Re: [bitcoin-dev] BIP for OP_VAULT

[Anthony Towns via bitcoin-dev]

On Wed, Mar 01, 2023 at 10:05:47AM -0500, Greg Sanders via bitcoin-dev wrote:
> Below is a sketch of a replacement for the two opcodes. 

I like this! I tried to come up with something along similar lines for
similar reasons, but I think I tried too hard to reduce it to two opcodes
or something and got myself confused.

> `OP_TRIGGER_FORWARD`: Takes exactly three arguments:
> 1) output index to match against (provided at spend time normally)
> 2) target-outputs-hash: 32 byte hash to be forwarded to output given at (1)
> (provided at spend time normally)
> 3) spend-delay: value to be forwarded to output given at (1)

I think you could generalise this as follows:

   idx .. npush script OP_FORWARD_LEAF_UPDATE

(OP_FLU :) with the behaviour being:

   pop script from the stack
   pop npush from the stack (error if non-minimal or <0)
   pop npush entries from the stack,
 prefix script with a minimal push of that entry
   pop idx off the stack (error if idx is not a valid output)
   calculate the spk corresponding to taking the current
 input's spk and replacing the current leaf with the
 given script
   check the output at idx matches this spk, and the
 value from this input accumulates to that output

Then instead of `idx hash delay OP_TRIGGER_FORWARD` you
write `idx hash delay 2 "OP_CSV OP_DROP OP_FORWARD_OUTPUTS"
OP_FORWARD_LEAF_UPDATE`

That's an additional 5 witness bytes, but a much more generic/composable
opcode.

Being able to prefix a script with push opcodes avoids the possibility
of being able to add OP_SUCCESS instructions, so I think this is a fairly
safe way of allowing a TLUV-ish script to be modified, especially compared
to OP_CAT.

I do recognise that it makes it take a variable number of stack elements
though :)

> As the derived tapscript, embedded in a output scriptpubkey of the form:
> `tr(NUMS,{...,EXPR_WITHDRAW})`, meaning we literally take the control block
> from the spending input, swap the inner pubkey for `NUMS`, use
> `EXPR_WITHDRAW` as the tapleaf, reconstruct the merkle root. If the output
> scriptpubkey doesnt match, fail.

I don't think replacing the internal-public-key makes sense -- if it
was immediately spendable via the keypath before there's no reason for
it not to be immediately spendable now.

> Could save 2 WU having OP_FORWARD_OUTPUTS take the  directly
> as an argument, or keep it more general as I did.

Having OP_FORWARD_OUTPUTS not leave its input on the stack would let
you move the OP_CSV to the end and drop the OP_DROP too, saving 1 WU.

> Would love to know what you and others think about this direction. I
> apologies for any misunderstandings I have about the current OP_VAULT BIP!

I think the existing OP_VAULT cleverness would work here, allowing you
to spend two inputs to the same output, accumulating their values.

I don't think it quite gives you a way to "refund" values though -- so
that you can take a vault with 3 BTC, start the  wait to spend
1.4 BTC, and then immediately decide to spend an additional 0.8 BTC on
something else, without the 0.8 BTC effectively having a doubled delay.

I think you could fix that with something as simple as an additional
"idx OP_FORWARD_REFUND" opcode, though -- then the restriction is just
that the output at the refund idx has the same sPK as this input, and
the total value of this input is accumulated amongst all the outputs
specified by OP_FORWARD opcodes. (Maybe you need to specify the refund
amount explicitly as well, to keep verification easy)

That would make maybe three new opcodes to cover the "accumulate value
from one or more inputs into specified outputs":

 - OP_FORWARD_LEAF_UPDATE --> forward input value to modified spk
 - OP_FORWARD_DESTINATION --> forward input value to given spk
 - OP_FORWARD_REFUND --> forward part of input value to same spk

along with OP_CTV:

 - OP_FORWARD_OUTPUTS --> pay to specific outputs

OP_VAULT's "accumulate value" behaviour here makes the OP_IN_OUT_AMOUNT
things from TLUV more implicit and automatic, which is nice. I think
doing TLUV payment pools wouldn't require much more than the ability to
combine OP_FLU and OP_FDEST in a single script, explicitly specifying
how much value is extracted via OP_FDEST with the rest assigned to OP_FLU.

