BIP442: OP_PAIRCOMMIT

[moonsettler]

OP_PAIRCOMMIT is the newest member of the LNhance family of opcodes. It provides limited vector commitment functionality in tapscript.

When evaluated, the OP_PAIRCOMMIT instruction:

• pops the top two values off the stack,
• takes the "PairCommit" tagged SHA256 hash of the stack elements,
• pushes the resulting commitment on the top of the stack.

Discussion: https://delvingbitcoin.org/t/op-paircommit-as-a-candidate-for-addition-to-lnhance/1216/12

[murchandamus]

This document has a few formatting issues, please make sure that the preamble matches the BIP 2 requirements and take a look at the rich diff to see whether it looks the way you intend.

Please note that the BIPs repository also accepts markdown files.

[moonsettler]

Switched back to markdown. Header now in BIP-2 format.

[moonsettler]

The original create date of OP_PAIRCOMMIT is 2024-03-15 this is the latest revision based on feedback from Anthony Towns.
https://gist.github.com/moonsettler/d7f1fb88e3e54ee7ecb6d69ff126433b/revisions
What date should go to the header?

[jonatack]

Added a discussion link to the PR description.

The original create date of OP_PAIRCOMMIT is 2024-03-15 this is the latest revision based on feedback from Anthony Towns.
gist.github.com/moonsettler/d7f1fb88e3e54ee7ecb6d69ff126433b/revisions
What date should go to the header?

Perhaps add a changelog with the revision based on Anthony Towns' feedback followed by the initial version. Or use the date of the current draft revision as your starting point.

[murchandamus]

According to BIP 2:

The Created header records the date that the BIP was assigned a number, […]

[murchandamus]

Has this proposal been sent to the mailing list?

[moonsettler]

Has this proposal been sent to the mailing list?

Not yet. Wanted to get it into an acceptable shape before I post it there.

Proposed to the mailing list, waiting for feedback.

[murchandamus]

I would like to see this proposal to get more review from other covenant researchers before it moves forward.

[moonsettler]

It looks like we gonna have to amend the PAIRCOMMIT BIP with some new use cases.
Turns out within certain practical limitations any computational function can be proven out in the form of a merkle tree.
The root hash of the merkle tree represents the function the leaves represent the inputs and output.
Any 32 bit arithmetic function can certainly be proven out with this method.
CAT itself with a limited set of inputs or limited input sizes can be proven out.
At this point it's an open question if this enables new behaviors not enabled by taproot MAST itself?

Special thanks to: @JeremyRubin @Ademan @bigspider

edit:
Alternatively could consider imposing specific script limits that make PAIRCOMMIT explicitly less capable than MAST itself.

[Ademan]

I think I've changed my mind a bit. We were talking about computing a merkle tree for f(u32,u32) as if it was trivial but after a quick experiment it seems like that would take hundreds of years to compute (am I being dumb here?) Instead, you can compute mul(u32,u32) -> u32 using 3 mul(u16,u16)s which is feasible to compute. The witness size is worse, ~32 * 32 * 3 = 3072 instead of 32 * 64 * 1 = 2048, but computing the tree for mul(u16,u16) is feasible using a naive algorithm on commodity hardware.

The implication of this is that where a function can be decomposed into operations on smaller inputs, PAIRCOMMIT is massively more feasible to use than encoding things into a tap tree.

[bigspider]

I think I've changed my mind a bit. We were talking about computing a merkle tree for f(u32,u32) as if it was trivial but after a quick experiment it seems like that would take hundreds of years to compute (am I being dumb here?) Instead, you can compute mul(u32,u32) -> u32 using 3 mul(u16,u16)s which is feasible to compute. The witness size is worse, ~32 * 32 * 3 = 3072 instead of 32 * 64 * 1 = 2048, but computing the tree for mul(u16,u16) is feasible using a naive algorithm on commodity hardware.

Arithmetic and bitwise operations where inputs & outputs are small enough, can already be done in Script in cheaper ways. Merkle trees as lookup tables are only interesting for functions that are either extremely complex, or where preimages/images are larger than what Script can work with.
Note that you can already do small indexed lookup tables more efficiently by just hard-coding them in Script (that is: push the table on the stack and use OP_PICK to read its entries), and these techniques are widely used (e.g. in BitVM).

