Update BIP 118 for taproot, rename to ANYPREVOUT #943

ajtowns commented at 9:33 PM on July 9, 2020: contributor

Lots of updates to BIP 118 in light of taproot. cc @cdecker

in bip-0118.mediawiki:87 in 0561aaf8d5 outdated

 182 | +* <code>SIGHASH_ANYPREVOUTANYSCRIPT = 0xc0</code>
 183 | +
 184 | +As per [[bip-0341.mediawiki|BIP 341]], the parameter ''ext_flag'' is an integer in the range 0-127, used for indicating that extensions are added at the end of the message. The parameter ''key_version'' is an 8-bit unsigned value (an integer in the range 0-255) used for committing to the public key version.
 185 | +
 186 | +The following restrictions apply and cause validation failure if violated:
 187 | +* Using any undefined ''hash_type'' (not ''0x00'', ''0x01'', ''0x02'',  ''0x03'', ''0x41'', ''0x42'', ''0x43', ''0x81'', ''0x82'', ''0x83', ''0xc1'', ''0xc2'', or ''0xc3'.

harding commented at 12:08 PM on July 10, 2020:

Nits: Unclosed italics on 0x43, 0x83, and 0xc3. Also unclosed parenthesis at end of link of hash types.

harding commented at 12:35 PM on July 10, 2020: contributor

Gave it a quick read and didn't spot anything objectionable. One micro-nit.

mcelrath commented at 1:31 AM on July 11, 2020: none

I suggest that you get a new BIP number for ANYPREVOUT and add "not recommended for implementation" to bip118 (including reasoning, please ;-).

The two approaches are conceptually distinct and it's worth keeping the other idea around for historical purposes, even if it's not pursued going forward. BIP118 as a segwit version has been around for over 3 years now.

Please just give us one or the other! We're dying out here! ;-)

harding commented at 6:20 AM on July 11, 2020: contributor

The two approaches are conceptually distinct and it's worth keeping the other idea around for historical purposes

Concept ACK for updating. The original BIP118 proposal will remain available via git history, so no information is lost by updating it. Noinput as its own separate segwit version never had any traction AFAICT---I think almost everyone has wanted this to be either a part of a larger soft fork or an add-on soft fork.

ajtowns force-pushed on Jul 13, 2020

cdecker commented at 2:23 PM on July 17, 2020: contributor

That was the rationale for proposing an update instead of leaving noinput lingering. noinput alone was lacking the details to make it work within taproot, and the update adds all the necessary details to make the proposal compatible with taproot. Given the timing of the taproot and the noinput proposal we tried to make the two independent by not adding any dependencies between them.

With taproot making good progress, and the shrinking probability of a raw noinput proposal without taproot integration making progress, it is desirable imho to replace the raw proposal with the integrated one.

luke-jr cross-referenced this on Aug 1, 2020 from issue Reject 118 (expired) by ysangkok

luke-jr added the label Proposed BIP modification on Aug 1, 2020

bitschmidty cross-referenced this on Aug 19, 2020 from issue link error by ZeevBB

luke-jr commented at 10:12 PM on August 20, 2020: member

poke @ajtowns @cdecker

in bip-0118.mediawiki:177 in c7c6a58b7a outdated

 271 | +It is expected that ANYPREVOUT signatures will only be rarely used in practice.
 272 | +Protocol and wallet designers should aim to have their transactions use Taproot key path spends whenever possible, both for efficiency reasons due to the lower transaction weight, but also for privacy reasons to avoid third parties being able to distinguish their transactions from those of other protocols.
 273 | +
 274 | +Transactions that do use ANYPREVOUT signatures will therefore reveal information about the transaction, potentially including that cooperation was impossible, or what protocol or software in use (due to the details of the script).
 275 | +
 276 | +In order to maximise privacy, it is therefore recommended that protocol designers only use BIP 118 public keys in scripts that will be spent using at least one ANYPREVOUT signature, and either use key path spends or alternate scripts in the taproot merkle tree for any spends that can be authorised without ANYPREVOUT signatures.

benthecarman commented at 7:11 AM on September 17, 2020:

nit: change these "ANYPREVOUT"s to "<code>ANYPREVOUT</code>"

benthecarman commented at 7:11 AM on September 17, 2020:

maximise

maximize

benthecarman commented at 7:12 AM on September 17, 2020:

authorised

authorized

remyers commented at 9:09 AM on September 17, 2020:

The z variants are the US spellings, the s variants common to the UK/Commonwealth. “England and America are two countries separated by the same language!” :-)

ajtowns commented at 10:14 PM on June 9, 2021:

