Return-Path: Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) by lists.linuxfoundation.org (Postfix) with ESMTP id 9E6E8C002A for ; Thu, 4 May 2023 08:34:21 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id 65237614CC for ; Thu, 4 May 2023 08:34:21 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 65237614CC Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20221208 header.b=sHCfZcIY X-Virus-Scanned: amavisd-new at osuosl.org X-Spam-Flag: NO X-Spam-Score: -2.099 X-Spam-Level: X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fmZzcjEYGxhr for ; Thu, 4 May 2023 08:34:20 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.8.0 DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 44A56614CB Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) by smtp3.osuosl.org (Postfix) with ESMTPS id 44A56614CB for ; Thu, 4 May 2023 08:34:20 +0000 (UTC) Received: by mail-yb1-xb33.google.com with SMTP id 3f1490d57ef6-b9ef06cb784so315967276.0 for ; Thu, 04 May 2023 01:34:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683189259; x=1685781259; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=Ell834/LCSWAI8Hl0su7Fp5Khka3IWdLL0XCVlvyek8=; b=sHCfZcIYUQuehiKowt1wvPPE2JP6hMoziFNr1knAiWdZxmq7XEeqEObJ6fbYXocmyN TO0SKhI7CxZNaMX9N6BN/5y7nsT3z3aWo5++Wlg1RNKleYPy37giyWXh2RmVwxATk+HO A/18AIjBWnSRnwy4lp6c/PvtRJ4ohca1JAr/AZ0UQxv2M4zN1sBJCp4zzfMpM22NMUlK IMskHSoOEWiZIidk7yp0voSru71BuU1KspH6rQPUYlDnw+Nhas4qldoWfMs4ONj97rmr JqFD8cVbbqXZ4clPbaKIKxiQMajY6H8lAnsXhifunNktUBNt0m38DnSv9hP2xWidFnhY +mxA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683189259; x=1685781259; h=content-transfer-encoding:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Ell834/LCSWAI8Hl0su7Fp5Khka3IWdLL0XCVlvyek8=; b=IVEBiuSbtKTCsXKvX3JBzQmsQq3uxiZhdrDowl7H9/1BMU+b95AVL+3RGlha78YeSt CqUuzMJNmdQbZzdOdP/QUyV+PblALXn3tkpxYrDbB95G/vzaUiED43VUvFblc3zNb+ql WyZsOt66Nt3gX6U4P9+q3maND3K8uBtdh8RU9smwF2jafPUTJZIOm5m+Y3+v7PuOv6dU XgXUQGBpoAo6rccUWikGcaPtK5vZaHhGIur6QZoDbQ+OiMg8FqlILOXIU9cmQ6h3Aelq KGMp+fEMSqUnoWdpufTOeY+g+gLEb0fbkyE9fgAKh5yiThhMOFhE8Pd4w2c4reU4QHtH CVvQ== X-Gm-Message-State: AC+VfDwYw+/UYH+gqU2QqZIkaEkPeHpWX5oJJbdkDRxmX+kbDPnH5gCd eaSXfKjKzoz8mCrwQ3cIkPMOF7BL8bDC0AGXA2aEMKovK/ICLzpG X-Google-Smtp-Source: ACHHUZ7VCbE5sIfOW56oQBo1/otdoZnqtWqDL4dp2YJnsK7DtbBqPObMi4WRMSCdE2ubgLbzauzL8n6eIYPKgi9CW1w= X-Received: by 2002:a25:cfd0:0:b0:b9e:74b9:e97f with SMTP id f199-20020a25cfd0000000b00b9e74b9e97fmr8375346ybg.61.1683189258989; Thu, 04 May 2023 01:34:18 -0700 (PDT) MIME-Version: 1.0 References: <0f352f70-c93a-614f-e443-67d198ec2c26@protonmail.com> <7f3674d1-c1ad-9a82-e30f-7cf24d697faf@protonmail.com> In-Reply-To: From: =?UTF-8?Q?Johan_Tor=C3=A5s_Halseth?= Date: Thu, 4 May 2023 10:34:07 +0200 Message-ID: To: Salvatore Ingala , Bitcoin Protocol Discussion Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Thu, 04 May 2023 10:08:59 +0000 Subject: Re: [bitcoin-dev] Merkleize All The Things X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 May 2023 08:34:21 -0000 Thank you for the example. It sounds like we can generalize the description of the construct to: Access to (the hash of) embedded data of inputs and outputs, and the enforcement of output keys and (static) taptrees. In other words, as long as you can dynamically compute the output embedded data in Script, you can enforce more or less anything (since you can make the output script enforce presenting a witness "satisfying" the embedded data). Does that sound about right? For instance, I believe you could simulate coin pools pretty easily: Commit to the set of pubkeys and amounts owned by the participants in the pool, and an output taptree where each participant has their own spending path. Now, to exit the pool unilaterally, the participant must present a proof that their pubkey+amount is committed to in the input and an output where it is no longer committed. A question that arises is how one would efficiently (in Script) prove the inclusion/exclusion of the data in the commitment. One could naively hash all the data twice during script execution (once for the input, once for the output), but that is costly. It would be natural to show merkle tree inclusion/exclusion in script, but perhaps there are more efficient ways to prove it? - Johan On Tue, May 2, 2023 at 12:44=E2=80=AFAM Salvatore Ingala via bitcoin-dev wrote: > > Hi all, > > I apologize for a couple of oversights in my last e-mail. > > The first is that m_B can't be committed as-is in the contract's > embedded data, with the current semantics of OP_COCV, which > only allows 32-byte values. A solution could be to store its > hash SHA256(m_B), instead. > > (I didn't test the Scripts, so there could be other bugs =E2=88=92 hopefu= lly the > general idea is clear, anyway) > > On Mon, 1 May 2023 at 15:11, Salvatore Ingala wrote: >> >> If the internal_pubkey is a musig-aggregated key of Alice and Bob, >> the game can be settled entirely offline after the first transaction. >> Simply, Bob communicates his move to Alice, Alice reveals her move to >> Bob, and they can settle the bet. The game would be played without >> any script being executed, therefore all transactions could look like >> any other P2TR, with the only possible fingerprinting being due to the >> input amounts. > > > This is incomplete: Alice can't trust Bob by revealing her move, as > he could then cheat on-chain and play a different move. > > The fix should be straightforward, after adding the requirement that the > internal pubkey of [S1] is a musig2 of both players. > After Bob reveals his move (say, Rock), Alice will only agree to continue > the game off-chain if Bob pre-signs transactions for the state [S1] (wher= e > m_B =3D Paper, and m_B =3D Scissors) that send all the money to Alice. > This guarantees that a cheating Bob is punished. > > Best, > Salvatore Ingala > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev