1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
|
Return-Path: <sjors@sprovoost.nl>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id C79D3DD4
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 7 May 2019 20:50:25 +0000 (UTC)
X-Greylist: delayed 00:07:18 by SQLgrey-1.7.6
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com
[64.147.123.19])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 71EE6FD
for <bitcoin-dev@lists.linuxfoundation.org>;
Tue, 7 May 2019 20:50:21 +0000 (UTC)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
by mailout.west.internal (Postfix) with ESMTP id 1EA5446F;
Tue, 7 May 2019 16:43:02 -0400 (EDT)
Received: from mailfrontend2 ([10.202.2.163])
by compute1.internal (MEProxy); Tue, 07 May 2019 16:43:02 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sprovoost.nl; h=
content-type:mime-version:subject:from:in-reply-to:date:cc
:content-transfer-encoding:message-id:references:to; s=fm2; bh=W
xhZp8VJJ2OJmG+29fC4oxDyE3N7Dgd4td4Id7B6VOs=; b=QIqa0yngDZg6Q8Yfc
SoeBK9cOYBobFtKHAYgMl6wDHbPOiialBmW9ELFmTrenLqdLfcPxTd3kYiBav/nZ
X+YGRIp6ZxbFOKCyH4EIeaCu1i4x0/qXwFQRb9/kLZzWiAiAcg6Iv9Jk1uj5NHCt
lh9B9lcMvR/naLjpwrC7Ag7/r3ynCIDz7KKgT6UqtW8tklxncAZ/2F8tyRBQV35J
MIwncp8XUZOV7JIxSazTqVEnQFXrjNz9BEecLhsvRzxdIMPxMY9pd65b462t3Of4
DCqY/HbFJ9J0Nqg6If6CFPVd2QpoQMEccFKcCHdJK+CfdVlUuMmkiyzbbYpsVS/H
JaBsg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-transfer-encoding:content-type
:date:from:in-reply-to:message-id:mime-version:references
:subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
:x-sasl-enc; s=fm2; bh=WxhZp8VJJ2OJmG+29fC4oxDyE3N7Dgd4td4Id7B6V
Os=; b=nUwWCIPU8MovYfAIOogT0esGY5nogIDhAn8uXK7Z94F4V2bzn1BAl/LnB
8beZkCd23auHMJ9axxv6CoyuD3sI+GH9ByIe5iw+qzqzWvhiEhFiS9h0PYAAhq7u
ddfcQ0XDyTAfiyz/4Uu2m4lr4GMGRFqCBQKtawIz2kXHStVJUYd2JWN+N1yf0Slg
jhn7gHgBTbxrHwyDkBzYExISp8mFH9W5ypMhX+gwlmKHzzakch3csKRUP6sINN8z
F6wzga4ctXR3h/OZVLk85zGFH5iJ+VMlFxvTBqR7zPARj96fD4v0V1lmFOVWVBS3
/nQMO7danJ1JBKpDxumRIrIETS54g==
X-ME-Sender: <xms:1e3RXCh4eUUZTS-JVvHn_4abzfgggB4nRGxBCYEyn_8qYtow1nGAJQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrkedtgdduheejucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
cujfgurheptggguffhjgffgffkfhfvofesthhqmhdthhdtvdenucfhrhhomhepufhjohhr
shcurfhrohhvohhoshhtuceoshhjohhrshesshhprhhovhhoohhsthdrnhhlqeenucffoh
hmrghinhepghhithhhuhgsrdgtohhmpdhlihhnuhigfhhouhhnuggrthhiohhnrdhorhhg
necukfhppeekgedruddthedriedurdduheenucfrrghrrghmpehmrghilhhfrhhomhepsh
hjohhrshesshhprhhovhhoohhsthdrnhhlnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:1e3RXI7Y0Sv5vv78DY9xu_oNRK677MyxrL0tQJOwmitRNBWj54apsg>
<xmx:1e3RXMjomJNMu04hrORjNocYYO0O9UkMVrcRsim670zXfpTGzIAJqQ>
<xmx:1e3RXMaS83p2Ctd84gaucyWAgSXkFQTDrx0oJ-dljqx3hTFq8tlhpQ>
<xmx:1e3RXLYLiFCn6TZ7bNRgQAAUd4VaS3UibY-Q30eUcu9sAKvIRr6Ueg>
Received: from [192.168.178.143] (84-105-61-15.cable.dynamic.v4.ziggo.nl
[84.105.61.15])
by mail.messagingengine.com (Postfix) with ESMTPA id 8373E103D2;
Tue, 7 May 2019 16:43:00 -0400 (EDT)
Content-Type: text/plain;
charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Sjors Provoost <sjors@sprovoost.nl>
In-Reply-To: <201905062017.11396.luke@dashjr.org>
Date: Tue, 7 May 2019 22:42:58 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <34827F16-9061-4317-B91F-250734850EE6@sprovoost.nl>
References: <CAPg+sBg6Gg8b7hPogC==fehY3ZTHHpQReqym2fb4XXWFpMM-pQ@mail.gmail.com>
<201905062017.11396.luke@dashjr.org>
To: Pieter Wuille <pieter.wuille@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
X-Mailer: Apple Mail (2.3445.104.8)
