

    No strong opinion on CHECKSIGFROMSTACKADD, agree with the general reasoning.

    It’s a bit weird to backport Schnorr this way, and the NOP upgrade path leaving 3 elements on the stack is also unfortunate. On the other hand, reverting CSFSV to use ECDSA in pre-tapscript would force us to consider implementing script multisig, to do anything really worthwhile there.

  34. moonsettler commented at 9:31 pm on November 23, 2024: contributor

    Posted this on the ML, but also adding here too. I think we are getting very close to finalizing this proposal.

    Can anyone think of a reason to keep OP_CHECKSIGFROMSTACKVERIFY as NOP5 available in legacy script?

    Currently Brandon and I are leaning towards simply removing CSFSV from LNhance and from the CSFS BIP.

    Reasoning:

    • CSFS is more likely to be used in Symmetry
    • In case where CSFSV is desired OP_CSFS OP_VERIFY is perfectly workable.
    • Simplifies code
    • Don’t have an actual use case for CSFSV in legacy rn
    • Upgradeable NOPs are scarce
    • Backporting tapscript would bring all functionality to legacy
  35. reardencode force-pushed on Nov 26, 2024
  36. reardencode force-pushed on Nov 26, 2024
  37. moonsettler commented at 9:22 am on November 26, 2024: contributor
    Can we change the name of this PR and remove (VERIFY) to more accurately reflect the latest state of the proposal?
  38. reardencode force-pushed on Nov 26, 2024
  39. reardencode renamed this:
    Add bip-csfs OP_CHECKSIGFROMSTACK(VERIFY)
    Add bip-csfs OP_CHECKSIGFROMSTACK
    on Nov 26, 2024
  40. reardencode commented at 3:18 pm on November 26, 2024: contributor
    Updated with an additional example, removed CSFSV, and all earlier review comments addressed.
  41. reardencode marked this as ready for review on Nov 26, 2024
  42. in bip-csfs.md:15 in 426eb8912d outdated
    10+License: BSD-3-CLAUSE
    11+```
    12+
    13+## Abstract
    14+
    15+This BIP describes two new opcodes for the purpose of checking cryptographic
    


    murchandamus commented at 5:56 pm on November 26, 2024:

    I think this was overlooked after CSFSV got removed:

    0This BIP describes a new opcode for the purpose of checking cryptographic
    
  43. in bip-csfs.md:24 in 426eb8912d outdated
    19+
    20+When verifying taproot script spends having leaf version 0xc0 (as defined in
    21+[BIP 342]), we propose `OP_CHECKSIGFROMSTACK` to replace `OP_SUCCESS204`
    22+(0xcc).
    23+
    24+`OP_CHECKSIGFROMSTACKVERIFY` has semantics similar to `OP_CHECKSIG`, as
    


    murchandamus commented at 6:03 pm on November 26, 2024:
    This mentions OP_CSFSV, was that supposed to say just OP_CHECKSIGFROMSTACK or is this sentence obsolete?
  44. in bip-csfs.md:49 in 426eb8912d outdated
    44+
    45+## Design Considerations
    46+
    47+1. Message hashing: [BIP 340] is compatible with any size of message and does not require it to be a securely hashed input, so the message is not hashed prior to [BIP 340] verification.
    48+2. Lack of verify semantics: Adding a single opcode for this purpose keeps the implementation and design simple. An earlier draft had a verify variant as a NOP upgrade, and if this funcationality is later brought to legacy scripts, that would be a good time to add a verify variant.
    49+3. Add/multisig: No concession is made to `OP_CHECKMULTISIG` or `OP_CHECKSIGADD` semantics with `OP_CHECKSIGFROMSTACK(VERIFY)`. In Tapscript, add semantics can be implemented with 1 additional vByte per key (`OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD`).
    


    murchandamus commented at 6:03 pm on November 26, 2024:

    Is this “(VERIFY)” obsolete or shorthand for OP_CSFS OP_VERIFY here?

    03. Add/multisig: No concession is made to `OP_CHECKMULTISIG` or `OP_CHECKSIGADD` semantics with `OP_CHECKSIGFROMSTACK`. In Tapscript, add semantics can be implemented with 1 additional vByte per key (`OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD`).
    
