19:00:15 <aj> #startmeeting 19:00:15 <lightningbot> Meeting started Tue Nov 12 19:00:15 2019 UTC. The chair is aj. Information about MeetBot at http://wiki.debian.org/MeetBot. 19:00:15 <lightningbot> Useful Commands: #action #agreed #help #info #idea #link #topic. 19:00:17 <jnewbery> hi 19:00:20 <sipa> hi 19:00:20 <bjarnem> hi 19:00:40 <schmidty> Hi 19:00:43 <moneyball> hi 19:00:44 <r251d> hi 19:00:49 <ariard> hi 19:00:54 <jonatack> hi 19:01:00 <devrandom> hi 19:01:31 <kabaum> hi 19:01:31 <aj> hi 19:01:31 <hebasto> hi 19:02:15 <cdecker> Hi 19:02:19 <hebasto> Q from group 5 (1/2): 1. What happens when using other leaf versions now before they are defined? 19:02:48 <fjahr> hi 19:03:22 <sipa> hebasto: they're spendable by anyone (who can give the internal key and merkle path) 19:03:51 <bjarnem> I was having the same question and I don't think this is specified in the BIP. 19:04:05 <sipa> bjarnem: it is, i think, though not explicitly 19:04:19 <hebasto> yes, it is not obvious from bip... 19:04:27 <sipa> bip-taproot just states that any relevant scripts are executed 19:04:43 <jnewbery> would those spends be non-standard initially? 19:04:48 <sipa> jnewbery: of course 19:04:49 <kabaum> I think taproot rationale [10] is what we're looking for, 19:04:58 <pyskell> hi 19:05:07 <sipa> bip-tapscript defines one for one particular leaf version 19:05:21 <aj> sipa: "of course" -- should it be written down somewhere which bits should be treated as non-standard? 19:05:42 <jnewbery> I think standardness falls outside the BIPs, which only deal with consensus, no? 19:05:42 <sipa> perhaps we can add that if no script semantics are defined for a particular leaf version, the spend is unconditionally valid 19:05:52 <sipa> jnewbery: yeah, that's my thinking 19:05:53 <Moller40> Hi 19:06:23 <cdecker> That'd be a nice addition 19:06:45 <sipa> aj: it feels strange to specify standardness rules in these bips, as they're far less "everyoneust agree on this" than the consensus parts 19:06:52 <aj> treating things as non-standard is important for future soft-forks to be safe (so that nodes that don't validate the new rules dont relay new tx's that might violate them) though? 19:07:04 <sipa> but i also see that it'd be nice to have it written up somewhere 19:07:18 <aj> sipa: yeah, agree on both points :) 19:08:04 <hebasto> Q from group 5 (2/2). Disabled script opcodes."unexecuted branch" means unexecuted branch in the revealed script? 19:08:18 <sipa> hebasto: correct 19:08:26 <hebasto> sipa; ty 19:08:27 <sipa> i see how branch can be confusing here 19:08:45 <hebasto> a bit ;) 19:08:49 <sipa> it means execution branch of the script, not merkle branch 19:09:08 <cdecker> Related: aborting when decoding the script instead of executing is merely a performance improvement, or am I missing something? 19:09:33 <hebasto> maybe "execution branch" and "merkle branch" are good wording for bip? 19:10:09 <sipa> cdecker: it also implies that any later success isn't apllicable 19:10:17 <sipa> hebasto: sure 19:10:23 <bjarnem> Q: Regarding the tweak value `t` must be less than the SECP256K1_ORDER: What to do if the calculated value is greater/equal? 19:10:33 <sipa> bjarnem: it won't be 19:10:44 <jnewbery> bjarnem: buy a lottery ticket 19:10:47 <cdecker> Right, but it allows statically discarding things early on, without having to execute 19:11:25 <sipa> cdecker: if your question is whether you can write an alternative way to interpreting that does not actually return false immediately upon abort, of course 19:12:05 <sipa> but abort in this context is more than giving a suggested optimization for implementers; it's stating that if that condition is reached, the script must fail 19:12:44 <pyskell> The Taproot BIP says: "To the best of the authors' knowledge, no existing use of SHA256 in Bitcoin feeds it a message that starts with two single SHA256 outputs, making collisions between hashtag with other hashes extremely unlikely." What is meant by it and what would happen if it's true? Mostly interested because it's stated in somewhat uncertain terms. 19:12:44 <cdecker> Yep, just felt strange to abort on a script branch that isn't even executed :-) 19:13:11 <sipa> cdecker: i see 19:13:28 <bjarnem> Q: Regarding the squareness of `Q`: (Disclaimer: I am not a cryptographer, so I hope this question is not naive) 19:13:28 <bjarnem> I am unsure regarding the necesity of using a bit to indicate the `has_square_y(Q)` in the control block (Ad7 and Ad6 explain that the squareness of y cannot be guaranteed for `Q`). 