> On 23 Dec 2018, at 12:26 PM, Anthony Towns <a...@erisian.com.au> wrote: > > On Sat, Dec 22, 2018 at 02:54:42AM +0800, Johnson Lau wrote: >> The question I would like to ask is: is OP_CODESEPARATOR useful under >> taproot? Generally speaking, CODESEPARATOR is useful only with conditional >> opcodes (OP_IF etc), and conditional opcodes are mostly replaced by >> merklized scripts. I am not sure how much usability is left with >> CODESEPARATOR > > If you don't have conditionals, then I think committing to the (masked) > script gives you everything you could do with codeseparator.
I don’t think CODESEPARATOR is useful without conditionals. By useful I mean making a script more compact > > If you don't commit to the (masked) script, don't have conditionals, > and don't have codeseparator, then I don't think you can make a signature > distinguish which alternative script it's intending to sign; but you can > just give each alternative script in the MAST a slight variation of the > key and that seems good enough. You can and should always use a different in different branch. If this best practice is always followed, committing to masked script is not necessary > > OTOH, I think for (roughly) the example you gave: > > DEPTH 3 EQUAL > IF <Bob> CHECKSIGVERIFY HASH160 <H> EQUALVERIFY CODESEP > ELSE <n> CLTV DROP > ENDIF > <Alice> CHECKSIG > > then compared to the taproot equivalent: > > P = muSig(Alice,Bob) > S1 = <Alice1> CHECKSIGVERIFY <Bob> CHECKSIGVERIFY HASH160 <H> EQUAL > S2 = <Alice2> CHECKSIGVERIFY <n> CLTV > > the IF+CODESEP approach is actually cheaper (lighter weight) if you're > mostly (>2/3rds of the time) taking the S1 branch. This is because the > "DEPTH 3 EQUAL IF/ELSE/ENDIF CODESEP <n> CLTV DROP" overhead is less > than the 32B overhead to choose a merkle branch). > > (That said, I'm not sure what Alice's signature in the S1 branch actually > achieves in that script; and without that in S1, the taproot approach is > cheaper all the time. Scriptless scripts would be cheaper still) > >> If no one needs CODESEPARATOR, we might just disable it, and makes the >> validation code a bit simpler > > Since it only affects the behaviour of the checkdls (checksig) operators, > even if it was disabled, it could be re-enabled fairly easily in a new > script subversion if needed (ie, it could be re-added when upgrading > witness version 1 from script version 0 to 1). > > Cheers, > aj > Yes, I don’t think it needs Alice signature in S1 at all. So the original example doesn’t even need CODESEPARATOR at all. Could anyone propose a better use case of CODESEPARATOR? _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