The implication of this is that where a function can be decomposed into operations on smaller inputs, PAIRCOMMIT is massively more feasible to use than encoding things into a tap tree.

I think the only substantial difference is that in a Script where you need several lookups, you can do it with Merkle trees, while you can only do a single lookup with a precomputed taptree.

[moonsettler]

Proving general computation

Merkle trees can be used to prove out computation where the root of the tree
represents the function and the leaves represent the inputs and output.
There are practical limits to the entropy space for the inputs as it needs
to be iterated over and hashed up.

Currently MAST trees can cover 128 bits of entropy space, which is well over
the practical limits to iterate over and merklize. Therefore we assume this
capability does not materially extend what computations are possible to prove
out in bitcoin script. While OP_PAIRCOMMIT is not limited to a height of 128,
that should not be practically feasible to utilize.

There is a way to reduce the size of the witness for proving out computation,
by eliminating the merkle path inclusion proofs, using OP_CHECKSIGFROMSTACK
together with OP_PAIRCOMMIT. This method involves deleted key assumptions,
most likely using MPC to create an enormous amount of signatures for the stack
elements representing the inputs and the output of the function.

Is this correct? Any suggestions? @Ademan @bigspider

[moonsettler]

The implication of this is that where a function can be decomposed into operations on smaller inputs, PAIRCOMMIT is massively more feasible to use than encoding things into a tap tree.

This is the main open question I believe. does it or does it not practically expand what we can already do?
For example using PC to emulate smolCAT and using traditional methods with lookup tables could make 32 bit or even 64 bit arithmetics more feasible?

edit:
Within the 32 bit realm we can already use OP_ADD, I see little practical diff between <0x1234> <0x5678> CAT and <0x12340000> <0x5678> ADD.
And it sounds like 64 bit smolCAT would be way too expensive to generate (and also to interact with trustlessly).

(actually the above examples are wrong, because internally bitcoin script uses little endian, but should convey the point)

[Ademan]

...

Arithmetic and bitwise operations where inputs & outputs are small enough, can already be done in Script in cheaper ways. Merkle trees as lookup tables are only interesting for functions that are either extremely complex, or where preimages/images are larger than what Script can work with. Note that you can already do small indexed lookup tables more efficiently by just hard-coding them in Script (that is: push the table on the stack and use OP_PICK to read its entries), and these techniques are widely used (e.g. in BitVM).

Even u16,u16 is quite a bit larger than I think is practical as a lookup table, but the efficiency for repeated operations is constant, obviously. The lookup table is less efficient for small numbers of operations (a u8,u8 table is 16k vs 1 u8,u8 proof is 0.4k) but the merkle tree loses quickly when those operations are repeated.

The implication of this is that where a function can be decomposed into operations on smaller inputs, PAIRCOMMIT is massively more feasible to use than encoding things into a tap tree.

I think the only substantial difference is that in a Script where you need several lookups, you can do it with Merkle trees, while you can only do a single lookup with a precomputed taptree.

Right, and the key point is these merkle trees and lookup tables rapidly become infeasible to compute as the input size grows, so multiple smaller lookups is significantly more useful.

EDIT: But your point is well taken that for smaller operations they can already be better accomplished by lookup tables.

[Ademan]

...
edit: Within the 32 bit realm we can already use OP_ADD, I see little practical diff between <0x1234> <0x5678> CAT and <0x12340000> <0x5678> ADD. And it sounds like 64 bit smolCAT would be way too expensive to generate (and also to interact with trustlessly).

(actually the above examples are wrong, because internally bitcoin script uses little endian, but should convey the point)

Yeah for arbitrary 8 byte strings smolCAT seems infeasible to compute the table or merkle tree for. After a bit of conversation on IRC it could probably be feasible for arbitrary f(b[4],b[4]) -> b[8] with a custom ASIC¹ or maybe a cluster of FPGAs in a span of ~a few years but that would not be very useful for the average person.

Bit shifts over 32 bit integers seems pretty feasible though, that's f(u32,u6)->u32 (maybe save some space by special casing shift = 0). it seems like my incredibly naive, unoptimized, single-core experiment could calculate that merkle tree in ~96 hours. Of course the proof is ~1.2k and users would likely need multiple, but the lookup table for that wouldn't fit in a block anyway so maybe something new is possible?

