Delivery-date: Sun, 17 Nov 2024 14:08:33 -0800
From: Ethan Heilman <eth3rs@gmail.com>
Date: Sun, 17 Nov 2024 16:59:06 -0500
Message-ID: <CAEM=y+Veb=TWPBYtK4v7gQm8L9L+zMo6DE-zi6ygP+YJ0XKk_Q@mail.gmail.com>
In-Reply-To: <CAMrCH3hCN0KAiE0AdLTA8i004-R9FACpMZvQTiM_78RAxf1zbA@mail.gmail.com>
Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport Signatures (no changes needed)
To: Xiaohui Liu <x.liu@scrypt.io>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>

Using Collider Script or Functional Encryption you can do
introspection on Bitcoin today, i.e., without OP_CAT. These approaches
both have downsides: Collider Script costs millions of dollars in
compute per spend, and Functional Encryption requires fancy cryptography
that we only have candidate constructions for (see Bitcoin PIPEs).

I wish to amend my earlier statement "I don't think it is clear how to
turn this into a covenant. The bits you are extracting using OP_SIZE
are only related to the sighash via a random function." I believe that
with no opcode limit in Bitcoin pre-tapscript, we can use OP_SIZE to
enforce covenants and do arbitrary introspection of Bitcoin's
blockchain.

1. Use OP_SIZE to extract bits related to the sighash via a random
function from the spending ECDSA signature s1; we will call these B =
<b1, b2, ..., bn>.

2. Write a Small Script function that takes the ECDSA signature s2
encoded as a list of 32-bit values and also takes the bits B. This
function reruns the OP_SIZE bit extraction process on the ECDSA
signature encoded as a list of 32-bit values to learn B' = <b1', b2',
..., bn'>. If B == B' then the two ECDSA signatures are the same
signature: s1 = s2.

3. Small Script can extract the sighash from the ECDSA spending
signature and then check if it matches a set of values and rules also
encoded as 32-bit elements.

For background on the Small Script, Big Script divide in Bitcoin
Script see https://bitcoinmagazine.com/technical/script-state-from-lamport-signatures-

Small Script can perform any computation on values encoded as lists of
32-bit elements, including OP_CAT; it is only bound by the opcode limit
and the ability to check equivalence between Small Script encoded
values and Big Script stack elements.

Andrew Poelstra noted this earlier in the thread when he said: "IMO
it's a pretty big deal that size limits are now the only reason that
Bitcoin doesn't have covenants."

On Sat, Nov 16, 2024 at 8:16 PM Xiaohui Liu <x.liu@scrypt.io> wrote:
>
> Introspection using SPV requires OP_CAT, besides hashing, IMO.
>
> On Sat, Nov 16, 2024 at 6:56 AM Ethan Heilman <eth3rs@gmail.com> wrote:
>>
>> I don't think it is clear how to turn this into a covenant. The bits you are extracting using OP_SIZE are only related to the sighash via a random function.
>>
>> That said, I don't see any reason that with an unlimited number of opcodes you can build a small script that uses SPV to introspect into the entire blockchain and enforce anything without having to use OP_SIZE or OP_CAT. You could build snarks in small script so the size of the small script would be large but constant in the size of the blockchain.
>>
>> On Fri, Nov 15, 2024, 5:02 PM Xiaohui Liu <x.liu@scrypt.io> wrote:
>>>
>>> Hi,
>>>
>>> How does the covenant work without OP_CAT here, assuming no size limit? Don't you still need OP_CAT to parse/introspect fields (e.g., input/output) of the spending transaction?
>>>
>>> Regards,
>>> sCrypt
>>>
>>> On Tuesday, April 30, 2024 at 7:22:54 AM UTC-7 Andrew Poelstra wrote:
>>>>
>>>> On Tue, Apr 30, 2024 at 08:32:42AM -0400, Matthew Zipkin wrote:
>>>> > > if an attacker managed to grind a 23-byte r-value at a cost of 2^72
>>>> > computations, it would provide the attacker some advantage.
>>>> >
>>>> > If we are assuming discrete log is still hard, why do we need Lamport
>>>> > signatures at all? In a post-quantum world, finding k such that r is 21
>>>> > bytes or less is efficient for the attacker.
>>>> >
>>>>
>>>> Aside from Ethan's point that a variant of this technique is still
>>>> secure in the case that discrete log is totally broken (or even
>>>> partially broken...all we need is that _somebody_ is able to find the
>>>> discrete log of the x=1 point and for them to publish this).
>>>>
>>>> Another reason this is useful is that if you have a Lamport signature on
>>>> the stack which is composed of SIZE values, all of which are small
>>>> enough to be manipulated with the numeric script opcodes, then you can
>>>> do covenants in Script.
>>>>
>>>> (Sadly(?), I think none of this works in the context of the 201-opcode
>>>> limit...and absent BitVM challenge-response tricks it's unlikely you can
>>>> do much in the context of the 4MWu block size limit..), but IMO it's a
>>>> pretty big deal that size limits are now the only reason that Bitcoin
>>>> doesn't have covenants.)
>>>>
>>>> --
>>>> Andrew Poelstra
>>>> Director, Blockstream Research
>>>> Email: apoelstra at wpsoftware.net
>>>> Web: https://www.wpsoftware.net/andrew
>>>>
>>>> The sun is always shining in space
>>>> -Justin Lewis-Webster
>>>>
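The three steps in Ethan's message above, as an added Python model that is not from the thread or any of its participants. It assumes the broken-discrete-log setting the thread discusses, so the nonce k, private key d and hence r are public constants (constructed toy values here) and s is a deterministic function of the sighash z; OP_SIZE is modelled as the byte length of the DER signature plus its hashtype byte, and the Small Script side sees only 32-bit limbs.

```python
# secp256k1 group order; every other constant here is a constructed toy value.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
K = 0x1234567        # nonce, assumed public (the thread's broken-discrete-log setting)
D = 0x89ABCDEF       # private key, assumed public for the same reason
R = 1                # r of the fixed signing point, the thread's "x=1 point"
HASHTYPE_BYTES = 1   # trailing sighash-type byte that OP_SIZE counts too

def der_int(v):
    """DER INTEGER body: minimal big-endian, 0x00 prefix when the high bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    return b"\x00" + b if b[0] & 0x80 else b

def op_size(r, s):
    """Step 1 (Big Script): the length OP_SIZE reports for the DER-encoded signature."""
    body = b"".join(b"\x02" + bytes([len(x)]) + x for x in (der_int(r), der_int(s)))
    return len(b"\x30" + bytes([len(body)]) + body) + HASHTYPE_BYTES

def ecdsa_s(z):
    """s = k^-1 (z + r d) mod n; with k, d, r public it is a fixed function of the sighash."""
    return pow(K, -1, N) * (z + R * D) % N

def to_limbs(s):
    """Step 2 input: s as eight 32-bit Small Script elements, most significant first."""
    return [(s >> (32 * i)) & 0xFFFFFFFF for i in range(7, -1, -1)]

def size_from_limbs(limbs):
    """Step 2 (Small Script): recompute the OP_SIZE value from the limbs alone."""
    s_len = 1                                    # s == 0 still encodes as one 0x00 byte
    for i, limb in enumerate(limbs):
        if limb:
            nbytes = (limb.bit_length() + 7) // 8
            pad = 1 if (limb >> (8 * (nbytes - 1))) & 0x80 else 0
            s_len = (len(limbs) - 1 - i) * 4 + nbytes + pad
            break
    return 2 + 2 + len(der_int(R)) + 2 + s_len + HASHTYPE_BYTES

def recover_sighash(limbs):
    """Step 3 (Small Script): z = s k - r d mod n, so the script can inspect the sighash."""
    s = int.from_bytes(b"".join(l.to_bytes(4, "big") for l in limbs), "big")
    return (s * K - R * D) % N

def covenant_check(sig_size, limbs, allowed_sighashes):
    """Small Script side: the limbs must reproduce the OP_SIZE result seen in Big Script,
    and the sighash they encode must be one the covenant permits."""
    return size_from_limbs(limbs) == sig_size and recover_sighash(limbs) in allowed_sighashes
```

In this model an s value just below 2^255 gives size 40 and one at 2^255 gives size 41; that one-byte difference is the single OP_SIZE bit per signature the construction works with.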