BIP446: OP_TEMPLATEHASH and BIP Draft: TH+CSFS+IK Bundle#1974
BIP446: OP_TEMPLATEHASH and BIP Draft: TH+CSFS+IK Bundle#1974instagibbs wants to merge 7 commits intobitcoin:masterfrom
Conversation
|
Some previous related discussions:
|
|
I'm afraid I'm going to write a lot and say very little, but I have a few thoughts maybe worth sharing. The improvements on CTV are obvious, pushing the hash onto the stack is better, leveraging only cached intermediate hashes is better. scriptSig CommitmentDropping the scriptSig commitment seems debatable, but I accept the given rationale for omitting it. Furthermore, CTV's scriptSig commitment introduces a new variable length chunk of data to hash. The Annex CommitmentThe annex commitment is of course the most controversial addition. On the one hand, it is incredibly useful to eltoo style protocols, and I can imagine, for example, that CISA might leverage the annex to set the order of public keys in an aggregate key. In this scenario, committing to the entire annex ahead of time would prevent using CISA, though once again I confess I don't know what such a scheme would actually look like. My instinct here is to reduce the scope of On the other hand, introducing a future This is why I'm ok with the proposal as-is, if the annex commitment proves to be a mistake, it can still serve a useful purpose now and into the future, and a second opcode could be introduced to address the annex-less case. Crazy TalkI'd like to very tentatively float another way to dodge the annex issue: a hash selector bitfield. To this, instagibbs said something like "why not go full TXHASH then?" Unlike TXHASH which has a huge amount of flexibility, a bitfield that permits choosing to commit to all or none of the sequences, all or none of the outputs, and all or none of the annex should not change the stopping point. One could also leverage the other five bits of a 1 byte stack item to potentially commit to the first N<32 outpoints, to support the sibling commitments. This last one in particular changes the performance profile of I can say that for me, committing to all of the outputs but none of the input sequences (and therefore not the input count) would be very useful for one of my projects which currently uses a deleted key ALL|ANYONECANPAY signature. Hashing PerformanceToday one can use the script With At exactly n = 80, the SHA256 script will hash 41600 bytes with a 763 byte script. Less naively, one can use the script Similarly, the The less naive SHA256 script will hash 57720 bytes in 782 script bytes, and the less naive I suppose all of that is to say "This is strictly less hashing than is necessary for other existing operations." seems correct, assuming there aren't more clever pathological scripts. Furthermore, the result of |
Wouldn't the hash naturally be cached in implementation? |
|
Thanks for the feedback @Ademan.
Some amount of bikeshedding is justified for a proposal as consequential as a consensus change. :)
If i understand correctly, your criticism is that while committing to the annex is very useful for the flagship usecase of this proposal, this may clash with potential future usages of the annex. That on its own i don't think is a valid reason not to have the annex commitment, if only because you can make the same argument in the other direction: not committing to the annex would be a design mistake as it allows to be forward-compatible with future usages of the annex, and is already provably useful for some of the main applications enabled by this proposal. To substantiate your point you bring up that the annex would be the only witness element committed to by As more of a general point, i think starting from |
In the Taproot signature hash (which this proposal re-uses), various parts of the transaction are pre-hashed such that the hash can be cached across signatures. For each signature, those pre-computed hashes are hashed together along with some fixed-size transaction fields, such that the maximum amount of data hashed per signature is capped: Line 128 in 87f3fe1 This final hash is pointless to cache, because other opcodes let you hash strictly more arbitrary (i.e. uncachable) data (and even have less restrictions on them). |
Clearly, I think, this is the most debatable point precisely because there isn't widespread use (or demand yet) for such space.
Any scheme that wants to shift from sign-time OP_RETURN to witness data may want to use it in the same manner. It's my fault for making ln-symmetry the go-to during discussion. Granted, this is a fairly minimal improvement, and can be done by many other means with CSFS and friends, or just eating the OP_RETURN cost. In the end, "Any annex scheme that is compatible with OP_CHECKSIG(ADD) is compatible with OP_TEMPLATEHASH" seems the most straight-forward and least foot-gunny to me.