I've left "ANYPREVOUT signatures" as regular text since it's talking about the concept, and only used <code> markup for SIGHASH_ANYPREVOUT and SIGHASH_ANYPREVOUTANYSCRIPT. I think that's reasonable, so keeping it that way at present... (Have made a couple of tweaks while rebasing though)

in bip-0118.mediawiki:167 in c7c6a58b7a outdated

 261 | +Further, for a chain of transactions using the same <code>scriptPubKey</code> and value, and only authenticated via ANYPREVOUT signatures (as envisioned in eltoo for failure cases), it may be possible for any third party to malleate the transactions (and their txids) without having access to any of the private keys, particularly by omitting intermediate transactions.
 262 | +
 263 | +This form of malleation can be dealt with by the child transactions also using ANYPREVOUT signatures -- when a parent transaction is malleated, its children can simply be adjusted to reference the new txid as the input and the ANYPREVOUT signatures remain valid.
 264 | +
 265 | +However child transactions that are authorised by a <code>SIGHASH_ALL</code> or <code>SIGHASH_ANYONECANPAY</code> signature will need new signatures if their inputs are malleated in this way.
 266 | +This risk may be mitigated somewhat by using [[bip-0068.mediawiki|BIP 68]]/[[bip-0112.mediawiki|BIP 112]] relative time locks before spending a UTXO that had been authorised via an ANYPREVOUT signature with <code>SIGHASH_ALL</code> or <code>SIGHASH_ANYONECANPAY</code>: a relative timelock can ensure that the inputs have enough confirmations that they can only be replaced in the event of a large block reorg.

benthecarman commented at 7:13 AM on September 17, 2020:

authorised

authorized

benthecarman changes_requested

benthecarman commented at 7:18 AM on September 17, 2020: contributor

It might be worth adding a section about recommendations for wallet devs on how to handle if funds are received to an address that has BIP 118 pub key, I would expect that they should immediately spend it to another address if they already given out a SIGHASH_ANYPREVOUTANYSCRIPT signature and do not want the newly received funds spendable by the parties with the signature.

cdecker commented at 2:26 PM on September 18, 2020: contributor

It might be worth adding a section about recommendations for wallet devs on how to handle if funds are received to an address that has BIP 118 pub key, I would expect that they should immediately spend it to another address if they already given out a SIGHASH_ANYPREVOUTANYSCRIPT signature and do not want the newly received funds spendable by the parties with the signature.

Our usual approach to this is "if you don't know how to handle ANYPREVOUT scripts you should not signal support for BIP118", and the wallets sending to you should never use BIP118". Having consumer wallets that do not require BIP118 support handle it is undesirable, and imho any guidance on how to handle them might give the contrary impression.

luke-jr commented at 5:30 PM on October 5, 2020: member

What is the status here? Can we merge it?

maaku commented at 10:13 AM on October 12, 2020: contributor

I just want to say that it is horribly confusing to have a standards document be completely rewritten to describe a totally different idea. This is a very atypical thing to do. If it's a new approach, please make a new BIP.

cdecker commented at 1:32 PM on October 12, 2020: contributor

It's not really new, it just adds the details for Taproot and addresses some concerns that have been raised during the discussion regarding replay-attacks. IMHO this is exactly the goal of updates to the BIPs.

luke-jr commented at 3:46 PM on October 12, 2020: member

Indeed, it's not like it was even Proposed yet, just a Draft.

cdecker commented at 3:58 PM on October 12, 2020: contributor

I'll soon have a bit more time to dig into BIP 118, and I have spoken with a number of people willing to join a review club to work through the proposal. If anybody is interested in joining a public discussion we can set something up :-)

But don't want to distract from the Taproot effort, which deserves all the attention it can get, and is the basis for anyprevout.

AndrejMitrovic cross-referenced this on Oct 20, 2020 from issue Implement proof of concept of Eltoo by AndrejMitrovic

instagibbs commented at 2:15 PM on June 9, 2021: member

I think now is a good time to revive public discussion efforts?

ajtowns force-pushed on Jun 9, 2021

ajtowns marked this as ready for review on Jun 9, 2021

ajtowns commented at 10:34 PM on June 9, 2021: contributor

Rebased, removed "draft" marker on PR, so should be okay for ACKs and eventual merge

kallewoof commented at 7:30 AM on June 11, 2021: member

There's a lot of style changes mixed in with contextual changes so it's hard to determine what is a style fix vs what is new content. It would be helpful if commit number 1 was a pure style tweak followed by the actual changes in subsequent commit(s).

ajtowns commented at 9:50 AM on June 11, 2021: contributor

There's a lot of style changes mixed in with contextual changes so it's hard to determine what is a style fix vs what is new content.

