more schnorr tricks for bitcoin
play

More Schnorr Tricks for Bitcoin Yannick Seurin Agence nationale de - PowerPoint PPT Presentation

Nov 12, 2022 •1.84k likes •3.68k views

Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion More Schnorr Tricks for Bitcoin Yannick Seurin Agence nationale de la scurit des systmes dinformation November 22, 2018 BlockSem Seminar

  1. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � pubKeyHash’ � � pubKey � � sig � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  2. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � pubKeyHash � � pubKeyHash’ � � pubKey � � sig � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  3. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � pubKey � � sig � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  4. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  5. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey • Bitcoin “address” = RIPEMD-160(SHA-256(public key)) encoded in Base58Check format (starts with a ’1’) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  6. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  7. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  8. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  9. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  10. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  11. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  12. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  13. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  14. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  15. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  16. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  17. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Hash Time-Lock Contract (HTLC) • Hash Time-Locked Contracts HTLC( h , X 1 , τ, X 2 ): OP_IF OP_SHA256 � h � OP_EQUALVERIFY � X 1 � OP_CHECKSIG OP_ELSE � τ � OP_CLTV OP_DROP � X 2 � OP_CHECKSIG OP_ENDIF • in words, such a output can be spent either • with y such that SHA256( y ) = h and a signature under X 1 • OR after time τ with a signature under X 2 • used in the Lightning Network for payment channels and routing Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 9 / 40

  18. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Hash Time-Lock Contract (HTLC) • Hash Time-Locked Contracts HTLC( h , X 1 , τ, X 2 ): OP_IF OP_SHA256 � h � OP_EQUALVERIFY � X 1 � OP_CHECKSIG OP_ELSE � τ � OP_CLTV OP_DROP � X 2 � OP_CHECKSIG OP_ENDIF • in words, such a output can be spent either • with y such that SHA256( y ) = h and a signature under X 1 • OR after time τ with a signature under X 2 • used in the Lightning Network for payment channels and routing Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 9 / 40

  19. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Hash Time-Lock Contract (HTLC) • Hash Time-Locked Contracts HTLC( h , X 1 , τ, X 2 ): OP_IF OP_SHA256 � h � OP_EQUALVERIFY � X 1 � OP_CHECKSIG OP_ELSE � τ � OP_CLTV OP_DROP � X 2 � OP_CHECKSIG OP_ENDIF • in words, such a output can be spent either • with y such that SHA256( y ) = h and a signature under X 1 • OR after time τ with a signature under X 2 • used in the Lightning Network for payment channels and routing Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 9 / 40

  20. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  21. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  22. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  23. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  24. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  25. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  26. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  27. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  28. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  29. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  30. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  31. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Automated bounties • What does the following scriptPubKey? OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 11 / 40

  32. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Automated bounties • What does the following scriptPubKey? OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL • scriptSig = � m 1 � � m 2 � returns True if m 1 � = m 2 and SHA1( m 1 ) = SHA1( m 2 ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 11 / 40

  33. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Automated bounties • What does the following scriptPubKey? OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL • scriptSig = � m 1 � � m 2 � returns True if m 1 � = m 2 and SHA1( m 1 ) = SHA1( m 2 ) • bounty created in Sept. 2013 by P. Todd ( https://bitcointalk.org/index.php?topic=293382.0 ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 11 / 40

  34. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Outline Bitcoin Script Refresher: Schnorr Signatures and MuSig Taproot Scriptless Scripts Discreet Log Contracts Conclusion Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 12 / 40

  35. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Signature scheme: definition A signature scheme consists of three algorithms: 1. key generation algorithm Gen : • returns a public/secret key pair ( pk , sk ) 2. signature algorithm Sign : • takes as input a secret key sk and a message m • returns a signature σ 3. verification algorithm Ver : • takes as input a public key pk , a message m , and a signature σ • returns 1 if the signature is valid and 0 otherwise Correctness property: � = 1 � pk , m , Sign ( sk , m ) ∀ ( pk , sk ) ← Gen , ∀ m , Ver Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 13 / 40