I feel like without a specific proposal, we're going to miss the real costs in terms of complexity. I'm also worried that if a proposal becomes "general purpose" without actually being general, it won't capture the behavior we actually want, with respect to "programmable money".
No BitVM bridge has launched, and the space is moving very very fast. It's on my docket to try to learn more about the fundamental requirements of these systems to transition from permissioned systems to permissionless for both safety of funds and unilateral exit (these are different concepts IIUC), but I think this is out of scope, and the answer may be "we need GSR / btclisp / Simplicity" and stop trying to guess what specific systems need? I have plenty of controversial thoughts on this but seems way out of scope here, unless we find the next-tx capability and rebindable signatures insufficient motivation for a softfork. |
|
My take on the annex is as long as there is no clear potential use for the annex proposed, treating it consistently seems to make the most sense. We treat it exactly like the taproot sighashes are, so that's consistent. Take note that we're only committing the current input's annex, if the annex would be used for something that doesn't work with TEMPLATEHASH, it just means they can't be used together, which seems fine. It would also not be able to be used together with any other sighash-(all/default)-using scheme. I feel that since new use-cases for the annex will almost certainly come with their own soft fork, they can be resolved when the time comes. You speak about CISA, which I think is a great example, but in my opinion by the time we have a solid CISA soft fork proposal, the TXHASH and TXSIGHASH ideas will hopefully also be more mature and they can solve the annex aspect more elegantly. This proposal is trying to move the needle for simple next-tx commitment and basic rebindable signatures. Two arguably very simple features that are undeniably useful for almost all second-layer protocols currently being developed and used. |
|
If nodes start relaying transactions with non-empty annex the result will predictably a new exogenous asset protocols and a new simpler more efficient ways to inscribe arbitrary data without the need for pre-commitment. Unleashing the annex is a predictable footgun socially speaking. |
To be clear, this PR / implementation isn't about relaxing these rules for relay. |
Yes, this is only relevant further down the line. I think what @Ademan was also picking at is that this proposal feels predictive direction wise. |
Sure! I hope it's productive...
From my very limited perspective, that seems considerably less likely than the opposite, but that is kind of the problem, this is ~guessing. Maybe it would be useful to at least attempt to identify concrete or partially specified proposals that use the annex. I suppose the onus is on me since I'm the one suggesting they may conflict, but you, instagibbs, steven and moonsettler are all likely closer to the people who might be working on them.
Absolutely! I just want to ensure that "it's useful" isn't overriding compatibility concerns. There are other ways to do data publication, it doesn't necessarily need to be a part of
To be clear, I'm distinguishing between ahead of time commitment (via I think I may have been talked out of my position, but I still think it deserves some litigation (perhaps with a better advocate than I). To give it one last go, I suspect (admittedly without evidence!) that varying annex data independently of the rest of the TX will be the norm and desirable if/when the annex finds uses besides data publication.
Fair enough, I definitely agree with the second part. |
| transaction. `OP_CHECKTEMPLATEVERIFY` gives txid stability when the committed spending transaction has a single input, | ||
| and when the scriptSig of this single input has been committed by the hash. | ||
| Taproot scriptSigs must be empty and therefore under the single input case `OP_TEMPLATEHASH` has no requirement | ||
| to commit to scriptSigs to achieve txid stability. |
There was a problem hiding this comment.
everytime I read through this always my biggest question is "why not commit to all script sigs being empty" or "what are the potential downsides to having multi input malleability"
would be nice to have an explanation in this to explain why this trade off is okay
There was a problem hiding this comment.
- the input is segwit, so it already explicitly commits to its own scriptSig being blank
- the purported benefit to committing to other scriptSigs in addition was to ensure txid stability, but without fixing the other inputs' prevout ahead of time, this cannot be achieved in general. (The "BitVM Trick" was to ensure this was actually possible, but I consider this not an intentional design decision; I'd rather the "sibling input commitment" be done properly if that's what we want!)
