1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
Delivery-date: Sun, 24 Nov 2024 13:26:28 -0800
Received: from mail-qt1-f191.google.com ([209.85.160.191])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBDSJ7DXSQ4PRB6VTR25AMGQEPIL7Q5A@googlegroups.com>)
id 1tFK7f-0005Br-Hx
for bitcoindev@gnusha.org; Sun, 24 Nov 2024 13:26:27 -0800
Received: by mail-qt1-f191.google.com with SMTP id d75a77b69052e-460aaa683eesf69572601cf.2
for <bitcoindev@gnusha.org>; Sun, 24 Nov 2024 13:26:26 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1732483581; cv=pass;
d=google.com; s=arc-20240605;
b=b3Gwcm35wAhBSCcUmSftjzLbLpU5oEJIdrwUcQ8TR63hcRDEvoDiSXLjsb04U+tjFk
pYmvo6h+TCSGVTXrUfJVRGMV5jog3jb6ZYFPxbZ2iGVfX1qo0KXc6M/dQHszd+C3ntjW
R/6GXZJGFI1BD3n4pAlwwe/7QaMTFAuSqbJb2/bD4YFHG5ah0Bb7ygCkVSgohcUG24CD
0l9njW7dvXOUJQxMsp+52OWl+14ur/RHm4YO07Rf/lqmT5WpOG1LnoRtEdt+ZLf39+q5
PNakAqALAejX/28EjjQ4r07SECDsyBnd2Hc5p2jrZDmvsQ/cDA8WZplZ2Xd1wVA066Bl
verA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:content-transfer-encoding:to
:subject:message-id:date:from:mime-version:sender:dkim-signature
:dkim-signature;
bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=;
fh=c9cVwLnz37f0ocRyZz0LkF7ReRF2acv4+uB8LL2WmRk=;
b=JBxWfFX5rvunb8Scw9DmhYSckKL5pT0gJ7RIXDCWbYeSud9w/MY8rNiqWsP4hvQWuy
o7VcGcIW0/QVGS1Q5zwzIquzEiGnPvVh+x1qo+Qf6PvDxoJRhdJ5lcLWuU0wSJZjpiB0
SOfFV7r0Hp+7cHIMxlmangM9r2WDYMLSmirLug7pnMUWtlTxYhoAIDpxQq20yyiB41ZJ
Sm/W4us+e2x3NRpPCzV2L9oBaZcA+/ypWTaiuLBC9VUu93HaOqXN3cri0iZ5i+Yqtrvv
irNa9P1ZhrbefMtYCNuCgWL1F6nUDiuqj2P1mO5NUFMkOGYOi2ki/2/0QPChg1DPWxWH
zqmQ==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=k2H4E2YK;
spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) smtp.mailfrom=eth3rs@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
dara=pass header.i=@googlegroups.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1732483581; x=1733088381; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-transfer-encoding:to:subject:message-id
:date:from:mime-version:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=;
b=BUILJMLaYwyXPL4RaRq3R2l7PZ/hq8k9m8buDsfCh9UrXXaNr8hjLQXC0+5MjooRbj
36piTThIn/NaMS+CoAmnkfMQI5yAcerRUrJ8PWycrJS22smGLQo11lRxNAL043eojL1/
PxqDD23It72R+NLQ0b95rCqV0XgVkq8JIEJRwzKrwcRbeZoOUH+XcD1trWbDVdllxT7s
nnPNkTpeuiE3fGsW2zPGfQWbCwGh+7gCl+vrpwpDsd5wkBt5ApKppWLSW+4WIa9AcHkG
OhiInR8I8rOUgIqy8IGE2dRVV6tc5wjpYV60KvxmZKFVDj7iM1wVurlM0P2gdtpA12Cd
37Pg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1732483581; x=1733088381; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-transfer-encoding:to:subject:message-id
:date:from:mime-version:from:to:cc:subject:date:message-id:reply-to;
bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=;
b=T/vjUM6uXQ+LnKFkWYqIHQFK+sQ8BRldMyNHk9ICKuvgV+LW6GnlToar7P33Grm4ev
Gg4PZNz9J1syFuWG4i75ye2cJ8N6+ezMFFDWx3YL2+0Fu/7dhLyAtYb9F+vgv7cg68he