Cheers,
aj
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] Minimum fees

[Nadav Ivgi via bitcoin-dev]

Hi Giuseppe,

One side-effect this has is that until enough fees accumulate in the
mempool to satisfy min_fees, the rational behaviour for miners would be to
try and fork the chain tip, competing for the fees in the latest block
(+whatever got into the mempool in the meanwhile and can fit in). This
could lead to increased reorgs/orphan rates and chain instability. It could
also lead to miners preferring to set their low_fee to zero, to avoid other
miners from forking their blocks off.

I'm also not sure that this would actually change much. If humanity is
willing to spend X BTC/day on mining fees, it doesn't really matter if it's
spread out through fewer or more blocks.

shesek

On Wed, Mar 1, 2023 at 10:25 PM Giuseppe B via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Hello everyone,
>
> I'm relatively new here so what I'm proposing could have already been
> discussed, or may be flawed or inapplicable. I apologize for that.
>
> I was picturing a situation where block rewards are almost zero, and the
> base layer is mainly used as a settlement layer for relatively few large
> transactions, since the majority of smaller ones goes through LN.
>
> In such a case it may very well be that even if transaction amounts are
> very consistent, transaction fees end up being very small since there is
> enough space for everyone in a block. Users wouldn't mind paying higher
> fees as they know that that would increase the network security, however
> nobody wants to be the only one doing that. Miners would of course like
> being paid more. So everyone involved would prefer higher fees but they
> just stay low because that's the only rational individual choice.
>
> Therefore I was imagining the introduction of a new protocol rule,
> min_fees, that would work like this:
> - the miner that gets to mine a block appends a min_fee field to the
> block, specifying the minimum fees that need to be contained in the
> following block in order for it to be valid.
> - one can also mine an empty block and reset the min_fee, to avoid the
> chain getting stuck.
>
> min_fees could either represent the total fees of the following block, or
> the minimal fee for each single transaction, as a percentage of the value
> transacted. Both seem to have some merits and some potential drawbacks. Of
> course min_fees=0 would correspond to the current situation.
>
> It looks to me that this could have the potential to bring the equilibrium
> closer to a socially optimal one (as opposed to individually optimal), and
> to benefit the network security in the long term. Of course it's just a
> rough sketch and it would deserve a much deeper analysis. I was just
> interested in knowing if you think that the principle has some merit or if
> it's not even worth discussing it for some reason that I'm not considering.
>
> Cheers,
>
> Giuseppe.
>
> ___
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

[bitcoin-dev] Minimum fees

[Giuseppe B via bitcoin-dev]

Hello everyone,

I'm relatively new here so what I'm proposing could have already been
discussed, or may be flawed or inapplicable. I apologize for that.

I was picturing a situation where block rewards are almost zero, and the
base layer is mainly used as a settlement layer for relatively few large
transactions, since the majority of smaller ones goes through LN.

In such a case it may very well be that even if transaction amounts are
very consistent, transaction fees end up being very small since there is
enough space for everyone in a block. Users wouldn't mind paying higher
fees as they know that that would increase the network security, however
nobody wants to be the only one doing that. Miners would of course like
being paid more. So everyone involved would prefer higher fees but they
just stay low because that's the only rational individual choice.

Therefore I was imagining the introduction of a new protocol rule,
min_fees, that would work like this:
- the miner that gets to mine a block appends a min_fee field to the block,
specifying the minimum fees that need to be contained in the following
block in order for it to be valid.
- one can also mine an empty block and reset the min_fee, to avoid the
chain getting stuck.

min_fees could either represent the total fees of the following block, or
the minimal fee for each single transaction, as a percentage of the value
transacted. Both seem to have some merits and some potential drawbacks. Of
course min_fees=0 would correspond to the current situation.