Given that it doesn't ensure the "next transaction" commitment we are aiming for which includes additional hashing on top of taproot hashes already existing, it was not added to the proposal.
|
@instagibbs how do you feel about adding OP_SHA256TAGGED to this mix? Even with the "French CTV" it would be a pretty viable LNhance alternative I could support without any misgivings. |
| committed in the output itself. Committing to all other prevouts or scriptpubkeys would introduce hashing a quantity | ||
| of data quadratic in the number of inputs. It would also prevent spending two coins encumbered by a template hash | ||
| check in the same transaction. Finally, the flexibility of not committing to the specific coins spent is also | ||
| desirable to recover from mistakes[^no-commit-other-coins]. |
There was a problem hiding this comment.
Wouldn’t the commitment to all of the inputs’ sequence fields, sha_sequences, indirectly commit to the count of inputs, and therefore prevent adding another input?
(Or maybe I’m misconstruing what sha_sequences exactly is, feel free to correct me in that case.)
There was a problem hiding this comment.
commit to the count of inputs, and therefore prevent adding another input?
Yes, it commits to the total number of inputs. Typically this would be 1, but you can certainly have more for batching scenarios.
There was a problem hiding this comment.
Right, but when your OP_TEMPLATEHASH commits to the spending transaction having a single input, you would not have the flexibility to add a second output to provide more funds, i.e., doesn’t that contradict your flexibility point?
There was a problem hiding this comment.
there's an included footnote for a (weak) example with respect to value, though it doesn't apply to prevouts per se. If the other coin gets swept, you can "contribute" a new utxo to make it whole and rescue the locked funds.
It's not the primary motivation for the design decision compared to the others.
There was a problem hiding this comment.
On second reading, I do see what you mean. It seems to me that this could be discussed more explicitly than such a subtle footnote.
|
|
||
| The ability to push the Taproot internal key on the stack is a natural and extremely simple optimisation for rebindable | ||
| signatures. | ||
|
|
There was a problem hiding this comment.
This BIP appears to be missing a Specification section.
There was a problem hiding this comment.
added mini implementation section for completeness
There was a problem hiding this comment.
Looking at this again, I currently don’t see this document meeting the criteria for a BIP, let alone a Specification BIP.
This could for example be remedied by adding a Deployment section, even if the content were TBD.
Alternatively, I would still recommend that this document were split off from BIP 446, given that OP_TEMPLATEHASH in itself is basically ready for publication.
There was a problem hiding this comment.
I would still recommend that this document were split off from BIP 446
I think OP_TEMPLATEHASH only really makes sense as part of the bundle. I'd rather take the time to clean up the bundle.
| rules: there is no block that is valid under the rules proposed in this BIP but not under the existing Bitcoin consensus | ||
| rules. As a consequence these changes are backward-compatible with non-upgraded node software. That said, the authors | ||
| strongly encourage node operators to upgrade in order to fully validate all consensus rules. | ||
|
|
There was a problem hiding this comment.
If there is a reference implementation for this opcode package, could you please add a section that links to the corresponding code?
There was a problem hiding this comment.
no current one exists, we haven't moved forward on bitcoin-inquisition with templatehash and likely won't until the BIP becomes stable
adf18c9 to
d359ceb
Compare
Seems out of scope here, unless I'm missing some key motivation. |
You came up with the motivation yourself afaik (for LN-Symmetry). It's about the whole annex/nulldata/paircommit data availability thing. It is also mildly useful for MATT stuff in a more expressive future script, otherwise it gives us a safe pair-commitment for two stack elements. Assuming this proposal is activated as-is (as a thought experiment), even if core would be reluctant to, as proven by precedents, it would be a trivial exercise for an LSP to break the annex "filter" using the libre strategy with just a few tens of nodes. Forcing core to "face the reality of the network" and relax policy. Hence our comments on this proposal being predictive of annex use. I don't want to waste too much time on this topic. But this is exactly why after much agonizing PC was included in LNhance. |
|
Thanks for writing these specifications. I like the general direction and think that One small observation is that the chosen opcode |
|
@bigspider Our bad, we can switch to another value edit: trying to find something not colliding 😭 |
|
0xcd is PAIRCOMMIT btw which has an implementation and activation client sort of "out there". // Tapscript expansion
OP_INTERNALKEY = 0xcb,
OP_CHECKSIGFROMSTACK = 0xcc,
OP_PAIRCOMMIT = 0xcd,lnhance/bitcoin@91b3036#diff-93c5ddf703879287802d651b68c9c6199644afe23db0dd3ff77e8d1ce3c20045 |
59d6870 to
b6c8a64
Compare
There was a problem hiding this comment.
