more schnorr tricks for bitcoin
play

More Schnorr Tricks for Bitcoin Yannick Seurin Agence nationale de - PowerPoint PPT Presentation

Nov 12, 2022 •1.84k likes •3.68k views

Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion More Schnorr Tricks for Bitcoin Yannick Seurin Agence nationale de la scurit des systmes dinformation November 22, 2018 BlockSem Seminar

  1. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � pubKeyHash’ � � pubKey � � sig � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  2. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � pubKeyHash � � pubKeyHash’ � � pubKey � � sig � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  3. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � pubKey � � sig � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  4. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  5. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Example: Pay-to-Public-Key-Hash (P2PKH) � sig � � pubKey � OP_DUP OP_HASH160 � pubKeyHash � OP_EQUALVERIFY OP_CHECKSIG � �� � � �� � scriptSig scriptPubKey • Bitcoin “address” = RIPEMD-160(SHA-256(public key)) encoded in Base58Check format (starts with a ’1’) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 7 / 40

  6. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  7. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  8. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  9. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  10. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  11. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  12. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  13. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  14. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  15. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  16. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Other useful instructions • m -of- n MULTISIG: • scriptPubKey contains n public keys • scriptSig must provide m ≤ n valid signatures for m out of n of these public keys • many applications (multi-authentication wallet, escrow, etc.) • OP_RETURN: • makes output unspendable • used to put arbitrary data in the blockchain • Lock-time: • output unspendable until some time in the future • absolute (CLTV) or relative (CSV) • application: payment channels, Lightning Network Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 8 / 40

  17. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Hash Time-Lock Contract (HTLC) • Hash Time-Locked Contracts HTLC( h , X 1 , τ, X 2 ): OP_IF OP_SHA256 � h � OP_EQUALVERIFY � X 1 � OP_CHECKSIG OP_ELSE � τ � OP_CLTV OP_DROP � X 2 � OP_CHECKSIG OP_ENDIF • in words, such a output can be spent either • with y such that SHA256( y ) = h and a signature under X 1 • OR after time τ with a signature under X 2 • used in the Lightning Network for payment channels and routing Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 9 / 40

  18. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Hash Time-Lock Contract (HTLC) • Hash Time-Locked Contracts HTLC( h , X 1 , τ, X 2 ): OP_IF OP_SHA256 � h � OP_EQUALVERIFY � X 1 � OP_CHECKSIG OP_ELSE � τ � OP_CLTV OP_DROP � X 2 � OP_CHECKSIG OP_ENDIF • in words, such a output can be spent either • with y such that SHA256( y ) = h and a signature under X 1 • OR after time τ with a signature under X 2 • used in the Lightning Network for payment channels and routing Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 9 / 40

  19. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Hash Time-Lock Contract (HTLC) • Hash Time-Locked Contracts HTLC( h , X 1 , τ, X 2 ): OP_IF OP_SHA256 � h � OP_EQUALVERIFY � X 1 � OP_CHECKSIG OP_ELSE � τ � OP_CLTV OP_DROP � X 2 � OP_CHECKSIG OP_ENDIF • in words, such a output can be spent either • with y such that SHA256( y ) = h and a signature under X 1 • OR after time τ with a signature under X 2 • used in the Lightning Network for payment channels and routing Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 9 / 40

  20. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  21. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  22. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  23. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  24. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  25. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  26. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  27. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  28. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  29. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  30. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Atomic (cross-chain) swaps [Nol13] • allows trading without a trusted party • suppose Alice wants to trade 1 bitcoin for 100 litecoins with Bob • Alice (public key X A ) and Bob (public key X B ) proceed as follows: • Bob chooses random y and sends h = SHA256( y ) to Alice • Bob sends 100 litecoins to HTLC( X A , h , X B , τ B ) • Alice sends 1 bitcoin to HTLC( X B , h , X A , τ A ) • Bob claims Alice’s bitcoin, revealing y • Alice can claim Bob’s 100 litecoins using y • if anything goes wrong, parties can get funds back after τ A / τ B • τ B must be significantly later than τ A (otherwise Bob could claim both HTLC outputs between τ B and τ A ) • problem: not private at all, the payments can be linked with y Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 10 / 40

