Transcript for #bitcoin-dev 2017/02/19

17:45 arubi trying jl2012's mast v3 branch, does anyone know the structure for the json used to redeem an input? I mean the json signrawtransaction/bitcoin-tx takes (if there's a way to do that at all). I can build redeeming transactions fine, but core's script_tests.json requires a specific dummy input, and feeding a test back to core for "signing" requires also passing the json with the redeeming info.
17:54 arubi ooh 'bool IsMASTStack()' ..
17:55 arubi wonder if it wants the actual witness stack in "redeemScript".. I'm already passing it a proper witness stack but it's overwriting it with nothing as it signs, then fails with "Invalid witness stack for MAST"
17:58 arubi the witness is empty when IsMASTStack() runs.. weird
19:21 arubi waxwing, so I was mentioning covenants before, seems like it's "almost" possible, almost means that you can do it if you break sha256:
19:22 arubi last time I tried I couldn't commit to a pubkey + sig in the same script, but that was because I was using the signature's hash160, and not the signature itself
19:22 waxwing what am i looking at :)
19:22 waxwing is the quoted string the return value from signrawtransaction? i haven't used that for ages
19:22 arubi the scriptpubkey for redeeming that input is the pubkey + signature + checksig
19:23 arubi nope, it's the inputs
19:23 arubi input*
19:23 arubi anyway, get this
19:23 arubi seems like there's a very little documented "feature" in checksig stuff
19:23 arubi it's called "find and delete", at least I think that's the name
19:24 waxwing sure, heard of it, apparently it's weird somehow
19:24 arubi if checksig spots a proper signature in its sighash, it deletes it
19:24 waxwing so can you write those scriptpubkey and redeemscripts?
19:24 arubi so '<signature> checksig' as a scriptpubkey becomes 'checksig'
19:25 waxwing i see; so only in scriptPubKey?
19:25 arubi only when a scriptcode is used in a checksig operation
19:26 arubi so you can send to a p2sh of 'pubkey codesep <sig> checksig', but when checksig is done, it only checks 'checksig'
19:27 arubi so, you can actually commit to a pubkey in the scriptpubkey itself, and sign a transaction to specific outputs... but! you still have to sign specific inputs
19:28 arubi er, s/<sig> checksig/<sig> swap checksig/g
19:31 arubi waxwing, stack trace:
19:32 arubi it kinda does a lot of ROLLs where a single swap is enough, but originally it was a 2-of-2 multisig and I just trimmed it down again to make sure I have to actually break sha256 to make it work :P
19:34 arubi I mean, the real issue is that you make the signature only after you know the input txid, and the input txid depends on the scriptpubkey that you used, and the scriptpubkey is a hash160 that includes the signature + pubkey.. even if you have the private key for that pubkey, you still can't sign it
19:35 arubi only if you don't commit to a pubkey, and then anyone can spend it as it's redeemed
19:36 arubi I /could/ make it work live if I used sighash single bug, but then again I haven't committed to anything. any hash is '1'
19:39 waxwing arubi: i'm not following, but maybe just write out the simplest example of a scriptPubkey for this? might help a bit.
19:40 arubi suppose I send funds to '<pubkey> codesep <sig> swap checksig'
19:40 waxwing right so findanddelete means the sig is deleted?
19:40 arubi when checksig is executed, what is checked as scriptsig is 'swap checksig'
19:41 MeoowWoof good evening
19:41 arubi sig is deleted because of find and delete, pubkey is gone because of op_codesep
19:42 arubi so really, the signature is made for some tx metadata like version, num inputs, num outputs, outputs themselves, and an nlocktime
19:42 arubi but what's missing is the input txid (and index, but meh)
19:43 waxwing i've probably forgotten some basics, but what you wrote there was the scriptpubkey write? what is used as scriptsig when spending?
19:43 waxwing s/write/right/
19:43 arubi right, checksig will use the scriptpubkey up to the leftmost code separator and up to the end to the right, deleting all code separators
19:44 arubi so here the pubkey is to the left of the codesep, so it's not in scriptsig when checksig is executed
19:44 waxwing sorry i still don't get what is used as scriptsig when spending? what you wrote above was the scriptpubkey, no?
19:45 waxwing you wrote "suppose I send funds to '<pubkey> codesep <sig> swap checksig'", so i assumed that was the scriptpubkey?
19:45 arubi oh I see where I'm confusing you here
19:46 arubi '<pubkey> codesep <sig> swap checksig' is the redeemscript of a p2sh whose scriptpubkey is '<script hash160> equal', and when I send funds to that script, I send it to the p2sh script. this is clear, right?