Thanks for adopting the changes and sidestepping the collision with CCV.
I’m still a bit confused as to what the bundle document is trying to be. It seems that it is perhaps a placeholder for the activation parameters, and while it does provide some additional motivation for the bundle, it feels like there is still some crunch missing here.
The TH proposals is looking pretty close to number assignment to me.
Overall, both documents could perhaps use some more reviewers?
A possible alternative would be to add a Deployment section to the templatehash BIP draft that explicitly links it with bip348/349, like https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki#deployment . I'm not sure what the best thing is, but having motivating "glue" text is important. Would be curious as to what others think.
💯 |
|
I think a separate bundle BIP is preferable for at least two reasons:
That said, if we can make a reasonably clear document that features both the main motivations of the proposal and the specification of OP_TH, i would be fine with that. |
|
It isn’t that they should be combined or that the FISHSTCK proposal is a bad idea. My point is that its type is “Standards Track”, but it lacks a Specification that an implementation could be in compliance with. It therefore appears incomplete. |
|
I didn't mean to imply you suggested that. I was just chiming in as it appeared to have been welcome above. Anyways, what would you recommend here? |
|
Not sure, perhaps separate the two documents into different PRs. The Templatehash one is probably close to ready, and the FISHSTCK one would be draft stage and could be moved forward when there is a Specification section that describes activation or smth. Open to other ideas. |
|
Let’s refer to the OP_TEMPLATEHASH document as BIP 446. I’d like to see some follow-up on the bundle proposal. |
murchandamus
left a comment
There was a problem hiding this comment.
Note that the preamble needs some changes due to BIP 3 deploying.
This comment was marked as spam.
This comment was marked as spam.
Sorry, something went wrong.
4a6f1de to
ce33378
Compare
d33942f to
4ca2744
Compare
Co-authored-by: Mark "Murch" Erhardt <murch@murch.one>
|
@murchandamus i took a shot at merging the bundle document inside the OP_TEMPLATEHASH document. I think it makes sense. Here is the branch. This is just a PoC, some details need cleaning up. What do you think of this approach? |
Thanks for the PoC branch. I’m not excited about this approach. I like the name “Twine” for the bundle, but putting everything into one BIP muddles the scope. I would prefer OP_TEMPLATEHASH to remain a separate document as proposed (and numbered) previously, and the bundle BIP be renamed to Twine, extended with a short and sweet Specification section that reiterates which OP_SUCCESS opcodes are used, defines the three proposals as a bundle to be activated together, and proposes a concrete deployment. |
darosior
left a comment
There was a problem hiding this comment.
nit from when i played with merging the two documents.
| ## Abstract | ||
|
|
||
| This document proposes bundling three new operations for [Tapscript][tapscript-bip]: | ||
| [`OP_TEMPLATEHASH`][templatehash-bip], [`BIP348 OP_CHECKSIGFROMSTACK`][csfs-bip], and [`BIP349 OP_INTERNALKEY`][internalkey-bip]. |
There was a problem hiding this comment.
nit
| [`OP_TEMPLATEHASH`][templatehash-bip], [`BIP348 OP_CHECKSIGFROMSTACK`][csfs-bip], and [`BIP349 OP_INTERNALKEY`][internalkey-bip]. | |
| [`OP_TEMPLATEHASH`][templatehash-bip], [BIP348 `OP_CHECKSIGFROMSTACK`][csfs-bip], and [BIP349 `OP_INTERNALKEY`][internalkey-bip]. |
|
From communicating out of band, my understanding is that this PR is waiting for an update from the authors to expand the content of the Twine document. |
Opening this here for wider discussion and feedback.
edit: Probably need to add implementation section: https://github.com/instagibbs/bitcoin/tree/2025-07-op_templatehash