  31. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Automated bounties • What does the following scriptPubKey? OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 11 / 40

  32. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Automated bounties • What does the following scriptPubKey? OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL • scriptSig = � m 1 � � m 2 � returns True if m 1 � = m 2 and SHA1( m 1 ) = SHA1( m 2 ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 11 / 40

  33. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Automated bounties • What does the following scriptPubKey? OP_2DUP OP_EQUAL OP_NOT OP_VERIFY OP_SHA1 OP_SWAP OP_SHA1 OP_EQUAL • scriptSig = � m 1 � � m 2 � returns True if m 1 � = m 2 and SHA1( m 1 ) = SHA1( m 2 ) • bounty created in Sept. 2013 by P. Todd ( https://bitcointalk.org/index.php?topic=293382.0 ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 11 / 40

  34. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Outline Bitcoin Script Refresher: Schnorr Signatures and MuSig Taproot Scriptless Scripts Discreet Log Contracts Conclusion Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 12 / 40

  35. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Signature scheme: definition A signature scheme consists of three algorithms: 1. key generation algorithm Gen : • returns a public/secret key pair ( pk , sk ) 2. signature algorithm Sign : • takes as input a secret key sk and a message m • returns a signature σ 3. verification algorithm Ver : • takes as input a public key pk , a message m , and a signature σ • returns 1 if the signature is valid and 0 otherwise Correctness property: � = 1 � pk , m , Sign ( sk , m ) ∀ ( pk , sk ) ← Gen , ∀ m , Ver Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 13 / 40

  36. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Signature scheme: definition A signature scheme consists of three algorithms: 1. key generation algorithm Gen : • returns a public/secret key pair ( pk , sk ) 2. signature algorithm Sign : • takes as input a secret key sk and a message m • returns a signature σ 3. verification algorithm Ver : • takes as input a public key pk , a message m , and a signature σ • returns 1 if the signature is valid and 0 otherwise Correctness property: � = 1 � pk , m , Sign ( sk , m ) ∀ ( pk , sk ) ← Gen , ∀ m , Ver Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 13 / 40

  37. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Mathematical background Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 14 / 40

  38. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Mathematical background Cyclic group and generator Let G be an abelian group of order p . An element G ∈ G is called a generator if def � G � = { 0 G , 1 G , 2 G , . . . } = G . If G is a generator, then for any X ∈ G , there exists a unique x ∈ { 0 , . . . , p − 1 } such that X = xG . Discrete logarithm problem Given X ∈ G , find x ∈ { 0 , . . . , p − 1 } such that X = xG . NB: with multiplicative notation, xG ∼ G x Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 14 / 40

  39. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  40. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  41. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  42. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  43. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Schnorr signatures [Sch89, Sch91] • public parameters: • a cyclic group G of prime order p and a generator G • a hash function H • key generation: • secret key x ← $ Z p • public key X = xG • signature: on input m and x , • draw r ← $ Z p and compute R = rG • compute c = H ( X , R , m ) and s = r + cx mod p • output σ = ( R , s ) • verification: on input X , m and σ = ( R , s ), ? • compute c = H ( X , R , m ) and check sG = R + cX • alternative: • signature σ = ( c , s ) ? • verification: compute R = sG − cX and check H ( X , R , m ) = c Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 15 / 40

  44. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  45. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  46. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  47. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  48. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  49. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  50. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  51. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  52. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • assume n signers with public keys { X 1 = x 1 G , . . . , X n = x n G } want to sign the same message m • they compute an aggregate key n � � X := µ i X i with µ i = H ( { X 1 , . . . , X n } , X i ) i =1 • signature protocol: • signers draw nonces R i = r i G and send commitments h i = H ′ ( R i ) • signers exchange nonces R i • signers compute R = � n i =1 R i and c = H ( � X , R , m ) • signers compute and exchange partial signatures s i = r i + c µ i x i • signers compute s = � n i =1 s i mod p • the multi-signature is σ = ( R , s ) Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 16 / 40

