[bitcoin-dev] bitcoin scripting and lisp

2022-03-03 Thread Anthony Towns via bitcoin-dev 
On Sun, Feb 27, 2022 at 04:34:31PM +, ZmnSCPxj via bitcoin-dev wrote:
> In reaction to this, AJ Towns mailed me privately about some of his
> thoughts on this insane `OP_EVICT` proposal.
> He observed that we could generalize the `OP_EVICT` opcode by
> decomposing it into smaller parts, including an operation congruent
> to the Scheme/Haskell/Scala `map` operation.

At much the same time Zman was thinking about OP_FOLD and in exactly the
same context, I was wondering what the simplest possible language that
had some sort of map construction was -- I mean simplest in a "practical
engineering" sense; I think Simplicity already has the Euclidean/Peano
"least axioms" sense covered.

The thing that's most appealing to me about bitcoin script as it stands
(beyond "it works") is that it's really pretty simple in an engineering
sense: it's just a "forth" like system, where you put byte strings on a
stack and have a few operators to manipulate them.  The alt-stack, and
supporting "IF" and "CODESEPARATOR" add a little additional complexity,
but really not very much.

To level-up from that, instead of putting byte strings on a stack, you
could have some other data structure than a stack -- eg one that allows
nesting. Simple ones that come to mind are lists of (lists of) byte
strings, or a binary tree of byte strings [0]. Both those essentially
give you a lisp-like language -- lisp is obviously all about lists,
and a binary tree is just made of things or pairs of things, and pairs
of things are just another way of saying "car" and "cdr".

A particular advantage of lisp-like approaches is that they treat code
and data exactly the same -- so if we're trying to leave the option open
for a transaction to supply some unexpected code on the witness stack,
then lisp handles that really naturally: you were going to include data
on the stack anyway, and code and data are the same, so you don't have
to do anything special at all. And while I've never really coded in
lisp at all, my understanding is that its biggest problems are all about
doing things efficiently at large scales -- but script's problem space
is for very small scale things, so there's at least reason to hope that
any problems lisp might have won't actually show up for this use case.

So, to me, that seemed like something worth looking into...



After looking into it, I actually think chia lisp [1] gets pretty much all
the major design decisions pretty much right. There are obviously a few
changes needed given the differences in design between chia and bitcoin:

 - having secp256k1 signatures (and curve operations), instead of
   BLS12-381 ones

 - adding tx introspection instead of having bundle-oriented CREATE_COIN,
   and CREATE/ASSERT results [10]

and there are a couple of other things that could maybe be improved
upon:

 - serialization seems to be a bit verbose -- 100kB of serialized clvm
   code from a random block gzips to 60kB; optimising the serialization
   for small lists, and perhaps also for small literal numbers might be
   a feasible improvement; though it's not clear to me how frequently
   serialization size would be the limiting factor for cost versus
   execution time or memory usage.

 - I don't think execution costing takes into account how much memory
   is used at any one time, just how much was allocated in total; so
   the equivalent of (OP_DUP OP_DROP OP_DUP OP_DROP ..) only has the
   allocations accounted for, with no discount given for the immediate
   freeing, so it gets treated as having the same cost as (OP_DUP
   OP_DUP ..  OP_DROP OP_DROP ..). Doing it that way would be a worse
   than how bitcoin script is currently costed, but doing better might
   mean locking in an evaluation method at the consensus level. Seems
   worth looking into, at least.

But otherwise, it seems a pretty good match.



