summaryrefslogtreecommitdiff
path: root/73/cc12fc049bf03f9a21f85ab19b95e1074017a7
blob: ef2a7a5e364cb01fb6d337ebf508363214a2722c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
Return-Path: <jlrubin@mit.edu>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 9C2D114F5
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu,  3 Oct 2019 23:23:04 +0000 (UTC)
X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 554FD89D
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu,  3 Oct 2019 23:23:02 +0000 (UTC)
Received: from mail-io1-f53.google.com (mail-io1-f53.google.com
	[209.85.166.53]) (authenticated bits=0)
	(User authenticated as jlrubin@ATHENA.MIT.EDU)
	by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x93NN0eL010696
	(version=TLSv1/SSLv3 cipher=AES128-GCM-SHA256 bits=128 verify=NOT)
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 3 Oct 2019 19:23:00 -0400
Received: by mail-io1-f53.google.com with SMTP id b136so9534247iof.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Thu, 03 Oct 2019 16:23:00 -0700 (PDT)
X-Gm-Message-State: APjAAAXIMGh6w+kC1Wm5R7FV+sxK1v5BXzusk8wTnwPd9z7cUrj9AoIA
	dohkwFXRIjV3xvIND7c1CudDka2KGtd3n/yztBo=
X-Google-Smtp-Source: APXvYqwY65f0eJU0eNVQAn277omG9ge0jXSzXIfn2q2IDY426EX9yqj5OzTqC36EV6UYuAwvHhAAMIjEX2nih7y8Qpc=
X-Received: by 2002:a92:5bc4:: with SMTP id c65mr12564623ilg.90.1570144980034; 
	Thu, 03 Oct 2019 16:23:00 -0700 (PDT)
MIME-Version: 1.0
References: <CAD5xwhjSj82YYuQHHbwgSLvUNV2RDY0b=yMYeLj-p6j7PpS9-Q@mail.gmail.com>
	<20190605093039.xfo7lcylqkhsfncv@erisian.com.au>
	<im0q8670MxshmvMLmoJU0dv4rFhwWZNvQeQYv7i4fBWJOx0ghAdH8fYuQSqNxO2z8uxXGV-kurinUDfl0FsLWD0knw_U_h3zVZ0xy7vmn8o=@protonmail.com>
	<CAMZUoK=ZB06jwAbuX2D=aN8ztAqr_jSgEXS1z1ABjQYVawKCBQ@mail.gmail.com>
	<20190620220552.metrqaul3iporwma@erisian.com.au>
	<CAD5xwhgEQKdTCSLQn4-X_atT5_aE-1hEKk0xd1wm1m0qotwYXQ@mail.gmail.com>
	<20190708152624.39c33985@simplexum.com>
In-Reply-To: <20190708152624.39c33985@simplexum.com>
From: Jeremy <jlrubin@mit.edu>
Date: Thu, 3 Oct 2019 16:22:47 -0700
X-Gmail-Original-Message-ID: <CAD5xwhiUe1H+4mHzHyFH9dOr68nTSP4iVv4gHOf5h_+1FjM-zQ@mail.gmail.com>
Message-ID: <CAD5xwhiUe1H+4mHzHyFH9dOr68nTSP4iVv4gHOf5h_+1FjM-zQ@mail.gmail.com>
To: Dmitry Petukhov <dp@simplexum.com>
Content-Type: multipart/alternative; boundary="000000000000c7ec98059409dd22"
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,HTML_MESSAGE,
	RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: Bitcoin development mailing list <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2019 23:23:04 -0000

--000000000000c7ec98059409dd22
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

I've updated the BIP to no longer be based on Taproot, and instead based on
a OP_NOP upgrade. The example implementation and tests have also been
updated.

