Using Collider Script or Functional Encryption you can do introspection on Bitcoin today, i.e., without OP_CAT. These approaches both have downsides, Collider script costs millions of dollars in compute per spend, Functional Encryption requires fancy cryptography that we only have candidate constructions for (see Bitcoin PIPEs).
I wish to amend my earlier statement "I don't think it is clear how to turn this into a covenant. The bits you are extracting using OP_SIZE are only related to the sighash via a random function." I believe that with no opcode limit in Bitcoin pre-tapscript, we can use OP_SIZE to enforce covenants and do arbitrary introspection of Bitcoin's blockchain. 1. Use OP_SIZE to extract bits related to the sighash via a random function from the spending ECDSA signature s1, we will call these B = <b1, b2, ..., bn>. 2. Write a Small Script function that takes the ECDSA signature s2 encoded as a list of 32-bit values and also takes the bits B. This function reruns the OP_SIZE bit extraction process on the ECDSA signature encoded as a list of 32-bit values to learn B' = <b1', b2', ..., bn'>. If B == B' then the two ECDSA signatures are the same signature: s1 = s2. 3. Small Script can extract the sighash from the ECDSA spending signature and then check if it matches a set of values and rules also encoded as 32-bit elements. For background on the Small Script, Big Script divide in Bitcoin Script see https://bitcoinmagazine.com/technical/script-state-from-lamport-signatures- Small script can perform any computation on values encoded as lists of 32-bit elements, including OP_CAT, it is only bound by opcode limit and the ability to check equivalence between Small Script encoded values and Big Script stake elements. Andrew Poelstra noted this earlier in the thread when he said: "IMO it's a pretty big deal that size limits are now the only reason that Bitcoin doesn't have covenants." On Sat, Nov 16, 2024 at 8:16 PM Xiaohui Liu <[email protected]> wrote: > > Introspection using SPV requires OP_CAT, besides hashing, IMO. > > On Sat, Nov 16, 2024 at 6:56 AM Ethan Heilman <[email protected]> wrote: >> >> I don't think it is clear how to turn this into a covenant. The bits you are >> extracting using OP_SIZE are only related to the sighash via a random >> function. >> >> That said, I don't see any reason that with an unlimited number of opcodes >> you can build an small script that's uses SPV to introspect into the entire >> blockchains and enforce anything without having to use OP_SIZE or OP_CAT. >> You could build snarks in small script so the size of the small script would >> be large but constant in the size of the blockchains. >> >> On Fri, Nov 15, 2024, 5:02 PM Xiaohui Liu <[email protected]> wrote: >>> >>> Hi, >>> >>> How does covenant work without OP_CAT here, assuming no size limit? Don't >>> you still need OP_CAT to parse/introspect fields (e.g., input/output) of >>> the spending transaction? >>> >>> Regards, >>> sCrypt >>> >>> On Tuesday, April 30, 2024 at 7:22:54 AM UTC-7 Andrew Poelstra wrote: >>>> >>>> On Tue, Apr 30, 2024 at 08:32:42AM -0400, Matthew Zipkin wrote: >>>> > > if an attacker managed to grind a 23-byte r-value at a cost of 2^72 >>>> > computations, it would provide the attacker some advantage. >>>> > >>>> > If we are assuming discrete log is still hard, why do we need Lamport >>>> > signatures at all? In a post-quantum world, finding k such that r is 21 >>>> > bytes or less is efficient for the attacker. >>>> > >>>> >>>> Aside from Ethan's point that a variant of this technique is still >>>> secure in the case that discrete log is totally broken (or even >>>> partially broken...all we need is that _somebody_ is able to find the >>>> discrete log of the x=1 point and for them to publish this). >>>> >>>> Another reason this is useful is that if you have a Lamport signature on >>>> the stack which is composed of SIZE values, all of which are small >>>> enough to be manipulated with the numeric script opcodes, then you can >>>> do covenants in Script. >>>> >>>> (Sadly(?), I think none of this works in the context of the 201-opcode >>>> limit...and absent BitVM challenge-response tricks it's unlikely you can >>>> do much in the context of the 4MWu block size limit..), but IMO it's a >>>> pretty big deal that size limits are now the only reason that Bitcoin >>>> doesn't have covenants.) >>>> >>>> -- >>>> Andrew Poelstra >>>> Director, Blockstream Research >>>> Email: apoelstra at wpsoftware.net >>>> Web: https://www.wpsoftware.net/andrew >>>> >>>> The sun is always shining in space >>>> -Justin Lewis-Webster >>>> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Bitcoin Development Mailing List" group. >>> To unsubscribe from this group and stop receiving emails from it, send an >>> email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/d/msgid/bitcoindev/129a9605-7a91-42a7-a9ef-07de6662ca7en%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAEM%3Dy%2BVeb%3DTWPBYtK4v7gQm8L9L%2BzMo6DE-zi6ygP%2BYJ0XKk_Q%40mail.gmail.com.