You can also separate positive and negative shifts, and maybe break it down into multiple rounds of shifts 1-3 or something (or 1k for a proof for a constant shift)

[1]: afaik existing ASICs operate on block headers so couldn't help

[moonsettler]

Should we add this table to this BIP? And it's not just vBytes but also the number of sigops to consider, which is a cost all nodes on the p2p network have to bear.

edit: I think it looks like this:

Method	ChannelS	UpdateSc	UpdateWi	1-Update	2-Update
APO-annex	2.25 vB	28.25 vB	25 vB	305 vB	461.5 vB
APO-return	2.25 vB	28.25 vB	16.5 vB	338.5 vB	528.5 vB
CTV+CSFS+IKEY	2.75 vB	12.25 vB	24.5 vB	331 vB	513 vB
CTV+CSFS	11 vB	20.5 vB	24.5 vB	347.5 vB	537.75 vB
LNhance	3 vB	12.5 vB	32.75 vB	297.75 vB	446.25 vB
CTV+CSFS+VAULT	18.75 vB	30 vB	35 vB	333.75 vB	502.25 vB
rekey	7.25 vB	16.75 vB	73.75 vB	347.25 vB	541 vB

Method	ForceC	Update	Settle	OP_RETURN
APO-annex	1 SigOp	1 SigOp	1 SigOp
APO-return	1 SigOp	1 SigOp	1 SigOp	X
CTV+CSFS+IKEY	1 SigOp	1 SigOp	CTV	X
CTV+CSFS	1 SigOp	1 SigOp	CTV	X
LNhance	1 SigOp	1 SigOp	CTV
CTV+CSFS+VAULT	2* SigOp	2* SigOp	CTV
rekey	3 SigOp	3 SigOp	CTV

* VAULT is not exactly a SigOp, but close enough. Has a budget cost of 1.2 SigOps.

[JeremyRubin]

tbh i have no idea how to read that table, so might be good to have clearer labeling somehow / break down where the accounting came from?

[moonsettler]

This is based on @reardencode's spreadsheet:
https://docs.google.com/spreadsheets/d/1UNW1AV7F8Srf-vHL5F3bKnkezbHIMabQqhU21tV915o/edit?gid=0#gid=0

[murchandamus]

It would be useful if we could reference it by a number. Can we get a BIP number assigned? Not asking for a merge yet.

Looking at the Motivation section, it seems to me that the main application for this proposal would be a construction that depends on three other undeployed proposals some of which are themselves draft stage or pre-draft. This proposal feels a bit hypothetical at this point. I’ll get back to you next week.

[moonsettler]

This proposal feels a bit hypothetical at this point.

While PAIRCOMMIT would only be truly useful with certain other future upgrades, it is proposed to activate in a bundle with said updates. We are in the process of trying to reach consensus on said package.

It's unlikely I would withdraw OP_PAIRCOMMIT, unless OP_CAT got activated first.

[jonatack]

What date should go to the header?

The Created header records the date that the BIP was assigned a number (see BIP-2).

[jonatack]

A few edit suggestions on first read.

I think this can potentially be assigned a number once the BIP-2 criteria are met. A non-exhaustive list:

"When the BIP draft is complete, a BIP editor will assign the BIP a number, label it as Standards Track, Informational, or Process, and merge the pull request to the BIPs git repository.
"The BIP editors will not unreasonably reject a BIP.
"Reasons for rejecting BIPs include duplication of effort, disregard for formatting rules, being too unfocused or too broad, being technically unsound, not providing proper motivation or addressing backwards compatibility, or not in keeping with the Bitcoin philosophy.
"For a BIP to be accepted it must meet certain minimum criteria.
"It must be a clear and complete description of the proposed enhancement.
"The enhancement must represent a net improvement.
"The proposed implementation, if applicable, must be solid and must not complicate the protocol unduly."

[murchandamus]

Let’s call this BIP 442.

[reardencode]

PAIRCOMMIT continues to grow on me.

Getting the primary benefits of OP_CAT without introducing ugly introspection seems like a clear win for bitcoin.

Better introspection should also be added in follow-up forks. Thanks for your work on this!