BIP:
https://github.com/JeremyRubin/bips/blob/op-secure-the-bag/bip-secure-the-b=
ag.mediawiki
Implementation:
https://github.com/bitcoin/bitcoin/compare/master...JeremyRubin:securetheba=
g_master

The BIP defines OP_NOP4 with the same semantics as previously presented.
This enables OP_SECURETHEBAG for segwit and bare script, but not p2sh
(because of hash cycle, it's impossible to put the redeemscript on the
scriptSig without changing the bag hash). The implementation also makes a
bare OP_SECURETHEBAG script standard as that is a common use case.

To address Russel's feedback, once Tapscript is fully prepared (with more
thorough script parsing improvements), multibyte opcodes can be more
cleanly specified.

Best,

Jeremy

n.b. the prior BIP version remains at
https://github.com/JeremyRubin/bips/blob/op-secure-the-bag-taproot/bip-secu=
re-the-bag.mediawiki
--
@JeremyRubin <https://twitter.com/JeremyRubin>
<https://twitter.com/JeremyRubin>


On Mon, Jul 8, 2019 at 3:25 AM Dmitry Petukhov <dp@simplexum.com> wrote:

> If you make ANYPREVOUTANYSCRIPT signature not the only signature that
> controls this UTXO, but use it solely for restricting the spending
> conditions such as the set of outputs, and require another signature
> that would commit to the whole transaction, you can eliminate
> malleability, for the price of additional signature, of course.
>
> <control-sig> <control-P> CHECKSIG <P> CHECKSIG
>
> (CHECKMULTISIG/CHECKSIGADD might be used instead)
>
> where control-P can even be a pubkey of a key that is publicly known,
> and the whole purpose of control-sig would be to restrict the outputs
> (control-sig would be created with flags meaning ANYPREVOUTANYSCRIPT).
> Because control-sig does not depend on the script and on the current
> input, there should be no circular dependency, and it can be part of
> the redeem script.
>
> P would be the pubkey of the actual key that is needed to spend this
> UTXO, and the signature of P can commit to all the inputs and outputs,
> preventing malleability.
>
> I would like to add that it may make sense to just have 2 additional
> flags for sighash: NOPREVOUT and NOSCRIPT.
>
> NOPREVOUT would mean that previous output is not committed to, and when
> combined with ANYONECANPAY, this will mean ANYPREVOUT/NOINPUT:
> ANYONECANPAY means exclude all inputs except the current, and NOPREVOUT
> means exclude the current input. Thus NOPREVOUT|ANYONECANPAY =3D NOINPUT
>
> With NOPREVOUT|ANYONECANPAY|NOSCRIPT you would have ANYPREVOUTANYSCRIPT
>
> with NOPREVOUT|NOSCRIPT you can commit to "all the inputs beside the
> current one", which would allow to create a spending restriction like
> "this UTXO, and also one (or more) other UTXO", which might be useful
> to retroactively revoke or transfer the rights to spend certain UTXO
> without actually moving it:
>
> think 'vault' UTXO that is controlled by Alice, but requires additional
> 'control' UTXO to spend. Alice have keys for both 'vault' UTXO, and
> 'control' UTXO, but Bob have only key for 'control' UTXO.
>
> If Bob learnsthat Alice's vault UTXO key is at risk of compromize,
> he spends the control UTXO, and then Alice's ability to spend vault
> UTXO vanishes.
>
> You can use this mechanism to transfer this right to spend if you
> prepare a number of taproot branches with different pairs of (vault,
