<pre>=C2=A0
=C2=A0 BIP: <BIP number><= br>=C2=A0 Layer: Consensus (Soft fork)
=C2=A0 Title: OP_BRIBEVERIFY
= =C2=A0 Author: Chris Stewart <chr= is@suredbits.com>
=C2=A0 Status: Draft
=C2=A0 Type: Standards = Track
=C2=A0 Created: 2017-06-27
</pre>

=3D=3DAbstra= ct=3D=3D

This BIP describes a new opcode, OP_BRIBEVERIFY, for the Bi= tcoin
scripting system that allows for a user to bribe a miner to includ= e a hash
in the coinbase transaction's output.

=3D=3DSumm= ary=3D=3D

BRIBEVERIFY redefines the existing NOP4 opcode. When execu= ted, if the given
critical hash is included at the given vout index in t= he coinbase transaction
the script evaluates to true. Otherwise, the scr= ipt will fail.

This allows sidechains to be merged mined against bitcoin without burdening bitcoin miners with extra resource requirements.=

=3D=3DMotivation=3D=3D

The current political climate of bitc= oin is extremely contentious. Many community members
have different visi= ons of what bitcoin is. This op code is meant to
enable [http://www.truthcoin.info= /blog/blind-merged-mining/ Blind Merge Mining].
This enables sidech= ains in Bitcoin. With OP_BRIBEVERIFY, sidechains miners can
bribe bitco= in miners to to include their block hash in the bitcoin blockchain. If thei= r block

is included in the coinbase transaction's vout, it is = assumed that block is a mined block on the sidechain.

This will= allow various factions of the community to realize their vision on their o= wn separate
blockchain that is interoperable with the bitcoin blockchain= . This allows those factions to use
bitcoin as a 'reserve currency&#= 39; for their own network.

=3D=3D=3DCommitment Structure=3D=3D= =3D

A new block rule is added which requires that the miner's co= inbase reward be at index 0 in the coinbase transaction's output vector= .

It also fixes the witness commitment output to be at index 1 of th= e coinbase transaction's output vector.

This is needed so we can= reliably tell what vout corresponds to what drivechain. For instance, the = mimblewimble sidechain
could correspond to index 2 of the vector output= s on the coinbase transaction.

The commitment is recorded in a <= code>scriptPubKey</code> of the coinbase transaction. It must be a= t least 34 bytes in size
=C2=A0=C2=A0 1-byte - OP_RETURN (0x6a)
=C2= =A0=C2=A0 1-byte - Push the following 32 bytes (0x20)
=C2=A0 32-byte - b= lock hash

the 35th byte and onward have no consensus meaning.
=3D=3D=3DOP_BRIBEVERIFY op code=3D=3D=3D

This op code reads two ar= guments from the stack. The stack top is expected to be a sidechain id for = which this user attempting to blind merge mine for.
The next element on = the stack is expected to be a block hash. This op code looks into the coinb= ase transaction's output vector at the given index (which is derived fr= om the sidechain id) and checks
to see if the hash in the block matches= the hash inside of the BRIBEVERIFY program. If the hashes match, the OP_BR= IBEVERIFY acts as an OP_NOP. If the
comparison between the two hashes f= ail, the script fails.

=3D=3D=3DBRIBEVERIFY program=3D=3D=3D
A standard BRIBEVERIFY program has the format:
=C2=A0 1-byte - Push the= following 32 bytes (0x20)
=C2=A032-byte - block hash
=C2=A0 1 byte -= Push operation? (needed if number can't be encoded as OP_0 - OP_16)=C2=A0 1 byte - sidechain id
=C2=A0 1 byte - OP_BRIBEVERIFY op code
=
=3D=3DDetailed Specification=3D=3D

Refer to the reference implem= entation, reproduced below, for the precise
semantics and detailed ratio= nale for those semantics.

=C2=A0
=C2=A0case OP_NOP4:
=C2=A0{=C2=A0=C2=A0=C2=A0 //format: block_hash sidechain_id OP_BRIBEVERIFY
= =C2=A0=C2=A0=C2=A0 if (!(flags & SCRIPT_VERIFY_BRIBEVERIFY)) {
=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 // not enabled; treat as a NOP4
= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (flags & SCRIPT_VERIFY_DI= SCOURAGE_UPGRADABLE_NOPS) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 return set_error(serror, SCRIPT_ERR_DISCOURAGE_UPG= RADABLE_NOPS);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break;
=C2=A0=C2=A0=C2=A0 }
=C2=A0= =C2=A0=C2=A0
=C2=A0=C2=A0=C2=A0 if (stack.size() < 2)
=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return set_error(serror, SCRIPT_ERR_INVAL= ID_STACK_OPERATION);
=C2=A0
=C2=A0=C2=A0=C2=A0 const CScriptNum scrip= tNumSidechainId(stacktop(-1),fRequireMinimal);
=C2=A0=C2=A0=C2=A0 uint8_= t nSidechainId;=C2=A0
=C2=A0=C2=A0=C2=A0 if (!checker.CheckSidechainId(= scriptNumSidechainId,nSidechainId)) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0 return set_error(serror, SCRIPT_ERR_UNKNOWN_SIDECHAIN);
=C2= =A0=C2=A0=C2=A0 }
=C2=A0
=C2=A0=C2=A0=C2=A0 // Check block hash
= =C2=A0=C2=A0=C2=A0 bool fHashCritical =3D checker.CheckCriticalHash(stackto= p(-2),nSidechainId);
=C2=A0=C2=A0=C2=A0 if (!fHashCritical) {
=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return set_error(serror, SCRIPT_ERR_UN= SATISFIED_BRIBE);
=C2=A0=C2=A0=C2=A0 }
=C2=A0=C2=A0=C2=A0 break;
= =C2=A0}

https://github.com/drivechain= -project/bitcoin/pull/13

=3D=3DDeployment=3D=3D

TODO
<= br>=3D=3DCredits=3D=3D

Credit to Paul Sztorc for the original idea o= f Blind Merge Mined sidechains.

Credit to CryptAxe for writing the f= oundational layer of software for drivechains so I could implement OP_BRIBE= VERIFY.

=3D=3DReferences=3D=3D

Blind Merge Mined Sidechai= ns - http:/= /www.truthcoin.info/blog/blind-merged-mining/

Mailing= list discussion - https://lists.linuxfoundation.org/pipermai= l/bitcoin-dev/2017-May/014408.html

=3D=3DCopyright=3D= =3D

This document is placed in the public domain.