Add small-data OP_DROP transactions as standard transactions. #1809

pull jgarzik wants to merge 2 commits into bitcoin:master from jgarzik:opdrop changing 4 files +41 −0
  1. jgarzik commented at 5:46 pm on September 9, 2012: contributor

    This change is longer than preferred, because mTemplates is a map, and as such, the notion of “variant of TX_PUBKEYHASH” is poorly supported.

    TX_PUBKEYHASH_*DATA was added, but is largely to quiet compiler warnings, because it is mapped to TX_PUBKEYHASH everywhere, including Solver()’s transaction-type return value.

    Intended to enable use cases such as Mike Hearn’s distributed bond markets: https://bitcointalk.org/index.php?topic=92421.0

  2. gmaxwell commented at 6:31 pm on September 9, 2012: contributor

    NAK.

    The intended application doesn’t currently exist, so we can’t know that the change is necessary and sufficient to enable it— or am I mistaken? Can you point to its transactions in the chain?

    Instead, this would enable a large amount of harmful usage while concurrently removing the incentive to develop and adopt the appropriate payment protocols and overlay networks which would enable them without selling Bitcoin’s future for some short term gains. Redone with more aggressive limits would probably elevate my opinion to MEH, but I’d be concerned that they’d break the intended use case too.

  3. gavinandresen commented at 7:24 pm on September 9, 2012: contributor

    NIT: you’d save a byte by using OP_2DROP instead of DROP DROP

    I’m torn on whether or not it is time to implement a standard OP_DROP transaction type. If we do, it feels to me like it should be:

    0..64-or-fewer bytes.. OP_DROP ..n.. ..pubkeys.. ..m.. OP_CHECKMULTISIG

    64 bytes because 64-byte SHA3 hashes are likely to be common in the next ten years. CHECKMULTISIG instead of CHECKSIG because that gives the most flexibility. And pubkeys instead of a pubkeyhash because I suspect wrapping these in a P2SH transaction will be useful.

    You should be able to do whatever you need with one max-64-byte push instead of two max-32-byte pushes. E.g. for distributed bonds the transaction might be

    0 PUSH("ISSUE<32-byte-hash>") DROP 1 <pukey> 1 CHECKMULTISIG

    Services interested in bond transactions would look for ISSUE+exactly 32 bytes.

    RE: removing the incentive to adopt appropriate payment protocols: If there is no new bitcoin address type corresponding to this transaction type, then I don’t think that is an issue.

    RE: limits: the intent has always been to move away from hard-coded limits and create a market for transactions based on size, priority and fees paid. Perhaps the right thing to do is allow these as standard transactions, but drop them if they don’t meet the minimum fee threshold (disallow them as “free” transactions).

  4. gmaxwell commented at 7:38 pm on September 9, 2012: contributor

    As I enumerated on Jeff’s call out for mob support ( :P ) , the actually likely applications of this are instant messaging, txn source deanonymization, and timestamping. The first two should be correctly addressed by a payment protocol (optionally via a p2p network), the latter should be accomplished via coinbase timestamping. There would be no reason to develop either of those functions with this transaction type made standard, except preserving Bitcoin’s long term viability. I don’t see how a new address type comes into play there.

    Disallowing them as free transactions is elegant. I do like that. I don’t like that this incentivizes script pubkey bloat over scriptsig bloat, mostly because our priority calculation is currently inadequate (treats scriptpubkey and scriptsig size the same).

  5. jgarzik commented at 8:20 pm on September 9, 2012: contributor

    Updated commit with the following changes:

    1. Ditch previous made-standard transaction types
    2. Make OP_DROP + multisig a standard transaction type
    3. Permit up to 80 bytes of OP_DROP data.

    80 bytes was chosen because OP_DROP + OP_DROP was intended to enable “hash + tiny bit of metadata” as shown in proposals. If the presumed hash size is 64, we want a bit extra.

