Delivery-date: Sun, 24 Nov 2024 13:26:28 -0800 Received: from mail-qt1-f191.google.com ([209.85.160.191]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1tFK7f-0005Br-Hx for bitcoindev@gnusha.org; Sun, 24 Nov 2024 13:26:27 -0800 Received: by mail-qt1-f191.google.com with SMTP id d75a77b69052e-460aaa683eesf69572601cf.2 for ; Sun, 24 Nov 2024 13:26:26 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1732483581; cv=pass; d=google.com; s=arc-20240605; b=b3Gwcm35wAhBSCcUmSftjzLbLpU5oEJIdrwUcQ8TR63hcRDEvoDiSXLjsb04U+tjFk pYmvo6h+TCSGVTXrUfJVRGMV5jog3jb6ZYFPxbZ2iGVfX1qo0KXc6M/dQHszd+C3ntjW R/6GXZJGFI1BD3n4pAlwwe/7QaMTFAuSqbJb2/bD4YFHG5ah0Bb7ygCkVSgohcUG24CD 0l9njW7dvXOUJQxMsp+52OWl+14ur/RHm4YO07Rf/lqmT5WpOG1LnoRtEdt+ZLf39+q5 PNakAqALAejX/28EjjQ4r07SECDsyBnd2Hc5p2jrZDmvsQ/cDA8WZplZ2Xd1wVA066Bl verA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:content-transfer-encoding:to :subject:message-id:date:from:mime-version:sender:dkim-signature :dkim-signature; bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=; fh=c9cVwLnz37f0ocRyZz0LkF7ReRF2acv4+uB8LL2WmRk=; b=JBxWfFX5rvunb8Scw9DmhYSckKL5pT0gJ7RIXDCWbYeSud9w/MY8rNiqWsP4hvQWuy o7VcGcIW0/QVGS1Q5zwzIquzEiGnPvVh+x1qo+Qf6PvDxoJRhdJ5lcLWuU0wSJZjpiB0 SOfFV7r0Hp+7cHIMxlmangM9r2WDYMLSmirLug7pnMUWtlTxYhoAIDpxQq20yyiB41ZJ Sm/W4us+e2x3NRpPCzV2L9oBaZcA+/ypWTaiuLBC9VUu93HaOqXN3cri0iZ5i+Yqtrvv irNa9P1ZhrbefMtYCNuCgWL1F6nUDiuqj2P1mO5NUFMkOGYOi2ki/2/0QPChg1DPWxWH zqmQ==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=k2H4E2YK; spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1732483581; x=1733088381; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:to:subject:message-id :date:from:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=; b=BUILJMLaYwyXPL4RaRq3R2l7PZ/hq8k9m8buDsfCh9UrXXaNr8hjLQXC0+5MjooRbj 36piTThIn/NaMS+CoAmnkfMQI5yAcerRUrJ8PWycrJS22smGLQo11lRxNAL043eojL1/ PxqDD23It72R+NLQ0b95rCqV0XgVkq8JIEJRwzKrwcRbeZoOUH+XcD1trWbDVdllxT7s nnPNkTpeuiE3fGsW2zPGfQWbCwGh+7gCl+vrpwpDsd5wkBt5ApKppWLSW+4WIa9AcHkG OhiInR8I8rOUgIqy8IGE2dRVV6tc5wjpYV60KvxmZKFVDj7iM1wVurlM0P2gdtpA12Cd 37Pg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1732483581; x=1733088381; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:to:subject:message-id :date:from:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=; b=T/vjUM6uXQ+LnKFkWYqIHQFK+sQ8BRldMyNHk9ICKuvgV+LW6GnlToar7P33Grm4ev Gg4PZNz9J1syFuWG4i75ye2cJ8N6+ezMFFDWx3YL2+0Fu/7dhLyAtYb9F+vgv7cg68he KxWBcfMNPJvnhxiaUmCAFSkPsdC+ynYCu2ztzpUAwFpbOOgRdlE09BZqwdRE2uoMsNRw aDVGU2GbJr6s/rhrBW3ZZBe7lKMp/Mq0m2oUSwtB/F+gvXzzeXIs1tiKeNpQKdigw1EU sDbF6sR75ezr1b1XclEO2scuuYBz7EXlFWIWMiOcFeaN3C+J9WSJzg7NLg7Ae5p2wFiF 2OXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1732483581; x=1733088381; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:content-transfer-encoding:to:subject:message-id :date:from:mime-version:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=; b=cclP0vr0N3sGZR9k2xc9YOW6VQJ2Vd/47+yrlcekIMcXxudA/yrw55ve7fo8CiFgZ5 BHwtQEA9t3gKMjAoWjuTbMDJ6okQFDrdKi3/yXyNhx8c0fuBrJTFkDF3q1gyvHKSdcvN zkdE2Kf5ECH4mIABArncL0hycqUYhLhT7HWeXyqe2flZ+qDdUzPRoLuvXmpkwOWF5axi 5EoUZUmcS9I5DFFkgN+vo2xvqux39OSb9IDFx2wR6lUv5lwoue1nKfLVdX+i2lVU8A8h 13YaQ+utdFN04cjv8y2x1v2GCtM44PYcKejkOH4EMtzCSGx0Og70cPpiM9Jju+0qjDgx lKEw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCX2FjEPUSH+FyIhXHfi3UXoTU+SRNt1eHscexY+RU6UDwV0BfeoAESYtTFP522Nqa/Hndpsp2peacYL@gnusha.org X-Gm-Message-State: AOJu0Yykj2fE5vrKKiLFye5I5Z5+R+MJnkCoEAvujvXWQB2o5Nlv/EDK RoAKn0YRVAtejK343W3X41RMIo+Y/Qxv2kxe7YmURW/xC7h2rl03 X-Google-Smtp-Source: AGHT+IHZQdO6BIlbrbYDZXZ6I6JT1x4fifeMUDxnnWx4HeenCjWoWLeBNoHBbQ/lMpSeTs8sp7kGrA== X-Received: by 2002:ac8:5f11:0:b0:463:7886:a143 with SMTP id d75a77b69052e-4653d5e6932mr178472721cf.33.1732483580653; Sun, 24 Nov 2024 13:26:20 -0800 (PST) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:a05:622a:ce:b0:462:c59c:a884 with SMTP id d75a77b69052e-4652f643de5ls58775351cf.2.