19:13:28 <bjarnem> The `Q` value (tweaked pubkey) is commited as scriptPubKey. It can hence also be spend using the key path with a Schnorr signature. But BIP-Schnorr then requires the (tweaked) pubkey `Q` to pass `has_square_y(Q)`. Shouldn't it therefore be guaranteed that for `Q` such a y-coord exists? Or am I misunderstanding something completely? 19:14:17 <sipa> cdecker: not sure how to formulate more clearly... you can see it as a preprocessing step of executing the script (in which case it's just a failure rather than aborting during execution itself 19:15:16 <cdecker> The formulation is clear, I was just wondering about the rationale. All good, don't want to hold up the QA ^^ 19:15:23 <nickler> bjarnem: for key spending Q doesn't have a y coordinate. So the verifier will choose the y coordinate that is square (there's only two options). 19:15:27 <sipa> bjarnem: when spending using the key path, you interpret Q as a has_square point, regardlesz of how it was constructed, and sign possibly with its negation 19:15:34 <pyskell> Is it referring to the SHA256 opcode or something else? 19:15:59 <sipa> bjarnem: when signing using the script path, you have to actually know the squaredness of Y, otherwise the commitment equation won't hold 19:16:20 <jnewbery> One thing that we spent a bit of time talking about in our group session was the annex. Both the format (ie starting with 0x50) and the purpose. 19:16:30 <jnewbery> For the format, I think we explicitly want a leading byte that can't be interpreted as a pubkey (so it can't be confused for P2WPKH) or a opcode (so it can't be confused for P2WSH). 0x50 fits the bill because it can't be a pubkey leading byte (which must be 0x02 or 0x03) and it's an invalid opcode (defined as OP_RESERVED internally, but with unconditional fail semantics). 19:16:45 <aj> sipa, bjarnem: and you can't just try both options if we want to batch verify to make it more efficient 19:17:26 <sipa> jnewbery: it's stronger than that! you can recognize an annex in an input without knowing which output is being spent 19:17:27 <jnewbery> citation 3: https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki#cite_note-3 explains that briefly, but I think it could be expanded a bit (I had to dig around to find 0x50 in script/interpreter.cpp 19:17:39 <sipa> jnewbery: which is by design 19:17:40 <bjarnem> sipa: ok, I see, so for the script path it is important to show exactly which point, and the x-coord is not enough. I will try to read up on that to understand it a little better :) 19:18:13 <jnewbery> right. What are the benefits of being able to recognise a P2TR spend without having the UTXO being spent? 19:18:14 <sipa> bjarnem: feel free to PR a clarification if you find text that would make it easier to understand for you 19:18:46 <sipa> jnewbery: did you get the idea of using an annex to artifically increase an input's weight? 19:19:10 <jnewbery> I understood the purpose, but wondered why you couldn't just do that in the tapscript 19:19:21 <sipa> ? 19:19:51 <sipa> oh you mean by putting a big push + OP_DROP in the script? 19:20:24 <jnewbery> I think the idea is that if we redefine an OP_SUCCESS to be something like OP_VERIFYSNARK, then we want to increase the weight becuase of the increased validation cost 19:20:42 <jnewbery> yes, why not just add that weight to the script 19:20:57 <sipa> jnewbery: that seems.like highly inefficient use of the chain 19:21:17 <sipa> if you need to pad it with garbage 19:21:28 <jnewbery> isn't that what the annex is doing? 19:21:31 <bjarnem> Q: What is reasoning behind OP_SUCCESSx instead of only using the available versioning fields to soft-fork new Tapscript logic into the system (e.g. using the leaf version)? 19:21:32 <ariard> can't it be used also for a per-input locktime IIRC ? 19:21:35 <sipa> jnewbery: no! 19:21:46 <jnewbery> oh, then I misunderstand! 19:22:28 <sipa> jnewbery: the idea would be for example that an annex whose first byte (after the 0x50, using some encoding) is 0x37, a 2-byte field follows 19:22:47 <sipa> and the value of that two byte field is added to the weight of the tx 19:23:15 <sipa> while simultaneously equivalently increasing the budget for expensivw opcodes in tbe script 19:23:36 <sipa> ariard: for examlle 19:23:49 <sipa> ariard: or a block height hash requirement 19:23:55 <ariard> sipa: yes but the value of that two byte can be choosed by the spender how would you make it mandatory ? 