It looks to me that this could have the potential to bring the equilibrium
closer to a socially optimal one (as opposed to individually optimal), and
to benefit the network security in the long term. Of course it's just a
rough sketch and it would deserve a much deeper analysis. I was just
interested in knowing if you think that the principle has some merit or if
it's not even worth discussing it for some reason that I'm not considering.

Cheers,

Giuseppe.
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP proposal: Fee-redistribution contracts

[David A. Harding via bitcoin-dev]

On 2023-02-27 03:32, Rastislav Budinsky via bitcoin-dev wrote:

When a miner mines a block he takes all the fees currently. However
with the proposed solution he takes only fraction M and remaining
fraction C is sent to one of more contracts. One contract at its
simplest collects fees from the miner and at the same time
redistributes it back to the miner.


Hi Rastislav,

I think you've incorrectly made the assumption that the only way a miner 
can profit from confirming a transaction is by collecting its 
transaction fees.  Miners can (and many have) accept payment through 
alternative means, which the Bitcoin technical community often calls 
"out-of-band fees".[1]  For example, some miners have provided a 
"transaction accelerator" service that accepts fiat-denominated credit 
cards to increase their prioritization of certain transactions and I'm 
personally aware of a large web wallet provider that would occasionally 
pay miners out of band to confirm hundreds or thousands of transactions 
rather than fix its broken fee estimation.


Out-of-band fees aren't frequently used in Bitcoin today because they 
have no advantage over correctly estimated in-band fees, and good fee 
estimation is very accessible to modern wallets.  However, if the 
consensus rules are changed to require each miner pay a percentage of 
its in-band fees to future miners, then there would be a strong 
incentive for them to prefer out-of-band fees that weren't subject to 
this redistribution scheme.


I think may have seen a variation on the scheme you propose play out in 
real life.  Here's how it works where I live: the government imposes 
taxes on goods, services, and income.  Ostensibly, it redistributes the 
collected funds back to citizens in the future by providing government 
services.  When I go to pay someone who trusts my discretion, they often 
offer me a discounted rate if I pay in a way that isn't reported to the 
government (e.g., I pay with cash); even with the discount provided to 
me, they get to keep more of their income than if they had reported the 
transaction to the government.


In the case of a government, tax evasion can be reduced by the 
deployment of investigators and enforcers.  In Bitcoin, we have no 
control over activity that happens outside of the protocol and so even a 
modest incentive to pay fees out of band might quickly lead to almost 
all fees being paid out of band.  This prevents the effective 
redistribution of fees as in your proposal.  Additionally, previous 
discussions on this mailing list about paying out-of-band fees have 
highlighted that larger miners have an advantage over smaller miners in 
collecting miner-specific fee payments, undermining the essential 
decentralization of Bitcoin's transaction confirmation mechanism (moreso 
than it is already weakened by fundamental economies of scale in 
mining).


In short, I think serious consideration of your proposal can only 
proceed if it adequately addresses the problem of out-of-band fees.


That said, thank you and your co-authors for putting serious thought 
into Bitcoin's long-term economic incentives.


-Dave

[1] https://bitcoinsearch.xyz/?q=out%20of%20band%20fees=n_50_n
___
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Re: [bitcoin-dev] BIP for OP_VAULT

[Greg Sanders via bitcoin-dev]

Hello James,

First off, thank you for crafting an interesting idea like this that is
aimed at solving a serious problem. I see a lot of excitement about the use
cases, and I think it's worth iterating on.

Attempting to keep the idealized functionality constant, I'd like to
explore a design detour. I'm attempting to decouple the 3 functionalities
of `OP_VAULT` and `OP_UNVAULT` into their constituent functions with names
I just made up.

The goals of this e-mail:

1) Removing variable number of arguments based on values of arguments for
the opcodes.
To me as a spec reader, I find it very difficult to parse what's precisely
happening when. I think the only/last opcode to support this behavior was
OP_CHECKMULTISIG(could be wrong), and now I know another reason why OP_CSA
construct is nicer going forward with taproot.

2) Remove the recursive evaluation functionality used for authentication,
without reducing the efficacy of the targeted solution. Recursive
evaluation has a fraught history in Bitcoin script, makes composing
functionality with tooling likely more difficult, and has a lot of
templated behavior. If we can rely on regular old tapscript to get us where
we need to go, I'd prefer that.