I think you'd need about 40 opcodes to match bitcoin script and (roughly)
chia lisp, something like:

   q- quote
   a- apply
   x- exception / immediately fail (OP_RETURN style)
   i- if/then/else
   softfork - upgradability
   not, all, any- boolean logic
   bitand, bitor, bitxor, bitnot, shift - bitwise logic
   =- bitwise equality
   > - + * / divmod - (signed, bignum) arithmetic
   ashift   - arithmetic shift (sign extended)
   >s   - string comparison
   strlen, substr, concat - string ops
   f, r, c, l   - list ops (head, tail, make a list, is this a list?)
   sha256   - hashing

   numequal - arithmetic equal, equivalent to (= (+ a 0) (+ b 0))
   ripemd160, hash160, hash256 - more hashing
   bip342-txmsg - given a sighash byte, construct the bip342 message
   bip340-verify- given a pubkey, message, and signature bip340 verify it
   tx   - get various information about the tx
   taproot  - get merkle path/internalpubkey/program/annex information
   ecdsa-

[bitcoin-dev] Recurring bitcoin/LN payments using DLCs

2022-03-03 Thread Chris Stewart via bitcoin-dev 
DLCs are typically thought to be used for betting. Alice & Bob want to
speculate on an event, and have bitcoin payouts rewarded to them if they
bet correctly. The oracle determines what event occurred and produces
attestations representing that outcome.

Recently I had a conversation with a friend about implementing recurring
subscriptions with Discreet Log Contracts. At a high level, you should
think about this working like ACH. If you are purchasing a subscription
from Netflix, they will deduct $20 from your bank account every month. To
do this, you give them your credit card information.

You can do this with Discreet Log Contracts. It requires a slightly
modified DLC setup. Netflix would create an oracle representing a monthly
subscription. They require that users setup DLCs to them that will be
executed at the end of the month. Alice, a subscriber to Netflix, creates a
unilaterally funded DLC to Netflix. She creates adaptor signatures for her
payment and sends them to Netflix.

No bitcoin transaction is required to create this subscription since the
DLC is unilaterally funded. Alice can “cancel” the subscription at any time
by spending from the utxo she is using to fund the DLC.

At the end of the month, Netflix attests that it is time to charge Alice
for her subscription. Netflix takes its own attestation and decrypts
Alice’s adaptor signature to get her signature to send funds to Netflix.
Netflix publishes the settlement transaction for the DLC which pays Netflix
it’s subscription fee for the next month. Netflix also publishes a new
announcement for next month so that Alice can create a new DLC subscription.

Netflix needs to give Alice a bitcoin address to pay to.

The information Alice is required to send Netflix is


   1.

   Her utxo used to fund the DLC
   2.

   Her adaptor signature representing her monthly subscription to netflix.


Netflix must verify the adaptor signatures are correct and the utxo exists.

Why is this useful?

It's very convenient for a user to give access to withdraw a certain amount
of money from a bank account at a given time in the future. This is how
recurring payments work in tradfi. This brings the same principle to
bitcoin payments.

DLCs also give you the power to specify how much the service can withdraw.
For instance, with Netflix, they shouldn’t have the ability to withdraw
thousands of dollars worth of bitcoin. The monthly service fee is $20. With
DLCs, you can cryptographically enforce that they will only receive $20.
They cannot withdraw more or less money than they are authorized to.

There may be concerns about Netflix being both the oracle and the entity
receiving a monthly payment. I would argue this is mitigated by the fact
that the service provider could steal at most one months worth of service
fees for users of the subscription. After users get scammed once, they will
cancel their future subscription and distrust the service. The key feature
is the amount of money in the subscription is predetermined, thus the
oracle cannot withdraw excess funds if they are evil.

### QA

Does the DLC use a 2 of 2 multisig between Netflix and Alice?

No, the DLC is unilaterally funded by Alice. This allows her to create the
subscription without an onchain transaction, and also allows her to cancel
the subscription at any time. She cancels the subscription by double
spending the utxo.

Can Netflix steal all the money in the funding output?

No, Alice’s adaptor signatures allow Netflix to withdraw a specific amount
of bitcoin. The change is sent back to an address Alice controls. Both of
these outputs are protected by the adaptor signature.

Is there a perverse incentive for Netflix to be the oracle and receive the
subscription?

The most Netflix can steal in this setup is one months worth of
subscription fees across the entire customer base. In this setup, Alice is
accepting that risk for the convenience of auto withdrawals from her
bitcoin wallet. Remember, Alice can cancel the subscription at any time she
wants by spending from the funding utxo.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev