Add PayToAnchor(P2A), OP 1 <0x4e73> as standard output script for spending (tx fees and policy)

Aug 7, 2024

https://github.com/bitcoin/bitcoin/pull/30352

Host: glozow  -  PR author: instagibbs

The PR branch HEAD was 67c3537f75bcf085bb98e3830649e93da124cb06 at the time of this review club meeting.

Notes

• Lightning Network (LN) commitment transactions may use anchor outputs to allow channel participants to fee-bump the presigned transactions through Child Pays For Parent (CPFP) at broadcast time. The current design (see BOLT 3) has a few limitations described in this blog post.

  • The most relevant point here is the fact that the anchors currently specify a p2wsh script including two spending paths: using the party’s funding key, or anyone 16 blocks after the transaction confirms. Spending this anchor output requires paying fees for a relatively large amount of data. We call these anchors keyed because of the presence of a key in the locking script.

  • Assuming there are no reasons to use keyed anchor outputs (there are, but that is out of scope for this review club), a keyless anchor may reduce complexity (including for a watchtower) and make fee-bumping more space and fee-efficient.

• Ephemeral Anchors enable a new pattern for adding fees to presigned transactions, with a few key improvements:

  • The anchor output can have any nValue, including amounts below the dust threshold such as 0, as long as it is spent immediately, i.e. relayed in a package with a fee-bumping child. Implementing this policy requires ensuring that the anchor is always spent after subsequent mempool updates, so it is only implemented for TRUC transactions which are restricted to a very simple topology. This portion of the proposal was split into its own “ephemeral dust” PR, #30239.

  • The anchor output is “keyless” or “anyone-can-spend”, reducing the amount of data (and thus fees) needed in the CPFP transaction, and making it easier for watchtowers to help broadcast presigned transactions. This part of the proposal, #30352, is independent of the “ephemeral dust” concept, and the implementation is simple regardless of transaction topology.

• While scriptPubKeys can be fairly freeform, Bitcoin Core enumerates several TxoutTypes. These correspond to output types that you may be familiar with like SCRIPTHASH (P2SH), WITNESS_V0_KEYHASH (P2WPKH), WITNESS_V0_SCRIPTHASH (P2WSH), and NULL_DATA (OP_RETURN or datacarrier).

  • Solver pattern-matches scriptPubKeys to classify their output type; anything that does not fall into the known categories is TxoutType::NONSTANDARD.

  • By default, a transaction must pass standardness checks to be accepted to mempool. IsStandardTx() inspects the TxoutTypes of each of the transaction’s inputs and outputs, among other checks.

  • Notice the difference in rules applied to inputs and outputs. A particular output type may be nonstandard to create but standard to spend, and vice versa.

• This PR does two things: it defines OP_1 <0x4e74> as a new output type, and relaxes policy rules to make it standard to spend this output type, as long as the witness is empty.

Questions

1. Did you review the PR? Concept ACK, approach ACK, tested ACK, or NACK? What was your review approach?

2. Before TxoutType::ANCHOR is defined in this PR, what TxoutType would a scriptPubKey OP_1 <0x4e73> be classified as? (Hint: what would Solver return?)

3. Based on the answer to the previous question, would it be standard to create this output type? What about to spend it? (Hint: how do IsStandard and AreInputsStandard treat this type?)

4. Before this PR, with default settings, which output types can be created in a standard transaction? Is that the same as the script types that can be spent in a standard transaction?

5. Define anchor output, without mentioning Lightning Network transactions (try to be more general).

6. The PR description claims that creation of the defined P2A output type is already standard prior to the PR. Is this true, and how did you verify this?

7. Why does the size of the output script of an anchor output matter?

8. What other ways can you think of to implement an ‘anyone-can-spend’ anchor?

9. Continuing on the previous question, what would be the problem with using P2SH(OP_TRUE)?

10. What is the difference between OP_TRUE and OP_1? (Hint: where are they defined in the code?)

11. How many virtual bytes are needed to create and spend a P2A output?

12. The 3rd commit adds if (prevScript.IsPayToAnchor()) return false to IsWitnessStandard. What does this do, and why is it needed?

