1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
|
Return-Path: <johanth@gmail.com>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
by lists.linuxfoundation.org (Postfix) with ESMTP id 9E6E8C002A
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 4 May 2023 08:34:21 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp3.osuosl.org (Postfix) with ESMTP id 65237614CC
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 4 May 2023 08:34:21 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 65237614CC
Authentication-Results: smtp3.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20221208 header.b=sHCfZcIY
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id fmZzcjEYGxhr
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 4 May 2023 08:34:20 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 44A56614CB
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com
[IPv6:2607:f8b0:4864:20::b33])
by smtp3.osuosl.org (Postfix) with ESMTPS id 44A56614CB
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 4 May 2023 08:34:20 +0000 (UTC)
Received: by mail-yb1-xb33.google.com with SMTP id
3f1490d57ef6-b9ef06cb784so315967276.0
for <bitcoin-dev@lists.linuxfoundation.org>;
Thu, 04 May 2023 01:34:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20221208; t=1683189259; x=1685781259;
h=content-transfer-encoding:to:subject:message-id:date:from
:in-reply-to:references:mime-version:from:to:cc:subject:date
:message-id:reply-to;
bh=Ell834/LCSWAI8Hl0su7Fp5Khka3IWdLL0XCVlvyek8=;
b=sHCfZcIYUQuehiKowt1wvPPE2JP6hMoziFNr1knAiWdZxmq7XEeqEObJ6fbYXocmyN
TO0SKhI7CxZNaMX9N6BN/5y7nsT3z3aWo5++Wlg1RNKleYPy37giyWXh2RmVwxATk+HO
A/18AIjBWnSRnwy4lp6c/PvtRJ4ohca1JAr/AZ0UQxv2M4zN1sBJCp4zzfMpM22NMUlK
IMskHSoOEWiZIidk7yp0voSru71BuU1KspH6rQPUYlDnw+Nhas4qldoWfMs4ONj97rmr
JqFD8cVbbqXZ4clPbaKIKxiQMajY6H8lAnsXhifunNktUBNt0m38DnSv9hP2xWidFnhY
+mxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20221208; t=1683189259; x=1685781259;
h=content-transfer-encoding:to:subject:message-id:date:from
:in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
:subject:date:message-id:reply-to;
bh=Ell834/LCSWAI8Hl0su7Fp5Khka3IWdLL0XCVlvyek8=;
b=IVEBiuSbtKTCsXKvX3JBzQmsQq3uxiZhdrDowl7H9/1BMU+b95AVL+3RGlha78YeSt
CqUuzMJNmdQbZzdOdP/QUyV+PblALXn3tkpxYrDbB95G/vzaUiED43VUvFblc3zNb+ql
WyZsOt66Nt3gX6U4P9+q3maND3K8uBtdh8RU9smwF2jafPUTJZIOm5m+Y3+v7PuOv6dU
XgXUQGBpoAo6rccUWikGcaPtK5vZaHhGIur6QZoDbQ+OiMg8FqlILOXIU9cmQ6h3Aelq
KGMp+fEMSqUnoWdpufTOeY+g+gLEb0fbkyE9fgAKh5yiThhMOFhE8Pd4w2c4reU4QHtH
CVvQ==
X-Gm-Message-State: AC+VfDwYw+/UYH+gqU2QqZIkaEkPeHpWX5oJJbdkDRxmX+kbDPnH5gCd
eaSXfKjKzoz8mCrwQ3cIkPMOF7BL8bDC0AGXA2aEMKovK/ICLzpG
X-Google-Smtp-Source: ACHHUZ7VCbE5sIfOW56oQBo1/otdoZnqtWqDL4dp2YJnsK7DtbBqPObMi4WRMSCdE2ubgLbzauzL8n6eIYPKgi9CW1w=
X-Received: by 2002:a25:cfd0:0:b0:b9e:74b9:e97f with SMTP id
f199-20020a25cfd0000000b00b9e74b9e97fmr8375346ybg.61.1683189258989; Thu, 04
May 2023 01:34:18 -0700 (PDT)
MIME-Version: 1.0
References: <CAMhCMoH9uZPeAE_2tWH6rf0RndqV+ypjbNzazpFwFnLUpPsZ7g@mail.gmail.com>
<CALZpt+GVe0XTdWqV=LAcOj=nq+k2DEFqc+sKyxAujLDBR7bYbQ@mail.gmail.com>
<CAMhCMoEONv3jriBU3qwm0pt75iF_sgra1H2Z4rOF8u+e7hs_cw@mail.gmail.com>
<0f352f70-c93a-614f-e443-67d198ec2c26@protonmail.com>
<7f3674d1-c1ad-9a82-e30f-7cf24d697faf@protonmail.com>
<CAMhCMoGabEASO9CGc1hAMpYZn4nWH5D8XFs3eFcSSFAitSFUGA@mail.gmail.com>
<CAGpPWDZkUYW=Qb763TPzUa6yUf217nh0Bo+O9Qyf=WS2pUQUYA@mail.gmail.com>
<CAD3i26AXZKDCH3odhCjpMwzOTGQKSFqH9S+5N9UXNTb7CJHONA@mail.gmail.com>
<CAMhCMoFgto3Bu5+yEoqn1Jf8fNd+EQK-t_H3TKR2=3RXe8FdcQ@mail.gmail.com>