  45. in bip-csfs.md:28 in 426eb8912d outdated
    23+
    24+`OP_CHECKSIGFROMSTACKVERIFY` has semantics similar to `OP_CHECKSIG`, as
    25+specified below.
    26+
    27+Only 32-byte keys are constrained. Similar to [BIP 341] unknown key types, for
    28+other key lengths no signature verification is performed.
    


    murchandamus commented at 6:07 pm on November 26, 2024:
    This feels a bit out-of-context because keys have not been mentioned at all so far.
  46. in bip-csfs.md:38 in 426eb8912d outdated
    33+* The public key (top element), message (second to top element), and signature (third from top element) are read from the stack.
    34+* The top three elements are popped from the stack.
    35+* If the public key size is zero, the script MUST fail and terminate immediately.
    36+* If the public key size is 32 bytes, it is considered to be a public key as described in [BIP 340]:
    37+    * If the signature is not the empty vector, the signature is validated against the public key and message according to [BIP 340]. Validation failure in this case immediately terminates script execution with failure.
    38+* If the public key size is not zero, and it is not a [BIP 340] public key; the public key is of an unknown public key type, and no actual signature verification is applied. During script execution of signature opcodes they behave exactly as known public key types except that signature validation is considered to be successful.
    


    murchandamus commented at 6:25 pm on November 26, 2024:

    I’m not sure whether this is intentional, but previously we treat a 32-byte key as a BIP 340 public key. I assume if it were out-of-range, the signature validation would fail. However here, rather than repeating that the lengths 0-byte and 32-byte are excluded, the criterion appears to be “not zero and not a BIP 340 public key”. I assume this is covered by the previous line, but what if a 32-byte value were provided that is out of range, would this line apply or not?

    Is it possible that this should read:

    0* If the public key size is not zero bytes and not 32 bytes; the public key is of an unknown public key type. Signature verification for unknown public key types succeeds as if signature verification for a known public key type had succeeded.
    

    reardencode commented at 7:00 pm on November 26, 2024:
    I believe I copied that text from BIP340. Your wording is more clear.
  47. in bip-csfs.md:50 in 426eb8912d outdated
    45+## Design Considerations
    46+
    47+1. Message hashing: [BIP 340] is compatible with any size of message and does not require it to be a securely hashed input, so the message is not hashed prior to [BIP 340] verification.
    48+2. Lack of verify semantics: Adding a single opcode for this purpose keeps the implementation and design simple. An earlier draft had a verify variant as a NOP upgrade, and if this funcationality is later brought to legacy scripts, that would be a good time to add a verify variant.
    49+3. Add/multisig: No concession is made to `OP_CHECKMULTISIG` or `OP_CHECKSIGADD` semantics with `OP_CHECKSIGFROMSTACK(VERIFY)`. In Tapscript, add semantics can be implemented with 1 additional vByte per key (`OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD`).
    50+4. Splitting R/S on the stack: Implementing split/separate signatures is left as an exercise for other bitcoin upgrades, such as `[BIP 347]`.
    


    murchandamus commented at 6:28 pm on November 26, 2024:

    It would be easier to follow if the title of BIP 347 were mentioned:

    04. Splitting R/S on the stack: Implementing split/separate signatures is left as an exercise for other bitcoin upgrades, such as [BIP 347] (OP_CAT).
    

    It also isn’t clear to me why this link text is code formatted.

  48. in bip-csfs.md:51 in 426eb8912d outdated
    46+
    47+1. Message hashing: [BIP 340] is compatible with any size of message and does not require it to be a securely hashed input, so the message is not hashed prior to [BIP 340] verification.
    48+2. Lack of verify semantics: Adding a single opcode for this purpose keeps the implementation and design simple. An earlier draft had a verify variant as a NOP upgrade, and if this funcationality is later brought to legacy scripts, that would be a good time to add a verify variant.
    49+3. Add/multisig: No concession is made to `OP_CHECKMULTISIG` or `OP_CHECKSIGADD` semantics with `OP_CHECKSIGFROMSTACK(VERIFY)`. In Tapscript, add semantics can be implemented with 1 additional vByte per key (`OP_TOALTSTACK OP_CHECKSIGFROMSTACK OP_FROMALTSTACK OP_ADD`).
    50+4. Splitting R/S on the stack: Implementing split/separate signatures is left as an exercise for other bitcoin upgrades, such as `[BIP 347]`.
    51+5. [BIP 118]-style Taproot internal key: Rather than introducing an additional key type in this change, we suggest implementing [BIP 349] or separately introducing that key type for all Tapscript signature checking operations in a separate change.
    