19:24:21 <sipa> ariard: if they set it tol high, they'll pay extra fees 19:24:22 <jnewbery> after this imaginary future OP_VERIFYSNARK softfork, are unupgraded miners still able to mine? How do they account block weight? 19:24:29 <ariard> don't you need to combine with some sighash flags to force annex value being covered by transaction digest 19:24:35 <sipa> of they set it too low, the script will fail 19:24:37 <aj> ariard: if you spend more computation than the budget, your tx is invalid; so to increase the budget, you put the smallest value you can into the annex 19:24:54 <sipa> ariard: annexes are always covered by signatures 19:24:58 <hebasto> sipa: annex could increase weight without bloating chain, right? 19:25:04 <sipa> hebasto: right 19:25:17 <sipa> jnewbery: increasing the weight for a transaction is a softfork 19:25:32 <sipa> and using an unknown annex is nonstandard 19:25:41 <sipa> so i think this is perfectly possible to deploy 19:25:59 <sipa> (that doesn't mean we need to; there may never be a reason to) 19:26:11 <ariard> aj: okay so it means we track budget during script evaluation and if committed budget in annex doesn't match it's a failure ? 19:26:13 <jnewbery> unupgraded miners just don't include anything with an annex because it's non-standard? 19:26:18 <sipa> right 19:26:45 <sipa> ariard: the budget is the size of the input, which if amended by an annex, includes that amount 19:27:07 <waxwing> wait surely we expect miners to upgrade in SF scenarios to avoid mis-mining? 19:27:27 <nickler> sipa: with op_zkverify would the limit be something like #(OP_CHECKSIG)*50 + #(OP_ZKVERIFY)*X <= weight? 19:27:35 <sipa> nickler: exactly 19:27:36 <ariard> sipa: and you check the budget against which reference value ? that's where I choke 19:27:49 <sipa> ariard: the weight of the input 19:28:04 <sipa> right now that is literally the number of bytes of the witness 19:28:24 <sipa> if an annex is defined that increments the weight, that counts too 19:28:40 <elichai2> nickler: op_zkverify? 19:28:56 <moneyball> elichai2: a hypothetical example 19:29:34 <jnewbery> What are the benefits of being able to recognise a P2TR spend without having the UTXO being spent? 19:29:57 <sipa> jnewbery: for this annex weight increase example it's useful 19:30:17 <sipa> as otherwise you wouldn't be able to compute a tx's weight without access to the output being spent 19:30:53 <devrandom> group 3 Q 1/?: "The total number of bytes hashed is at most 211" - this doesn't include the sub-hashes, like computing sha_prevouts, etc., right? the reason sub-hashes are not included in the 211 bytes is because they can be cached across sigs for the same tx? 19:31:09 <sipa> devrandom: exactly 19:31:19 <elichai2> moneyball: :) I thought we're already planning tapscript V2 :P 19:31:45 <devrandom> maybe that sentence can be expanded to mention the sub-hashes? I can PR? or do you think it's clear enough as is? 19:32:20 <sipa> devrandom: feel free 19:32:28 <devrandom> OK 19:32:57 <devrandom> group 3 Q/?: "Just like other existing output types, taproot outputs should never reuse keys" - this is for the standard privacy reason, as in "don't reuse addresses"? 19:32:59 <jnewbery> would there ever be a reason to need more than one annex? 19:33:19 <sipa> jnewbery: possibly 19:33:50 <aj> jnewbery: if you need a per input timelock and are using OP_ZKVERIFY, you'd use two annex entries maybe 19:34:26 <cdecker> Couldn't they be serialized back to back then? 19:34:28 <jnewbery> so should we change the definition to be that any n trailing witness elements starting 0x50 are annexes? 19:34:58 <sipa> jnewbery: yes, that's possible, but concatenating them is more efficient i think 19:35:04 <aj> 0x50 { <len> <tag> <values> } seems a fine encoding to only use a single witness element 19:35:14 <jnewbery> got it 19:35:34 <aj> (makes lightning people twitch since they like tag/length/value though) 19:35:53 <sipa> it's also a tradeoff between taking a complexity hit now, and wondering whether we'll ever even need it 19:36:05 <cdecker> aj: just thought the same :-) 19:36:13 <nickler> devrandom: agree that this is confusing. Made more sense when the section was called Privacy. 