  6. jgarzik commented at 8:24 pm on September 9, 2012: contributor

    RE fees: great suggestion. I am now endeavoring to figure out how to disable free transactions for TX_MULTISIG_DATA, and will do so in a separate commit.

    RE use cases: as I stated in IRC, I am working on a basic version of TD’s distributed bond proposal right now. I also feel quite strongly that the ability to attach a tiny bit of data to your own transaction should be a fundamental right of every bitcoin user, even unrelated to the distributed bond proposals. The use case crops up again and again, and people are doing to do it anyway, whether we like it or not. See Hal’s description of a standard transaction that right now may be [ab]used for data storage, for example.

  7. sipa commented at 8:38 pm on September 9, 2012: member
    @jgarzik Sure the use case for attaching metadata to payments comes up, but in my opinion that is just because no infrastructure for negotiating a payment exists. I still haven’t seen a need for that metadata to be attached to the actual bitcoin transaction that is used to perform that payment. My opinion remains that only data necessary for the world to validate the transfer belongs in the transaction - anything else is private information between sender and receiver.
  8. gmaxwell commented at 8:42 pm on September 9, 2012: contributor

    @jgarzik You actually think that people have a fundamental right to force third parties to perpetually store information unrelated to securing and inflation proofing Bitcoin as a price of being able to contribute their participation to the decentralized trust the Bitcoin is secure and inflation proof. I don’t agree.

    If you instead want to say that creating costs unrelated to operating the currency for users is regrettable but sometimes unavoidable, and that it’s better to enforce some least harmful methods in order to discourage some more harmful ones (e.g. paying to bogus pubkeys) I would agree…. but so long as the OP_DROP data is in scriptpubkey instead of scriptsig, it’s not really a least harmful method.

  9. luke-jr commented at 9:07 pm on September 9, 2012: member
    I agree this shouldn’t be standard or encouraged until there is a strong use case for it. Is there a good reason this metadata can’t be stored in a merged-mined block?
  10. BitcoinPullTester commented at 9:35 pm on September 9, 2012: none
    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/8b5974ceb1542bb04c65d8a664019de3053ca1cf for binaries and test log.
  11. luke-jr commented at 9:37 pm on September 9, 2012: member
    Revising my comment with IRC input: probably ACK as soon as testnet-proven.
  12. mikehearn commented at 0:17 am on September 10, 2012: contributor

    Dropped data can be left out of the working set as it can’t affect spendability, I think? That means the only cost is disk storage, not disk seeks or memory, and rarely accessed disk storage is cheap. You can buy a terabyte hard disk for almost nothing these days.

    This does remind me a lot of the DNS discussions. We definitely don’t want totally random data-intensive applications to stuff data into the chain, for legal reasons if nothing else. On the other hand, financial applications that need to strongly associate data with a particular financial transaction don’t seem unreasonable. Satoshi said once that he spent a long time trying to find a way to allow messages in transactions:

    “I badly wanted to find some way to include a comment with indirect transfers, but there just wasn’t a way to do it. Bitcoin uses EC-DSA, which was essential for making the block chain compact enough to be practical with today’s technology because its signatures are an order of magnitude smaller than RSA. But EC-DSA can’t encrypt messages like RSA, it can only be used to verify signatures.”

    Sometimes it makes me wonder … if he’d known how to do encryption using the same keys, would v0.1 of Bitcoin have allowed size-limited text messages?

    I think the restrictions Gavin proposes would mean any IM system (etc) would be uncompetitive with a well implemented payment protocol.

    It’s possible to be too extreme about shrinking the chain. For instance, it’s technically possible to do threshold signatures without CHECKMULTISIG by using secret sharing (see Ibrahim, Ali and EI-Sawy). So maybe CHECKMULTISIG should be made non-standard to encourage somebody to implement that. Or … maybe we should just accept the efficiency hit and get threshold signatures deployed earlier. In practice we chose the latter. You could make the same arguments for addresses (they mean long term storage of a hash, key and sig instead of just a key and sig).