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
smtp1.linux-foundation.org
X-Mailman-Approved-At: Tue, 07 May 2019 21:08:09 +0000
Subject: Re: [bitcoin-dev] Taproot proposal
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 20:50:25 -0000
Hey Pieter,
I think this is a reasonable collection of changes that make sense in =
combination. Some initial feedback and questions.
=46rom the BIP:
> If one or more of the spending conditions consist of just a single key =
(after aggregation),
> he most likely one should be made the internal key. If no such =
condition exists, it may
> be worthwhile adding one that consists of an aggregation of all keys =
participating in all
> scripts combined; effectively adding an "everyone agrees" branch. If =
that is inacceptable,
> pick as internal key a point with unknown discrete logarithm (TODO).
I assume Luke Dashjr referred to the above when saying:
> Is there any way to use the Taproot construct here while retaining =
external=20
> script limitations that the involved party(ies) *cannot* agree to =
override?=20
> For example, it is conceivable that one might wish to have an =
unconditional=20
> CLTV enforced in all circumstances.
One reason why someone would want to avoid a "everone agrees" branch, is =
duress (or self-discipline, or limiting powers of a trustee). In =
particular with respect to time-locks.
Can this "unknown discrete logarithm" be made provably unknown, so all =
signers are assured of this property? Bonus points if the outside world =
can't tell. The exact mechanism could be outside the scope of the BIP, =
but knowing that it's possible is useful.
Perhaps Lightning devs have an opinion on "everyone agrees" with respect =
to hash pre-images. I suspect there is no benefit in guaranteeing that a =
pre-image must be revealed or a timeout must be waited for and there's =
no way around that condition.
Regarding usage of Schnorr: do I understand correctly that the "everyone =
agrees" internal key MUST use Schnorr, and that individual branches MAY =
use Schnorr, but only if they're marked as tapscript spend?
Why is tapscript not mandatory?
Misc details:
In the Design section under "Merkle branches" I suggest adding bullet =
points with short descriptions of "various known mechanisms for =
implementing this". In addition to "space savings" maybe also briefly =
mention a few other pros and cons, like implementation complexity and =
privacy. And then point out which one you picked.
In the Design section, explicitly point out you're no longer using the =
hash of a public key (can move some explanation up from rationale =
section). This is a significant change, even if you have good reason to =
believe it's perfectly safe.
Regarding the 64 byte SHA256(tag) || SHA256(tag) 64-byte long =
context-specific constant: maybe add that sha-2 block size is 512 bits
"Conceptually every Taproot output corresponds to" -> some of this =
conceptual stuff belongs in or before the Specification section. Try =
briefly explaining how tagged hashes and script validation (stack) =
interact, before specifying them in detail. The figure (without the =
pseudo-code) can be helpful for that.=20
In the figure with the merkle tree, the description says there's "3 =
script leaves.". So what's going on in leaf D? If it's a way to indicate =
an unused leaf, why is E different (or is also TapLeaf)? Maybe emphasize =
that "TapLeaf" tag is there so prove to all signers there's no secret =
conditions (the CVE-2012-2459 protection you refer to).