19:36:24 <sipa> by saying some annex but not specifying any of its semantics we maximally defer the complexity to when it's needed 19:36:46 <jnewbery> sipa: makes sense. Thanks 19:39:00 <sipa> pyskell: the comment on the tagged hashes use refers to all sha256 anywhere in any protocol related to bitcoin 19:39:05 <sipa> not just inside script 19:39:20 <sipa> and the effect of being wrong about it is very likely nothing 19:40:08 <sipa> in most cases tagged hashing is not needed 19:40:19 <jnewbery> The control block can just be (one leading byte plus) the tapleaf hash in the case where only one script is committed. I thought it was slightly interesting that this is the only case where you can know for sure that no other spending conditions were committed to (with keypath spend you don't know whether there was a tweak and with a taptree spend you don't know the other branches) 19:40:52 <sipa> jnewbery: good point 19:41:07 <devrandom> group 3 Q 3/?: there was some group discussion about the fact that specifying the pubkey in the output saves bytes in the blockchain overall, but it's actually heavier in *vbytes*. The discussion then got into whether the weight calculation should be different for taproot (I assume so as to encourage use by not penalizing with higher fees). what do you think? 19:41:35 <pyskell> sipa: Gotcha, thanks for clarifying 19:41:54 <waxwing> devrandom, i think i remember coming up with 1.5 vbytes heavier for p2tr vs p2wpkh when discussing it with aj last week 19:41:55 <sipa> devrandom: for starters, i don't think this matters, because the output cost is paid by the sender 19:41:59 <waxwing> i mean average of course, not exact 19:42:28 <sipa> and the sender is already willing to pay fot 32-byte witness programs, or he'd not have implemented bip173 19:43:00 <waxwing> that's an argument on segwit v1 vs v0 uptake, but not legacy to v1 uptake right 19:43:06 <sipa> right 19:43:35 <bjarnem> Q: Regarding wording for signature hash: 19:43:35 <bjarnem> Under "Constructing and spending Taproot outputs" -> "Spending using the key path": 19:43:35 <bjarnem> "[...] To do so, a witness stack consists of a single element: a bip-schnorr signature on the signature hash as defined above, [...]" <- Is the "transaction digest" defined above the same as what is called "signature hash" here? 19:43:37 <nickler> waxwing: I came up with 1.25 :) https://medium.com/blockstream/reducing-bitcoin-transaction-sizes-with-x-only-pubkeys-f86476af05d7 19:44:25 <waxwing> nickler, lol i'll take it. 19:44:33 <sipa> bjarnem: yep 19:45:10 <devrandom> the difference in vbytes for the sender is (32 - 20) * 4 = 48 if I'm not mistaken. that said I don't have an opinion about this personally, if anybody from group 3 does they can say something ;) 19:45:26 <moneyball> sipa: thoughts on adjusting the weight calculation to make spending PT2R slightly more favorable? advantage being increased adoption of it + improved privacy/fungibility 19:45:45 <sipa> moneyball: that would be a hard fork. good luck. 19:45:52 <moneyball> oh... 19:46:09 <waxwing> a much less technical point, but our group (6) felt that the Motivation section of BIP-taproot does not actually address the motivation, at least to a reader who doesn't know all historical context. it seems like the motivation is in the "Design" section that immediately follows. 19:47:34 <waxwing> sipa, or maybe swipe a byte or two off the witness program? :) 19:47:51 <bjarnem> sipa: I feel that those terms could be defined as being the same under "Transaction digest", or maybe just use one term. Becuase it also happens in BIP-Taproot that sometimes it refers to the "transaction digest" and other times to the "signature hash". But if they are the same maybe just use one term? 19:48:13 <aj> devrandom: (32-20)*4 gives difference in weight units, vbytes is just (32-20) (and if you were counting witness data, you'd divide that part by 4) 19:48:14 <nickler> bjarnem: agreed 19:48:38 <bjarnem> (edit: I meant also in BIP-TapSCRIPT) 19:48:44 <devrandom> aj: got it 19:49:14 <sipa> waxwing: can you open an issue in my bips repo for that? i think that perhaps needs some more discussion than just a PR 19:49:48 <waxwing> sipa, the motivation? sure yeah that makes sense. i'll copy in the notes i made about it earlier. 