[reardencode]

Does this section belong in the PC BIP?

[moonsettler]

Maybe we should have an LNhance BIP that depends on the others and move some stuff over?

[jonatack]

I think it may be fine here if this section is moved up next to the Motivation section and the term LNHANCE is introduced clearly, ideally with a link to lnhance.org if that url is viable long-term.

[JeremyRubin]

I get that there is a goal here to avoid introspection...

but it seems that it'd be more generically useful if the function were e.g., a TapBranch function, so then it could be used in the future with some other taproot editing opcodes.

e.g., if OP_TAPBRANCHCOMMIT were to lexicographic sort, then cat, then commit, you could do paircommit like functionality by doing:

<a> <b> TUCK OP_TAPBRANCHCOMMIT OP_TAPBRANCHCOMMIT

this works because while the first commit commits to either a||b or b||a, and also has sliceable errors (e.g., (a||b)[:i] and (a||b)[i:]), the second commit re-commits to <b> and it's length which uniquely determines order and prevents sliceable errors.

One concern: OP_TAPBRANCHCOMMIT is witness "malleable", in that items could show up in the witness stack in either order and get the same result. It'd still be possible to make non-malleable witnesses by requiring the stack elements to be in order with a OP_LEXSORT or equivalent functionality.

[moonsettler]

If we did OP_TAPBRANCHCOMMIT then with OP_CHECKCONTRACTVERIFY I believe you get TLUV behavior?
You can verify a tapleaf on the input and can also replace it with an other on the output?

To be honest the OP_PAIRCOMMIT domain separation was aimed to prevent the possibility of such uses as potentially being more controversial.

[JeremyRubin]

I think it's actually less controversial, because if you do OP_TAPBRANCHCOMMIT you're doing something that even once you have OP_CAT, is really handy to have (because sorting two strings is actually still pretty hard with CAT).

Whereas now you're getting a lot of people thinking that paircommit is not so useful if CAT gets in eventually.

[moonsettler]

Right. I did consider something like a sorting merkle operator for lamport stuff for example, however when you need order dependent commitments (which is pretty much everything we are doing with it rn) then you would have to use a dummy value like:
<a> <1> <b> OP_TAPBRANCHCOMMIT OP_TAPBRANCHCOMMIT
or maybe:
<a> <b> OP_SHA256 OP_TAPBRANCHCOMMIT
instead of:
<a> <b> OP_PAIRCOMMIT
So if I wanted to support both of these functionalities I would probably end up with 2 separate opcodes for them.

[moonsettler]

I think this is ready for a merge from my point of view.
Rebased to latest master and squashed all the changes to 1 commit.

[Ademan]

Maybe this is obvious to everyone else and I'm a slowpoke here, but PC+CSFS+CTV enables a kind of "multi-transaction-signature". You sign a merkle root that commits to a bunch of CTV transaction templates, and you can provide an inclusion proof with PC with the signature.

I've been spitballing with someone about a multiparty eltoo scheme and came up with a way to bound the state resolution but without state carrying covenants it requires a possible field of ~2^N transactions (of which, at most N will end up on-chain), and every party shares N*(N+1)/2 signatures.

With PC+CSFS+CTV it still requires ~2^N transactions, but each party only needs to share their 1 signature over the merkle root.

EDIT: Not 100% sure it works for my mutliparty eltoo scheme just yet, but I'm still >50% confident it does...
EDIT EDIT: More confident it works, but it looks like the number of transactions is exponential rather than polynomial... and so my estimate for how many signatures would need to be shared without the "multi-transaction-signature" commitment is probably way low.
EDIT EDIT EDIT: I genuinely have no idea how I decided "multi-signature" was an acceptable term considering it already has a different meaning in Bitcoin... s/"multi-signature"/"multi-transaction-signature"/g

[murchandamus]

I find this BIP still somewhat hard to read. Many sections seem to expect a lot of prior knowledge from the reader. Overall, it seems to me that several sections could do with a bit more context. Maybe I’m not in the target audience for the BIP, but I would suggest that people who are more invested in this topic proofread this BIP and provide feedback with approachability in mind.