  53. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  54. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  55. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  56. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  57. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  58. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MuSig: Multi-signatures supporting key aggregation • verification: ( R , s ) is a valid signature for m under � X if sG = R + H ( � X , R , m ) � X • correctness proof: n � � � + H ( � sG = s i G = X , R , m ) r i G µ i x i G � �� � � �� � i =1 R � X • same as standard Schnorr signature for public key � X ! • secure in the plain public key model: • no assumption on how participants choose their public keys • multipliers µ i = H ( { X 1 , . . . , X n } , X i ) prevent rogue key attacks Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 17 / 40

  59. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  60. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  61. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  62. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  63. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Application: replacing OP_CHECKMULTISIG • using MuSig, an n -of- n multisig output for public keys { X 1 , . . . , X n } can be replaced by a standard P2PKH output for the aggregate key � X • this improves both efficiency and privacy • one public key and one signature to store and verify (versus n pk and n sigs) • individual public keys are never revealed • the multisig output is indistinguishable from a standard P2PKH output Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 18 / 40

  64. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Outline Bitcoin Script Refresher: Schnorr Signatures and MuSig Taproot Scriptless Scripts Discreet Log Contracts Conclusion Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 19 / 40

  65. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  66. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  67. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  68. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  69. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  70. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  71. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  72. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion P2SH (Pay-to-Script-Hash) • new type of transaction activated in 2012 (BIP 16) • output only contains a hash of the actual scriptPubKey ( redeem script ) acting as a (binding) commitment • spending the output requires the redeem script and a valid signature script • advantages: • the sender does not need to know the redeem script when creating the transaction (only the hash) • all P2SH addresses “look the same” • redeem scripts not contained in the UTXO set anymore (only revealed when spending an output) • P2SH addresses start with a ’3’ Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 20 / 40

  73. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  74. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  75. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  76. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  77. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  78. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion MAST (Merkelized Abstract Syntax Trees) [RNS14] • credited to R. O’Connor and P. Wuille, not deployed yet • scripts are usually an OR of several conditions • put all disjunctions in a Merkel tree • output contains the Merkle root • to spend a MAST output, the input must contain one of the disjunctions S i , a Merkle proof, and a valid scriptSig for S i Root Hash 0 , 1 Hash 2 , 3 Hash 0 Hash 1 Hash 2 Hash 3 S 0 S 1 S 2 S 3 Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 21 / 40

  79. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  80. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  81. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  82. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

  83. Bitcoin Script Schnorr Taproot Scriptless Scripts Discreet Log Contracts Conclusion Taproot: description • propose by G. Maxwell [Max18] • in practice, redeem scripts often have a unanimity clause: ( n parties agree to sign) OR (some more complex conditions) � �� � � �� � n -of- n multisig script S • can be achieved indistinguishably from a standard P2PKH output • let � X be the MuSig aggregate key for the n parties • output uses public key Y = � X + H ( � X , S ) G • two ways to spend the output: • the n parties agree to sign with Y (one of them simply adds a corrective term cH ( � X , S ) to its partial signature s i ) ⇒ looks like a normal P2PKH spending, S remains forever private X and S are revealed and a scriptSig S ′ is provided; valid if • � X + H ( � � X , S ) G = Y and S ′ � S returns True Y. Seurin (ANSSI) More Schnorr Tricks for Bitcoin 22/11/2018 — BlockSem 22 / 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in

Schnorr Signature & MimbleWimble Oct. 5, 2019 Overview of today Lack of Privacy in Bitcoin MimbleWimble cryptocurrency ECC math Schnorrs signatures scheme Pedersen Commitments Motivation Bitcoin is decentralized

430 views • 40 slides
Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on

Digital Signature Schemes Signature and Key Aggregation Other Applications Conclusion Efficiency and Privacy Improvements for Bitcoin with Schnorr Signatures Yannick Seurin (Based on joint work with G. Maxwell, A. Poelstra, and P. Wuille)

1.82k views • 171 slides
Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin

Introduc)on to Bitcoin CONTENTS What is Bitcoin Who created it? Who prints it? How does Bitcoin work? The characteris5cs of Bitcoin WHAT IS BITCOIN Bitcoin is a form of digital currency, created and held electronically. No one controls it.

839 views • 17 slides
Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin

Cryptocurrency Technologies Mechanics of Bitcoin Mechanics of Bitcoin Bitcoin Transactions Bitcoin Scripts Applications of Bitcoin Scripts Bitcoin Blocks The Bitcoin Network Limitations and Improvements Mechanics of

695 views • 33 slides
Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim

Bitcoin vs. Bitcoin Cash: Coexistence or Downfall of Bitcoin Cash? Yujin Kwon* , Hyoungshick Kim , Jinwoo Shin*, Yongdae Kim* *KAIST, Sungkyunkwan University 1 Governance conflict The number of Bitcoin transaction per month Bad scala bility

731 views • 46 slides
Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments

Cryptocurrency Technologies Bitcoin as a Platform Bitcoin as a Platform We have built Bitcoin. What can we build on top of it? Commitments Token tracking Multiparty lotteries Public randomness Prediction markets A fine stew

714 views • 38 slides
Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed

Information Propagation in the Bitcoin Network Christian Decker ETH Zurich Distributed Computing Group www.disco.ethz.ch What is Bitcoin? What is Bitcoin? + What is Bitcoin? = + Whats it worth? USD / Bitcoin exchange price 300

752 views • 48 slides
Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &

Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption &

Cryptocurrency Technologies Bitcoin Mining Bitcoin Mining The Task of Bitcoin Miners Mining Hardware Energy Consumption & Ecology Mining Pools Mining Incentives and Strategies Recap: Bitcoin Miners Bitcoin depends on

821 views • 35 slides
Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers

Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers

Bitcoin Tom Anderson Bitcoin Network of bitcoin peers (servers) run by volunteers Peers are not trusted: may be greedy or corrupt Each peer knows about all bitcoins and transactions Transaction (sender -> receiver): sender

958 views • 23 slides
Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers

Intro to Bitcoin Research or Why Bitcoin is a full employment act for security engineers Joseph Bonneau CITP, Princeton Thanks to Andrew Miller, Arvind Narayanan, Jeremy Clark, Joshua Kroll, Ed Felten Part I: Bitcoin in 6 easy steps

752 views • 32 slides
Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing

Cryptocurrency Technologies Bitcoin and Anonymity Bitcoin and Anonymity Anonymity Basics How to de-anonymize Bitcoin Mixing Decentralized Mixing Zerocoin and Zerocash Tor and the Silk Road Bitcoin and Anonymity

524 views • 39 slides
Regulation of Bitcoin Jerry Brito Coin Center coincenter.org Is Bitcoin regulated? Is Bitcoin

Regulation of Bitcoin Jerry Brito Coin Center coincenter.org Is Bitcoin regulated? Is Bitcoin

Regulation of Bitcoin Jerry Brito Coin Center coincenter.org Is Bitcoin regulated? Is Bitcoin regulated? The so far unregulated digital currency has courted controversy because of its volatile value and its popularity among

1.17k views • 51 slides
nix-bitcoin robust Lightning nodes for hackers github.com/fort-nix/nix-bitcoin 2019-06-01

nix-bitcoin robust Lightning nodes for hackers github.com/fort-nix/nix-bitcoin 2019-06-01

nix-bitcoin robust Lightning nodes for hackers github.com/fort-nix/nix-bitcoin 2019-06-01 @n1ckler A smart home A Bitcoin node A lonely datacenter Robustness Do you trust binaries from some cache or do you build from source? Do

411 views • 29 slides
Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin?

Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin?

Bitcoin CS 161: Computer Security Prof. Raluca Ada Poipa April 24, 2018 What is Bitcoin? Bitcoin is a cryptocurrency: a digital currency whose rules are enforced by cryptography and not by a trusted party (e.g., bank) Core ideal: avoid

1.02k views • 36 slides
A Technical Introduction to Bitcoin Niklas Fors, 2018-02-20 Bitcoin Decentralized digital

A Technical Introduction to Bitcoin Niklas Fors, 2018-02-20 Bitcoin Decentralized digital

A Technical Introduction to Bitcoin Niklas Fors, 2018-02-20 Bitcoin Decentralized digital currency Anyone can be part of the network Global distributed ledger called blockchain First Appearance Bitcoin: A Peer-to-Peer Electronic