13. How is witness program defined in BIP141? Where is it implemented in the code? (Hint: look for IsWitnessProgram)

14. VerifyWitnessProgram is modified to allow version 1, <0x4e73>, if is_p2sh is false. Why is !is_p2sh needed?

Meeting Log

1

17:00

<glozow> #startmeeting

2

17:00

<glozow> hi

3

17:00

<monlovesmango> hey

4

17:00

<instagibbs> hi (lurking only)

5

17:00

<vostrnad> hi

6

17:00

<codingp110> hi

7

17:00

<glozow> Welcome to PR Review Club! Feel free to say hi

8

17:00

<stickies-v> hi

9

17:01

<glozow> Today's PR is P2A: https://bitcoincore.reviews/30352

10

17:01

<glozow> Did everybody get a chance to review the PR or read through the notes?

11

17:01

<monlovesmango> yes

12

17:01

<stickies-v> yup

13

17:02

<glozow> Awesome. For those who reviewed, what was your review approach?

14

17:02

<emc99> hi

15

17:03

<monlovesmango> mostly just reviewed the code (as much as I could) and read through pr and some of other linked documentation

16

17:03

<glozow> monlovesmango: cool!

17

17:03

<glozow> Let's dive into the questions

18

17:03

<glozow> Before `TxoutType::ANCHOR` is defined in this PR, what TxoutType would a scriptPubKey OP_1 <0x4e73> be classified as?

19

17:04

<monlovesmango> TxoutType::WITNESS_UNKONWN I think

20

17:04

<stickies-v> yup that's my understanding too

21

17:04

<glozow> monlovesmango: yep!

22

17:05

<stickies-v> it's witness version 1 but not 32 bytes in size

23

17:05

<glozow> didn't need to give the hint, but here's the code: https://github.com/bitcoin/bitcoin/blob/24f86783c87e836c98404bcc20a07742736d6b56/src/script/solver.cpp#L172-L176

24

17:05

<glozow> And would it be standard to create this output type (`WITNESS_UNKNOWN`)?

25

17:05

<monlovesmango> yes

26

17:06

<vostrnad> it's even been done already ;)

27

17:06

<instagibbs> *looks suspiciously at vostrnad*

28

17:06

<monlovesmango> XD

29

17:06

<glozow> indeed, do anyone have a block explorer link to that tx? I couldn't find it

30

17:06

<glozow> does*

31

17:07

<vostrnad> all 3 existing P2A UTXOs here: https://mempool.space/address/bc1pfeessrawgf

32

17:07

<glozow> Ok, what about to spend it? Would that have been standard? (before this PR)

33

17:07

<instagibbs> b10c0000004da5a9d1d9b4ae32e09f0b3e62d21a5cce5428d4ad714fb444eb5d

34

17:07

<monlovesmango> no

35

17:07

<glozow> monlovesmango: bonus points if you have a link to code :P

36

17:08

<glozow> (correct)

37

17:08

<monlovesmango> https://github.com/bitcoin/bitcoin/blob/master/src/policy/policy.cpp#L188

38

17:08

<monlovesmango> ?

39

17:09

<instagibbs> that's one spot, there's another too(read hte comment)

40

17:10

<vostrnad> https://github.com/bitcoin/bitcoin/blob/master/src/script/interpreter.cpp#L1950

41

17:12

<glozow> vostrnad: nice

42

17:12

<glozow> Before this PR, with default settings, which output types can be created in a standard transaction?

43

17:12

<monlovesmango> haha i was not going to find that anytime soon...

