Hi, Lloyd, thanks for this excellent writeup. I must say that indeed using CTV seems like it would very much lower the complexity of the DLC protocol (and it seems like APO would also work, thanks Jonas for pointing that out). Though thinking about it, I can't help wondering if the ideal op code for DLC wouldn't actually be CHECKSIGFROMSTACK? It feels to me that this would give the most natural way of doing things. If I'm not mistaken, this would enable simply requiring an oracle signature over the outcome, without any special trick, and without even needing the oracle to release a nonce in advance (the oracle could sign `event_outcome + event_id` to avoid signature reuse). I must say that I haven't studied covenant opcodes in detail yet so is that line of thinking correct or am I missing something?
Cheers, Thibaut On Wed, Jan 26, 2022 at 1:27 AM Jonas Nick via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Thank you, that's an interesting application of OP_CTV. > > Perhaps worth pointing out that this does not require OP_CTV but could > also be > enabled by other covenant constructions. For example, it seems like > ANYPREVOUT-based covenants provide similar benefits. The script of the > Taproot > leaves could be set to > > <sig> <G> CHECKSIGVERIFY <CET_i> CHECKSIGVERIFY > > where <sig> is an ANYPREVOUTANYSCRIPT signature of the CET for public key > P = G. > When using nonce R = G, signature creation has negligible computational > cost (s > = 1 + H(R, P, m)). A downside compared to CTV is the additional overhead > of 64 > witness bytes (<sig>). > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >
_______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