> control) keys and a chain of transactions that each spend the previous
> control UTXO such that the newly created UTXO becomes controlled by the
> control key of the next pair, together with vault key in that pair.
>
> =D0=92 Sat, 22 Jun 2019 23:43:22 -0700
> Jeremy via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> > This is insufficient: sequences must be committed to because they
> > affect TXID. As with scriptsigs (witness data fine to ignore). NUM_IN
> > too.
> >
> > Any malleability makes this much less useful.
> > --
> > @JeremyRubin <https://twitter.com/JeremyRubin>
> > <https://twitter.com/JeremyRubin>
> >
> >
> > On Fri, Jun 21, 2019 at 10:31 AM Anthony Towns via bitcoin-dev <
> > bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > > On Tue, Jun 18, 2019 at 04:57:34PM -0400, Russell O'Connor wrote:
> > > > So with regards to OP_SECURETHEBAG, I am also "not really seeing
> > > > any
> > > reason to
> > > > complicate the spec to ensure the digest is precommitted as part
> > > > of the opcode."
> > >
> > > Also, I think you can simulate OP_SECURETHEBAG with an ANYPREVOUT
> > > (NOINPUT) sighash (Johnson Lau's mentioned this before, but not
> > > sure if it's been spelled out anywhere); ie instead of constructing
> > >
> > >   X =3D Hash_BagHash( version, locktime, [outputs], [sequences],
> > > num_in )
> > >
> > > and having the script be "<X> OP_SECURETHEBAG" you calculate an
> > > ANYPREVOUT sighash for SIGHASH_ANYPREVOUTANYSCRIPT | SIGHASH_ALL:
> > >
> > >   Y =3D Hash_TapSighash( 0, 0xc1, version, locktime, [outputs], 0,
> > >                        amount, sequence)
> > >
> > > and calculate a signature sig =3D Schnorr(P,m) for some pubkey P, and
> > > make your script be "<sig> <P> CHECKSIG".
> > >
> > > That loses the ability to commit to the number of inputs or restrict
> > > the nsequence of other inputs, and requires a bigger script (sig
> > > and P are ~96 bytes instead of X's 32 bytes), but is otherwise
> > > pretty much the same as far as I can tell. Both scripts are
> > > automatically satisfied when revealed (with the correct set of
> > > outputs), and don't need any additional witness data.
> > >
> > > If you wanted to construct "X" via script instead of hardcoding a
> > > value because it got you generalised covenants or whatever; I think
> > > you could get the same effect with CAT,LEFT, and RIGHT: you'd
> > > construct Y in much the same way you construct X, but you'd then
> > > need to turn that into a signature. You could do so by using pubkey
> > > P=3DG and nonce R=3DG, which means you need to calculate
> > > s=3D1+hash(G,G,Y)*1 -- calculating the hash part is easy, multiplying
> > > it by 1 is easy, and to add 1 you can probably do something along
> > > the lines of:
> > >
> > >     OP_DUP 4 OP_RIGHT 1 OP_ADD OP_SWAP 28 OP_LEFT OP_SWAP OP_CAT
> > >
> > > (ie, take the last 4 bytes, increment it using 4-byte arithmetic,
> > > then cat the first 28 bytes and the result. There's overflow issues,
> > > but I think they can be worked around either by allowing you to
> > > choose different locktimes, or by more complicated script)
> > >
> > > Cheers,
> > > aj
> > >
> > > _______________________________________________
> > > bitcoin-dev mailing list
> > > bitcoin-dev@lists.linuxfoundation.org
> > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
> > >
>
>

