LNHANCE bips and implementation

reardencode · January 7, 2024, 6:40pm

I’ve just opened pull requests for bips and implementation of a combination of BIP119, OP_CHECKSIGFROMSTACK(VERIFY) and OP_INTERNALKEY (together I’m calling these “LNHANCE”).

github.com/bitcoin/bitcoin

OP_CHECKTEMPLATEVERIFY, OP_CHECKSIGFROMSTACK(VERIFY), OP_INTERNALKEY validation (LNHANCE)

bitcoin:master ← reardencode:lnhance

opened 06:35PM - 07 Jan 24 UTC

reardencode

+3892 -28

This pull request contains a the same implementation of OP_CHECKTEMPLATEVERIFY (…BIP119) as @jamesob's [Covenant Tools](https://github.com/bitcoin/bitcoin/pull/28550), an implementation of [OP_CHECKSIGFROMSTACK(VERIFY)](https://github.com/bitcoin/bips/pull/1535) and of [OP_INTERNALKEY](https://github.com/bitcoin/bips/pull/1534). There are no testnet or mainnet activation parameters proposed in this pull request. I am deeply uninterested in the details of activation semantics. This combination of changes allows for the implementation of a variety of layer two proposals and improvements. Including, but not limited to, Lightning Symmetry, Point-Time-Locked-Contracts, Timeout Trees, and unidirectional non-interactive channels. For anyone interested, I also have a [branch](https://github.com/reardencode/bitcoin/tree/lnhance-v26) with these same changes based on the latest release.

github.com/bitcoin/bips

Add bip-csfs OP_CHECKSIGFROMSTACK(VERIFY)

bitcoin:master ← reardencode:csfs

opened 06:32PM - 07 Jan 24 UTC

reardencode

+123 -0

This BIP is based on the BCH OP_CHECKDATASIG work, as well as postings from the …bitcoin dev mailing list in [this thread](https://www.mail-archive.com/bitcoin-dev@lists.linuxfoundation.org/msg10211.html). Some differences appear due to the activation of bips 340, 341, and 342 (taproot) since those were developed. OP_CHECKSIGFROMSTACKVERIFY is a NOP upgrade available in all script types. OP_CHECKSIGFROMSTACK is an OP_SUCCESS upgrade available only in BIP342 tapscript.

This combination of features seems to be a potentially safe and powerful starting point for bringing output restricting covenants to bitcoin and simultaneously supporting the next iteration of lightning development in the form of ln-symmetry and PTLCs.

michaelfolkson · January 7, 2024, 7:17pm

(Copying across from my comment on the Core repo)

This should be opened to bitcoin-inquisition rather than this repo at this stage? I thought that was the whole point of bitcoin-inquisition. I can summarize why bitcoin-inquisition was introduced in the first place if that helps. It might seem overly finicky but having all proposed consensus changes (especially if they are new) discussed in the Core repo just adds too much noise to all the work that is being done on non consensus changes in Core (imo).

Also I’m interested in why you think LN-Symmetry would be better implemented not using APO?

reardencode · January 7, 2024, 7:30pm

Inquisition is fine, and I’m happy to open a separate PR there for CSFS and INTERNALKEY if that is helpful to reviewers or others in the community. It is not, however, part of the flow for changes to bitcoin core. It is an optional place to test significant changes before they are proposed for activation in bitcoin core if that is helpful to the process for any particular change.

APO is one way to achieve LN-Symmetry. In the range of possible ways to achieve LN-Symmetry, APO is somewhat of a closed development path. It introduces new key types for the existing sigops with a concrete set of sighash flags that cannot later be upgraded without adding another new set of key types. I have a PR open against APO that suggests an alternative design for those sighash flags, and there is a known issue that they should be changed to commit to the control block or merkle path to the script being executed in some modes. In short, there is a large design space for those sighash flags and a lack of direct upgradeability.