19:46 waxwing ok, i didn't realise it was p2sh, got it
19:47 arubi right, so '<pubkey> codesep <sig> swap checksig' is what's executed
19:47 waxwing so i get that FAD removes the sig, but then you have 'swap op checksig' is that right?
19:47 arubi yea, and that's easy to sign "in advance"
19:48 waxwing i'm still lost because i thought you had to have two arguments to op checksig
19:48 arubi the pubkey and the sig
19:48 waxwing doesn't the codeseparator remove the pubkey from the stack or something?
19:48 arubi nope :)
19:48 arubi just used as a sighash "tweak"
19:48 waxwing i never really knew about codeseparator. what's it for? for sighashing?
19:48 waxwing ok yeah
19:49 waxwing that makes sense i think
19:49 arubi the pubkey and sig are already consumed by checksig when that happens
19:50 arubi so assuming I'm setting up a mock transaction that uses that scriptpubkey as a redeemscript from an unknown transaction to pay some predetermined outputs
19:51 arubi and for that signature I put in some mock "AAAAAAAAAAAAAAAAAA..." and index 0 as the txid and index, now if at any time there is a txid AAAAAAAAAAAA... that pays this scriptpubkey as output 0, then you have a guarantee to get paid by this transaction
19:51 arubi but of course, getting a transaction to get a txid of AAAAAAAA.. is.. /difficult/
19:52 waxwing hang on, slow progress for me here, i have to re-read the op-checksig page
19:53 arubi in the case where it's a single input and output, it looks just like the spend transaction but instead of having the redeemscript pushed as a single value (followed by signatures), it has the redeemscript as an actual script
19:55 waxwing so the gist of it is, you're creating an output whose spending is conditional on the tx metadata and input txids, something like that
19:56 arubi everything is set in stone once the scriptpubkey is made, even the input txid
19:56 waxwing if sighash_single i guess that narrows it a bit. but yeah seems academic without tx preimage somehow or other.
19:56 waxwing sorry hash preimage
19:57 arubi sighash single bug, where the signature will only have to sign 0x01
19:57 arubi 0100000001AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA000000004976A9143EED3148939D0C00549EFE8358E1A3EADE9FCA7A88AB0028302502205C4DE957015B013284B8BDD48074E176D80F6D831209F79E410F8C6B8E69FABA02010101537A537A51AEFDFFFFFF01C09EE605000000001976A914C00310F39283CCFE5AD84F152D14B85532A483F088AC0000000001000000
19:57 arubi is how it looks for sighash, I hope I got that right
19:57 waxwing right so do i understand you're saying it can be done with single due to that bug (i never really looked into it)
19:58 arubi yea, but it loses all meaning because the hash is always 1
19:58 waxwing maybe you can play some games with zk proofs of hash preimage
19:59 arubi way too advanced for me.. I'm trying MAST right now, I think it has op codes that can be used to make it work
19:59 waxwing oh really? you think that could make it possible?
19:59 waxwing oh does mast have more op codes
20:00 arubi invert, xor, cat, substr.. really lots of possibilities to work on a signature
20:00 waxwing well re advanced: you could start by considering a spherical preimage :)
20:00 arubi is that like chameleon hashes?
20:00 arubi that's the vibe I'm getting :)
20:01 waxwing heh, no, reference to spherical cows :)
20:01 arubi ohh!
20:01 arubi yea I just got it haha
20:01 arubi you can see how my brain has completely melted at this point. I'm building some tools to let me debug mast scripts
20:01 waxwing i was just kind of saying, if you assumed that proof of hash preimage knowledge was available, maybe you could do something with it. but, on reflection probably not interesting.
20:02 arubi well, one of the examples on bip-mastopcodes is provably revealing a private key from a signature
20:02 arubi another example is zero trust lottery between two parties
20:02 waxwing bip # ?
20:02 arubi has no number, it's on jl2012's fork of the bips repo
20:03 arubi 'mastopcodes', really insane stuff
20:04 waxwing this one?
20:04 arubi
20:04 arubi 114 is mast in general
20:05 waxwing thanks
20:07 arubi np, anyway, I'll be back after dinner for some more bitcoin, cya :)
20:23 MeoowWoof hey guys
20:23 MeoowWoof first time looking at the source
20:23 MeoowWoof can someone suggest which is a good point to put a breakpoint to follow a transaction.
20:23 MeoowWoof I can't seem to figure out where classes like coincontrol, wallet are init
21:22 mryandao bitcoind.cpp
21:22 mryandao From acceptance into mempool onwards
21:24 arubi he's gone :(
22:01 mryandao Oh sad :(
22:34 luke-jr mryandao: bitcoind.cpp is definitely the wrong answer..