3) Increase legibility of the spec. There's a ton going on, breaking things
up and naming them based on the method rather than the goal may help here.

4) Not (greatly) increase the expressiveness of the proposal. It's a
targeted proposal, and I'd like to respect that. These covenant opcodes are
intended to be drop-in replacements for the OP_(UN)VAULT opcodes.

To recap, there are three things happen in idealized OP_VAULT scenario:
1) Money comes out, then has to wait (trigger transaction)
2) Money waits long enough, then withdrawals to dynamic set of outputs that
are declared at trigger time (withdrawal transaction)
3) Money to single specified output script picked up front, with no wait
(recovery)

Below is a sketch of a replacement for the two opcodes. Ignore my
inconsistency on VERIFY/non-VERIFY behavior, seeing if people agree with
this general direction:

`OP_TRIGGER_FORWARD`: Takes exactly three arguments:
1) output index to match against (provided at spend time normally)
2) target-outputs-hash: 32 byte hash to be forwarded to output given at (1)
(provided at spend time normally)
3) spend-delay: value to be forwarded to output given at (1)

Fails script immediately if there aren't enough inputs or they're the wrong
format.

These last two arguments are "forwarded" to output at index declared in
first argument, resulting in:

`EXPR_WITHDRAW:  OP_CHECKSEQUENCEVERIFY OP_DROP
 OP_FORWARD_OUTPUTS`

As the derived tapscript, embedded in a output scriptpubkey of the form:
`tr(NUMS,{...,EXPR_WITHDRAW})`, meaning we literally take the control block
from the spending input, swap the inner pubkey for `NUMS`, use
`EXPR_WITHDRAW` as the tapleaf, reconstruct the merkle root. If the output
scriptpubkey doesnt match, fail.

This TLUV-ish script/inner pubkey replacement is meant to allow arbitrary
other conditions, which is where the "recovery" path comes in for typical
usage.

If output at the target output index doesn't match the constructed script,
the evaluation fails.

`OP_FORWARD_DESTINATION`: Takes exactly two arguments:
1) `dest-vout-idx`: index of output that contains the so-called "recovery"
path
2) : the hash of the script destination

Fails immediately if the reconstructed output script doesn't match.

`OP_FORWARD_OUTPUTS` takes exactly one argument:
1) target-outputs-hash: commits to all outputs' scripts and values

Fails immediately if transaction's outputs(including value) hash doesn't
match.

**Typical usage**:
```
DEPOSITING TO VAULT SCRIPT:

EXPR_RECOVERY:   OP_FORWARD_DESTINATION
EXPR_TRIGGER: OP_TRIGGER_FORWARD

tr(KEY, {EXPR_RECOVERY, EXPR_TRIGGER})
```

```
EXPR_WITHDRAW:  OP_CHECKSEQUENCEVERIFY OP_DROP
 OP_FORWARD_OUTPUTS
```

```
TRIGGERING WITHDRAWAL TIMER SCRIPT:

tr(NUMS, {EXPR_RECOVERY,EXPR_WITHDRAW}) <--- note EXPR_RECOVERY is forced
by the OP_TRIGGER_FORWARD TLUV action
```

Could save 2 WU having OP_FORWARD_OUTPUTS take the  directly
as an argument, or keep it more general as I did.

Would love to know what you and others think about this direction. I
apologies for any misunderstandings I have about the current OP_VAULT BIP!

Cheers,
Greg

On Mon, Feb 13, 2023 at 4:09 PM James O'Beirne via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

> Since the last related correspondence on this list [0], a number of
> improvements have been made to the OP_VAULT draft [1]:
>
> * There is no longer a hard dependence on package relay/ephemeral
>   anchors for fee management. When using "authorized recovery," all
>   vault-related transactions can be bundled with unrelated inputs and
>   outputs, facilitating fee management that is self contained to the
>   transaction. Consequently, the contents of this proposal are in theory
>   usable today.
>
> * Specific output locations are no