In contrast, CTV has a fairly narrow design space. The basic output commitment template is pretty clearly exactly as BIP119 describes it, and this can be combined with a well understood operation (CHECKSIGFROMSTACK) to provide the same committment as that used in @instagibbs LN-Symmetry implementation. Once we have CTV and CSFS in production for some time, we will be much better positioned to further analyze what other sighash modes might be useful for our next Tapscript key versions, or to analyze what hashing modes might be worth adding as a flags byte (or bytes) to CTV.

In short, this approach gives us small building blocks that are lowest common denominator for a variety of 2nd layer enhancements and position us to continue the discussion on future improvements.

michaelfolkson · January 7, 2024, 7:55pm

I mean… sure it is optional. But if everyone takes your approach we get tens of different PRs in the Core repo from different authors all with different combinations of their favorite opcodes and sighash flags and supposedly that helps review and makes progress towards activation. In a repo that already suffers from being unnecessarily noisy. But ok, whatever.

Thanks, I wasn’t aware of this BIP PR you opened. I suspect that isn’t a universally agreed “known issue” unless you can point me to a different discussion I missed. But it does introduce a new public key type, if that’s your criticism I guess that holds.

instagibbs · January 7, 2024, 8:31pm

Hi! Do you have a short list of the well-understood constructs that can be built using these, along with their relative idea maturity(your estimate is fine )?

I think it’d be useful to make it clear what you’re getting. E.g., PTLCs are definitely possible today, but APO-like construction is certainly leaps nicer!

moonsettler · January 7, 2024, 8:45pm

Simple unidirectional NIC (non-interactive channel) that that is immune to TXID malleability and can be natural part of pool vTXOs (virtual UTXOs) from user Alice where you have a coordinator Bob that acts as an LSP:

<sigBob>
<sigAlice>
<template>
---
CHECKTEMPLATEVERIFY
<pubAlice>
OP_CHECKSIGFROMSTACKVERIFY
<pubBob>
OP_CHECKSIGVERIFY

You would have an alternative spending branch with a 24h timelock and Alice single sig. also have a 2-of-2 musig keyspend naturally.

Alice can keep giving Bob newer more favorable distributions. Bob gates them with his single sig.

What Alice would do is give Bob a new <sigAlice> <template> pairs and the new outputs that hash to the template to move funds to Alice. outputs can include HTLCs and then their updated settlement.

urza · January 8, 2024, 6:31am

Would this also allow construction of other things that APO would? Namely channel factories and Spacechains?

Ping @RubenSomsen

moonsettler · January 8, 2024, 10:21am

indeed. LN-symmetry is an other big thing it enables. (will try to dig up the contract, pretty sure someone already laid it out) it won’t do everything APO can, and that’s on purpose. just the most important things that are highly desired.

edit:

# S = 500000000
# IK -> A+B
<sig> <state-n-hash> | CTV IK CSFSV <S+1> CLTV

before funding sign first state template:

# state-n-hash { nLockTime(S+n), out(contract, amount(A)+amount(B)) }
# settlement-hash { nSequence(2w), out(A, amount(A)), out(B, amount(B)) }

# contract for state n < m
IF
  <sig> <state-m-hash> | CTV IK CSFSV <S+n+1> CLTV
ELSE
  <settlement-hash> CTV
ENDIF

CLTV ensures only a larger nLockTime transaction can spend the current on-chain state, the relative timelock for the last co-signed state’s CTV distribution is committed to in the settlement-hash

reardencode · January 9, 2024, 6:23pm

Here’s a new one, Oracle slashing (just proposed).

That relates closely to simplified DLCs with CTV.

Timeout Trees, pretty well specified.

LN-Symmetry, as written by @instagibbs, ports directly to LNHANCE (probably all of uses for SIGHASH_ANYPREVOUTANYSCRIPT|SIGHASH_ALL).

Ark, as originally proposed by Burak, and depending on ephemeral anchors.

