transactionHead and transactionTail are not existing op codes and it fails to be obvious how to concatenations at the end of the script should ever rationally imply to implicitly store the input or output value of the transaction even if it was.



"Getting elliptic curves right is not a trivial task." first off most people could and probably should stick to secp256k1 anyway, the point is that theres a generic stack for generating the cryptographic protocol, once you make the choice to use a well known curve defining it correctly is just as easily as importing the correct library which is basic programming. Furthermore the generality would allow for MORE surface area as to not lock developers to this curve for VARIOUS potential reasoning. Restrictions could be made on the size of the curve and so on, but enforcing that it can only produce a certain format for covenant key ownership logic is unproductive in my opinion which is why I started this thread.


AND YOU'RE ADVOCATING FOR OP_CAT SOMETHING THAT REQUIRES A (DRUMROLL PLEASE) SOFT FORK!!! So why is it suddenly so easy when its OP_CAT sir riddle me that? In reality because of how utterly necessary this will be to make Bitcoin something other than a beta project for cryptographic money, getting it into the chain should not be super difficult. Similarly to how other actual improvements went very smoothly on Bitcoin. Similarly to how OP_CAT was forked out of the chain because it was constantly misused due to its confusing implementation. If it was reconfigured old scripts with OP_CAT are now consensus invalid, not that there would be many but its an extremely non-Bitcoin-like update, that draws from nostalgia instead of practicality. If in-fact OP_CAT is re-added w different functionality it would technically be the first breaking backwards compatibility change to the network as far as I can tell. If the functionality is not changed its just as problematic as it was before and there's no sense in trying to re soft fork it back in just because a couple of hacks were found for it.


My proposal is that the proper approach is generalization and modularity, two features held extremely highly in all areas of software development. If you are a software developer you should recognize why these are important immediately. This can happen in the way that an OP_CODE might free you up to provide your own generator point for the curve, it might allow you to perform scalar multiplication and modulo operations wherever it is necessary in your curve point formula, not just wherever it seemed to work with the first design built for a specific kind of covenant. It can combine the features of off chain and on chain script commitments instead of locking you into one or the other. The possibilities go on. When you have CHECKLAMPORT you get one thing, Lamport signatures, and whoever doesn't want to use them can eff themselves as far as you are concerned. I see no reason Bitcoin should be that elitist about cryptographic protocols, I only see reasons for incentivizing it to flourish into a research ground for novel protocols. Failing to scale the l1 due to cryptographic elitism seems very silly. Like I said before there are several alt-chains that have this exact modularity running in practice on their mainnet today.


Yes I get that I need to do that, but my thread was directed at trying to identify why it's me coming up with this idea. I might try to but I'm not professing that I have the best implementation for it right now. For now Im still convinced its the best approach towards scaling Bitcoin script. Im not fully against others like lamport and cat and ctv or whatnot but i am suspicious of them being adopted before something that I find to be more general and practical. Mainly that they wont match their hype and fail to scale Bitcoin to the extent it really needs to be scaled even if it does extend Bitcoins throughput by a little bit. Furthermore, I will be attempting a BIP about this and anyone who wants to help can message me. It will probably need to be a community effort if it succeeds at all.

OP_CAT does not enable things like inspectoutputvalue, this is part of my point, your philosophy is like "OP_CAT will solve all of this" but you fail to present a formal proof of that. Meanwhile formal proofs for various forms Discrete Log Curve Point cryptography are being built even with no input from Bitcoiners.


Weak curves are utterly irrelevant, people can ship malware using Bitcoin TODAY, you are simply concern trolling about the extent of potential failures in cryptographic algorithms. This kind of closed minded thinking is exactly what I'm talking about, instead of imagining what kinds of scaling protocols can be made by leveraging well researched cryptosystems, we theorize that one might build a wallet using a weak curve... as if there was no other way to ship Bitcoin wallet malware already.


I think it's incredibly misleading to suppose that because someone found a hack with known vulnerabilities still and not ready for production way to do Lamports on current Bitcoin, that suddenly that makes this implementation ideal and also means that all other crypto-systems are possible. You seem like you are arguing for halting innovation all together with this mentality. Bitcoin does not need more weakly defined hacks establishing themselves as legitimate protocols to unfortunately and inevitably leave end users holding the experimental bags. We need well defined standards that legitimately increase the surface area for innovation.


Yea you are describing a scenario in which you would lose to an attacker capable of fee pinning, there's no innovation there again. Sure it's extremely easy to create some contract that's tied to an off-chain script, its also incredibly easy to embed vulnerabilities in the entire process of funding and claiming from such scripts. This is asking for a lack of standardization to proliferate into vulnerabilities, the alternative I'm offering is a basic standard that would support all the current proposals and more. The lack of basic curve point functionality prevents many extremely straightforward approaches to securing these contracts and preventing pinning attacks entirely.

I'm pretty sure you are mainly discussing off chain and side-chain contracts, the scripts you provided might already serve that use case, however more complex / flexible ECC scripting conditions would enable native contracts reducing reliance on a side chain or off chain client side validated contract.

L2s can use this to build more useful UX, for example with Point Time Lock Contracts the lightning network would now be able to build lightning native privacy protocols and multi-sig custody protocols where previously the hash based contracts limit the extensibility of Lightning altogether. That's a relatively simple example, but ultimately more flexibility would open the flood gates in terms of scaling solutions.

This is in juxtaposition to each scaling protocol needing to settle with an extremely strict or at least specific standard which puts more limitations on the flexibility of the end product. I forgot to mention scripts like InspectInputValue and InspectOutputValue are probably required too (they exist on liquid already) however I think that's good because all of this is just very basic straightforward scripting that doesn't require a programmer to study a long document to figure out how it works in detail. Yes one has to study ECC if they want to build a scaling protocol but that is a well documented subject already and wont need redefinition to include into Bitcoin.