    murchandamus commented at 6:34 pm on November 26, 2024:

    I expect that not all readers know all BIP numbers by heart, so it might be easier to follow if proposals were referred to by name rather than just number:

    05. APO-style ([BIP 118]) Taproot internal key: Rather than introducing an additional key type in this change, we suggest implementing `OP_INTERNALKEY` ([BIP 349]) or separately introducing that key type for all Tapscript signature checking operations in a separate change.
    

    Note that the latter link is currently broken, because BIP 349 is not merged yet.


    murchandamus commented at 6:59 pm on November 26, 2024:
    Ah, my bad, it’s not that it’s not merged, but that it is a markdown file rather than mediawiki.

    reardencode commented at 7:07 pm on November 26, 2024:
    am confused, the PR shows merged.

    reardencode commented at 7:08 pm on November 26, 2024:
    ah, had the link wrong - md
  49. in bip-csfs.md:64 in 426eb8912d outdated
    59+## Motivation
    60+
    61+### LN Symmetry
    62+
    63+When combined with [BIP 119] (`OP_CHECKTEMPLATEVERIFY`/CTV),
    64+`OP_CHECKSIGFROMSTACK` (CSFS) can be used in Lightning Symmetry channels.
    


    murchandamus commented at 6:36 pm on November 26, 2024:

    What do you mean with “can be used in Lightning Symmetry channels”? Do you mean that the two opcodes together can replicate the behavior of APO?

    0When combined with [BIP 119] (`OP_CHECKTEMPLATEVERIFY`/CTV),
    1`OP_CHECKSIGFROMSTACK` (CSFS) can be used to implement Lightning Symmetry channels.
    
    0When combined with [BIP 119] (`OP_CHECKTEMPLATEVERIFY`/CTV),
    1`OP_CHECKSIGFROMSTACK` (CSFS) can be used to replicate Lightning Symmetry channels.
    

    reardencode commented at 7:10 pm on November 26, 2024:
    For the purposes of Lightning Symmetry, when not attempting to build an alternative Lightning Symmetry that has endogenous fees, CSFS+CTV are a minimal substitute for APO. CSFS+CTV+PC+IKEY (LNHANCE) are byte-wise and composability-wise better substitute to APO.

    reardencode commented at 7:14 pm on November 26, 2024:
    Added a brief summary of this to the BIP
  50. in bip-csfs.md:16 in 426eb8912d outdated
    11+```
    12+
    13+## Abstract
    14+
    15+This BIP describes two new opcodes for the purpose of checking cryptographic
    16+signatures in bitcoin scripts against data other than bitcoin transactions.
    


    murchandamus commented at 6:41 pm on November 26, 2024:

    I’m not sure “other than bitcoin transactions” is accurate. Would perhaps this fit better?

    0signatures in bitcoin scripts against data on the stack.
    
  51. in bip-csfs.md:9 in 426eb8912d outdated
    0@@ -0,0 +1,133 @@
    1+```
    2+BIP: XXX
    3+Layer: Consensus (soft fork)
    4+Title: CHECKSIGFROMSTACK
    5+Author: Brandon Black <freedom@reardencode.com>, Jeremy Rubin <j@rubin.io>
    6+Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-XXXX
    7+Status: Draft
    8+Type: Standards Track
    9+Created: 2023-12-22
    


    murchandamus commented at 6:43 pm on November 26, 2024:
    0Created: 2024-11-26
    
  52. murchandamus commented at 6:46 pm on November 26, 2024: contributor
    Let’s call this BIP 348.
  53. murchandamus renamed this:
    Add bip-csfs OP_CHECKSIGFROMSTACK
    BIP 348: OP_CHECKSIGFROMSTACK
    on Nov 26, 2024
  54. reardencode force-pushed on Nov 26, 2024
  55. reardencode force-pushed on Nov 26, 2024
  56. in bip-0348.md:127 in 7676dda845 outdated
    122+
    123+[BIP 341]: https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki
    124+
    125+[BIP 342]: https://github.com/bitcoin/bips/blob/master/bip-0342.mediawiki
    126+
    127+[BIP 349]: https://github.com/bitcoin/bips/blob/master/bip-0349.mediawiki
    


    murchandamus commented at 6:59 pm on November 26, 2024:
    0[BIP 349]: https://github.com/bitcoin/bips/blob/master/bip-0349.md
    