-pod-prod-02-us; Sun, 24 Nov 2024 13:26:18 -0800 (PST) X-Received: by 2002:a05:620a:319b:b0:7b1:4b2e:3c0 with SMTP id af79cd13be357-7b514500e00mr1640812685a.14.1732483578155; Sun, 24 Nov 2024 13:26:18 -0800 (PST) Received: by 2002:a05:620a:70cb:b0:7b6:67a8:4fcd with SMTP id af79cd13be357-7b667a8583ams85a; Sun, 24 Nov 2024 13:13:39 -0800 (PST) X-Received: by 2002:a05:600c:1d99:b0:432:c774:2e24 with SMTP id 5b1f17b1804b1-433ce420e50mr95364495e9.9.1732482817480; Sun, 24 Nov 2024 13:13:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1732482817; cv=none; d=google.com; s=arc-20240605; b=I+rW0ddCOxw8mG2Sklj3n3fwueoelF5h4iuCp9HsOMOfsDJaVnUl/Z++Toz6YpIXKr FYmhuSgFZSFUI2iIVjk4Rxy/0TY14Byouz+Q7BkGBmkzkG441wnozOoxaNeip2xWtSKW p+tJWH3Sp+twHbJuFGQmkuZx7cSChSyYZ9nO3xuK3icJWHYVHGcs9k4BGiB/WbfAIy93 OgKaevmNf1+x+gDy/l6F+gM0NBhRNHei/0Xgsey8v1JbXZwWT0+ugP4+P7lLSgDscZIL 7FVNBBlVd8hgU2o+uWa/sFZD9ltAXJnUG5/oY4rWCDIW/PqfqClSdgwxZ8Td5wUmNxxd +K2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:dkim-signature; bh=kT3qSE9nJx2+og6piD8FRSwaGUcrt4bJ/0DrqKTwHac=; fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=; b=OXGJgmotlN+0tfTOTuYAiD43Ou7OOujVUn3fKmaLPbMIcMxV8ibXDoL+NVuLz32z+s sHXqZRsaDcndI7tZFdNKmSVjKe8oxmNLJRWioVbfGvGvndh/fzhlw25eR6EoATT3jH+1 nwGcaldFU3TokMHtWEKfd/CDMTPilnkKYwZpTrFPhIhQJYs17cBpgZR4sYLgQHF3Df0N /dLhmI5WCF8xvGmL6hjyQcIHPjHguCDpwG18x7UDLneBrn+U2lvBD44R5567+Y74LzjX ZvjiYYDYKsUfV0XQmlAwbNi6fN5yooviBmQpXoqgo/3suQ2A709XRmmrSyB6Zayx4ulx 6hzw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=k2H4E2YK; spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com. [2a00:1450:4864:20::535]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-432f643e68csi6436045e9.0.2024.11.24.13.13.37 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 24 Nov 2024 13:13:37 -0800 (PST) Received-SPF: pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) client-ip=2a00:1450:4864:20::535; Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-5cfddc94c83so4861692a12.3 for ; Sun, 24 Nov 2024 13:13:37 -0800 (PST) X-Gm-Gg: ASbGncvJ3Q2HnMFkl0SWfeftpdL4/rYx2T6c1bDkChOqWJzjS7mx6bJa57u07zEvntG 5RDItFmSMAuJx2+A274pWcII6TxKWTXo= X-Received: by 2002:a17:906:1bb1:b0:aa5:2bab:69f6 with SMTP id a640c23a62f3a-aa52bab6a41mr530761066b.8.1732482816676; Sun, 24 Nov 2024 13:13:36 -0800 (PST) MIME-Version: 1.0 From: Ethan Heilman Date: Sun, 24 Nov 2024 16:13:00 -0500 Message-ID: Subject: [bitcoindev] Slashing covenants To: Bitcoin Development Mailing List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Original-Sender: eth3rs@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=k2H4E2YK; spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) Slashing covenants is a protocol for covenants in Bitcoin via incentives. A covenant is a set of rules about what transactions can spend a Bitcoin output which is encumbered by that covenant. Typically a covenant is enforced by preventing someone from spending that output. In this protocol we instead allow the spending of the output and then punish the spender by a loss of funds, i.e. we slash them, if they do not follow the rules of the covenant. This is less secure than a covenant enforced by an opcode, FE or ColliderScript, because it relies on incentives over enforcement. The advantage of this approach is that it is efficient, does not add new cryptographic assumptions and is possible on Bitcoin today. This protocol uses very similar mechanisms to BitVM, originally I thought this was how BitVM worked, which is why I didn=E2=80=99t publish it= . After talking to many people it