  36. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Signature scheme: definition A signature scheme consists of three algorithms: 1. key generation algorithm Gen : • returns a public/secret key pair ( pk , sk ) 2. signature algorithm Sign : • takes as input a secret key sk and a message m • returns a signature σ 3. verification algorithm Ver : • takes as input a public key pk , a message m , and a signature σ • returns 1 if the signature is valid and 0 otherwise Correctness property: � = 1 � pk , m , Sign ( sk , m ) ∀ ( pk , sk ) ← Gen , ∀ m , Ver Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 13 / 40

  37. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Mathematical background Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 14 / 40

  38. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Mathematical background Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 14 / 40

  39. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  40. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  41. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  42. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  43. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  44. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  45. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  46. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  47. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  48. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  49. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  50. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  51. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  52. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  53. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  54. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  55. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  56. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  57. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  58. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  59. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  60. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  61. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  62. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  63. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  64. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Outline Bitcoin Script Refresher: Schnorr Signatures and MuSig Taproot Scriptless Scripts Discreet Log Contracts Conclusion Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 19 / 40

  65. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  66. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  67. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  68. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  69. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  70. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  71. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  72. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  73. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  74. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  75. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  76. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  77. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  78. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  79. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  80. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  81. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  82. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  83. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

Recommend

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

1.82k views • 171 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed Computing Group www.disco.ethz.ch What is Bitcoin? What is Bitcoin? + What is Bitcoin? = + Whats it worth? USD / Bitcoin exchange price 300

752 views • 48 slides
Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &

Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &

Cryptocurrency Technologies Bitcoin Mining Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption & Ecology Mining Pools Mining Incentives and Strategies Recap: Bitcoin Miners Bitcoin depends on

821 views • 35 slides
Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers

Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers

Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers are not trusted: may be greedy or corrupt Each peer knows about all bitcoins and transactions Transaction (sender -> receiver): sender

958 views • 23 slides
Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers Joseph Bonneau CITP, Princeton Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten Part I: Bitcoin in 6 easy steps

752 views • 32 slides
Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Cryptocurrency Technologies Bitcoin and Anonymity Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing Decentralized Mixing Zerocoin and Zerocash Tor and the Silk Road Bitcoin and Anonymity

524 views • 39 slides
Regulation of Bitcoin Jerry Brito Coin Center coincenter.org Is Bitcoin regulated? Is Bitcoin

Regulation of Bitcoin Jerry Brito Coin Center coincenter.org Is Bitcoin regulated? Is Bitcoin

Regulation of Bitcoin Jerry Brito Coin Center coincenter.org Is Bitcoin regulated? Is Bitcoin regulated? The so far unregulated digital currency has courted controversy because of its volatile value and its popularity among

1.17k views • 51 slides
nix-bitcoin robust Lightning nodes for hackers github.com/fort-nix/nix-bitcoin 2019-06-01

nix-bitcoin robust Lightning nodes for hackers github.com/fort-nix/nix-bitcoin 2019-06-01

nix-bitcoin robust Lightning nodes for hackers github.com/fort-nix/nix-bitcoin 2019-06-01 @n1ckler A smart home A Bitcoin node A lonely datacenter Robustness Do you trust binaries from some cache or do you build from source? Do

411 views • 29 slides
Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin?

Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin?

Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin? Bitcoin is a cryptocurrency: a digital currency whose rules are enforced by cryptography and not by a trusted party (e.g., bank) Core ideal: avoid

1.02k views • 36 slides
A Technical Introduction to Bitcoin Niklas Fors, 2018-02-20 Bitcoin Decentralized digital

A Technical Introduction to Bitcoin Niklas Fors, 2018-02-20 Bitcoin Decentralized digital

A Technical Introduction to Bitcoin Niklas Fors, 2018-02-20 Bitcoin Decentralized digital currency Anyone can be part of the network Global distributed ledger called blockchain First Appearance Bitcoin: A Peer-to-Peer Electronic

4.02k views • 48 slides
Ethereum and Solidity Prof. Tom Austin San Jos State University Bitcoin (BTC) Protocol

Ethereum and Solidity Prof. Tom Austin San Jos State University Bitcoin (BTC) Protocol

Ethereum and Solidity Prof. Tom Austin San Jos State University Bitcoin (BTC) Protocol designed by Satoshi Nakamoto in 2008 https://bitcoin.org/bitcoin.pdf First Bitcoin client launched in 2009 Peer-to-peer no centralized

501 views • 31 slides
Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi,

Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi,

Threshold Schnorr with Stateless Deterministic Signing Franois Garillot, Yash vanth Kondi, Payman Mohassel, Valeria Nikolaenko Northeastern University Facebook Novi/Facebook Novi/Facebook Schnorr: Practical Issues SchnorrSign( , m )

485 views • 21 slides
Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher

Privacy : Bitcoin Privacy : Bitcoin On- and Ofg-Chain On- and Ofg-Chain with Janine Janine Teacher Independent investigative journalist Research focus: Bitcoin / cryptocurrencies, information security, privacy, surveillance, and

1.3k views • 85 slides
TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11 Tony Wasserka Meeting C ++ @ fail _ cluez 17 November 2018 WHO AM I ? WHO AM I ? Berlin - based consultant : Workflow optimization , Code

973 views • 24 slides
Bitcoin Arbitrage am Bitcoin-Markt 1 7 .07 .201 3 2 Agenda 1 Arbitrage 2 Arbitrage am

Bitcoin Arbitrage am Bitcoin-Markt 1 7 .07 .201 3 2 Agenda 1 Arbitrage 2 Arbitrage am

1 Abschlussprsentation Bitcoin Arbitrage am Bitcoin-Markt 1 7 .07 .201 3 2 Agenda 1 Arbitrage 2 Arbitrage am Bitcoin-Markt 3 Verhaltensmuster Arbitrageure 4 Arbitragetools 5 Ergebnisse und Fazit Was ist Arbitrage? Arbitrage

456 views • 33 slides
TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a proposed name for a co-operative can be reserved for 90 days before incorporation if you dont incorporate within 90 days, you cannot reserve

604 views • 38 slides
Blockchain and secure computation Vassilis Zikas RPI Winter School on Cryptocurrency and

Blockchain and secure computation Vassilis Zikas RPI Winter School on Cryptocurrency and

Blockchain and secure computation Vassilis Zikas RPI Winter School on Cryptocurrency and Blockchain Technologies Shanghai Jiao Tong University 2017 Bitcoin Bitcoin What is bitcoin and how does it work? Bitcoin What is bitcoin and how

2.08k views • 178 slides
ACTUALLY WORKS Jan Mller Mycelium How Does Bitcoin Actually Work? This talk is not about

ACTUALLY WORKS Jan Mller Mycelium How Does Bitcoin Actually Work? This talk is not about

HOW THE BITCOIN PROTOCOL ACTUALLY WORKS Jan Mller Mycelium How Does Bitcoin Actually Work? This talk is not about the political or economical impact of Bitcoin. This talk is not about how to buy, sell, spend, or secure your bitcoins.

674 views • 36 slides
Half-fast A Bitcoin Miner for the FPGA Overview Objectives and Motivation Bitcoin

Half-fast A Bitcoin Miner for the FPGA Overview Objectives and Motivation Bitcoin

Half-fast A Bitcoin Miner for the FPGA Overview Objectives and Motivation Bitcoin System Overview Hardware Software Challenges and Difficulties Lessons learned Objectives and Motivation Build a Bitcoin

229 views • 21 slides

More recommend