It's pretty much entirely new content, I don't think there's much you can extract as just a style fix?

in bip-0118.mediawiki:197 in 6b9316cd35 outdated

 300 | +As a soft fork, older software will continue to operate without modification.
 301 | +Nodes that have not upgraded to support [[bip-0341.mediawiki|BIP 341]] will see all taproot witness programs as anyone-can-spend scripts, and nodes that have upgraded to support [[bip-0341.mediawiki|BIP 341]] and [[bip-0342.mediawiki|BIP 342]] but not BIP 118 will simply treat any non-empty signature against a BIP 118 public key as valid.
 302 | +As such, nodes are strongly encourage to upgrade in order to fully validate signatures for the new public key type.
 303 | +
 304 | +Non-upgraded wallets can receive and send bitcoin from non-upgraded and upgraded wallets using SegWit version 0 programs, traditional pay-to-pubkey-hash, etc.
 305 | +Depending on the implementation, non-upgraded wallets may be able to send to SegWit version 1 programs if they support sending to [[bip-0173.mediawiki|BIP173]] Bech32 addresses and do not consider the outputs non-standard, and therefore prevent transaction broadcast.

benthecarman commented at 3:20 PM on June 11, 2021:

to send to SegWit version 1 programs if they support sending to [[bip-0173.mediawiki|BIP173]] Bech32 addresses

this is now BIP 350 bech32m addresses

JeremyRubin commented at 9:33 PM on June 11, 2021: contributor

Is there a current reference implementation?

Trying to figure out presently if the BIP is trying to imply a tap leaf with 0x01 CHECKSIG has the effect of being equivalent to <0x01 || internal key> checksig or not (it seems implied by the bip language but not explicit enough imo).

ajtowns commented at 12:48 PM on June 12, 2021: contributor

Is there a current reference implementation?

There's a reference implementation at https://github.com/ajtowns/bitcoin/tree/202101-anyprevout but it's not current both in that it's missing at least the change to have ANYPREVOUTANYSCRIPT not commit to the amount, is some months out of date, and may be buggy.

Trying to figure out presently if the BIP is trying to imply a tap leaf with 0x01 CHECKSIG has the effect of being equivalent to <0x01 || internal key> checksig or not (it seems implied by the bip language but not explicit enough imo).

I'm not sure what's unclear about:

To convert a 1-byte BIP 118 public key for use with BIP 340, simply use the 32-byte taproot internal key, p, as defined in BIP 341. To convert a 33-byte BIP 118 public key for use with BIP 340, simply remove the 0x01 prefix and use the remaining 32 bytes.

If your internal key is G, ie, "79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798" then doing either 210179BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798AC (push the 32-byte key prefixed by 0x01, then CHECKSIG) or 51AC (OP_1 and CHECKSIG) will result in a checksig operation against "G" as the BIP118 public key.

in bip-0118.mediawiki:193 in 00e0ef61a6 outdated

 296 | +This may be deployed as a soft-fork either concurrent with, or subsequent to the deployment of [[bip-0340.mediawiki|BIP 340]], [[bip-0341.mediawiki|BIP 341]] and [[bip-0342.mediawiki|BIP 342]].
 297 | +
 298 | +== Backwards compatibility ==
 299 | +
 300 | +As a soft fork, older software will continue to operate without modification.
 301 | +Nodes that have not upgraded to support [[bip-0341.mediawiki|BIP 341]] will see all taproot witness programs as anyone-can-spend scripts, and nodes that have upgraded to support [[bip-0341.mediawiki|BIP 341]] and [[bip-0342.mediawiki|BIP 342]] but not BIP 118 will simply treat any non-empty signature against a BIP 118 public key as valid.

JeremyRubin commented at 7:59 PM on June 12, 2021:

you use the word "simply" in the spec often, perhaps worth deleting as in most cases it doesn't clarify.

in bip-0118.mediawiki:70 in 00e0ef61a6 outdated

 164 | +* If the public key is the single byte <code>0x01</code>, or if the public key is 33 bytes and the first byte of the public key is <code>0x01</code>, it is considered to be a BIP 118 public key:
 165 | +** If the signature is not the empty vector, the signature is validated according to the [[bip-0341.mediawiki|BIP 341]] signing validation rules with the public key, allowable <code>hash_type</code> values, and transaction digest modified as defined below.
 166 | +
 167 | +==== Public key ====
 168 | +
 169 | +To convert a 1-byte BIP 118 public key for use with [[bip-0340.mediawiki|BIP 340]], simply use the 32-byte taproot internal key, <code>p</code>, as defined in [[bip-0341.mediawiki|BIP 341]].

