1 2017-02-19 17:45:52 <arubi> trying jl2012's mast v3 branch, does anyone know the structure for the json used to redeem an input?  I mean the json signrawtransaction\bitcoin-tx takes (if there's a way to do that at all).  I can build redeeming transactions fine, but core's script_tests.json requires a specific dummy input and to feed a test back to core for "signing" requires to also pass the json with the redeeming info.
  2 2017-02-19 17:54:05 <arubi> ooh 'bool IsMASTStack()' ..
  3 2017-02-19 17:55:22 <arubi> wonder if wants the actual witness stack in "redeemScript"..  I'm already passing it a proper witness stack but it's overwriting it with nothing as it signs then fails with "Invalid witness stack for MAST"
  4 2017-02-19 17:58:54 <arubi> the witness is empty when IsMASTStack() runs..  weird
  5 2017-02-19 19:21:00 <arubi> waxwing, so I was mentioning covenants before, seems like it's "almost" possible, almost means that you can do it if you break sha256:  https://0bin.net/paste/SwIB39NtuUgbrhjn#OEAHZXZAcoZOQpFQlsbnSXOY8hFJS0NjfUpYQy-HI3h
  6 2017-02-19 19:22:04 <arubi> last time I tried I couldn't commit to a pubkey + sig in the same script, but that was because I was using the signature's hash160, and not the signature itself
  7 2017-02-19 19:22:23 <waxwing> what am  i looking at :)
  8 2017-02-19 19:22:48 <waxwing> is the quoted string the return value from signrawtransaction? i haven't used that for ages
  9 2017-02-19 19:22:53 <arubi> the scriptpubkey for redeeming that input is the pubkey + signature + checksig
 10 2017-02-19 19:23:10 <arubi> nope, it's the inputs
 11 2017-02-19 19:23:14 <arubi> input*
 12 2017-02-19 19:23:22 <arubi> anyway, get this
 13 2017-02-19 19:23:42 <arubi> seems like there's a very little documented "feature" in checksig stuff
 14 2017-02-19 19:23:58 <arubi> it's called "find and delete", at least I think that's the name
 15 2017-02-19 19:24:15 <waxwing> sure, heard of it, apparently it's weird somehow
 16 2017-02-19 19:24:32 <arubi> if checksig spots a proper signature in its sighash, it deletes it
 17 2017-02-19 19:24:49 <waxwing> so can you write those scriptpubkey and redeemscripts?
 18 2017-02-19 19:24:54 <arubi> so '<signature> checksig' as a scriptpubkey becomes 'checksig'
 19 2017-02-19 19:25:14 <waxwing> i see; so only in scriptPubKey?
 20 2017-02-19 19:25:55 <arubi> only when a scriptcode is used in a checksig operation
 21 2017-02-19 19:26:55 <arubi> so you can send to a p2sh of 'pubkey codesep <sig> checksig', but when checksig is done, it only checks 'checksig'
 22 2017-02-19 19:27:37 <arubi> so, you can actually commit to a pubkey in the scriptpubkey itself, and sign a transaction to specific outputs... but!  you still have to sign specific inputs
 23 2017-02-19 19:28:23 <arubi> er, s/<sig> checksig/<sig> swap checksig/g'
 24 2017-02-19 19:31:01 <arubi> waxwing, stack trace:  https://paste.debian.net/plainh/eae9018c
 25 2017-02-19 19:32:26 <arubi> it kinda does a lot of ROLLs where a single swap is enough, but originally it was a 2-of-2 multisig and I just trimmed it down again to make sure I have to actually break sha256 to make it work :P
 26 2017-02-19 19:34:22 <arubi> I mean, the real issue is that you make the signature only after you know the input txid, and the input txid depends on the scriptpubkey that you used, and the scriptpubkey is a hash160 that includes the signature + pubkey..  even if you have the private key for that pubkey, you still can't sign it
 27 2017-02-19 19:35:25 <arubi> only if you don't commit to a pubkey, and then anyone can spend it as it's redeemed
 28 2017-02-19 19:36:22 <arubi> I /could/ make it work live if I used sighash single bug, but then again I haven't committed to anything.  any hash is '1'
 29 2017-02-19 19:39:34 <waxwing> arubi: i'm not following, but maybe just write out the simplest example of a scriptPubkey for this? might help a bit.
 30 2017-02-19 19:40:09 <arubi> suppose I send funds to '<pubkey> codesep <sig> swap checksig'
 31 2017-02-19 19:40:36 <waxwing> right so findanddelete means the sig is deleted?
