Thanks for sharing some objections. Here is my attempt at addressing them. > ISTM even something as simple as a rate-limit requires more full-featured > introspection than only > "commit to the exact next transaction" can provide. For example, a trivial > construction would be > something which requires that transactions spending an output have an output > which claims at least > Amount - Rate, which requires both more full-featured introspection as well > as a bit of math.
Yes. These capabilities are really only useful for reducing interactivity in second-layer protocols. They do not (reasonably) help for vaults and we do not claim it as a use case. Previous efforts to promote opcodes implementing those capabilities have unfortunately fallen into the trap of overpromising and claiming use cases they do not really enable. But this should not make us overlook what they are really good at: interactivity reduction. Do you think that the use cases presented in OP, if demonstrated, are not enough to warrant soft forking in a primitive enabling them? > Given one of the loudest groups advocating for the additional features of > CTV+CSFS are enterprise > or large-value personal custody providers Yes. We intentionally do not mention vaults as a use case in our steelman. We should not change Bitcoin on the basis of misleading use cases. If people are interested in vaults, they should sponsor efforts on a different set of capabilities. Probably "programmable forwarding of value from inputs to outputs", "programmable forwarding of spending conditions from inputs to outputs" and maybe "commit to the exact transaction spending an output" (or more powerful introspection). The lack of a similar enthusiasm for proposals enabling most or all of these functionalities (like Salvatore Ingala's BIP334 or previously James O'Beirne's and Greg Sanders' BIP345) suggests such loud support are in fact in favour of "just doing something" and rationalize nice-sounding use cases backward from this proposal (but vaults!) because it appears to them to be "further down the road". I think this view is very dangerous and is part of our motivation for redirecting discussions toward what these capabilities actually enable. > it seems somewhat of a loss to not work our way towards really basic features > for this use-case. I personally grew more skeptical of the reactive security model of vaults after working on it. Your mileage may vary and that's fine if people want to work on capabilities that actually enable vaults, but i don't think they should be a required use cases and block introducing primitives that substantially improve existing layer 2s and make new ones possible. > Indeed, ISTM many use-cases for a construction like TXHASH become a lot more > substantial with Math > [...], I'm quite skeptical that *just* looking at an individual fork on its > own is the right > benchmark. I agree that modularity and forward composability with potential future upgrades are arguments in favour of a more flexible approach. But those need to be balanced with the additional risk and implementation complexity such an approach entails. I'm happy to be convinced if supporters of this approach demonstrate the added flexibility does enable important use cases and the risks associated are manageable. But if nobody is interested in doing so, i don't think it's reasonable to hold off a safer upgrade as long as it is demonstrated to provide substantial benefits. It's also unclear that we should stop at "programmable introspection" in this case. Why not also include "programmable amount / spending condition forwarding" too, which would give you vaults? Why not even CAT, which is a neat tool in many situations and would let ZK people experiment with validation rollups? And at this point, it would seem wiser to just work on a sane Bitcoin Script replacement rather than throwing buckets of opcodes at it and hoping it holds off. Which as we say in OP i don't think is realistic. > I don't see how this results in a net reduction in risk to Bitcoin, rather > just means more total > work and more cruft in Bitcoin's consensus. In theory, i agree. But by this token the same goes for every future extension that introduces more expressivity to Bitcoin Script. This ties back to the stopping point: why add more cruft to the existing interpreter when we could all focus on BTCLisp instead? It's also the case that even if future extensions introduce a superset of the capabilities being discussed, it's unlikely that such simple ones like "just commit to the next transaction" and "verify a signature for an arbitrary message" would ever be made fully redundant. Finally, when considering technical debt we should also weigh the actual cost of the implementation of these simple capabilities. Signature verification on arbitrary message reuses existing signature checking logic. Similarly, committing to the next transaction can heavily lean on existing Taproot signature messages, only minimally departing when necessary, and be implemented in a strictly simpler manner than the existing CTV proposal. A minimal implementation of these capabilities would not introduce significant technical debt. Interestingly, this argument applies more to introducing more involved capabilities like arbitrary transaction introspection, because of the substantially larger technical debt it would impose to first support in Bitcoin Script instead of focusing on a replacement with transaction introspection from the get go. > Indeed, more flexible introspection provides for a difference in risk to the > system (though its > worth noting we cannot both argue that there is no "demonstrated utility" > *and* that the utility > of a change is so substantially higher that it adds material risk to the > system in the form of > MEVil from its use-cases). Yes