KxWBcfMNPJvnhxiaUmCAFSkPsdC+ynYCu2ztzpUAwFpbOOgRdlE09BZqwdRE2uoMsNRw
aDVGU2GbJr6s/rhrBW3ZZBe7lKMp/Mq0m2oUSwtB/F+gvXzzeXIs1tiKeNpQKdigw1EU
sDbF6sR75ezr1b1XclEO2scuuYBz7EXlFWIWMiOcFeaN3C+J9WSJzg7NLg7Ae5p2wFiF
2OXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1732483581; x=1733088381;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:content-transfer-encoding:to:subject:message-id
:date:from:mime-version:x-beenthere:x-gm-message-state:sender:from
:to:cc:subject:date:message-id:reply-to;
bh=MJXpeLxSfcbbsCQXid6RDlWz0cZl6x+jc1KztpcMA+I=;
b=cclP0vr0N3sGZR9k2xc9YOW6VQJ2Vd/47+yrlcekIMcXxudA/yrw55ve7fo8CiFgZ5
BHwtQEA9t3gKMjAoWjuTbMDJ6okQFDrdKi3/yXyNhx8c0fuBrJTFkDF3q1gyvHKSdcvN
zkdE2Kf5ECH4mIABArncL0hycqUYhLhT7HWeXyqe2flZ+qDdUzPRoLuvXmpkwOWF5axi
5EoUZUmcS9I5DFFkgN+vo2xvqux39OSb9IDFx2wR6lUv5lwoue1nKfLVdX+i2lVU8A8h
13YaQ+utdFN04cjv8y2x1v2GCtM44PYcKejkOH4EMtzCSGx0Og70cPpiM9Jju+0qjDgx
lKEw==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCX2FjEPUSH+FyIhXHfi3UXoTU+SRNt1eHscexY+RU6UDwV0BfeoAESYtTFP522Nqa/Hndpsp2peacYL@gnusha.org
X-Gm-Message-State: AOJu0Yykj2fE5vrKKiLFye5I5Z5+R+MJnkCoEAvujvXWQB2o5Nlv/EDK
RoAKn0YRVAtejK343W3X41RMIo+Y/Qxv2kxe7YmURW/xC7h2rl03
X-Google-Smtp-Source: AGHT+IHZQdO6BIlbrbYDZXZ6I6JT1x4fifeMUDxnnWx4HeenCjWoWLeBNoHBbQ/lMpSeTs8sp7kGrA==
X-Received: by 2002:ac8:5f11:0:b0:463:7886:a143 with SMTP id d75a77b69052e-4653d5e6932mr178472721cf.33.1732483580653;
Sun, 24 Nov 2024 13:26:20 -0800 (PST)
X-BeenThere: bitcoindev@googlegroups.com
Received: by 2002:a05:622a:ce:b0:462:c59c:a884 with SMTP id
d75a77b69052e-4652f643de5ls58775351cf.2.-pod-prod-02-us; Sun, 24 Nov 2024
13:26:18 -0800 (PST)
X-Received: by 2002:a05:620a:319b:b0:7b1:4b2e:3c0 with SMTP id af79cd13be357-7b514500e00mr1640812685a.14.1732483578155;
Sun, 24 Nov 2024 13:26:18 -0800 (PST)
Received: by 2002:a05:620a:70cb:b0:7b6:67a8:4fcd with SMTP id af79cd13be357-7b667a8583ams85a;
Sun, 24 Nov 2024 13:13:39 -0800 (PST)
X-Received: by 2002:a05:600c:1d99:b0:432:c774:2e24 with SMTP id 5b1f17b1804b1-433ce420e50mr95364495e9.9.1732482817480;
Sun, 24 Nov 2024 13:13:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1732482817; cv=none;
d=google.com; s=arc-20240605;
b=I+rW0ddCOxw8mG2Sklj3n3fwueoelF5h4iuCp9HsOMOfsDJaVnUl/Z++Toz6YpIXKr
FYmhuSgFZSFUI2iIVjk4Rxy/0TY14Byouz+Q7BkGBmkzkG441wnozOoxaNeip2xWtSKW
p+tJWH3Sp+twHbJuFGQmkuZx7cSChSyYZ9nO3xuK3icJWHYVHGcs9k4BGiB/WbfAIy93
OgKaevmNf1+x+gDy/l6F+gM0NBhRNHei/0Xgsey8v1JbXZwWT0+ugP4+P7lLSgDscZIL
7FVNBBlVd8hgU2o+uWa/sFZD9ltAXJnUG5/oY4rWCDIW/PqfqClSdgwxZ8Td5wUmNxxd
+K2w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=content-transfer-encoding:to:subject:message-id:date:from
:mime-version:dkim-signature;
bh=kT3qSE9nJx2+og6piD8FRSwaGUcrt4bJ/0DrqKTwHac=;
fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=;
b=OXGJgmotlN+0tfTOTuYAiD43Ou7OOujVUn3fKmaLPbMIcMxV8ibXDoL+NVuLz32z+s
