More Schnorr Tricks for Bitcoin

Yannick Seurin, Agence nationale de la sécurité des systèmes d'information (ANSSI)
November 22, 2018, BlockSem Seminar

Sections: Bitcoin Script, Schnorr, Taproot, Scriptless Scripts, Discreet Log Contracts, Conclusion


Example: Pay-to-Public-Key-Hash (P2PKH)

  scriptSig:    <sig> <pubKey>
  scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

Stack evolution (top of stack on the right):
  <sig> <pubKey>                              after scriptSig
  <sig> <pubKey> <pubKey>                     OP_DUP
  <sig> <pubKey> <pubKeyHash'>                OP_HASH160
  <sig> <pubKey> <pubKeyHash'> <pubKeyHash>   push <pubKeyHash>
  <sig> <pubKey>                              OP_EQUALVERIFY (requires pubKeyHash' = pubKeyHash)
  True                                        OP_CHECKSIG

• Bitcoin "address" = RIPEMD-160(SHA-256(public key)) encoded in Base58Check format (starts with a '1')

Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

Other useful instructions

• m-of-n MULTISIG:
  • scriptPubKey contains n public keys
  • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys
  • many applications (multi-authentication wallet, escrow, etc.)
• OP_RETURN:
  • makes output unspendable
  • used to put arbitrary data in the blockchain
• Lock-time:
  • output unspendable until some time in the future
  • absolute (CLTV) or relative (CSV)
  • application: payment channels, Lightning Network

Hash Time-Lock Contract (HTLC)

• Hash Time-Locked Contracts HTLC(h, X1, τ, X2):

  OP_IF
      OP_SHA256 <h> OP_EQUALVERIFY <X1> OP_CHECKSIG
  OP_ELSE
      <τ> OP_CLTV OP_DROP <X2> OP_CHECKSIG
  OP_ENDIF

• in words, such an output can be spent either
  • with y such that SHA256(y) = h and a signature under X1
  • OR after time τ with a signature under X2
• used in the Lightning Network for payment channels and routing

Atomic (cross-chain) swaps [Nol13]

• allows trading without a trusted party
• suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob
• Alice (public key X_A) and Bob (public key X_B) proceed as follows:
  • Bob chooses random y and sends h = SHA256(y) to Alice
  • Bob sends 100 litecoins to HTLC(h, X_A, τ_B, X_B)
  • Alice sends 1 bitcoin to HTLC(h, X_B, τ_A, X_A)
  • Bob claims Alice's bitcoin, revealing y
  • Alice can claim Bob's 100 litecoins using y
  • if anything goes wrong, parties can get funds back after τ_A / τ_B
• τ_B must be significantly later than τ_A (otherwise Bob could claim both HTLC outputs between τ_B and τ_A)
• problem: not private at all, the payments can be linked with y

Automated bounties

• What does the following scriptPubKey do?

  OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL

• scriptSig = <m1> <m2> returns True if m1 ≠ m2 and SHA1(m1) = SHA1(m2), i.e. the output can be claimed by anyone who presents a SHA-1 collision
• bounty created in Sept. 2013 by P. Todd (https://bitcointalk.org/index.php?topic=293382.0)
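The HTLC and the bounty script above, run on a small interpreter for exactly the opcodes these slides use; this is an added example, not code from the talk. OP_CHECKSIG delegates to a caller-supplied verifier and the demo substitutes a constructed lookup table for it; script numbers use a simplified unsigned encoding; every key, signature and the preimage y are constructed values.

```python
import hashlib
from typing import Callable, List, Optional, Union

Elem = Union[str, bytes]                   # an opcode name, or data to push
CheckSig = Callable[[bytes, bytes], bool]  # (pubkey, sig) -> valid?

class ScriptError(Exception):
    """Any failure makes the spend invalid."""

def num(n: int) -> bytes:
    """Simplified script number: unsigned little-endian, 0 is the empty item."""
    return b"" if n == 0 else n.to_bytes((n.bit_length() + 7) // 8, "little")

def truthy(item: bytes) -> bool:
    return any(item)  # empty or all-zero bytes is False

# Pure stack opcodes: name -> (items popped, items to push); args come bottom-to-top.
STACK_OPS = {
    "OP_2DUP": (2, lambda a, b: [a, b, a, b]),
    "OP_SWAP": (2, lambda a, b: [b, a]),
    "OP_DROP": (1, lambda a: []),
    "OP_EQUAL": (2, lambda a, b: [num(int(a == b))]),
    "OP_NOT": (1, lambda a: [num(int(not truthy(a)))]),
    "OP_SHA1": (1, lambda a: [hashlib.sha1(a).digest()]),
    "OP_SHA256": (1, lambda a: [hashlib.sha256(a).digest()]),
}

def run(script: List[Elem], stack: List[bytes], checksig: CheckSig, locktime: int = 0) -> List[bytes]:
    """Execute script on stack; locktime models the spending transaction's nLockTime."""
    cond: List[bool] = []  # OP_IF nesting; executing iff every entry is True
    def pop(k: int = 1) -> List[bytes]:
        if len(stack) < k:
            raise ScriptError("stack underflow")
        items, stack[-k:] = stack[-k:], []
        return items
    for el in script:
        executing = all(cond)
        if el == "OP_IF":
            cond.append(truthy(pop()[0]) if executing else False)
        elif el in ("OP_ELSE", "OP_ENDIF"):
            if not cond:
                raise ScriptError(f"{el} without OP_IF")
            if el == "OP_ENDIF":
                cond.pop()
            else:  # flip the branch, unless an enclosing OP_IF is already false
                cond[-1] = (not cond[-1]) if all(cond[:-1]) else False
        elif not executing:
            continue
        elif isinstance(el, bytes):
            stack.append(el)
        elif el in STACK_OPS:
            k, fn = STACK_OPS[el]
            stack.extend(fn(*pop(k)))
        elif el == "OP_EQUALVERIFY":
            run(["OP_EQUAL", "OP_VERIFY"], stack, checksig, locktime)
        elif el == "OP_VERIFY":
            if not truthy(pop()[0]):
                raise ScriptError("OP_VERIFY failed")
        elif el == "OP_CHECKSIG":
            sig, pub = pop(2)
            stack.append(num(int(checksig(pub, sig))))
        elif el == "OP_CLTV":
            # fails unless nLockTime has reached the stack top, which stays on the stack
            if not stack or int.from_bytes(stack[-1], "little") > locktime:
                raise ScriptError("lock time not reached")
        else:
            raise ScriptError(f"unsupported opcode {el!r}")
    if cond:
        raise ScriptError("unterminated OP_IF")
    return stack

def spend(script_sig: List[Elem], script_pubkey: List[Elem], checksig: CheckSig, locktime: int = 0) -> bool:
    """Run scriptSig then scriptPubKey; the spend is valid iff the final top item is true."""
    try:
        stack = run(script_pubkey, run(script_sig, [], checksig), checksig, locktime)
        return bool(stack) and truthy(stack[-1])
    except ScriptError:
        return False

def htlc(h: bytes, x1: bytes, tau: int, x2: bytes) -> List[Elem]:
    return ["OP_IF", "OP_SHA256", h, "OP_EQUALVERIFY", x1, "OP_CHECKSIG", "OP_ELSE",
            num(tau), "OP_CLTV", "OP_DROP", x2, "OP_CHECKSIG", "OP_ENDIF"]

BOUNTY = ["OP_2DUP", "OP_EQUAL", "OP_NOT", "OP_VERIFY", "OP_SHA1", "OP_SWAP", "OP_SHA1", "OP_EQUAL"]

# Stand-in for signature checking (constructed, hypothetical): a table of accepted
# (pubkey, signature) pairs; a real node verifies a signature over the transaction.
X1, X2 = b"pubkey-X1", b"pubkey-X2"
toy_checksig: CheckSig = lambda pub, sig: (pub, sig) in {(X1, b"sig-by-X1"), (X2, b"sig-by-X2")}
Y = b"constructed preimage y"  # the secret whose hash locks the contract
H_Y, TAU = hashlib.sha256(Y).digest(), 500_000

def spend_htlc(preimage: Optional[bytes] = None, locktime: int = 0) -> bool:
    """Hash path: scriptSig = <sig X1> <y> <1>. Time path: <sig X2> <0> (selects OP_ELSE)."""
    sig = [b"sig-by-X1", preimage, num(1)] if preimage is not None else [b"sig-by-X2", num(0)]
    return spend(sig, htlc(H_Y, X1, TAU, X2), toy_checksig, locktime)

def claim_bounty(m1: bytes, m2: bytes) -> bool:
    return spend([m1, m2], BOUNTY, toy_checksig)
```

The bounty script can only return True on a genuine SHA-1 collision; with two distinct constructed messages it fails at the final OP_EQUAL, and with identical messages it fails earlier at OP_VERIFY.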

Outline

Bitcoin Script
Refresher: Schnorr Signatures and MuSig
Taproot
Scriptless Scripts
Discreet Log Contracts
Conclusion

Signature scheme: definition

A signature scheme consists of three algorithms:
1. key generation algorithm Gen:
   • returns a public/secret key pair (pk, sk)
2. signature algorithm Sign:
   • takes as input a secret key sk and a message m
   • returns a signature σ
3. verification algorithm Ver:
   • takes as input a public key pk, a message m, and a signature σ
   • returns 1 if the signature is valid and 0 otherwise

Correctness property:
  ∀ (pk, sk) ← Gen, ∀ m,  Ver(pk, m, Sign(sk, m)) = 1

Mathematical background

Cyclic group and generator
Let 𝔾 be an abelian group of order p. An element G ∈ 𝔾 is called a generator if
  ⟨G⟩ := {0G, 1G, 2G, ...} = 𝔾.
If G is a generator, then for any X ∈ 𝔾, there exists a unique x ∈ {0, ..., p − 1} such that X = xG.

Discrete logarithm problem
Given X ∈ 𝔾, find x ∈ {0, ..., p − 1} such that X = xG.

NB: with multiplicative notation, xG ∼ G^x

Schnorr signatures [Sch89, Sch91]

• public parameters:
  • a cyclic group 𝔾 of prime order p and a generator G
  • a hash function H
• key generation:
  • secret key x ←$ Z_p
  • public key X = xG
• signature: on input m and x,
  • draw r ←$ Z_p and compute R = rG
  • compute c = H(X, R, m) and s = r + cx mod p
  • output σ = (R, s)
• verification: on input X, m and σ = (R, s),
  • compute c = H(X, R, m) and check sG =? R + cX
• alternative:
  • signature σ = (c, s)
  • verification: compute R = sG − cX and check H(X, R, m) =? c

  44. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  45. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  46. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  53. MuSig: Multi-signatures supporting key aggregation (slide 17/40)
  • verification: $(R, s)$ is a valid signature for $m$ under $\tilde{X}$ if $sG = R + H(\tilde{X}, R, m)\,\tilde{X}$
  • correctness proof:
    $sG = \sum_{i=1}^{n} s_i G = \underbrace{\sum_{i=1}^{n} r_i G}_{R} + H(\tilde{X}, R, m)\,\underbrace{\sum_{i=1}^{n} \mu_i x_i G}_{\tilde{X}}$
  • same as a standard Schnorr signature for public key $\tilde{X}$!
  • secure in the plain public key model:
    • no assumption on how participants choose their public keys
    • multipliers $\mu_i = H(\{X_1, \ldots, X_n\}, X_i)$ prevent rogue key attacks

  59. Application: replacing OP_CHECKMULTISIG (slide 18/40)
  • using MuSig, an $n$-of-$n$ multisig output for public keys $\{X_1, \ldots, X_n\}$ can be replaced by a standard P2PKH output for the aggregate key $\tilde{X}$
  • this improves both efficiency and privacy:
    • one public key and one signature to store and verify (versus $n$ public keys and $n$ signatures)
    • individual public keys are never revealed
    • the multisig output is indistinguishable from a standard P2PKH output

  64. Outline (slide 19/40)
  Bitcoin Script
  Refresher: Schnorr Signatures and MuSig
  Taproot
  Scriptless Scripts
  Discreet Log Contracts
  Conclusion

  65. P2SH (Pay-to-Script-Hash) (slide 20/40)
  • new type of transaction activated in 2012 (BIP 16)
  • the output only contains a hash of the actual scriptPubKey (the redeem script), acting as a (binding) commitment
  • spending the output requires the redeem script and a valid signature script
  • advantages:
    • the sender does not need to know the redeem script when creating the transaction (only the hash)
    • all P2SH addresses “look the same”
    • redeem scripts are not contained in the UTXO set anymore (only revealed when spending an output)
  • P2SH addresses start with a ’3’

  73. MAST (Merkelized Abstract Syntax Trees) [RNS14] (slide 21/40)
  • credited to R. O’Connor and P. Wuille, not deployed yet
  • scripts are usually an OR of several conditions
  • put all disjunctions in a Merkle tree
  • the output contains the Merkle root
  • to spend a MAST output, the input must contain one of the disjunctions $S_i$, a Merkle proof, and a valid scriptSig for $S_i$

  Figure: Merkle tree over four disjunctions $S_0, \ldots, S_3$

                    Root
                 /        \
          Hash_{0,1}      Hash_{2,3}
           /     \         /     \
       Hash_0   Hash_1  Hash_2   Hash_3
         |        |       |        |
        S_0      S_1     S_2      S_3
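A worked MAST spend check, added here as an example and not code from the talk: four constructed scripts are committed to a Merkle root, a spender reveals only $S_2$ plus its two sibling hashes, and the verifier recomputes the root. Plain SHA-256 and left/right ordering are assumptions (this is the textbook tree from the slide, not the later BIP 341 encoding).

```python
import hashlib


def h(data: bytes) -> bytes:
    """Leaf hash: Hash_i = SHA-256(S_i) as in the slide (hash choice is an assumption)."""
    return hashlib.sha256(data).digest()


def node(left: bytes, right: bytes) -> bytes:
    """Inner node: Hash_{i,j} = SHA-256(Hash_i || Hash_j)."""
    return hashlib.sha256(left + right).digest()


def _next_level(level):
    # Odd levels are padded by repeating the last hash (an assumption, not in the slide).
    if len(level) % 2:
        level = level + [level[-1]]
    return [node(level[i], level[i + 1]) for i in range(0, len(level), 2)], level


def merkle_root(scripts):
    """Root committed in the output: only this 32-byte value is on chain."""
    level = [h(s) for s in scripts]
    while len(level) > 1:
        level, _ = _next_level(level)
    return level[0]


def merkle_proof(scripts, index):
    """Sibling hashes from leaf `index` up to the root, each tagged with its side."""
    level = [h(s) for s in scripts]
    proof = []
    while len(level) > 1:
        nxt, padded = _next_level(level)
        sib = index ^ 1                      # sibling position at this level
        proof.append((padded[sib], sib > index))  # True = sibling sits on the right
        level, index = nxt, index // 2
    return proof


def verify_mast_spend(root, script, proof):
    """What a node checks: the revealed script plus proof must rebuild the committed root.
    The scriptSig for `script` is checked separately by the script interpreter."""
    cur = h(script)
    for sibling, sibling_on_right in proof:
        cur = node(cur, sibling) if sibling_on_right else node(sibling, cur)
    return cur == root


if __name__ == "__main__":
    scripts = [b"S0 script", b"S1 script", b"S2 script", b"S3 script"]  # constructed
    root = merkle_root(scripts)
    proof = merkle_proof(scripts, 2)
    print("reveals", len(proof), "hashes; valid:", verify_mast_spend(root, scripts[2], proof))
```

The other three scripts never appear on chain; a proof for $S_2$ cannot be reused to spend with $S_3$ because the leaf hash no longer matches.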

  79. Taproot: description (slide 22/40)
  • proposed by G. Maxwell [Max18]
  • in practice, redeem scripts often have a unanimity clause:
    $\underbrace{(n \text{ parties agree to sign})}_{n\text{-of-}n \text{ multisig}} \;\text{OR}\; \underbrace{(\text{some more complex conditions})}_{\text{script } S}$
  • can be achieved indistinguishably from a standard P2PKH output
  • let $\tilde{X}$ be the MuSig aggregate key for the $n$ parties
  • the output uses public key $Y = \tilde{X} + H(\tilde{X}, S)\,G$
  • two ways to spend the output:
    • the $n$ parties agree to sign with $Y$ (one of them simply adds a corrective term $c\,H(\tilde{X}, S)$ to its partial signature $s_i$) ⇒ looks like a normal P2PKH spending, $S$ remains forever private
    • $\tilde{X}$ and $S$ are revealed and a scriptSig $S'$ is provided; valid if $\tilde{X} + H(\tilde{X}, S)\,G = Y$ and $S' \,\|\, S$ returns True
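The MuSig rounds from slides 46 and 53 and the Taproot key-path/script-path spends from this slide, run end to end over secp256k1 as an added example (not code from the talk or from any Bitcoin implementation). Assumptions: $H$ is SHA-256 reduced mod the group order with the key set encoded as the sorted concatenation of the keys, $H'$ is a tagged SHA-256, and the curve arithmetic is a minimal affine implementation.

```python
import hashlib
import secrets

# secp256k1 domain parameters (real curve constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    res, k = None, k % N
    while k:
        if k & 1: res = ec_add(res, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return res

def enc(pt): return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def H(*parts):
    """The slides' H: SHA-256 over points/bytes, reduced mod the group order (assumption)."""
    h = hashlib.sha256()
    for p in parts: h.update(p if isinstance(p, bytes) else enc(p))
    return int.from_bytes(h.digest(), "big") % N
def H_commit(R):  # the slides' H' for nonce commitments; the tag is an assumption
    return hashlib.sha256(b"commit" + enc(R)).digest()

def musig_coeffs(pubkeys):
    # mu_i = H({X_1..X_n}, X_i); the key set is encoded as a sorted concatenation (assumption)
    L = b"".join(sorted(enc(X) for X in pubkeys))
    return [H(L, X) for X in pubkeys]
def musig_aggregate(pubkeys):  # X~ = sum mu_i X_i
    agg = None
    for mu, X in zip(musig_coeffs(pubkeys), pubkeys): agg = ec_add(agg, ec_mul(mu, X))
    return agg

def musig_sign(seckeys, msg, tweak=0):
    """Run the MuSig rounds; a non-zero tweak t makes signer 0 add c*t (Taproot key path)."""
    pubkeys = [ec_mul(x, G) for x in seckeys]
    mus, Xagg = musig_coeffs(pubkeys), musig_aggregate(pubkeys)
    key = Xagg if tweak == 0 else ec_add(Xagg, ec_mul(tweak, G))  # key the verifier will use
    rs = [secrets.randbelow(N - 1) + 1 for _ in seckeys]           # round 1: nonces r_i
    Rs = [ec_mul(r, G) for r in rs]
    commits = [H_commit(R) for R in Rs]                             # h_i = H'(R_i) sent first
    for R, h in zip(Rs, commits):                                   # round 2: nonces opened, checked
        if H_commit(R) != h: raise ValueError("nonce does not match commitment")
    R = None
    for Ri in Rs: R = ec_add(R, Ri)
    c = H(key, R, msg)
    parts = [(r + c * mu * x) % N for r, mu, x in zip(rs, mus, seckeys)]  # s_i = r_i + c mu_i x_i
    parts[0] = (parts[0] + c * tweak) % N                           # corrective term c*H(X~, S)
    return (R, sum(parts) % N)

def schnorr_verify(pub, msg, sig):  # standard check: sG == R + H(pub, R, m) pub
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(H(pub, R, msg), pub))

def taproot_output_key(Xagg, script):
    """Y = X~ + H(X~, S) G; a script-path spend reveals X~ and S and re-checks this."""
    return ec_add(Xagg, ec_mul(H(Xagg, script), G))

def demo(n=3):
    seckeys = [secrets.randbelow(N - 1) + 1 for _ in range(n)]
    Xagg = musig_aggregate([ec_mul(x, G) for x in seckeys])
    msg, S = b"constructed tx digest", b"constructed script S"    # constructed inputs
    Y = taproot_output_key(Xagg, S)
    plain, keypath = musig_sign(seckeys, msg), musig_sign(seckeys, msg, tweak=H(Xagg, S))
    return {"musig_ok": schnorr_verify(Xagg, msg, plain),           # slide 53 verification
            "keypath_ok": schnorr_verify(Y, msg, keypath),          # looks like a P2PKH spend
            "keypath_bound_to_Y": not schnorr_verify(Xagg, msg, keypath),
            "scriptpath_ok": taproot_output_key(Xagg, S) == Y,      # X~, S revealed
            "scriptpath_wrong_S": taproot_output_key(Xagg, b"other") != Y}
```

A verifier that only knows $Y$ cannot tell whether it was built from an aggregate key and a script, which is the indistinguishability claim of the slide.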
