Return-Path: Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7E733C002A for ; Mon, 1 May 2023 21:15:34 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 4AAC3410BD for ; Mon, 1 May 2023 21:15:34 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 4AAC3410BD Authentication-Results: smtp4.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20221208 header.b=UKWk4sia X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.098 X-Spam-Level: X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DQ0zoKGkvo4p for ; Mon, 1 May 2023 21:15:33 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org BDD75410DE Received: from mail-oo1-xc29.google.com (mail-oo1-xc29.google.com [IPv6:2607:f8b0:4864:20::c29]) by smtp4.osuosl.org (Postfix) with ESMTPS id BDD75410DE for ; Mon, 1 May 2023 21:15:32 +0000 (UTC) Received: by mail-oo1-xc29.google.com with SMTP id 006d021491bc7-54ca586a3b4so340866eaf.0 for ; Mon, 01 May 2023 14:15:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1682975731; x=1685567731; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=vqEXm1kqYTOGrpikkkeRN+MLDOZ+4xj1o3qXkke3/XE=; b=UKWk4siasthTzOhrh6V98p/hIfgbQTo2uN5rwEXTN4qOy1wgf3Bq7zSCpRkhizL5xq rgjsJVGZoqrfhX8bskIY6DPysP3PUQqM6s8QVNhNi+A8H2WUAUUiibfoPKhAi5D2jdlR DnVSAnGilzR39OFIVl83X4XKG/MxsajC6YIKlqecAR1J674gWvxsZ4OsrqHNjxCsNP9N gxxtSJP+zArCJiNCX6BrICDdkH3W4SvJWnHq7DEVyPTn2nBRIuChgt+S4NFvYmoYpvgf XiHCHWb44bkX+Mk5ESFRqnvej83OfLNJghy2g769v2ZvLxtlSLSLvg6zxSkkAH0JhLri 3a1g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682975731; x=1685567731; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=vqEXm1kqYTOGrpikkkeRN+MLDOZ+4xj1o3qXkke3/XE=; b=CtMJD/BJbmG0AEpbBzWFsBXx1eq2V4yorNuD2xKOqBKR/MqjS9CKr+J0hwEOq5xv6p W5cCeyV9d+MQcDf/zNt4Pm/ugaJM3EHmq3JsP9MCNGOHP2Ywhud9OzPSrloaIeokhMOI 5Wt1praecxKsEIOAUt631K9KKssRyRwWQZo+45zqXrebq055wmIEJaBS2we5kPiJRupK SLdtlFDW12TVjwZY2fsJOihoWFoi09/bvH8HwPNEnrK1J5vPYFNzuRlSzXWLNnmYRBue 4Mc3ijlhs9iytOnoKyhz4Nl+pFFMPs4WI5uC/RGRpeHL5OdCmdoTp1sFlluX32UqreKA ZsaA== X-Gm-Message-State: AC+VfDy0Rv5FW6K7WrxCppULzj5GCndRafNSOujGVIIXSWqchhBbIq0/ 4kbfC6cGbiQBKwopiXoiwqlFxEZXVdR8PmyosdGBEv/URUc= X-Google-Smtp-Source: ACHHUZ5cMmcuyTwr4dAGPtkUjNk5XEM3m2PqqySSqRqHdZr/UGQFiEVqfM8DJVO/x6PKpM7frK/X45TcMRqzNOhjASE= X-Received: by 2002:a4a:5810:0:b0:54c:ab6f:4b3 with SMTP id f16-20020a4a5810000000b0054cab6f04b3mr371555oob.5.1682975731348; Mon, 01 May 2023 14:15:31 -0700 (PDT) MIME-Version: 1.0 References: <0f352f70-c93a-614f-e443-67d198ec2c26@protonmail.com> <7f3674d1-c1ad-9a82-e30f-7cf24d697faf@protonmail.com> In-Reply-To: From: Salvatore Ingala Date: Mon, 1 May 2023 23:15:20 +0200 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000a1f74305faa85255" X-Mailman-Approved-At: Mon, 01 May 2023 22:43:22 +0000 Subject: Re: [bitcoin-dev] Merkleize All The Things X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 May 2023 21:15:34 -0000 --000000000000a1f74305faa85255 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi all, I apologize for a couple of oversights in my last e-mail. The first is that m_B can't be committed as-is in the contract's embedded data, with the current semantics of OP_COCV, which only allows 32-byte values. A solution could be to store its hash SHA256(m_B), instead. (I didn't test the Scripts, so there could be other bugs =E2=88=92 hopefull= y the general idea is clear, anyway) On Mon, 1 May 2023 at 15:11, Salvatore Ingala wrote: > If the internal_pubkey is a musig-aggregated key of Alice and Bob, > the game can be settled entirely offline after the first transaction. > Simply, Bob communicates his move to Alice, Alice reveals her move to > Bob, and they can settle the bet. The game would be played without > any script being executed, therefore all transactions could look like > any other P2TR, with the only possible fingerprinting being due to the > input amounts. > This is incomplete: Alice can't trust Bob by revealing her move, as he could then cheat on-chain and play a different move. The fix should be straightforward, after adding the requirement that the internal pubkey of [S1] is a musig2 of both players. After Bob reveals his move (say, Rock), Alice will only agree to continue the game off-chain if Bob pre-signs transactions for the state [S1] (where m_B =3D Paper, and m_B =3D Scissors) that send all the money to Alice. This guarantees that a cheating Bob is punished. Best, Salvatore Ingala --000000000000a1f74305faa85255 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi all,

I apologize for a co= uple of oversights in my last e-mail.

The first is= that m_B can't be committed as-is in the contract's
embe= dded data, with the current semantics of OP_COCV, which
only allo= ws 32-byte values. A solution could be to store its
hash SHA256(m= _B), instead.

(I didn't test the Scripts, so t= here could be other bugs =E2=88=92 hopefully the
general idea is = clear, anyway)

On Mon, 1 May 2023 at 15:11, Salvatore Ingala <salvatore.ingala@gmail.com> w= rote:
If the internal_pubkey is a musig-aggregated key o= f Alice and Bob,
the game can be settled entirely offline after the firs= t transaction.
Simply, Bob communicates his move to Alice, Alice reveals= her move to
Bob, and they can settle the bet. The game would be played = without
any script being executed, therefore all transactions could look= like
any other P2TR,=C2=A0with the only possible fingerprinting = being due to the
input amounts.

This is incomplete: Alice can't trust Bob by revea= ling her move, as
he could then cheat on-chain and play a differe= nt move.

The fix should be straightforward, after = adding the requirement that the
internal pubkey of [S1] is a musi= g2 of both players.
After Bob reveals his move (say, Rock), Alice= will only agree to continue
the game off-chain if Bob pre-signs = transactions for the state [S1] (where
m_B =3D Paper, and m_B =3D= Scissors) that send all the money to Alice.
This guarantees that= a=C2=A0cheating Bob is punished.

Best,
<= div>Salvatore Ingala

--000000000000a1f74305faa85255--