44

17:13

<monlovesmango> PUBKEY, PUBKEYHASH, SCRIPTHASH, MULTISIG, NULL_DATA, WITNESS_V0_KEYHASH, WITNESS_V0_SCRIPTHASH, WITNESS_V1_TAPROOT, WITNESS_UNKNOWN

45

17:14

<vostrnad> correct

46

17:14

<glozow> monlovesmango: awesome yeah, more details at https://github.com/bitcoin/bitcoin/blob/e8eab747192bd330e67bff1222bb851bc515b134/src/policy/policy.cpp#L53-L74

47

17:14

<glozow> And as we've established, that's not the same as what can be spent in a standard tx

48

17:15

<glozow> Define anchor output, without mentioning Lightning Network transactions (ie try to be more general).

49

17:16

<monlovesmango> an extra output created on presigned transactions which allows fees to be added via CPFP at the time of broadcasting.

50

17:16

<glozow> monlovesmango: great definition 👍

51

17:17

<glozow> Not on the list, but can someone tell us the difference between a keyed and a keyless anchor? And why that matters?

52

17:17

<stickies-v> a keyless anchor doesn't contain a pubkey in its scriptpubkey, significantly reducing its on-chain footprint (and cost)

53

17:18

<glozow> stickies-v: yes, and anybody can spend it

54

17:18

<monlovesmango> I think keyless means that anyone can create a child for it (ie you don't need a specific key), which reduces the scriptPubkey size

55

17:19

<glozow> monlovesmango: yes anybody can spend it. it doesn't inherently make the onchain data smaller but it is true in this case

56

17:19

<glozow> for example you could have a p2wsh where one of several spending paths is something anybody can spend, which is larger

57

17:20

<glozow> Did anybody, while reviewing, try to verify that a P2A tx can be created but not spend in policy (before the PR)?

58

17:20

<glozow> Beyond code review I mean

59

17:20

<monlovesmango> was just about to ask about what case this wouldn't be true! thanks!

60

17:20

<monlovesmango> no

61

17:22

<vostrnad> instagibbs was, using Twitter as a broadcasting channel, doesn't seem to have worked

62

17:22

<glozow> current LN commitment transactions are a more concrete example https://github.com/lightning/bolts/blob/master/03-transactions.md#to_local_anchor-and-to_remote_anchor-output-option_anchors (there is a key, but since it is revealed, anybody can reconstruct the script)

63

17:22

<glozow> vostrnad: ah cool i didn't see that

64

17:22

<instagibbs> vostrnad ;(

65

17:23

<glozow> I was just suggesting you compile master, and then run the tests 😅

66

17:23

<glozow> Why does the size of the output script of an anchor output matter?

67

17:24

<vostrnad> the smaller the betterer?

68

17:24

<monlovesmango> the larger the anchor output size, the more fees you need to prioritize it to be relayed

69

17:25

<glozow> yeah pretty much

70

17:25

<instagibbs> smaller script also means min satoshi value to relay is smaller too

71

17:26

<glozow> also more efficient fee bumping = incentives to fee bump this way...

72

17:27

<glozow> What other ways can you think of to implement an ‘anyone-can-spend’ anchor?

73

17:27

<vostrnad> instagibbs: sure but policy can be changed any time, perhaps there could be a dust policy carve out for P2A as it's unusually cheap to spend

74

17:28

<monlovesmango> P2SH of OP_TRUE..?

75

17:28

<glozow> I suppose you could just implement GetDustThreshold for P2A for the same effect, no?

76

17:28

<glozow> monlovesmango: great! And why is that not as good as P2A?

77

17:28

<monlovesmango> bc it introduces transaction malleability

78

17:29

<monlovesmango> (which makes chained presigned transactions unreliable)

79

17:30

<glozow> monlovesmango: how would you malleate the tx?

