OP_PAIRCOMMIT

moonsettler commented at 11:07 pm on November 11, 2024: none

OP_PAIRCOMMIT is the newest member of the LNhance family of opcodes. It provides limited vector commitment functionality in tapscript.

When evaluated, the OP_PAIRCOMMIT instruction:

pops the top two values off the stack,
takes the “PairCommit” tagged SHA256 hash of the stack elements,
pushes the resulting commitment on the top of the stack.

Discussion: https://delvingbitcoin.org/t/op-paircommit-as-a-candidate-for-addition-to-lnhance/1216/12

murchandamus commented at 4:32 pm on November 13, 2024: contributor

This document has a few formatting issues, please make sure that the preamble matches the BIP 2 requirements and take a look at the rich diff to see whether it looks the way you intend.

Please note that the BIPs repository also accepts markdown files.

moonsettler commented at 8:16 pm on November 13, 2024: none

Switched back to markdown. Header now in BIP-2 format.

moonsettler force-pushed on Nov 13, 2024

Add: PAIRCOMMIT f3f7f91d26

moonsettler force-pushed on Nov 13, 2024

moonsettler commented at 9:49 pm on November 13, 2024: none

The original create date of OP_PAIRCOMMIT is 2024-03-15 this is the latest revision based on feedback from Anthony Towns. https://gist.github.com/moonsettler/d7f1fb88e3e54ee7ecb6d69ff126433b/revisions What date should go to the header?

jonatack commented at 2:39 am on November 14, 2024: member

Added a discussion link to the PR description.

The original create date of OP_PAIRCOMMIT is 2024-03-15 this is the latest revision based on feedback from Anthony Towns. gist.github.com/moonsettler/d7f1fb88e3e54ee7ecb6d69ff126433b/revisions What date should go to the header?

Perhaps add a changelog with the revision based on Anthony Towns’ feedback followed by the initial version. Or use the date of the current draft revision as your starting point.

jonatack added the label New BIP on Nov 14, 2024

murchandamus commented at 3:51 pm on November 14, 2024: contributor

According to BIP 2:

The Created header records the date that the BIP was assigned a number, […]

moonsettler marked this as ready for review on Nov 14, 2024

Use <pre> formatting for header c06f7310f9

murchandamus commented at 10:10 pm on November 14, 2024: contributor

Has this proposal been sent to the mailing list?

Link PC from README 08ffb0303d

moonsettler commented at 10:16 pm on November 14, 2024: none

Has this proposal been sent to the mailing list?

~~Not yet. Wanted to get it into an acceptable shape before I post it there.~~

Proposed to the mailing list, waiting for feedback.

in README.mediawiki:1270 in 08ffb0303d outdated

1266@@ -1267,6 +1267,13 @@ Those proposing changes should consider that ultimately consent may rest with th
1267 | Gloria Zhao
1268 | Informational
1269 | Draft
1270+|- style="background-color: #cfffcf"

murchandamus commented at 3:15 pm on November 15, 2024:

For Draft status PRs the background color is not specified

0|-

in README.mediawiki:1273 in 08ffb0303d outdated

1266@@ -1267,6 +1267,13 @@ Those proposing changes should consider that ultimately consent may rest with th
1267 | Gloria Zhao
1268 | Informational
1269 | Draft
1270+|- style="background-color: #cfffcf"
1271+| [[bip-PC.md|PC]]
1272+| Consensus (soft fork)
1273+| PAIRCOMMIT

murchandamus commented at 3:15 pm on November 15, 2024:

This has to match the title header in the preamble:

0| OP_PAIRCOMMIT

in bip-PC.md:39 in 08ffb0303d outdated

34+
35+If `OP_CAT` was available, it could be used to combine multiple stack elements,
36+that get verified with `OP_CHECKSIGFROMSTACK` as a valid state update.
37+
38+`OP_PAIRCOMMIT` solves this specific problem without introducing a wide range
39+of potentially controversial new behaviors, such as novel 2-way peg mechanisms.