we can? It's reasonable to see how arbitrary introspection could be useful in various handwavy ways, and therefore how they can be used for undesirable applications, while also not having an important use case it enables clearly defined, much less demonstrated. > However, given the uses of the Bitcoin chain today, it seems entirely > possible (assuming > sufficient adoption) that we end up with a substantial MEVil risk with or > without any > functionality expansion. Sure, but I’d argue that the presence of risk now is a reason to be more cautious about adding to it, rather than accepting it as inevitable. Best, Antoine On Tuesday, June 24th, 2025 at 12:00 PM, Matt Corallo <[email protected]> wrote: > > > Thanks, responding to one specific point: > > On 6/23/25 9:14 AM, 'Antoine Poinsot' via Bitcoin Development Mailing List > wrote: > > > Yet another alternative is a set of more powerful capabilities, enabling > > the use cases that "commit to next transaction" > > and "verify a BIP340 signature for an arbitrary message" enable and more. > > For instance replacing "commit to the exact > > transaction which must spend this output" with "programmable introspection > > on the spending transaction's fields" has > > been considered. However this approach increases implementation complexity > > and broadens the risk surface[^8] > > > Responded to below [1] > > > which > > warrants a compelling demonstration that arbitrary transaction > > introspection does enable important use cases not > > achievable with more minimal capabilities. > > > I'm somewhat skeptical that showing this isn't rather simple, though I admit > I've spent less time > thinking about these concepts. ISTM even something as simple as a rate-limit > requires more > full-featured introspection than only "commit to the exact next transaction" > can provide. For > example, a trivial construction would be something which requires that > transactions spending an > output have an output which claims at least Amount - Rate, which requires > both more full-featured > introspection as well as a bit of math. Given one of the loudest groups > advocating for the > additional features of CTV+CSFS are enterprise or large-value personal > custody providers, it seems > somewhat of a loss to not work our way towards really basic features for this > use-case. > > More generally, more full-featured introspection like TXHASH provides a lot > of flexibility in the > constructs people can build. For example, allowing BYO fees in the form of an > additional input + > output in a transaction, rather than fixing an anchor output in the fixed > "next transaction" > commitment to allow for fees (and then requiring the same additional input + > output later). There's > also open questions as to the incentive-compatibility of anchors in a world > with expensive block > space, as OOB fees become much cheaper. > > Indeed, ISTM many use-cases for a construction like TXHASH become a lot more > substantial with Math > (though, again, I spend less time thinking about the use-cases of these > things than most, so I'm > sure others have more examples), I'm quite skeptical that just looking at an > individual fork on > its own is the right benchmark. Sure, functionality in proposed changes to > Bitcoin's consensus need > to be well-justified, but they don't need to be well-justified purely on > their own. We add things > like OP_SUCCESS opcodes in soft forks specifically to expand the set of > things we can do later, not > specifically in this fork. > > If we assume that we end up wanting things like velocity limits (which I > imagine we would?) then it > seems to me we should do a logical fork that adds features today, but which > will allow us to make > minimal extensions in the future to further expand its use-cases later. > Taking a more myopic view of > the present and ignoring the future results in us doing one thing today, then > effectively replacing > it later by adding more flexibility in a new opcode later, subsuming the > features of what we do > today. I don't see how this results in a net reduction in risk to Bitcoin, > rather just means more > total work and more cruft in Bitcoin's consensus. > > [1] > > Responding to the MEVil question OOO because I think the above should go > first :). > > Indeed, more flexible introspection provides for a difference in risk to the > system (though its > worth noting we cannot both argue that there is no "demonstrated utility" and > that the utility of > a change is so substantially higher that it adds material risk to the system > in the form of MEVil > from its use-cases). However, given the uses of the Bitcoin chain today, it > seems entirely possible > (assuming sufficient adoption) that we end up with a substantial MEVil risk > with or without any > functionality expansion. This mandates a response from the Bitcoin > development community in either > case, and I'm confident that response can happen faster than any reasonable > soft fork timeline. > > While its possible that existing CSV-based MEVil risk never grows beyond its > current anemic state > (due to preferences for stronger trust models from their users), and that > there's a particularly > clever design using expanded introspection that improves the trust model such > that suddenly > CSV-based protocol use explodes, ISTM given the risk and the need to mitigate > it on its own, taking > decisions that are sub-optimal for Bitcoin's consensus on this basis isn't > accomplishing much and > has real costs. > > Matt > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/8a9a2299-ab4b-45a4-8b9d-95798e6bb62a%40mattcorallo.com. -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/73PXNVcmgiN2Kba63P2SRZfs42lvgME_8EF-DlYtkOSY8mLRxEXPEw5JAi5wtPU2MEMw1C6_EDFHKKrhaa1F53OgIJOcam-kbOUP3aG2_e0%3D%40protonmail.com.