80

17:31

<monlovesmango> i guess i am fuzzy on whether its a problem if there is only a single presigned tx. however if there were multiple presigned txs strung together, the miner could insert a OP_NOP in the scriptSig which would change the tx id

81

17:31

<monlovesmango> which would break the chain

82

17:32

<monlovesmango> (all taken from instagibbs pr comment https://github.com/bitcoin/bitcoin/pull/30352#issuecomment-2228528366)

83

17:33

<instagibbs> fwiw p2sh requires push-only scriptsig, so I don't think the NOP thing works for p2sh, but cleanstack is the other thing

84

17:33

<glozow> it's also larger, no?

85

17:33

<instagibbs> yeh. p2sh(OP_DEPTH OP_NOT) might be txid stable?

86

17:33

<instagibbs> (but ugh)

87

17:34

<glozow> wait what does OP_DEPTH do?

88

17:34

<monlovesmango> if there were only usecases for a single presigned tx, would there be any issue with P2SH?

89

17:34

<monlovesmango> (apart from maybe size..?)

90

17:34

<glozow> oh size of stack

91

17:35

<sipa> p2sh(OP_DEPTH OP_1 OP_EQUALVERIFY OP_1) maybe?

92

17:35

<sipa> eh

93

17:35

<sipa> p2sh(OP_DEPTH OP_0 OP_EQUALVERIFY OP_1) maybe?

94

17:35

<sipa> oh, OP_NOT, i misread it as OP_NOP; indeed!

95

17:35

<vostrnad> instagibbs: interesting, it never occurred to me you could make a non-malleable P2SH output like that

96

17:35

<instagibbs> so you could probably get smaller than P2WSH(OP_TRUE) and still be txid stable

97

17:36

<monlovesmango> what does push-only scriptsig mean? that you can only use OP codes that push onto the stack?

98

17:36

<sipa> monlovesmango: indeed, this is a BIP16 consensus rule

99

17:36

<instagibbs> vostrnad h/t jeremy, he proposed the bare version

100

17:36

<vostrnad> monlovesmango: scriptSig is actually a script that in legacy script can have non-push opcodes as well

101

17:37

<sipa> which likely was one day intended to support delegation, before the scriptSig/scriptPubkey execution split in 2010

102

17:37

<monlovesmango> got it thank you for all the background!!

103

17:37

<vostrnad> instagibbs: bare version is malleable though because no push-only

104

17:37

<instagibbs> vostrnad exactly 👍

105

17:38

<glozow> What is the difference between OP_TRUE and OP_1? (Hint: where are they defined in the code?)

106

17:39

<monlovesmango> but just to verify my understanding, its the spending tx that becomes malleable when using the bare version right?

107

17:39

<instagibbs> monlovesmango yes a miner can insert OP_NOP

108

17:40

<monlovesmango> awesome thanks

109

17:41

<abubakarsadiq> glozow: I think they are the same?

110

17:41

<vostrnad> "they're the same picture"

111

17:41

<glozow> abubakarsadiq: yes :D

112

17:41

<abubakarsadiq> `OP_TRUE=OP_1`

113

17:41

<glozow> What is the difference between OP_TRUE and OP_1? (Hint: where are they defined in the code?)

114

17:41

<glozow> oops wrong paste

115

17:41

<glozow> https://github.com/bitcoin/bitcoin/blob/da083d4bbdb37737f5080fada97bd15f5a8bfb2d/src/script/script.h#L82-L83

116

17:42

<monlovesmango> haha tricky q

117

17:42

<Murch[m]> What’s OP_TRUE? Isn’t that just OP_1?

118

17:42

<glozow> it's a Q to get people out of lurking, it worked :P

119

17:42

<monlovesmango> heheheh

120

17:42

<glozow> How many virtual bytes are needed to create and spend a P2A output?

121

17:43

<glozow> that Q was designed to lure Murch here, but I see he's already appeared

122

17:43

<sipa> Murch[m]: I see your message as "What’s QOP_TRUE? Isn’t that just QOP_1?", what are those Qs?

123

17:43

— Murch[m] goes back into hiding

124

17:43

<glozow> backticks?