murchandamus commented at 3:17 pm on November 15, 2024:

It sounds like OP_PAIRCOMMIT is closely related to CAT and CSFS. Could you perhaps expand on the related work and design decisions in a Rationale section?

moonsettler commented at 3:44 pm on November 15, 2024:

Alternatives we discussed:

OP_CAT
Merkle operation opcodes
SHA256 streaming opcodes
‘Kitty’ CAT (result or inputs limited in size to try disable introspection and arithmetic extension uses)
OP_CTV also commiting to the taproot annex in tapscript
OP_CHECKSIGFROMSTACK variant on n elements as message instead of 1
OP_VECTORCOMMIT (decoupling above behavior)

Finally after weighing everything OP_PAIRCOMMIT was the simplest addition that got what we needed exactly in the most efficient way. It’s a minimal code change, very easy to reason about. Therefore we expect it to be the least controversial option.

Sadly a lot of the discussion is all over the place and on unsearchable mediums.

murchandamus commented at 9:45 pm on November 15, 2024:

That’s why I am suggesting that this proposal should collect some of that information.

moonsettler commented at 10:14 pm on November 15, 2024:

I would prefer to keep it simple and to the point. Added a more brief rationale section. Could do a more in depth recollection on what we learned and why certain alternatives fell out of favor on a delving thread we link from here, if people are actually curious.

Fix: README

Remove style, Correct title

40f0b0f3e4

in bip-PC.md:134 in 40f0b0f3e4 outdated

129+## Reference Implementation
130+
131+A reference implementation is provided here:
132+
133+https://github.com/lnhance/bitcoin/pull/6/files
134+

moonsettler commented at 4:30 pm on November 15, 2024:

Rationale

If OP_CAT was available, it could be used to combine multiple stack elements, that get verified with OP_CHECKSIGFROMSTACK as a valid state update.

OP_PAIRCOMMIT solves this specific problem without introducing a wide range of potentially controversial new behaviors, such as novel 2-way peg mechanisms.

Alternatives discussed

OP_CAT

OP_CAT allows for fine grained introspection possibly bigint operations and extending the arithmetic capabilities of bitcoin script using lookup tables.

SHA256 streaming opcodes

These would predictably allow for the same functionality as OP_CAT for introspection purposes, since verification of a computation is largely equivalent with carrying it out. Bigint and new arithmetic operations would be hard or even impossible.

Merkle operation opcodes

These would be of very limited general use and hard to rationalize without OP_CAT. Their complexity and resource cost is hard to justified for vector commitments only. Compatibility considerations with taproot MAST were also hard to resolve without knowing what other opcodes may be activated in the future.

‘Kitty’ CAT (result or inputs limited in size)

The original idea would have limited the maximum size of OP_CAT output to a size that is smaller than the smallest sighash preimage, thus disabling the introspection capabilities and trivial ways to extend the arithmetic repertoir of bitcoin script. This turned out to be an awkward, arbitrary and offering weak .

OP_CHECKTEMPLATEVERIFY commiting to the taproot annex in tapscript

A CTV template can be considered a sighash, however relaxing the relay policy to take advantage of this change would make various endogenous asset protocols more efficient, and therefore be controversial. There is also no consensus on how to use or how to structure the annex.

OP_CHECKSIGFROMSTACK on n elements as message

This was previosuly discussed and also implemented, it complicates the code and is a pretty arbitrary coupling of behaviors.

OP_VECTORCOMMIT

The obvious generalized solution for committing to n stack elements, however it involves looping and hard to argue about setting the proper limits to it.

moonsettler force-pushed on Nov 15, 2024

Add: Rationale section dfb0670660

moonsettler force-pushed on Nov 15, 2024

OP_PAIRCOMMIT #1699

Rationale

Alternatives discussed