Bitcoin Optech Newsletter #109

This week’s newsletter describes the new Minsc policy language and contains our regular sections with recently
transcribed talks and conversations, releases and release candidates,
and notable changes to popular Bitcoin infrastructure projects.

Action items

None this week.

News

  • New spending policy language: Nadav Ivgi announced a new
    language he’s developed named Minsc which makes it easier for
    developers to specify a set of conditions that must be fulfilled in
    order for a UTXO to be spent. The new language is based on the
    miniscript policy language but adds the ability to
    use variables and functions along with several other features. Minsc
    policies can be compiled to miniscript policies, which can be themselves
    be compiled into miniscript and used to produce regular Bitcoin Script. Compatibility
    with miniscript means that policies developed using Minsc will be
    solvable using any miniscript-aware wallet in the future, allowing
    wallets to contribute signatures, preimages, or other data needed to
    spend bitcoins without their developers having to manually specify how
    to handle each specific script template the wallet supports. This
    should allow faster upgrades to new language features and greatly
    simplify development of interoperable wallets for coinjoins, contract
    protocols, shared coin ownership, and other types of desirable
    collaborations.

    Ivgi has also created an outstanding website for the language. It includes both a plethora of examples and a live compiler that allows linking to its input so that developers can easily play with the language and share their Minsc policies with other developers. We recommend anyone interested in developing spending policies visit the website, but as an illustration of what Minsc can do, we offer the following example adapted from Ivgi’s own examples. Several years ago, before miniscript or Minsc, LN developers hand crafted the following HTLC script specified in BOLT3:

     # To remote node with revocation key OP_DUP OP_HASH160 <RIPEMD160(SHA256(revocationpubkey))> OP_EQUAL OP_IF OP_CHECKSIG OP_ELSE <remote_htlcpubkey> OP_SWAP OP_SIZE 32 OP_EQUAL OP_IF # To local node via HTLC-success transaction. OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY 2 OP_SWAP <local_htlcpubkey> 2 OP_CHECKMULTISIG OP_ELSE # To remote node after timeout. OP_DROP <cltv_expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP OP_CHECKSIG OP_ENDIF OP_ENDIF
    

    The same encumbrance can be specified using the following Minsc policy (setting the cltv_expiry to 3 hours):

     fn htlc_received($revocationpubkey, $local_htlcpubkey, $remote_htlcpubkey, $payment_hash, $cltv_expiry) { // To local node via HTLC-success transaction $success = pk($local_htlcpubkey) && hash160($payment_hash); // To remote node after timeout $timeout = older($cltv_expiry); // To remote node with revocation key, or use success/timeout pk($revocationpubkey) || (pk($remote_htlcpubkey) && ($success || $timeout)) } htlc_received(A, B, C, H, 3 hours)
    

    The Minsc policy is significantly easier for most developers to analyze and it’s able to take advantage of miniscript to transform the policy into a moderately smaller script than the original hand-crafted script.

Recently transcribed talks and conversations

Bitcoin Transcripts is the home for transcripts of technical
Bitcoin presentations and discussions. In this monthly feature, we
highlight a selection of the transcripts from the previous month.

  • RaspiBlitz full node: Rootzoll and Openoms appeared on
    Potzblitz to present the RaspiBlitz, a Bitcoin and Lightning
    Network full node built on a Raspberry Pi (but also compatible with
    other hardware). Openoms explored some of the apps and services you
    can install on your RaspiBlitz such as ThunderHub and Balance of
    Satoshis
    . Rootzoll explained how the IP2TOR subscription service
    addresses the challenge of connecting a mobile wallet to a RaspiBlitz
    full node running on a home network. (transcript, video,
    slides)

  • Chicago meetup discussion: Anonymized participants discussed
    various Lightning Network attacks including flood and loot, fee
    blackmail, transaction pinning, preimage denial (see Newsletter
    #95
    ) and time dilation (see Newsletter
    #101
    ). In light of these various attacks of
    varying severities it was debated what current users should do to
    protect themselves on the Lightning Network and longer term what
    sufficient mitigations would be. Some solutions such as package relay,
    anchor outputs and rearchitecting the Bitcoin Core mempool are being
    worked on—but more work will be required at both the onchain layer and the
    Lightning layer in the coming months and years.
    (transcript)

  • Sapio: Jeremy Rubin presented Sapio at Reckless VR in virtual
    reality. Sapio is a new high level programming language designed for
    building stateful smart contracts with OP_CHECKTEMPLATEVERIFY. Rubin used the case study of the recent
    timelock issue with Blockstream’s Liquid sidechain to explain how
    Sapio and OP_CHECKTEMPLATEVERIFY could theoretically have been
    utilized to prevent funds unintentionally moving to the 2-of-3
    multisig emergency backup. (transcript, video, slides)

  • Sydney meetup discussion: Anonymized participants discussed
    resolved bugs in the Bitcoin Core build system over the past months
    and the future challenges of building and distributing Bitcoin Core
    binaries on MacOS in light of notarization requirements and Apple
    transitioning from Intel to ARM processors. Other topics included
    updates to the SIGHASH_ANYPREVOUT
    proposal, generalized Bitcoin-compatible channels, and the latest thinking
    on taproot activation. (transcript)

  • BIP-Taproot: Pieter Wuille and Russell O’Connor participated in a
    joint event organized by London BitDevs and Bitcoin Munich exploring
    the history of how the original idea of MAST evolved
    into the final taproot proposal. Wuille talked about
    how his personal motivation switched from seeking to enable cross
    input signature aggregation to bolstering the privacy and efficiency
    of more complex transactions. O’Connor also gave an update on
    development of the Simplicity language (see Newsletter #96). He speculated how Simplicity could be
    implemented as a Tapleaf version in the coming years and used for
    delegation, covenants, and other functionality not currently available using
    Bitcoin Script. The PR for schnorr signatures in libsecp256k1 and
    the taproot PR in Bitcoin Core are seeking
    further review and O’Connor encouraged the community to consider what
    taproot might break in their own software well in advance of any
    possible deployment. (transcript, video)

Releases and release candidates

New releases and release candidates for popular Bitcoin infrastructure
projects. Please consider upgrading to new releases or helping to test
release candidates.