--000000000000c7ec98059409dd22
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:arial,he=
lvetica,sans-serif;font-size:small;color:#000000">I&#39;ve updated the BIP =
to no longer be based on Taproot, and instead based on a OP_NOP upgrade. Th=
e example implementation and tests have also been updated.<br></div><div cl=
ass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font-=
size:small;color:#000000"><br></div><div class=3D"gmail_default" style=3D"f=
ont-family:arial,helvetica,sans-serif;font-size:small;color:#000000">BIP: <=
a href=3D"https://github.com/JeremyRubin/bips/blob/op-secure-the-bag/bip-se=
cure-the-bag.mediawiki">https://github.com/JeremyRubin/bips/blob/op-secure-=
the-bag/bip-secure-the-bag.mediawiki</a></div><div class=3D"gmail_default" =
style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#0000=
00">Implementation: <a href=3D"https://github.com/bitcoin/bitcoin/compare/m=
aster...JeremyRubin:securethebag_master">https://github.com/bitcoin/bitcoin=
/compare/master...JeremyRubin:securethebag_master</a></div><div class=3D"gm=
ail_default" style=3D"font-family:arial,helvetica,sans-serif;font-size:smal=
l;color:#000000"><br></div><div class=3D"gmail_default" style=3D"font-famil=
y:arial,helvetica,sans-serif;font-size:small;color:#000000">The BIP defines=
 OP_NOP4 with the same semantics as previously presented. This enables OP_S=
ECURETHEBAG for segwit and bare script, but not p2sh (because of hash cycle=
, it&#39;s impossible to put the redeemscript on the scriptSig without chan=
ging the bag hash).  The implementation also makes a bare OP_SECURETHEBAG s=
cript standard as that is a common use case.</div><div class=3D"gmail_defau=
lt" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#=
000000"><br></div><div class=3D"gmail_default" style=3D"font-family:arial,h=
elvetica,sans-serif;font-size:small;color:#000000">To address Russel&#39;s =
feedback, once Tapscript is fully prepared (with more thorough script parsi=
ng improvements), multibyte opcodes can be more cleanly specified.<br></div=
><div class=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-ser=
if;font-size:small;color:#000000"><br></div><div class=3D"gmail_default" st=
yle=3D"font-family:arial,helvetica,sans-serif;font-size:small;color:#000000=
">Best,</div><div class=3D"gmail_default" style=3D"font-family:arial,helvet=
ica,sans-serif;font-size:small;color:#000000"><br></div><div class=3D"gmail=
_default" style=3D"font-family:arial,helvetica,sans-serif;font-size:small;c=
olor:#000000">Jeremy</div><div class=3D"gmail_default" style=3D"font-family=
:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div><div c=
lass=3D"gmail_default" style=3D"font-family:arial,helvetica,sans-serif;font=
-size:small;color:#000000">n.b. the prior BIP version remains at <a href=3D=
"https://github.com/JeremyRubin/bips/blob/op-secure-the-bag-taproot/bip-sec=
ure-the-bag.mediawiki">https://github.com/JeremyRubin/bips/blob/op-secure-t=
he-bag-taproot/bip-secure-the-bag.mediawiki</a></div><div><div dir=3D"ltr" =
class=3D"gmail_signature" data-smartmail=3D"gmail_signature"><div dir=3D"lt=
r">--<br><a href=3D"https://twitter.com/JeremyRubin" target=3D"_blank">@Jer=
emyRubin</a><a href=3D"https://twitter.com/JeremyRubin" target=3D"_blank"><=
/a></div></div></div><br></div><br><div class=3D"gmail_quote"><div dir=3D"l=
tr" class=3D"gmail_attr">On Mon, Jul 8, 2019 at 3:25 AM Dmitry Petukhov &lt=
;<a href=3D"mailto:dp@simplexum.com">dp@simplexum.com</a>&gt; wrote:<br></d=
iv><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bord=
er-left:1px solid rgb(204,204,204);padding-left:1ex">If you make ANYPREVOUT=