[murchandamus]

This is a subsection of the Specification section, but does "Use in LN-Symmetry" actually belong to the Specification? Wouldn’t it make more sense for it to be in the Rationale or a section with example uses?

[murchandamus]

Same as above, "Use with future updates" doesn’t seem to belong to the Specification.

[jonatack]

Using ## instead of ### for this section and for "Use in LN-Symmetry" might suffice (e.g. moving them out of the Specification section).

[murchandamus]

Some of these abbreviations are just a few characters shorter than the actual term. How about something along the lines of:

Suggested change

	| Method | ChannelSc | UpdateSc | UpdateW | ForceC | Contest | Settle |
	| :------------ | --------: | -------: | ------: | ------: | ------: | :----: |
	| APO-Annex | 8 WU | 113 WU | 100 WU | 1221 WU | 627 WU | SigOp |
	| APO-Return | 8 WU | 113 WU | 66 WU | 1359 WU | 765 WU | SigOp |
	| CTV+CSFS+IKEY | 10 WU | 48 WU | 98 WU | 1328 WU | 732 WU | CTV |
	| CTV+CSFS | 43 WU | 81 WU | 98 WU | 1394 WU | 765 WU | CTV |
	| LNhance | 11 WU | 49 WU | 131 WU | 1191 WU | 594 WU | CTV |
	*ChannelSc: channel script, UpdateSc: update script, UpdateW: witness is the
	same size for both Force Close and Contest in LN-Symmetry, ForceC: total cost of unilateral close transactions*
	| Method | Channel Script | Update Script | Update Witness¹ | Force Close² | Contest | Settlement Mechanism |
	| :------------ | --------: | -------: | ------: | ------: | ------: | :----: |
	| APO-Annex | 8 WU | 113 WU | 100 WU | 1221 WU | 627 WU | SigOp |
	| APO-Return | 8 WU | 113 WU | 66 WU | 1359 WU | 765 WU | SigOp |
	| CTV+CSFS+IKEY | 10 WU | 48 WU | 98 WU | 1328 WU | 732 WU | CTV |
	| CTV+CSFS | 43 WU | 81 WU | 98 WU | 1394 WU | 765 WU | CTV |
	| LNhance | 11 WU | 49 WU | 131 WU | 1191 WU | 594 WU | CTV |
	¹ *witness is the same weight for both Force Close and Contest in LN-Symmetry*
	² *total cost of unilateral close transactions*

[murchandamus]

This table is also provided barren of context. It would probably be useful to link to the compared schemas, or to the source of the table, and to add a couple sentence as to what we are looking at in the first place.

[murchandamus]

Suggested change

	### Cost comparison of LN-Symmetry constructions
	### Weight comparison of LN-Symmetry constructions

[murchandamus]

This is the first mention of LNHANCE in this BIP, but is not further explained. LNHANCE is not introduced in this repository (except for a cursory mention in BIP 348 OP_CHECKSIGFROMSTACK). It would probably make sense to introduce the term, if this section is retained.

[murchandamus]

What are "Taproot MAST trees"? The taproot BIPs speaks of "Script Trees" and MAST would be understood as "Merklized Alternative Script Trees" in the context of Taproot. On the other hand, MAST as described in BIP 114 and BIP 117 speaks of Merklized Abstract Syntax Trees where multiple leaves are used in combination.

You mention MAST here in the context taproot, where only a single leaf is ever used at once, but it seems to me that you might be thinking of Abstract Syntax Trees. Either way, it is not clear to me what you are referring to here, when you speak of the "entropy space covered by Taproot MAST trees" while treating leaves as "inputs and outputs".

This section is jumping right in the middle of something. I’m not sure that the scenario is described sufficiently to understand what the supposed concern is, let alone why the supposed concern is not a concern. If this section is relevant to this BIP, I reckon that more context is necessary for the reader to understand why and how, e.g., add aa link to a description of this scheme, or provide a bit more explanation what this section is talking about.

[JeremyRubin]

IMO this is a problem in the taproot BIP series, where various individuals decided it pertinent to change a well understood acronym (MAST) to suit taproot, rather than resepcting an existing body of literature including other BIPs.

I'd rather the taproot BIPs get updated to reflect the terminology Merklized Abstract Syntax Trees (or Tap Script Merkle Commitments, TSMC, if we're fond of confusing backronyming but should be less ambiguous in context) rather than Merklized Alternative Script Trees, which was a backronym.