 32 2017-02-19 19:40:59 <arubi> when checksig is executed, what is checked as scriptsig is 'swap checksig'
 33 2017-02-19 19:41:00 <MeoowWoof> good evening
 34 2017-02-19 19:41:27 <arubi> sig is deleted because of find and delete, pubkey is gone because of op_codesep
 35 2017-02-19 19:42:14 <arubi> so really, the signature is made for some tx metadata like version, num inputs, num outputs, outputs themselves, and an nlocktime
 36 2017-02-19 19:42:35 <arubi> but what's missing is the input txid (and index, but meh)
 37 2017-02-19 19:43:00 <waxwing> i've probably forgotten some basics, but what you wrote there was the scriptpubkey write? what is used as scriptsig when spending?
 38 2017-02-19 19:43:10 <waxwing> s/write/right/
 39 2017-02-19 19:43:57 <arubi> right, checksig will use the scriptpubkey up to the leftmost code separator and up to the end to the right, deleting all code separators
 40 2017-02-19 19:44:23 <arubi> so here the pubkey is to the left of the codesep, so it's not in scriptsig when checksig is executed
 41 2017-02-19 19:44:49 <waxwing> sorry i still don't get what is used as scriptsig when spending? what you wrote above was the scriptpubkey, no?
 42 2017-02-19 19:45:14 <waxwing> you wrote "suppose I send funds to '<pubkey> codesep <sig> swap checksig'", so i assumed that was the scriptpubkey?
 43 2017-02-19 19:45:16 <arubi> oh I see where I'm confusing you here
 44 2017-02-19 19:46:18 <arubi> '<pubkey> codesep <sig> swap checksig' is the redeemscript of a p2sh which scriptpubkey is '<script hash160> equal', and when I send funds to that script, I send it to the p2sh script.  this is clear, right?
 45 2017-02-19 19:46:52 <waxwing> ok, i didn't realise it was p2sh, got it
 46 2017-02-19 19:47:32 <arubi> right, so '<pubkey> codesep <sig> swap checksig' is what's executed
 47 2017-02-19 19:47:33 <waxwing> so i get that FAD removes the sig, but then you have 'swap op checksig' is that right?
 48 2017-02-19 19:47:48 <arubi> yea, and that's easy to sign "in advance"
 49 2017-02-19 19:48:07 <waxwing> i'm still lost because i thought you had to have two arguments to op checksig
 50 2017-02-19 19:48:17 <arubi> the pubkey and the sig
 51 2017-02-19 19:48:26 <waxwing> doesn't the codeseparator remove the pubkey from the stack or something?
 52 2017-02-19 19:48:35 <arubi> nope :)
 53 2017-02-19 19:48:51 <arubi> just used as a sighash "tweak"
 54 2017-02-19 19:48:55 <waxwing> i never really knew about codeseparator. what's it for? for sighashing?
 55 2017-02-19 19:48:56 <waxwing> ok yeah
 56 2017-02-19 19:49:02 <waxwing> that makes sense i think
 57 2017-02-19 19:49:05 <arubi> the pubkey and sig are already consumed by checksig when that happens
 58 2017-02-19 19:50:12 <arubi> so assuming I'm setting up a mock transaction that uses that scriptpubkey as a redeemscript from an unknown transaction to pay some predetermined outputs
 59 2017-02-19 19:51:18 <arubi> and for that signature I put in some mock "AAAAAAAAAAAAAAAAAA..." and index 0 as the txid and index, now if at any time there is a txid AAAAAAAAAAAA... that pays this scriptpubkey as output 0, then you have a guarantee to get paid by this transaction
 60 2017-02-19 19:51:54 <arubi> but of course, getting a transaction to get a txid of AAAAAAAA.. is.. /difficult/
 61 2017-02-19 19:52:18 <waxwing> hang on, slow progress for me here, i have to re-read the op-checksig page
 62 2017-02-19 19:53:49 <arubi> in the case where it's a single input and output, it looks just like the spend transaction but instead of having redeemscript pushed as a single value (followed by signatures), it has the redeemscript as an actual script
 63 2017-02-19 19:55:20 <waxwing> so the gist of it is, you're creating an output whose spending is conditional on the tx metadata and input txids, something like that
 64 2017-02-19 19:56:38 <arubi> everything is set in stone once the scriptpubkey is made, even the input txid
 65 2017-02-19 19:56:45 <waxwing> if sighash_single i guess that narrows it a bit. but yeah seems academic without tx preimage somehow or other.