JeremyRubin commented at 8:03 PM on June 12, 2021:

I think you could clarify here that it's not "a 1-byte BIP 118 public key" but 0x01 specifically?

JeremyRubin commented at 8:04 PM on June 12, 2021:

(this is why I missed it earlier)

ajtowns commented at 11:25 PM on June 12, 2021:

I've tweaked it to "the 1-byte BIP 118 public key" -- 1-byte versus 33-bytes is how the keys are defined in the immediately prior section (all BIP 118 keys begin with 0x01).

JeremyRubin commented at 3:14 PM on June 16, 2021:

This is more clear.

JeremyRubin commented at 8:15 PM on June 12, 2021: contributor

I'm not in love with the 0x01 to mean an anyprevout key based on the internal PK.

I think that this sort of mechanism is more generally useful (e.g., I imagine the script USE_INTERNAL CHECKSIGVERIFY SHA256 <H> EQUAL could be useful without APO because bip341 commits to the spend script).

I also think that 0x01 makes it so that there is a public key which is "computable" using script math, which is kind of weird (or at least merits consideration)? I mean I suppose <something> sha256 also is a 32 byte value, but conceivably finding d. dG == sha256(x) is hard?

ajtowns commented at 11:34 PM on June 12, 2021: contributor

I think that this sort of mechanism is more generally useful (e.g., I imagine the script USE_INTERNAL CHECKSIGVERIFY SHA256 <H> EQUAL could be useful without APO because bip341 commits to the spend script).

You could define the single-byte pubkey "0x81" (ie the value OP_1NEGATE pushes onto the stack) to be treated as the internal public key with the bip342 signature digest and get that sort of behaviour. The key and/or signature needs to encode what digest is going to be used however; but if you're happy for the signature to encode the digest, then just using the APO capable OP_1 with a non-ANYPREVOUT signature works.

I also think that 0x01 makes it so that there is a public key which is "computable" using script math, which is kind of weird (or at least merits consideration)? I mean I suppose <something> sha256 also is a 32 byte value, but conceivably finding d. dG == sha256(x) is hard?

CAT would also make public keys "computable" in this sense, except moreso since there would actually be multiple keys you could compute. But you can already write scripts that simply accept the pubkey as an input which is more flexible, and already in use since that's how P2PKH works.

Update BIP 118 for taproot, rename to ANYPREVOUT 5e052176ef

Update README a8787c51ff

BIP118: refer to bech32m instead of bech32 for segwit v1 outputs

Thanks to Ben Carman for spotting.

0cbc8674dd

BIP118: remove subliminal advertising of Simplicity 420dc42f0e

BIP118: tweak wording around 1-byte pubkey d616d5492b

in bip-0118.mediawiki:175 in 7b74bd1373 outdated

 269 | +==== Privacy considerations ====
 270 | +
 271 | +It is expected that ANYPREVOUT signatures will only be rarely used in practice.
 272 | +Protocol and wallet designers should aim to have their transactions use Taproot key path spends whenever possible, both for efficiency reasons due to the lower transaction weight, but also for privacy reasons to avoid third parties being able to distinguish their transactions from those of other protocols.
 273 | +
 274 | +Transactions that do use ANYPREVOUT signatures will therefore reveal information about the transaction, potentially including that cooperation was impossible, or what protocol or software in use (due to the details of the script).

bucko13 commented at 8:37 PM on June 27, 2021:

Small fix for a typo:

Transactions that do use ANYPREVOUT signatures will therefore reveal information about the transaction, potentially including that cooperation was impossible, or what protocol or software was used (due to the details of the script).

ajtowns commented at 4:47 AM on July 2, 2021:

Done

ajtowns force-pushed on Jul 2, 2021

luke-jr commented at 7:51 PM on July 2, 2021: member

@cdecker Think this is mergable? Even if not perfect, it can continue to be revised...

in bip-0118.mediawiki:44 in d616d5492b

  72 | +The [https://blockstream.com/eltoo.pdf eltoo] paper provides an example of why committing to the witness script is not always appropriate.
  73 | +It uses script and the transaction <code>nLockTime</code> to make signatures asymmetric, so that a transaction with an earlier signature can be spent by a transaction with a later signature, but a transaction with a later signature cannot be spent by a transaction with an earlier signature.
  74 | +As a result, a single signature for a third, even later transaction must be able to spend both the prior transactions, even though they have a different tapscript.
  75 | +On the other hand, these cases also provide a good reason to have the option to commit to the script: because each transaction has a new script, committing to the script allows you to produce a signature that applies to precisely one of these transactions.
  76 | +In the eltoo case, this allows you to have a signature for an update transaction that can be applied to any prior update, and a signature for a settlement transaction that applies only to the corresponding update transaction, while using the same key for both, which in turn allows for a more compact script.
  77 | +</ref> and value <ref>'''Why (and why not) commit to the input value?'''