    Let’s see what Jeff comes up with. If he builds a really compelling bond market app on testnet and people want to use it, it’ll be easier to judge the costs and benefits.

  13. laanwj commented at 2:46 am on September 10, 2012: member

    I agree with @sipa. Only data that is strictly necessary for the world to validate a transaction has a place in the block chain. That’s the whole point of it. Everything that is only significant to the sender and receiver (or miner) should be between the sender and receiver (or miner) and doesn’t need to be stored forever by every other full node in the world.

    Really I’d love sending some metadata with transactions for UI purposes, or even messaging between users, but this data should ideally be transient and not carved in stone in the block chain. That just feels wrong.

    Would it be possible to have an expiration date on the information? So that the OP_DROP could truly be dropped after some time? I guess not, if they’re hashed into the transaction…

  14. mikehearn commented at 11:15 am on September 10, 2012: contributor

    Actually I remembered just after I posted my last message that you do need the entire script in the uxto set because of how the signature hash is calculated.

    OTOH I thought of something else - setting aside the uxto set, in terms of long term storage, this kind of thing is fairly neutral. <20 bytes of data> DROP 1 CHECKMULTISIG + a scriptSig is a hash, a key and a sig …. same as a pay-to-address output. Is 20 bytes enough? Well, if it’s just a pointer to some other data store then it’s fine.

  15. BitcoinPullTester commented at 10:10 am on September 11, 2012: none
    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/5a62d80f715f06e42d178c437a33809a6d258a8d for binaries and test log.
  16. in src/main.cpp: in 5a62d80f71 outdated 
    526+        }
527+    }
528+
529+    // OP_DATA multisig transactions are never free
530+    if (IsDataCarrier())
531+        nMinFee = nBaseFee;
    luke-jr commented at 9:59 am on September 20, 2012:
    This replaces the previous min fee if it was greater. I’m not sure we want to accept 10 kB transactions for only nBaseFee if they add data to it…
  17. BitcoinPullTester commented at 8:52 am on October 21, 2012: none
    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/7d68f17333d15c3d1af6c87bf56f45b4546eb219 for binaries and test log.
  18. Add <= 80-byte OP_DROP multisig transactions as standard transactions. b0b53dc068
  19. TX_MULTISIG_DATA transactions always require a fee. 8afa3ce75f
  20. jgarzik commented at 2:40 am on November 16, 2012: contributor
    rebased
  21. BitcoinPullTester commented at 6:56 pm on November 27, 2012: none
    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/8afa3ce75f6f49f68e6310d2fffabfffcfbd7770 for binaries and test log.
  22. jgarzik commented at 11:08 pm on April 8, 2013: contributor
    Closing. It sounds like current consensus favors a slightly different approach, if small-data is ever accepted: a single TxOut per transaction may be obviously prunable, e.g. OP_RETURN.
  23. jgarzik closed this on Apr 8, 2013
  24. mikehearn commented at 10:08 am on April 9, 2013: contributor
    They’re orthogonal - some use cases require spendable outputs that contain a hash as well.
  25. jgarzik commented at 8:35 pm on June 4, 2013: contributor
    Renewed interested in this at the conference and elsewhere. We need to figure out a nice way to attach a hash to a transaction, given that people are already doing this in a not-nice way (unspendable addresses).
  26. luke-jr commented at 8:43 pm on June 4, 2013: member
    IMO, this kind of thing really should have @gmaxwell ’s hash preimage required-to-relay as a prerequisite…
  27. mikehearn commented at 10:44 am on June 17, 2013: contributor

    There’s a lot of interest in oracles coming down the line, it seems, and that’s a use case for this kind of transaction.

    If someone popped up with an actual working server that did this, I feel we’d be able to justify the OP_DROP OP_CHECKMULTISIG form.

  28. jgarzik deleted the branch on Aug 24, 2014
  29. DrahtBot locked this on Sep 8, 2021


jgarzik gmaxwell gavinandresen sipa luke-jr BitcoinPullTester mikehearn laanwj

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-05 07:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me