Simple coin pools (with n-n signing required to advance the state of the pool) simple to implement, only useful for small (e.g. family) groups.

Simple CTV Vaults implemented, but somewhat hard to use.

edit to add: Didn’t mention the basic ability of CSFS to be used in delegation. This is often not the best method, but can be useful. Script like <pubkey> SWAP IF 2DUP CSFSV DROP ENDIF CHECKSIG.

And many many many more that I don’t have immediate links to.

RubenSomsen · January 10, 2024, 3:30pm

Spacechains are already possible without covenants, but yes, just about any covenant proposal that lets you pre-commit the next tx would be useful for spacechains.

alex · January 17, 2024, 2:51pm

Jeremy Rubin’s uxos.org is still a great resource for CTV-related applications

reardencode · January 18, 2024, 6:22am

Tonight, I created a PR against @ajtowns 's binana to create numbers for CSFS and INTERNALKEY.

I also created draft PRs for ctv, internalkey, csfs alone against core.

These 3 PRs include everything from #29198 except activation and functional tests that depend on CTV being active in regtest. They conflict with each other, due to overlap in SCRIPT_VERIFY_FLAGS numbers, which I’m not sure the best way to deal with.

hampus · January 19, 2024, 9:44pm

According to rearden, this would allow for an APO spacechain-like construction. https://twitter.com/reardencode/status/1748452392046334366

Presumably helpful for statechains too.

moonsettler · January 21, 2024, 11:17pm

a similar contract to LN-symmetry can be used for ‘immortal’ statecoins.

you can potentially do something even cooler, by stacking such constructs and thus transfer one end of an LN-symmetry channel, you can in theory reuse a single channel funding for any number of users.

in this case the final ‘distribution’ of the first channel opens the second (latest) one on-chain, then that has it’s own timeout for latest state.

ZmnSCPxj · February 4, 2024, 12:25pm

I have been thinking as well about mechanisms with internal fees, i.e. the funds that will be used to pay onchain fees in case of unilateral exit are inside the mechanism, instead of requiring an additional UTXO to be kept onchain to pay for unilateral exits. This allows for reduced blockspace use by not requiring anchor outputs and a CPFP-ing transaction, at the cost of requiring funds to be reserved per mechanism for the onchain fee in case of unilateral exit. Here is an attempt to design an extension for OP_CHECKTEMPLATEVERIFY for this: `sighash_outputdeltabounds` - #2 by ZmnSCPxj

cryptoquick · March 15, 2024, 7:14pm

Hi, I’ve made a modified version of rust-bitcoin-script that can do an implementation of LN symmetry script, so anything that needs the bytes for script somewhere can easily get the right format.

github.com

cryptoquick/rust-bitcoin-script/blob/1a7e1742b3a699fa5a021a73211e36d92a2c3bd5/tests/test.rs#L26-L44


      
          #[test]
          fn lnhance() {
              let s = hex::decode("a2f0e0d0c0b0a0908070605040302010").unwrap();
          
              let script = bitcoin_script! {
                  OP_CHECKTEMPLATEVERIFY
                  0x0102030405060708090a0b0c0d0e0f2a
                  OP_CHECKSIGFROMSTACKVERIFY
                  <s>
                  OP_CLTV
              };
          
              assert_eq!(
                  script.to_hex(),
                  "b3100102030405060708090a0b0c0d0e0f2ab410a2f0e0d0c0b0a0908070605040302010b1"
              );
          }

Forgive me if my byte counts are off in the example, I wasn’t sure of the exact inputs.

I don’t yet have support for IK, but I think that’s a Taproot thing anyway, so not the same as script.

Thanks to @cguida for nudging me towards doing this. He’ll be using this or something like it in trying to make an LNHANCE CLN plugin.

reardencode · March 19, 2024, 8:38pm

Nice, thank you!

IKEY is Tapscript only indeed, as it reads the BIP341 internal key from the control block and writes it to the stack.