Sjors
> Op 6 mei 2019, om 22:17 heeft Luke Dashjr via bitcoin-dev =
<bitcoin-dev@lists.linuxfoundation.org> het volgende geschreven:
>=20
> There are multiple references to "space savings", but no rationale for=20=
> treating "space" as something to save or even define. The costs are in =
CPU=20
> time and I/O (which "space saving" doesn't necessarily reduce) and =
bandwidth=20
> (which can often be reduced without "space saving" in commitments). =
The=20
> proposal can apparently be made simpler by ignoring this irrelevant =
"space=20
> saving" goal.
>=20
> Tagged hashes put the tagging at the start of the hash input. This =
means=20
> implementations can pre-cache SHA2 states, but it also means they =
can't reuse=20
> states to produce data for different contexts. (I'm not sure if there =
is a=20
> use for doing so... but maybe as part of further hiding MAST =
branches?)
>=20
> Is there any way to use the Taproot construct here while retaining =
external=20
> script limitations that the involved party(ies) *cannot* agree to =
override?=20
> For example, it is conceivable that one might wish to have an =
unconditional=20
> CLTV enforced in all circumstances.
>=20
> It may be useful to have a way to add a salt to tap branches.
>=20
> Some way to sign an additional script (not committed to by the witness=20=
> program) seems like it could be a trivial addition.
>=20
>=20
> On Monday 06 May 2019 17:57:57 Pieter Wuille via bitcoin-dev wrote:
>> Hello everyone,
>>=20
>> Here are two BIP drafts that specify a proposal for a Taproot
>> softfork. A number of ideas are included:
>>=20
>> * Taproot to make all outputs and cooperative spends =
indistinguishable
>> from eachother.
>> * Merkle branches to hide the unexecuted branches in scripts.
>> * Schnorr signatures enable wallet software to use key
>> aggregation/thresholds within one input.
>> * Improvements to the signature hashing algorithm (including signing
>> all input amounts).
>> * Replacing OP_CHECKMULTISIG(VERIFY) with OP_CHECKSIGADD, to support
>> batch validation.
>> * Tagged hashing for domain separation (avoiding issues like
>> CVE-2012-2459 in Merkle trees).
>> * Extensibility through leaf versions, OP_SUCCESS opcodes, and
>> upgradable pubkey types.
>>=20
>> The BIP drafts can be found here:
>> * https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki
>> specifies the transaction input spending rules.
>> * =
https://github.com/sipa/bips/blob/bip-schnorr/bip-tapscript.mediawiki
>> specifies the changes to Script inside such spends.
>> * https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
>> is the Schnorr signature proposal that was discussed earlier on this
>> list (See
>> =
https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016203.h=
t
>> ml)
>>=20
>> An initial reference implementation of the consensus changes, plus
>> preliminary construction/signing tests in the Python framework can be
>> found on https://github.com/sipa/bitcoin/commits/taproot. All
>> together, excluding the Schnorr signature module in libsecp256k1, the
>> consensus changes are around 520 LoC.
>>=20
>> While many other ideas exist, not everything is incorporated. This
>> includes several ideas that can be implemented separately without =
loss
>> of effectiveness. One such idea is a way to integrate =
SIGHASH_NOINPUT,
>> which we're working on as an independent proposal.
>>=20
>> The document explains basic wallet operations, such as constructing
>> outputs and signing. However, a wide variety of more complex
>> constructions exist. Standardizing these is useful, but out of scope
>> for now. It is likely also desirable to define extensions to PSBT
>> (BIP174) for interacting with Taproot. That too is not included here.
>>=20
>> Cheers,
>=20
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|