sHXqZRsaDcndI7tZFdNKmSVjKe8oxmNLJRWioVbfGvGvndh/fzhlw25eR6EoATT3jH+1
nwGcaldFU3TokMHtWEKfd/CDMTPilnkKYwZpTrFPhIhQJYs17cBpgZR4sYLgQHF3Df0N
/dLhmI5WCF8xvGmL6hjyQcIHPjHguCDpwG18x7UDLneBrn+U2lvBD44R5567+Y74LzjX
ZvjiYYDYKsUfV0XQmlAwbNi6fN5yooviBmQpXoqgo/3suQ2A709XRmmrSyB6Zayx4ulx
6hzw==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@gmail.com header.s=20230601 header.b=k2H4E2YK;
spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) smtp.mailfrom=eth3rs@gmail.com;
dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com;
dara=pass header.i=@googlegroups.com
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com. [2a00:1450:4864:20::535])
by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-432f643e68csi6436045e9.0.2024.11.24.13.13.37
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
Sun, 24 Nov 2024 13:13:37 -0800 (PST)
Received-SPF: pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as permitted sender) client-ip=2a00:1450:4864:20::535;
Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-5cfddc94c83so4861692a12.3
for <bitcoindev@googlegroups.com>; Sun, 24 Nov 2024 13:13:37 -0800 (PST)
X-Gm-Gg: ASbGncvJ3Q2HnMFkl0SWfeftpdL4/rYx2T6c1bDkChOqWJzjS7mx6bJa57u07zEvntG
5RDItFmSMAuJx2+A274pWcII6TxKWTXo=
X-Received: by 2002:a17:906:1bb1:b0:aa5:2bab:69f6 with SMTP id
a640c23a62f3a-aa52bab6a41mr530761066b.8.1732482816676; Sun, 24 Nov 2024
13:13:36 -0800 (PST)
MIME-Version: 1.0
From: Ethan Heilman <eth3rs@gmail.com>
Date: Sun, 24 Nov 2024 16:13:00 -0500
Message-ID: <CAEM=y+V_jUoupVRBPqwzOQaUVNdJj5uJy3LK9JjD7ixuCYEt-A@mail.gmail.com>
Subject: [bitcoindev] Slashing covenants
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Original-Sender: eth3rs@gmail.com
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@gmail.com header.s=20230601 header.b=k2H4E2YK; spf=pass
(google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::535 as
permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE
sp=QUARANTINE dis=NONE) header.from=gmail.com; dara=pass header.i=@googlegroups.com
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.5 (/)
Slashing covenants is a protocol for covenants in Bitcoin via
incentives. A covenant is a set of rules about what transactions can
spend a Bitcoin output which is encumbered by that covenant. Typically
a covenant is enforced by preventing someone from spending that
output. In this protocol we instead allow the spending of the output
and then punish the spender by a loss of funds, i.e. we slash them, if
they do not follow the rules of the covenant. This is less secure than
a covenant enforced by an opcode, FE or ColliderScript, because it
relies on incentives over enforcement. The advantage of this approach
is that it is efficient, does not add new cryptographic assumptions
and is possible on Bitcoin today.