You could have PUBKEY_MUL but you could also just have basic EC_MUL I really don't see why not, it should be up to the protocol developer to determine what curve (and protocol math) they are using. That may also be used for migrating to different curves without hardforks. All you have to do is provide the correct generator point which can easily be supplied by a library that you use to build your scripts. Maybe we will never have to change the curve but if we want to be able to flexibly interact with cryptographic protocols that use other curves, this feels necessary. Or in the case where the curve is irrelevant and you simply want to use the points for any kind of cross-protocol computation, the scripts need to be completely functional as to not limit the expressiveness of the protocol.

That also means alt-chains like XMR that use a different curve might gain more compatibility in protocols like atomic swaps which might help reduce interactivity. Atomic swaps are already possible with XMR except they are unidirectional until XMR hard-forks to allow pre-signed txs. The really positive thing is you could potentially use generic curve point scripts to build privacy protocols on top of Bitcoin, maybe a bulletproof or pedersen commitment script or something like that.

I think another positive result would be that the costing of executing these scripts would be transparent, you shouldn't be able to exhaust a nodes resources by creating some kind of hidden verification loop that might go undetected in a script that comes in the form of a large expected template. Current scaling proposals AFAIK have not considered how to tackle costing for every script that can possibly be written for their templates, likely because that is a huge undertaking to consider. Without granularly applying weight to each operation it cant be done in a fair way IMO.

Pretty much every proposal ive seen IE CTV, Vault, etc... creates a standardized structure for the contract which creates a literal cultural divide amongst programmers who prefer different scaling implementations.
Other than that you have CAT which as far as Im concerned is pitifully un-standardized and bound to create unimaginable side effects.

Currently there is no basic generic Elliptic Curve Point Contract functionality, that is a BASIC and NEEDED upgrade that should not be controversial what soever. This can easily enable any of the functionality that all above mentioned proposals seek to implement, without restricting anyone to any of the standards created by an individual proposal other than a basic standard for generic Curve Point math in Bitcoin Script.

...?

Hello! I want to say I'm very impressed with your work and I would like to lighten up the suspicion that I casted on this project a while back.
I look forward to the immense potential of these tools. Also the BitVM paper is very cool!

I admit I have not studied Utreexo as much as I would like I only heard about it a month ago or so, my idea was slightly inspired by the basic idea of Utreexo which was turning outputs into commitments to outputs for scaling purposes. But as far as I can tell the Utreexo concept is more like a lite-client scaling technique and probably needs to be reinforced with EC cryptography in my opinion in order to become something that can be represented to a regular full node.

I may be incorrect but I think the issue is the merkle tree being committed to is not some kind of a tagged branch commitment scheme like taproot but more like a direct hash tree. My theory is that something with tagged commitments would be possible to reproduce without needing to store inclusion proofs similar to how taproot doesn't require you to hold all the involved public keys but bare multi-sig does.

I never heard of it before, according to them the goal is:

My idea is basically the first part of this where many users share a UTXO, the off chain transfer idea is good but was not part of my plan. I am curious to see if this is DOA or still being developed.

So aggregated UTXOs that do not require lots of interactivity.

https://www.youtube.com/watch?v=K3KvSg2KwzI
god bless

As a small fish I will be apeing any paper handed selling into the attack, however i want to again implore people to disrespect the inscription spam with ordisrespector https://minibolt.info/guide/bonus/bitcoin/ordisrespector.html#build-it-from-the-source-code

Make sure to run ordisrespector if you are running a node: https://minibolt.info/guide/bonus/bitcoin/ordisrespector.html#build-it-from-the-source-code

I think that you have little knowledge of English as well as what is required for innovation to occur on Bitcoin.

Ordinals are dead and were flawed from the start: https://twitter.com/super_testnet/status/1654212346171064328 tell your friends.

The problem with these things is that they do not need to exist, you need an alternate network to verify them. So by that logic said alternate network could simply inscribe its logic into a commitment to a hash of a Bitcoin transaction and achieve cheaper, less spammy/cloggy, and more practical utility from the base layer.

You would have to pay me atleast 1 bitcoin whole to do anything related to Logan Paul lol, offer is on the table.

To suggest you profited from this could only mean you are an insider who took money from others.

I think you are missing the goalpost here, the point of cryptocurrency is not to juggle a bunch of centralized useless hype based altcoins its to build value to the only well established decentralized network called Bitcoin.

Lmao yes he did and it is funny you would still defend him after all of the despicable and idiotic things including this that he does and promotes.

There was a fee spike caused deliberately by Udi, Taproot Wizards, and their sheep followers who send them real bitcoin to get some fake ponzi token that they paid for with REALLY HIGH SAT PER BYTE FOR 1 of 2 Reasons:

1. They are using some custodial wallet participating in the coordinated spam attack on the Bitcoin base layer.

2. They are people like Udi who enjoy wasting money on fees to brag about making others pay more for casual payments.

They have also been enlisting Bots of the shiba and dogecoin pump n dump type that spam twitter everyday causing tons of newbs to get scammed as well.

Only way to avoid this is to be VOCALLY AGAINST SCAMMERS LIKE UDI AND THE TAPROOT WIZARDS

Generally speaking though a one way compression to the UTXO set would likely be considered a lite client not a full node regardless of if it was in Core or not. My feature ideally would be full node compatible.

I would argue that if it is sound and an improvement it would be merged into core eventually.