125

17:44

— Murch[m] uploaded an image: (7KiB) < https://matrix.bitcoin.ninja/_matrix/media/v3/download/matrix.org/OwgTaVVPBpxeysmEgKuIuRET/image.png >

126

17:44

<Murch[m]> Are you on IRC or Matrix?

127

17:44

<Murch[m]> But sorry, we are derailing

128

17:45

<Murch[m]> A keyless Anchor is 11 bytes, and the input would be 41 bytes?

129

17:45

<Murch[m]> s/bytes/vbytes/

130

17:46

<vostrnad> Murch[m]: I count 40.25 vbytes to spend, did you round down?

131

17:46

<vostrnad> *up

132

17:46

<Murch[m]> The input script length is a whole vbyte, right?

133

17:46

<Murch[m]> 32+4+4+1

134

17:47

<vostrnad> sorry, 41.25 vbytes (1 WU for the witness stack length)

135

17:47

<Murch[m]> Also it might only be 10 bytes for the output? Amount (8 B), output script length (1  B), OP_1 (1 B)

136

17:47

<Murch[m]> vostrnad: Sure, if you have other inputs with witnesses

137

17:48

<vostrnad> you better do!

138

17:48

<instagibbs> segwit.... but !HasWitness(), spooky

139

17:49

<vostrnad> I get 12 bytes for a P2A output, 8 bytes for amount and 4 bytes for output script

140

17:49

<vostrnad> wrong again, 13 (forgot output script length)

141

17:49

<instagibbs> :)

142

17:49

<vostrnad> these things are hard

143

17:49

<Murch[m]> Yeah

144

17:49

<Murch[m]> What do you have for the output script in detail?

145

17:50

<glozow> 51 02 4e 73 is 4 bytes yes?

146

17:50

<glozow> oh and 1

147

17:50

<Murch[m]> Oh, it’s witness output, not a bare output

148

17:50

<vostrnad> bare output would be malleable

149

17:50

<glozow> instagibbs: too spooky

150

17:51

<glozow> ok so we've landed on 13 + 41?

151

17:51

<sipa> woah, segwit output but !HasWitness() on the input is legal?

152

17:51

<sipa> i guess it's only the other way around that non-segwit output with HasWitness() is illegal?

153

17:51

<glozow> 9 more minutes, 3 more questions

154

17:51

<glozow> The 3rd commit adds `if (prevScript.IsPayToAnchor()) return false` to IsWitnessStandard. What does this do, and why is it needed?

155

17:55

<monlovesmango> does it allow the option to opt out of anchor txs?

156

17:55

<abubakarsadiq> It prevent adding a witness for a keyless anchor input, since it's no witness is needed to validate the utxo

157

17:55

<glozow> maybe the code link will help https://github.com/bitcoin-core-review-club/bitcoin/commit/ccad5a5728c8916f8cec09e838839775a6026293#diff-ea6d307faa4ec9dfa5abcf6858bc19603079f2b8e110e1d62da4df98f4bdb9c0R228-R232

158

17:56

<glozow> abubakarsadiq: correct, no witness stuffing allowed

159

17:56

<glozow> anybody have a link to the test case for this? (you can find it by commenting out this line to see what fails)

160

17:56

<instagibbs> an adversary could take an honest spend, add stuff to witness, propagate it at a lower feerate, and honest user would have to pay incremental fees to replace it...

161

17:57

<instagibbs> (and the adversary could just keep doing it)

162

17:57

<abubakarsadiq> the tx is just not standard, but still valid right?

163

17:58

<glozow> ye, `IsWitnessStandard`

164

17:58

<vostrnad> abubakarsadiq: yes, but miners have no reason to inflate your tx if it doesn't malleate it

165

17:59

<glozow> test: https://github.com/bitcoin/bitcoin/blob/da083d4bbdb37737f5080fada97bd15f5a8bfb2d/test/functional/mempool_accept.py#L399-L414

166

18:00

<glozow> that's time

167

18:00

<glozow> #endmeeting