This protocol uses very similar mechanisms to BitVM, originally I
thought this was how BitVM worked, which is why I didn=E2=80=99t publish it=
.
After talking to many people it appears this technique is not used in
BitVM.
Notation
=3D=3D=3D=3D
By <x>32 we denote a value, x, in Bitcoin Script which is encoded as a
list of 32-bit stack elements. We can perform arbitrary computation on
such values using Bitcoin=E2=80=99s math opcodes, a.k.a., Small Script.
Protocol
=3D=3D=3D=3D
The essential problem for enforcing covenants in Bitcoin outputs is
showing that a signature s1 that will pass CHECKSIGVERIFY is equal to
a signature s2 encoded for Small Script. This is because once we get a
signature into Small Script, we extract the sighash and do transaction
introspection. ColliderScript gets us covenants by using hash
collisions to check equality between s1 and <s2>32. CAT gets us
covenants by simply concatenating all the <s2>32 and then comparing
against s1 using EQUAL:
s2 =3D CAT(<s2>32 [0], <s2>32 [1], <s2>32 [2], =E2=80=A6 <s2>32 [15])
EQUAL s1, s2
Slashing covenants works by removing the requirement for this equality
check, but instead providing a fraud proof ifs1!=3Ds2, and posting that
fraud proof to punish the spending party. To do this we construct a
Bitcoin script output which takes as input:
s1 - the spending signature.
<s2>32 - the spending signature encoded in small script. An honest
spender will set s1 =3D s2.
L - a Lamport signature on <s2>32.
<txn data>32 - data about the spending transaction that we use to open
the sighash
The Bitcoin script covenant output then:
1. checks s1 is a valid spending signature.
2. Checks that <s2>32 is validly signed by the Lamport signature L
3. Supplies <s2>32 and <txn data>32 to Small Script which enforces the
covenant under the assumption that s1=3Ds2.
Covenant output (s1, <s2>32, L, <txn data>32):
CHECKSIGVERIFY s1
Lamport-Verify <s2>32, L
SmallScript Enforce-Cov <s2>32, <txn data>32
As long as s1=3Ds2 the covenant is enforced. However if s1!=3Ds2 the
covenant can be broken. To punish spenders who set s1!=3Ds2, we create
an output that allows anyone to burn/slash the coins of the rule
breaker if and only if they spent a covenant and supplied s1 and s2
such that s1!=3Ds2.
The Bitcoin script slash output takes as input: <s1>32, <s2>32, and L.
Slashing output (<s1>32, <s2>32, L):
SmallScript CHECKSIGVERIFY <s1>32
Lamport-Verify <s2>32, L
IF <s1>32 !=3D <s2>32: Verify
Thus the slashing output can only be spent if the rule breaker spent
the covenant with s1!=3Ds2. SmallScript CHECKSIGVERIFY is used to prove
the rule breaker signed s1, the lamport signature is used to prove the
rule breaker signed s2. Thus, we have a fraud proof that the rule
breaker signed s1!=3Ds2. The Lamport signature is only used here to
avoid having to do ECC math in Small Script in the covenant.
Note that because we are doing CHECKSIGVERIFY in Small Script, the
spending transaction will be massive. The slashing occurs because of
the fees incurred by spending the slashing transaction. Note that such
a slashing output could also be done on ethereum. This would simplify
the construction.
For the purposes of explanation, we assumed the spender is also the
party who is slashed. In actual practice it is more likely you could
have a set of N slashable cosigners who could attest to a spend not
violating the covenant. Using pre-signed transactions you could
recover an output if all n slashable cosigners were indefinitely
offline. If you could fit a SNARKS in Small Script, you could have
people join and leave the cosigner set dynamically for already posted
covenant outputs by simply proving they have posted slash outputs and
that the value in covenants < value in slash outputs.
--=20
You received this message because you are subscribed to the Google Groups "=
Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an e=
mail to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/=
CAEM%3Dy%2BV_jUoupVRBPqwzOQaUVNdJj5uJy3LK9JjD7ixuCYEt-A%40mail.gmail.com.
|