From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Mon, 6 May 2019 10:57:57 -0700
Message-ID: <CAPg+sBg6Gg8b7hPogC==fehY3ZTHHpQReqym2fb4XXWFpMM-pQ@mail.gmail.com>
To: Bitcoin Dev <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Subject: [bitcoin-dev] Taproot proposal
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>

Hello everyone,

Here are two BIP drafts that specify a proposal for a Taproot
softfork. A number of ideas are included:

* Taproot to make all outputs and cooperative spends indistinguishable
from each other.
* Merkle branches to hide the unexecuted branches in scripts.
* Schnorr signatures enable wallet software to use key
aggregation/thresholds within one input.
* Improvements to the signature hashing algorithm (including signing
all input amounts).
* Replacing OP_CHECKMULTISIG(VERIFY) with OP_CHECKSIGADD, to support
batch validation.
* Tagged hashing for domain separation (avoiding issues like
CVE-2012-2459 in Merkle trees).
* Extensibility through leaf versions, OP_SUCCESS opcodes, and
upgradable pubkey types.

The BIP drafts can be found here:
* https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki
specifies the transaction input spending rules.
* https://github.com/sipa/bips/blob/bip-schnorr/bip-tapscript.mediawiki
specifies the changes to Script inside such spends.
* https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki
is the Schnorr signature proposal that was discussed earlier on this
list (See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016203.html)

An initial reference implementation of the consensus changes, plus
preliminary construction/signing tests in the Python framework can be
found on https://github.com/sipa/bitcoin/commits/taproot. All
together, excluding the Schnorr signature module in libsecp256k1, the
consensus changes are around 520 LoC.

While many other ideas exist, not everything is incorporated. This
includes several ideas that can be implemented separately without loss
of effectiveness. One such idea is a way to integrate SIGHASH_NOINPUT,
which we're working on as an independent proposal.

The document explains basic wallet operations, such as constructing
outputs and signing. However, a wide variety of more complex
constructions exist. Standardizing these is useful, but out of scope
for now. It is likely also desirable to define extensions to PSBT
(BIP174) for interacting with Taproot. That too is not included here.

Cheers,

-- 
Pieter
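
The following is an added example, not part of the original post and not code from the BIP drafts or the reference implementation. It illustrates the "tagged hashing for domain separation" item: an untagged double-SHA256 Merkle tree with last-node duplication (the construction behind CVE-2012-2459) gives the same root for different leaf lists, while a tree with separate leaf and branch tags does not. The tree shape, the helper names and the use of the tag strings "TapLeaf" and "TapBranch" over raw leaf bytes are simplifying assumptions; the sample leaves are constructed.

```python
import hashlib

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def dsha256(b: bytes) -> bytes:
    return sha256(sha256(b))

def legacy_merkle_root(leaves):
    """Untagged tree: double-SHA256 everywhere, last node duplicated on odd levels."""
    level = [dsha256(x) for x in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])          # the duplication step
        level = [dsha256(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
    return level[0]

def tagged_hash(tag: str, msg: bytes) -> bytes:
    """SHA256(SHA256(tag) || SHA256(tag) || msg): one hash function per tag."""
    t = sha256(tag.encode())
    return sha256(t + t + msg)

def tagged_merkle_root(leaves):
    """Simplified tagged tree (assumption): distinct leaf/branch tags, and an
    odd node is promoted unchanged instead of being paired with itself."""
    level = [tagged_hash("TapLeaf", x) for x in leaves]
    while len(level) > 1:
        nxt = [tagged_hash("TapBranch", level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0]

# Constructed sample leaves.
a, b, c = b"leaf-a", b"leaf-b", b"leaf-c"

def duplication_collides(root_fn) -> bool:
    # [a, b, c] versus [a, b, c, c]: different lists, same root?
    return root_fn([a, b, c]) == root_fn([a, b, c, c])

def leaf_branch_confusable(root_fn, leaf_fn) -> bool:
    # One 64-byte leaf equal to (hash(a) || hash(b)) versus the two leaves a, b.
    return root_fn([leaf_fn(a) + leaf_fn(b)]) == root_fn([a, b])

if __name__ == "__main__":
    leaf = lambda x: tagged_hash("TapLeaf", x)
    print("legacy:", duplication_collides(legacy_merkle_root),
          leaf_branch_confusable(legacy_merkle_root, dsha256))
    print("tagged:", duplication_collides(tagged_merkle_root),
          leaf_branch_confusable(tagged_merkle_root, leaf))
```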