 66 2017-02-19 19:56:53 <waxwing> sorry hash preimage
 67 2017-02-19 19:57:10 <arubi> sighash single bug, where the signature will only have to sign 0x01
 68 2017-02-19 19:57:14 <arubi> 0100000001AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA000000004976A9143EED3148939D0C00549EFE8358E1A3EADE9FCA7A88AB0028302502205C4DE957015B013284B8BDD48074E176D80F6D831209F79E410F8C6B8E69FABA02010101537A537A51AEFDFFFFFF01C09EE605000000001976A914C00310F39283CCFE5AD84F152D14B85532A483F088AC0000000001000000
 69 2017-02-19 19:57:24 <arubi> is how it looks like for sighash, I hope I got that right
 70 2017-02-19 19:57:46 <waxwing> right so do i understand you're saying it can be done with single due to that bug (i never really looked into it)
 71 2017-02-19 19:58:13 <arubi> yea, but it loses all meaning because the hash is always 1
 72 2017-02-19 19:58:25 <waxwing> maybe you can play some games with zk proofs of hash preimage
 73 2017-02-19 19:59:08 <arubi> way too advanced for me..  I'm trying MAST right now, I think it has op codes that can be used to make it work
 74 2017-02-19 19:59:28 <waxwing> oh really? you think that could make it possible?
 75 2017-02-19 19:59:47 <waxwing> oh does mast have more op codes
 76 2017-02-19 20:00:14 <arubi> invert, xor, cat, substr..  really lots of possibilities to work on a signature
 77 2017-02-19 20:00:23 <waxwing> well re advanced: you could start by considering a spherical preimage :)
 78 2017-02-19 20:00:48 <arubi> is that like chameleon hashes?
 79 2017-02-19 20:00:59 <arubi> that's the vibe I'm getting :)
 80 2017-02-19 20:01:00 <waxwing> heh, no, reference to spherical cows :)
 81 2017-02-19 20:01:03 <arubi> ohh!
 82 2017-02-19 20:01:09 <arubi> yea I just got it haha
 83 2017-02-19 20:01:48 <arubi> you can see how my brain has completely melted at this point.  I'm building some tools to let me debug mast scripts
 84 2017-02-19 20:01:48 <waxwing> i was just kind of saying, if you assumed that proof of hash preimage knowledge was available, maybe you could do something with it. but, on reflection probably not interesting.
 85 2017-02-19 20:02:21 <arubi> well, one of the examples on bip-mastopcodes is provably revealing a private key from a signature
 86 2017-02-19 20:02:37 <arubi> another example is zero trust lottery between two parties
 87 2017-02-19 20:02:38 <waxwing> bip # ?
 88 2017-02-19 20:02:59 <arubi> has no number, it's on jl2012's fork of the bips repo
 89 2017-02-19 20:03:12 <arubi> 'mastopcodes', really insane stuff
 90 2017-02-19 20:04:37 <waxwing> this one? https://github.com/jl2012/bips/blob/bip114v3/bip-0114.mediawiki
 91 2017-02-19 20:04:43 <arubi> https://github.com/jl2012/bips/blob/mastopcodes/bip-mastopcodes.mediawiki
 92 2017-02-19 20:04:52 <arubi> 114 is mast in general
 93 2017-02-19 20:05:29 <waxwing> thanks
 94 2017-02-19 20:07:01 <arubi> np, anyway, I'll be back after dinner for some more bitcoin, cya :)
 95 2017-02-19 20:23:14 <MeoowWoof> hey guys
 96 2017-02-19 20:23:20 <MeoowWoof> first time looking at the source
 97 2017-02-19 20:23:38 <MeoowWoof> can someone suggest which is a good point to put a breakpoint to follow a transaction.
 98 2017-02-19 20:23:58 <MeoowWoof> I can't seem to figure out where classes like coincontrol, wallet are init
 99 2017-02-19 21:22:23 <mryandao> bitcoind.cpp
100 2017-02-19 21:22:45 <mryandao> From acceptance into mempool onwards
101 2017-02-19 21:24:11 <arubi> he's gone :(
102 2017-02-19 22:01:06 <mryandao> Oh sad :(
103 2017-02-19 22:34:28 <luke-jr> mryandao: bitcoind.cpp is definitely the wrong answer..