4.02k views • 48 slides
Ethereum and Solidity Prof. Tom Austin San Jos State University Bitcoin (BTC) Protocol

Ethereum and Solidity Prof. Tom Austin San Jos State University Bitcoin (BTC) Protocol

Ethereum and Solidity Prof. Tom Austin San Jos State University Bitcoin (BTC) Protocol designed by Satoshi Nakamoto in 2008 https://bitcoin.org/bitcoin.pdf First Bitcoin client launched in 2009 Peer-to-peer no centralized

501 views • 31 slides
Briefing on Project Aim Maureen Wylie Chief Financial Officer Victor McCree Executive Director

Briefing on Project Aim Maureen Wylie Chief Financial Officer Victor McCree Executive Director

Briefing on Project Aim Maureen Wylie Chief Financial Officer Victor McCree Executive Director for Operations February 17, 2017 Agenda Overview Status of Implementation of Project Aim Strategies Operating Reactor Licensing Process

416 views • 37 slides
Homeostatic architectures for robust spatial computing David H. Ackley Lance Williams

Homeostatic architectures for robust spatial computing David H. Ackley Lance Williams

Homeostatic architectures for robust spatial computing David H. Ackley Lance Williams University of New Mexico Computer Science The Robust Physical Computation Group Spatial Computing Workshop 2011 Ann Arbor, MI October 3, 2011 Plan

209 views • 18 slides
P ROS AND C ONS OF O NLINE P AYMENTS (C REDIT C ARDS , P AYPAL , ETC .) + Works online + Somewhat

P ROS AND C ONS OF O NLINE P AYMENTS (C REDIT C ARDS , P AYPAL , ETC .) + Works online + Somewhat

C RYPTOCURRENCY Ellis Michael h/t Tom Anderson D ECENTRALIZED C ONTROL PBFT and similar protocols require public-key infrastructure and that the servers know who the other servers are. This must be setup by some central authority for the

386 views • 34 slides
Algorand: from Theory to Practice Jing Chen Algorand Inc., Boston, MA 02116 jing@algorand.com

Algorand: from Theory to Practice Jing Chen Algorand Inc., Boston, MA 02116 jing@algorand.com

Algorand: from Theory to Practice Jing Chen Algorand Inc., Boston, MA 02116 jing@algorand.com Abstract A summary of my talk at the ApPLIED Workshop at DISC 2019. Introduction Blockchains stand to revolutionize the way a modern society

492 views • 4 slides
Service Operations ShinMing Guo NKUST Management Department of Logistics Management office:

Service Operations ShinMing Guo NKUST Management Department of Logistics Management office:

Service Operations ShinMing Guo NKUST Management Department of Logistics Management office: C415, phone: 6011000 ext. 3216 email: smguo@nkust.edu.tw web: www2.nkfust.edu.tw/~smguo/teaching/service.htm Textbook Fitzsimmons and

440 views • 10 slides
Preparing for Preparing for the Next Generation the Next Generation Nuclear Power Plants

Preparing for Preparing for the Next Generation the Next Generation Nuclear Power Plants

Preparing for Preparing for the Next Generation the Next Generation Nuclear Power Plants Nuclear Power Plants Luis A. Reyes Luis A. Reyes Executive Director for Operations Executive Director for Operations U.S. Nuclear Regulatory

556 views • 12 slides
File Systems: Semantics & Structure What is a File a file is a named collection of

File Systems: Semantics & Structure What is a File a file is a named collection of

5/16/2018 File Systems: Semantics & Structure What is a File a file is a named collection of information 11A. File Semantics primary roles of file system: 11B. Namespace Semantics to store and retrieve data 11C. File

373 views • 13 slides
CPU Scheduling Questions Why is scheduling needed? CSCI [4|6] 730 What is

CPU Scheduling Questions Why is scheduling needed? CSCI [4|6] 730 What is

CPU Scheduling Questions Why is scheduling needed? CSCI [4|6] 730 What is preemptive scheduling? Operating Systems What are scheduling criteria? What are disadvantages and advantages of different scheduling

304 views • 9 slides

More recommend