  • C-Lightning 0.9.0 is the newest major version of
    C-Lightning. It adds support for the updated pay command and new
    keysend RPC, both described in Newsletter #107. It
    also includes several other notable changes and multiple bug fixes.

  • Bitcoin Core 0.20.1 is a new maintenance
    release. In addition to bug fixes and some RPC behavior changes
    resulting from those fixes, the planned release provides compatibility
    with recent versions of HWI and its support for hardware
    wallet firmware released for the fee overpayment attack.

  • LND 0.11.0-beta.rc1 is the first release candidate
    for a new major release.

Notable code and documentation changes

Notable changes this week in Bitcoin Core,
C-Lightning, Eclair, LND,
Rust-Lightning, libsecp256k1,
Hardware Wallet Interface (HWI), Bitcoin Improvement Proposals
(BIPs)
, and Lightning BOLTs.

  • Bitcoin Core #19569 allows Bitcoin Core to fetch the parents of orphan
    transactions from peers that relay transactions using wtxid. An orphan
    transaction is an unconfirmed transaction that we receive from a peer where we
    don’t yet have the parent transactions, either as part of our best block
    chain, or in the mempool. More precisely, an orphan transaction has at least
    one transaction input whose associated output is not in the UTXO set or our
    mempool’s outpoint map.

    When we receive an orphan transaction, we place it in a temporary data structure called the orphan set. We then ask the peer that sent us the orphan to also send us the parent transactions that we don’t yet have. We can do that because the orphan transaction contains the txids of its parent transactions. We simply send a getdata message containing those txids to the peer to request the parent transactions.

    For wtxid relay peers, transactions are announced and requested using the wtxid of the transaction, not the txid. However, orphan transactions contain their parents’ txids, not wtxids, so it’s not possible to request the parent transaction using wtxid. PR #18044, which introduced wtxid relay peers and was merged last week, did not permit fetching parent transactions from wtxid peers. This follow-up PR allows us to fetch those parents using the txid.

    Fetching parent transactions using txid may eventually be replaced by a package relay mechanism, where we can ask a peer for all the unconfirmed ancestors of a transaction directly.

  • Eclair #1491 adds partial support for creating, using, and closing
    channels that use anchor outputs to both reduce
    onchain transaction fees in normal cases and increase fees when
    necessary for security. This implementation handles all the basics
    but does not yet support mutual channel closes or actual fee bumping;
    those will be added later. Additionally, interoperability testing
    with LND’s implementation revealed a case where the
    specification should be clarified.

  • LND #4488 updates the minimum CLTV expiry delta users may set to
    18 blocks in line with an updated recommendation. The
    default remains at 40 blocks. When there are only this many blocks
    until an LN payment has to be settled, LND will unilaterally close the
    channel to ensure the latest state gets recorded onchain. However,
    the higher the expiry is, the more time a payment could become
    temporarily stuck in a channel (either by accident or deliberately).
    This has led some LN implementations to use route-finding algorithms
    that optimize for routes with low CLTV expiry deltas, which has in
    turn led some users to set their deltas to values that are especially
    unsafe. This new minimum should help prevent inexperienced users from
    naively setting an unsafe value.

  • BIPs #948 updates the BIP174 specification of PSBT input
    records to explicitly allow for providing both a non-witness UTXO (the full
    transaction) and a witness UTXO for a single input. This is in line with the
    current behavior in Bitcoin Core and was motivated
    by the possibility of a fee overpayment attack on multi-input segwit PSBTs
    which did not include the non-witness UTXOs as detailed in a previous
    newsletter
    .

  • BIPs #947 updates the BIP325 specification of signet to change the block signature verification method. Signets
    are test networks where valid blocks are signed by trusted signers
    rather than using proof of work, a change which eliminates some issues
    and makes certain types of testing easier.

    Previously, signet assumed the use of signatures compatible with legacy Bitcoin Script (e.g. DER-encoded ECDSA signatures). After this change, signet instead uses a pair of virtual transactions—transactions that aren’t valid on the block chain and aren’t included inside the block but which can easily be constructed by Bitcoin software (directly or using a PSBT). The first transaction commits to paying the network’s trusted signer script. A second virtual transaction then spends the output of the first virtual transaction. The signature or signatures from the second virtual transaction are included in the coinbase transaction of the block to prove the block is validly signed.

    The main advantage of this new approach is that it allows using segwit transactions. The opcodes available in current segwit v0 are almost all identical to legacy script, so this may seem irrelevant—but if segwit v1 (taproot) is made available on a signet, this will allow signing blocks with schnorr signatures. As future protocol changes will probably also use segwit, this will allow those features to be used as well. A secondary advantage is that any software or hardware that can sign PSBTs for arbitrary inputs will now be able to operate as a trusted signer for a signet.

—Source link—

What do you think?

How Bancor V2 Works

Kava Cross-Chain Lending