ANYSCRIPT signature not the only signature that<br>
controls this UTXO, but use it solely for restricting the spending<br>
conditions such as the set of outputs, and require another signature<br>
that would commit to the whole transaction, you can eliminate<br>
malleability, for the price of additional signature, of course.<br>
<br>
&lt;control-sig&gt; &lt;control-P&gt; CHECKSIG &lt;P&gt; CHECKSIG<br>
<br>
(CHECKMULTISIG/CHECKSIGADD might be used instead)<br>
<br>
where control-P can even be a pubkey of a key that is publicly known,<br>
and the whole purpose of control-sig would be to restrict the outputs<br>
(control-sig would be created with flags meaning ANYPREVOUTANYSCRIPT).<br>
Because control-sig does not depend on the script and on the current<br>
input, there should be no circular dependency, and it can be part of<br>
the redeem script.<br>
<br>
P would be the pubkey of the actual key that is needed to spend this<br>
UTXO, and the signature of P can commit to all the inputs and outputs,<br>
preventing malleability.<br>
<br>
I would like to add that it may make sense to just have 2 additional<br>
flags for sighash: NOPREVOUT and NOSCRIPT.<br>
<br>
NOPREVOUT would mean that previous output is not committed to, and when<br>
combined with ANYONECANPAY, this will mean ANYPREVOUT/NOINPUT:<br>
ANYONECANPAY means exclude all inputs except the current, and NOPREVOUT<br>
means exclude the current input. Thus NOPREVOUT|ANYONECANPAY =3D NOINPUT<br=
>
<br>
With NOPREVOUT|ANYONECANPAY|NOSCRIPT you would have ANYPREVOUTANYSCRIPT<br>
<br>
with NOPREVOUT|NOSCRIPT you can commit to &quot;all the inputs beside the<b=
r>
current one&quot;, which would allow to create a spending restriction like<=
br>
&quot;this UTXO, and also one (or more) other UTXO&quot;, which might be us=
eful<br>
to retroactively revoke or transfer the rights to spend certain UTXO<br>
without actually moving it:<br>
<br>
think &#39;vault&#39; UTXO that is controlled by Alice, but requires additi=
onal<br>
&#39;control&#39; UTXO to spend. Alice have keys for both &#39;vault&#39; U=
TXO, and<br>
&#39;control&#39; UTXO, but Bob have only key for &#39;control&#39; UTXO.<b=
r>
<br>
If Bob learnsthat Alice&#39;s vault UTXO key is at risk of compromize,<br>
he spends the control UTXO, and then Alice&#39;s ability to spend vault<br>
UTXO vanishes.<br>
<br>
You can use this mechanism to transfer this right to spend if you<br>
prepare a number of taproot branches with different pairs of (vault,<br>
control) keys and a chain of transactions that each spend the previous<br>
control UTXO such that the newly created UTXO becomes controlled by the<br>
control key of the next pair, together with vault key in that pair.<br>
<br>
=D0=92 Sat, 22 Jun 2019 23:43:22 -0700<br>
Jeremy via bitcoin-dev &lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundat=
ion.org" target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wr=
ote:<br>
<br>
&gt; This is insufficient: sequences must be committed to because they<br>
&gt; affect TXID. As with scriptsigs (witness data fine to ignore). NUM_IN<=
br>
&gt; too.<br>
&gt; <br>
&gt; Any malleability makes this much less useful.<br>
&gt; --<br>
&gt; @JeremyRubin &lt;<a href=3D"https://twitter.com/JeremyRubin" rel=3D"no=
referrer" target=3D"_blank">https://twitter.com/JeremyRubin</a>&gt;<br>
&gt; &lt;<a href=3D"https://twitter.com/JeremyRubin" rel=3D"noreferrer" tar=
get=3D"_blank">https://twitter.com/JeremyRubin</a>&gt;<br>
&gt; <br>
&gt; <br>
&gt; On Fri, Jun 21, 2019 at 10:31 AM Anthony Towns via bitcoin-dev &lt;<br=
>
&gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl=