appears this technique is not used in BitVM. Notation =3D=3D=3D=3D By 32 we denote a value, x, in Bitcoin Script which is encoded as a list of 32-bit stack elements. We can perform arbitrary computation on such values using Bitcoin=E2=80=99s math opcodes, a.k.a., Small Script. Protocol =3D=3D=3D=3D The essential problem for enforcing covenants in Bitcoin outputs is showing that a signature s1 that will pass CHECKSIGVERIFY is equal to a signature s2 encoded for Small Script. This is because once we get a signature into Small Script, we extract the sighash and do transaction introspection. ColliderScript gets us covenants by using hash collisions to check equality between s1 and 32. CAT gets us covenants by simply concatenating all the 32 and then comparing against s1 using EQUAL: s2 =3D CAT(32 [0], 32 [1], 32 [2], =E2=80=A6 32 [15]) EQUAL s1, s2 Slashing covenants works by removing the requirement for this equality check, but instead providing a fraud proof ifs1!=3Ds2, and posting that fraud proof to punish the spending party. To do this we construct a Bitcoin script output which takes as input: s1 - the spending signature. 32 - the spending signature encoded in small script. An honest spender will set s1 =3D s2. L - a Lamport signature on 32. 32 - data about the spending transaction that we use to open the sighash The Bitcoin script covenant output then: 1. checks s1 is a valid spending signature. 2. Checks that 32 is validly signed by the Lamport signature L 3. Supplies 32 and 32 to Small Script which enforces the covenant under the assumption that s1=3Ds2. Covenant output (s1, 32, L, 32): CHECKSIGVERIFY s1 Lamport-Verify 32, L SmallScript Enforce-Cov 32, 32 As long as s1=3Ds2 the covenant is enforced. However if s1!=3Ds2 the covenant can be broken. To punish spenders who set s1!=3Ds2, we create an output that allows anyone to burn/slash the coins of the rule breaker if and only if they spent a covenant and supplied s1 and s2 such that s1!=3Ds2. The Bitcoin script slash output takes as input: 32, 32, and L. Slashing output (32, 32, L): SmallScript CHECKSIGVERIFY 32 Lamport-Verify 32, L IF 32 !=3D 32: Verify Thus the slashing output can only be spent if the rule breaker spent the covenant with s1!=3Ds2. SmallScript CHECKSIGVERIFY is used to prove the rule breaker signed s1, the lamport signature is used to prove the rule breaker signed s2. Thus, we have a fraud proof that the rule breaker signed s1!=3Ds2. The Lamport signature is only used here to avoid having to do ECC math in Small Script in the covenant. Note that because we are doing CHECKSIGVERIFY in Small Script, the spending transaction will be massive. The slashing occurs because of the fees incurred by spending the slashing transaction. Note that such a slashing output could also be done on ethereum. This would simplify the construction. For the purposes of explanation, we assumed the spender is also the party who is slashed. In actual practice it is more likely you could have a set of N slashable cosigners who could attest to a spend not violating the covenant. Using pre-signed transactions you could recover an output if all n slashable cosigners were indefinitely offline. If you could fit a SNARKS in Small Script, you could have people join and leave the cosigner set dynamically for already posted covenant outputs by simply proving they have posted slash outputs and that the value in covenants < value in slash outputs. --=20 You received this message because you are subscribed to the Google Groups "= Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an e= mail to bitcoindev+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/= CAEM%3Dy%2BV_jUoupVRBPqwzOQaUVNdJj5uJy3LK9JjD7ixuCYEt-A%40mail.gmail.com.