[JeremyRubin]

correction: it seems there is no mention of alt script tree in the bips repos, just abstract syntax tree, including in the BIPs for Taproot itself. It's just a confusing rename people have made outside of this repo.

[moonsettler]

So should it be "Taptrees" instead of "Taproot MAST trees"? Or "Tapscript trees"?

[reardencode]

I think "Taproot script tree" or "Taproot Merkle tree" would both be clear, I prefer the former.

[reardencode]

I'm gonna spend some time with this BIP today and will either make comments or offer a revision to put the sections of this into a more cohesive sequence.

[reardencode]

Suggested change

	Currently, bitcoin lacks a way to hash multiple stack elements together. Which
	means building Merkle trees or verifying inclusion in a tree is not supported.
	Currently, bitcoin lacks a way to commit to multiple stack elements together. It is common practice to hash a single item as part of a bitcoin script, either in hash/time locked contracts, or in pay-to-pubkey-hash (P2PKH) scripts, but there is no way to commit to multiple items with a single hash.
	In a contrived but demonstrative example, if PAIRCOMMIT existed in legacy script, P2PKH could be extended to pay-to-pubkey-time-hash with scriptPubKey `2DUP PAIRCOMMIT RIPEMD160 <hash> EQUALVERIFY CHECKLOCKTIMEVERIFY DROP CHECKSIG`. This script format for single signature, time-locked bitcoin could be transformed into an address format.
	With the ability to commit to pairs of elements, PAIRCOMMIT can be generalized Merklized commitments to a tree of elements with a single hash. On its own, this could enable a hash lock contract where the holder of any pre-image in a Merkle tree can unlock the spend, for example.
	If `OP_CHECKSIGFROMSTACK` is combined with PAIRCOMMIT, the ability to sign commitments to multiple items enables both of the above but as a form of delegation. In cases where any single item can be used to unlock an output, additional off chain signatures be simply can be used as an alternative to PAIRCOMMIT. However in cases where multiple items must be used for spending together, PAIRCOMMIT removes the need for complex laddering schemes to ensure that all items were authorized together.

[reardencode]

This seems like something that belongs in a footnote not in the main text.

[reardencode]

I think "Taproot script tree" or "Taproot Merkle tree" would both be clear, I prefer the former.

[jonatack]

WIP review.

[jonatack]

Does "Tag" here refer to this, as you are writing elsewhere in this draft?

Suggested change

	optimize for. Since the Tag can be pre-computed as mid-state, it would only
	optimize for. Since the tagged SHA256 hash can be pre-computed mid-state, it would only

• drop "as"?
• s/in validation/to validate/ (line 34)?

[jonatack]

Using ## instead of ### for this section and for "Use in LN-Symmetry" might suffice (e.g. moving them out of the Specification section).

[jonatack]

nit, could link to or mention BIP348 with CHECKSIGFROMSTACK here.

[jonatack]

This isn't part of any BIP (number) yet, maybe add it later if that changes.

[jonatack]

Suggest moving this Rationale section up to just after Motivation, before Specification.

[jonatack]

Could link to or mention BIP347 with OP_CAT here.

[jonatack]

could link to or mention BIP348

[jonatack]

Could link to or mention BIP119

[jonatack]

It may make sense to put this section next to (or in) the "Use in LN-Symmetry" section.

[jonatack]

I think it may be fine here if this section is moved up next to the Motivation section and the term LNHANCE is introduced clearly, ideally with a link to lnhance.org if that url is viable long-term.

[jonatack]

The pseudocode below might be clearer if the acronyms are defined beforehand

Suggested change

	Using in sequence `OP_CHECKTEMPLATEVERIFY`, `OP_PAIRCOMMIT`, `OP_INTERNALKEY`
	Using in sequence `OP_CHECKTEMPLATEVERIFY` (`CTV`), `OP_PAIRCOMMIT` (`PC`), `OP_INTERNALKEY` (`IK`)

(idem for CSFS on the next line)

[reardencode]

Thanks so much Jon. we have a significant revision coming that does include defining abbreviations. @moonsettler should we move this to draft until we finish workshopping the revisions we're working on?