ank">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:<br>
&gt; <br>
&gt; &gt; On Tue, Jun 18, 2019 at 04:57:34PM -0400, Russell O&#39;Connor wr=
ote:=C2=A0 <br>
&gt; &gt; &gt; So with regards to OP_SECURETHEBAG, I am also &quot;not real=
ly seeing<br>
&gt; &gt; &gt; any=C2=A0 <br>
&gt; &gt; reason to=C2=A0 <br>
&gt; &gt; &gt; complicate the spec to ensure the digest is precommitted as =
part<br>
&gt; &gt; &gt; of the opcode.&quot;=C2=A0 <br>
&gt; &gt;<br>
&gt; &gt; Also, I think you can simulate OP_SECURETHEBAG with an ANYPREVOUT=
<br>
&gt; &gt; (NOINPUT) sighash (Johnson Lau&#39;s mentioned this before, but n=
ot<br>
&gt; &gt; sure if it&#39;s been spelled out anywhere); ie instead of constr=
ucting<br>
&gt; &gt;<br>
&gt; &gt;=C2=A0 =C2=A0X =3D Hash_BagHash( version, locktime, [outputs], [se=
quences],<br>
&gt; &gt; num_in )<br>
&gt; &gt;<br>
&gt; &gt; and having the script be &quot;&lt;X&gt; OP_SECURETHEBAG&quot; yo=
u calculate an<br>
&gt; &gt; ANYPREVOUT sighash for SIGHASH_ANYPREVOUTANYSCRIPT | SIGHASH_ALL:=
<br>
&gt; &gt;<br>
&gt; &gt;=C2=A0 =C2=A0Y =3D Hash_TapSighash( 0, 0xc1, version, locktime, [o=
utputs], 0,<br>
&gt; &gt;=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A0 =C2=A0 =C2=A0 amount, sequence)<br>
&gt; &gt;<br>
&gt; &gt; and calculate a signature sig =3D Schnorr(P,m) for some pubkey P,=
 and<br>
&gt; &gt; make your script be &quot;&lt;sig&gt; &lt;P&gt; CHECKSIG&quot;.<b=
r>
&gt; &gt;<br>
&gt; &gt; That loses the ability to commit to the number of inputs or restr=
ict<br>
&gt; &gt; the nsequence of other inputs, and requires a bigger script (sig<=
br>
&gt; &gt; and P are ~96 bytes instead of X&#39;s 32 bytes), but is otherwis=
e<br>
&gt; &gt; pretty much the same as far as I can tell. Both scripts are<br>
&gt; &gt; automatically satisfied when revealed (with the correct set of<br=
>
&gt; &gt; outputs), and don&#39;t need any additional witness data.<br>
&gt; &gt;<br>
&gt; &gt; If you wanted to construct &quot;X&quot; via script instead of ha=
rdcoding a<br>
&gt; &gt; value because it got you generalised covenants or whatever; I thi=
nk<br>
&gt; &gt; you could get the same effect with CAT,LEFT, and RIGHT: you&#39;d=
<br>
&gt; &gt; construct Y in much the same way you construct X, but you&#39;d t=
hen<br>
&gt; &gt; need to turn that into a signature. You could do so by using pubk=
ey<br>
&gt; &gt; P=3DG and nonce R=3DG, which means you need to calculate<br>
&gt; &gt; s=3D1+hash(G,G,Y)*1 -- calculating the hash part is easy, multipl=
ying<br>
&gt; &gt; it by 1 is easy, and to add 1 you can probably do something along=
<br>
&gt; &gt; the lines of:<br>
&gt; &gt;<br>
&gt; &gt;=C2=A0 =C2=A0 =C2=A0OP_DUP 4 OP_RIGHT 1 OP_ADD OP_SWAP 28 OP_LEFT =
OP_SWAP OP_CAT<br>
&gt; &gt;<br>
&gt; &gt; (ie, take the last 4 bytes, increment it using 4-byte arithmetic,=
<br>
&gt; &gt; then cat the first 28 bytes and the result. There&#39;s overflow =
issues,<br>
&gt; &gt; but I think they can be worked around either by allowing you to<b=
r>
&gt; &gt; choose different locktimes, or by more complicated script)<br>
&gt; &gt;<br>
&gt; &gt; Cheers,<br>
&gt; &gt; aj<br>
&gt; &gt;<br>
&gt; &gt; _______________________________________________<br>
&gt; &gt; bitcoin-dev mailing list<br>
&gt; &gt; <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=
=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
&gt; &gt; <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bit=
coin-dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundatio=
n.org/mailman/listinfo/bitcoin-dev</a><br>
&gt; &gt;=C2=A0 <br>
<br>
</blockquote></div>

--000000000000c7ec98059409dd22--