JeremyRubin commented at 4:41 PM on July 3, 2021:

If i understand correctly:

APO: Commits to value APOAS: Doesn't commit to value

Can you better justify why we don't also want ANYPREVOUTANYVALUE and ANYPREVOUTANYSCRIPTSPECIFICVALUE?

JeremyRubin commented at 12:57 AM on July 8, 2021: contributor

In general, one thing that strikes me is that when anyprevout is used for eltoo you're generally doing a script like:

IF
    10 CSV DROP
    1::musigkey(As,Bs) CHECKSIG
ELSE
    <S+1> CLTV DROP
   1::musigkey(Au,Bu) CHECKSIG
ENDIF

This means that you're overloading the CLTV clause, which means it's impossible to use Eltoo and use a absolute lock time, it also means you have to use fewer than a billion sequences, and if you pick a random # to mask how many payments you've done / pick random gaps let's say that reduces your numbers in half. That may be enough, but is still relatively limited. There is also the issue that multiple inputs cannot be combined into a transaction if they have signed on different locktimes.

Since Eltoo is the primary motivation for ANYPREVOUT, it's worth making sure we have all the parts we'd need bundled together to see it be successful.

A few options come to mind that might be desirable in order to better serve the eltoo usecase

Define a new CSV type (e.g. define (1<<31 && 1<<30) as being dedicated to eltoo sequences). This has the benefit of giving a per input sequence, but the drawback of using a CSV bit. Because there's only 1 CSV per input, this technique cannot be used with a sequence tag.
CSFS -- it would be possible to take a signature from stack for an arbitrary higher number, e.g.:

IF
    10 CSV DROP
    1::musigkey(As,Bs) CHECKSIG
ELSE
    DUP musigkey(Aseq, BSeq) CSFSV <S+1> GTE VERIFY
   1::musigkey(Au,Bu) CHECKSIG
ENDIF

Then, posession of a higher signed sequence would allow for the use of the update path. However, the downside is that there would be no guarantee that the new state provided for update would be higher than the past one without a more advanced covenant. 3) Sequenced Signature: It could be set up such that ANYPREVOUT keys are tagged with a N byte sequence (instead of 1), and a part of the process of signature verification includes hashing a sequence on the signature itself.

E.g.

IF
    10 CSV DROP
    1::musigkey(As,Bs) CHECKSIG
ELSE
   <N>::musigkey(Au,Bu) CHECKSIG
ENDIF

To satisfy this clause, a signature <N+1>::S would be required. When validating the signature S, the APO digest would have to include the value <N+1>. It is non cryptographically checked that N+1 > N. 5) Similar to 3, but look at more values off the stack. This is also OK, but violates the principle of not making opcodes take variable numbers of things off the stack. Verify semantics on the extra data fields could ameliorate this concern, and it might make sense to do it that way. 4) Something in the Annex: It would also be possible to define a new generic place for lock times in the annex (to permit dual height/time relative/absolute, all per input. The pro of this approach is that it would be solving an outstanding problem for script that we want to solve anyways, the downside is that the Annex is totally undefined presently so it's unclear that this is an appropriate use for it. 5) Do Nothing :)

Overall I'm somewhat partial to option 3 as it seems to be closest to making ANYPREVOUT more precisely designed to support Eltoo. It would also be possible to make it such that if the tag N=1, then the behavior is identical to the proposal currently.

JeremyRubin commented at 12:58 AM on July 8, 2021: contributor

It occurs to me this might be the wrong venue to discuss the above as this is larger change outside the changes to the BIP outstanding, so I will move discussion to the mailing list.

cdecker commented at 8:46 AM on July 8, 2021: contributor

@cdecker Think this is mergable? Even if not perfect, it can continue to be revised...

I think it is excellent, let's ship it 🤓 We can do fine-tuning and corrections in separate PRs, agreed

luke-jr merged this on Jul 8, 2021

luke-jr closed this on Jul 8, 2021