  57. reardencode force-pushed on Nov 26, 2024
  58. reardencode force-pushed on Nov 26, 2024
  59. reardencode force-pushed on Nov 26, 2024
  60. reardencode force-pushed on Nov 26, 2024
  61. reardencode force-pushed on Nov 26, 2024
  62. Add BIP 0348 - CHECKSGIFROMSTACK d2932bd00d
  63. reardencode force-pushed on Nov 26, 2024
  64. reardencode commented at 7:26 pm on November 26, 2024: contributor

    I believe I’ve addressed your comments. Thanks much!

    Would love you to read over the new text I added in the Lightning Symmetry section.

  65. reardencode requested review from murchandamus on Nov 26, 2024
  66. murchandamus commented at 7:35 pm on November 26, 2024: contributor

    Would love you to read over the new text I added in the Lightning Symmetry section.

    LGTM

    Nit: In the future, if you don’t reposition all the linebreaks, it’s much easier to see what was changed in text. :nerd_face:

    I.e. it’s harder to discern what all the changes are in

     0-`OP_CHECKSIGFROMSTACK` (CSFS) can be used in Lightning Symmetry channels.
     1-The construction `OP_CHECKTEMPLATEVERIFY <pubkey> OP_CHECKSIGFROMSTACK` with a
     2-spend stack containing the CTV hash and a signature for it is logically
     3-equivalent to `<bip118_pubkey> OP_CHECKSIG` and a signature over
     4-`SIGHASH_ALL|SIGHASH_ANYPREVOUTANYSCRIPT`. The `OP_CHECKSIGFROMSTACK`
     5-construction is 8 vBytes larger.
     6+`OP_CHECKSIGFROMSTACK` (CSFS) can be used to implement Lightning Symmetry
     7+channels. The construction `OP_CHECKTEMPLATEVERIFY <pubkey>
     8+OP_CHECKSIGFROMSTACK` with a spend stack containing the CTV hash and a
     9+signature for it is logically equivalent to `<bip118_pubkey> OP_CHECKSIG` and
    10+a signature over `SIGHASH_ALL|SIGHASH_ANYPREVOUTANYSCRIPT`. The
    11+`OP_CHECKSIGFROMSTACK` construction is 8 vBytes larger.
    

    than in

    0-`OP_CHECKSIGFROMSTACK` (CSFS) can be used in Lightning Symmetry channels.
    1+`OP_CHECKSIGFROMSTACK` (CSFS) can be used to implement Lightning Symmetry channels.
    
  67. reardencode commented at 8:58 pm on November 26, 2024: contributor
    @murchandamus I believe moon and a couple others will take a look today, then I think this is G2G.
  68. moonsettler approved
  69. moonsettler commented at 9:32 pm on November 26, 2024: contributor

    ACK on the current content.

    Might want to consider mentioning the deleted key function verification scheme we learned from @bigspider?

    edit: Will add to PAIRCOMMIT instead! Since it needs multiple elements signed to work.

  70. murchandamus approved
  71. murchandamus commented at 6:29 pm on December 6, 2024: contributor

    I’m not sure whether you were still waiting for the other couple reviewers, but they can also take a look when it is a merged draft. The Rationale seems a bit concise, I would like to suggest that relevant questions and comments may still be added to this as they are brought up per coming review.

    Gonna merge this now, if you want to make further changes, please open another pull request.

  72. murchandamus merged this on Dec 6, 2024
  73. murchandamus closed this on Dec 6, 2024

  74. murchandamus removed the label PR Author action required on Dec 6, 2024
  75. Jesus5432 approved
  76. Jesus5432 approved

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-26 18:10 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me