<CAMhCMoGdZsDO2eZYMf+G36gc5=-SB0HxHXbRSPx5OaCOjo5_Dw@mail.gmail.com>
In-Reply-To: <CAMhCMoGdZsDO2eZYMf+G36gc5=-SB0HxHXbRSPx5OaCOjo5_Dw@mail.gmail.com>
From: =?UTF-8?Q?Johan_Tor=C3=A5s_Halseth?= <johanth@gmail.com>
Date: Thu, 4 May 2023 10:34:07 +0200
Message-ID: <CAD3i26BoasDQGg1VOxaHJzoXXKnYKuBdXOq+wVZ=QhKbycobPA@mail.gmail.com>
To: Salvatore Ingala <salvatore.ingala@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Thu, 04 May 2023 10:08:59 +0000
Subject: Re: [bitcoin-dev] Merkleize All The Things
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2023 08:34:21 -0000
Thank you for the example.
It sounds like we can generalize the description of the construct to:
Access to (the hash of) embedded data of inputs and outputs, and the
enforcement of output keys and (static) taptrees. In other words, as
long as you can dynamically compute the output embedded data in
Script, you can enforce more or less anything (since you can make the
output script enforce presenting a witness "satisfying" the embedded
data).
Does that sound about right?
For instance, I believe you could simulate coin pools pretty easily:
Commit to the set of pubkeys and amounts owned by the participants in
the pool, and an output taptree where each participant has their own
spending path. Now, to exit the pool unilaterally, the participant
must present a proof that their pubkey+amount is committed to in the
input and an output where it is no longer committed.
A question that arises is how one would efficiently (in Script) prove
the inclusion/exclusion of the data in the commitment. One could
naively hash all the data twice during script execution (once for the
input, once for the output), but that is costly. It would be natural
to show merkle tree inclusion/exclusion in script, but perhaps there
are more efficient ways to prove it?
- Johan
On Tue, May 2, 2023 at 12:44=E2=80=AFAM Salvatore Ingala via bitcoin-dev
<bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hi all,
>
> I apologize for a couple of oversights in my last e-mail.
>
> The first is that m_B can't be committed as-is in the contract's
> embedded data, with the current semantics of OP_COCV, which
> only allows 32-byte values. A solution could be to store its
> hash SHA256(m_B), instead.
>
> (I didn't test the Scripts, so there could be other bugs =E2=88=92 hopefu=
lly the
> general idea is clear, anyway)
>
> On Mon, 1 May 2023 at 15:11, Salvatore Ingala <salvatore.ingala@gmail.com=
> wrote:
>>
>> If the internal_pubkey is a musig-aggregated key of Alice and Bob,
>> the game can be settled entirely offline after the first transaction.
>> Simply, Bob communicates his move to Alice, Alice reveals her move to
>> Bob, and they can settle the bet. The game would be played without
>> any script being executed, therefore all transactions could look like
>> any other P2TR, with the only possible fingerprinting being due to the
>> input amounts.
>
>
> This is incomplete: Alice can't trust Bob by revealing her move, as
> he could then cheat on-chain and play a different move.
>
> The fix should be straightforward, after adding the requirement that the
> internal pubkey of [S1] is a musig2 of both players.
> After Bob reveals his move (say, Rock), Alice will only agree to continue
> the game off-chain if Bob pre-signs transactions for the state [S1] (wher=
e
> m_B =3D Paper, and m_B =3D Scissors) that send all the money to Alice.
> This guarantees that a cheating Bob is punished.
>
> Best,
> Salvatore Ingala
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
|