19:50:04 <sipa> bjarnem: good point, let's use signature hash everywhere (transaction digest is confusing, as it contains some data that's not actually in the transaction) 19:50:07 <sipa> waxwing: yeah 19:50:35 <aj> sipa: maybe "signature digest" for the stuff you feed into the hash function and "signature hash" for the result? 19:50:55 <aj> sipa: it keeps annoying me there's no term to use for the stuff you feed into the hash 19:51:16 <sipa> aj: "message digest" is a historical name for cryptographic hash function, so i wouldn't use digest to refer to its preimage 19:51:35 <devrandom> group 3 Q 4/?: "The new signature hashing algorithm fixes the verification capabilities of offline signing devices by including amount and scriptPubKey in the digest" - the difference is that segwit commits to input value, but taproot commits to *all* inputs, right? is the difference mainly for transaction with inputs from different parties? 19:51:41 <aj> sipa: fair 19:52:11 <waxwing> devrandom, yes i was wondering about that, is it related to the kinds of attacks instagibbs came up with wrt coinjoin and similar? 19:52:24 <sipa> devrandom: no, there is an existing issue where you ask a device to sign a 2-input tx twice, and each time you lie about the other input's value 19:52:41 <sipa> the result is that a malicious online wallet can trick an offline wallet in spending more on fees than it intends to 19:54:25 <waxwing> right so not specifically coinjoin but that's one of the main ways it might come up 19:54:32 <sipa> right 19:54:40 <sipa> it's more general than that, but indeed 19:54:53 <bjarnem> I already asked but cannot find an answer, so in case it was overlooked in the discussion here it comes again :) 19:54:54 <bjarnem> Q: What is reasoning behind OP_SUCCESSx instead of only using the available versioning fields to soft-fork new Tapscript logic into the system (e.g. using the leaf version)? 19:55:09 <devrandom> sipa: got it, I assumed that HW wallets signed all inputs at the same time 19:55:11 <sipa> bjarnem: OP_SUCCESSx is the most powerful upgrade mechanism there is 19:55:38 <sipa> bjarnem: if you'd have me pick one of leaf versions, upgradable pubkeys, or op_success, i'd pick the last one 19:56:07 <bjarnem> sipa: Doesn't leaf versioning have the same power, allowing to change the semantics of the script language like segwit versioning?? 19:56:29 <sipa> bjarnem: yes, but you need a new leaf version any time you introduce a new opcode for example 19:56:48 <sipa> with OP_SUCCESSx you just pick a number and define it; it can be done in parallel with other new opcodes even 19:57:13 <devrandom> group 3 Q 5/5: should the BIP have a Requires header referring to schnorr, etc.? 19:57:27 <bjarnem> sipa: ah, ok I see that 19:57:46 <sipa> bjarnem: OP_SUCCESSx is the most natural choice for new opcodes, i think; leaf versions are the most natural choice for large redefinitions of the language 19:58:02 <sipa> and leaf versions essentially come at zero cost, because we have a few unused bits in the control block anyway 19:58:12 <sipa> devrandom: yeah 19:58:16 <nickler> devrandom: I think so. there's a PR for that already https://github.com/sipa/bips/pull/135 19:58:17 <bjarnem> sipa: thanks for the clarifiaction of the reasoning! 19:59:16 <sipa> as time is running out here... i feel there have been a lot of good questions here that got a response consisting of a rationale that isn't actually in the BIPs; i'll do an effort to go through the transcript and addressing the ones asked, but feel free to help with that 20:00:04 <aj> "feel free to help" ~= "please do help" :) 20:00:28 <moneyball> shall we wrap? 20:00:29 <sipa> if you got a satisfactory answer, you're probably in the best position to add to the bip exactly what insight would have made the text more clear to you 20:00:44 <devrandom> will PR for the stuff I asked 20:00:50 <sipa> awesome, thanks 20:00:56 <sipa> i need to run, thanks everyone! 20:00:59 <moneyball> #endmeeting 20:01:06 <jonatack> thanks! 20:01:11 <b10c> Thanks! 20:01:12 <kabaum> Thanks 20:01:15 <bjarnem> Thanks a lot!! 20:01:23 <cdecker> Thanks ^^ 20:01:24 <aj> also, quick tip since a few people haven't had much luck getting groups together -- (a) if no one else has taken the initiative to choose a time, or talk about things, that might just be a cue for you to do it; (b) it might be that everyone else in your group really is too busy, so feel free to contact to join a different group 20:01:28 <aj> #endmeeting