From: Ethan Heilman <eth3rs@gmail•com>
To: Xiaohui Liu <x.liu@scrypt•io>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport Signatures (no changes needed)
Date: Sun, 17 Nov 2024 16:59:06 -0500 [thread overview]
Message-ID: <CAEM=y+Veb=TWPBYtK4v7gQm8L9L+zMo6DE-zi6ygP+YJ0XKk_Q@mail.gmail.com> (raw)
In-Reply-To: <CAMrCH3hCN0KAiE0AdLTA8i004-R9FACpMZvQTiM_78RAxf1zbA@mail.gmail.com>
Using Collider Script or Functional Encryption you can do
introspection on Bitcoin today, i.e., without OP_CAT. These approaches
both have downsides, Collider script costs millions of dollars in
compute per spend, Functional Encryption requires fancy cryptography
that we only have candidate constructions for (see Bitcoin PIPEs).
I wish to amend my earlier statement "I don't think it is clear how to
turn this into a covenant. The bits you are extracting using OP_SIZE
are only related to the sighash via a random function." I believe that
with no opcode limit in Bitcoin pre-tapscript, we can use OP_SIZE to
enforce covenants and do arbitrary introspection of Bitcoin's
blockchain.
1. Use OP_SIZE to extract bits related to the sighash via a random
function from the spending ECDSA signature s1, we will call these B =
<b1, b2, ..., bn>.
2. Write a Small Script function that takes the ECDSA signature s2
encoded as a list of 32-bit values and also takes the bits B. This
function reruns the OP_SIZE bit extraction process on the ECDSA
signature encoded as a list of 32-bit values to learn B' = <b1', b2',
..., bn'>. If B == B' then the two ECDSA signatures are the same
signature: s1 = s2.
3. Small Script can extract the sighash from the ECDSA spending
signature and then check if it matches a set of values and rules also
encoded as 32-bit elements.
For background on the Small Script, Big Script divide in Bitcoin
Script see https://bitcoinmagazine.com/technical/script-state-from-lamport-signatures-
Small script can perform any computation on values encoded as lists of
32-bit elements, including OP_CAT, it is only bound by opcode limit
and the ability to check equivalence between Small Script encoded
values and Big Script stake elements.
Andrew Poelstra noted this earlier in the thread when he said: "IMO
it's a pretty big deal that size limits are now the only reason that
Bitcoin doesn't have covenants."
On Sat, Nov 16, 2024 at 8:16 PM Xiaohui Liu <x.liu@scrypt•io> wrote:
>
> Introspection using SPV requires OP_CAT, besides hashing, IMO.
>
> On Sat, Nov 16, 2024 at 6:56 AM Ethan Heilman <eth3rs@gmail•com> wrote:
>>
>> I don't think it is clear how to turn this into a covenant. The bits you are extracting using OP_SIZE are only related to the sighash via a random function.
>>
>> That said, I don't see any reason that with an unlimited number of opcodes you can build an small script that's uses SPV to introspect into the entire blockchains and enforce anything without having to use OP_SIZE or OP_CAT. You could build snarks in small script so the size of the small script would be large but constant in the size of the blockchains.
>>
>> On Fri, Nov 15, 2024, 5:02 PM Xiaohui Liu <x.liu@scrypt•io> wrote:
>>>
>>> Hi,
>>>
>>> How does covenant work without OP_CAT here, assuming no size limit? Don't you still need OP_CAT to parse/introspect fields (e.g., input/output) of the spending transaction?
>>>
>>> Regards,
>>> sCrypt
>>>
>>> On Tuesday, April 30, 2024 at 7:22:54 AM UTC-7 Andrew Poelstra wrote:
>>>>
>>>> On Tue, Apr 30, 2024 at 08:32:42AM -0400, Matthew Zipkin wrote:
>>>> > > if an attacker managed to grind a 23-byte r-value at a cost of 2^72
>>>> > computations, it would provide the attacker some advantage.
>>>> >
>>>> > If we are assuming discrete log is still hard, why do we need Lamport
>>>> > signatures at all? In a post-quantum world, finding k such that r is 21
>>>> > bytes or less is efficient for the attacker.
>>>> >
>>>>
>>>> Aside from Ethan's point that a variant of this technique is still
>>>> secure in the case that discrete log is totally broken (or even
>>>> partially broken...all we need is that _somebody_ is able to find the
>>>> discrete log of the x=1 point and for them to publish this).
>>>>
>>>> Another reason this is useful is that if you have a Lamport signature on
>>>> the stack which is composed of SIZE values, all of which are small
>>>> enough to be manipulated with the numeric script opcodes, then you can
>>>> do covenants in Script.
>>>>
>>>> (Sadly(?), I think none of this works in the context of the 201-opcode
>>>> limit...and absent BitVM challenge-response tricks it's unlikely you can
>>>> do much in the context of the 4MWu block size limit..), but IMO it's a
>>>> pretty big deal that size limits are now the only reason that Bitcoin
>>>> doesn't have covenants.)
>>>>
>>>> --
>>>> Andrew Poelstra
>>>> Director, Blockstream Research
>>>> Email: apoelstra at wpsoftware.net
>>>> Web: https://www.wpsoftware.net/andrew
>>>>
>>>> The sun is always shining in space
>>>> -Justin Lewis-Webster
>>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
>>> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/129a9605-7a91-42a7-a9ef-07de6662ca7en%40googlegroups.com.
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAEM%3Dy%2BVeb%3DTWPBYtK4v7gQm8L9L%2BzMo6DE-zi6ygP%2BYJ0XKk_Q%40mail.gmail.com.
prev parent reply other threads:[~2024-11-17 22:08 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-29 0:30 Ethan Heilman
2024-04-30 12:32 ` Matthew Zipkin
2024-04-30 13:25 ` Ethan Heilman
2024-04-30 14:21 ` Andrew Poelstra
2024-04-30 20:43 ` Ethan Heilman
2024-05-01 3:46 ` Antoine Riard
2024-05-01 20:02 ` Ethan Heilman
2024-05-06 7:39 ` David A. Harding
2024-05-06 16:48 ` Andrew Poelstra
2024-05-06 18:56 ` David A. Harding
2024-05-06 19:06 ` Andrew Poelstra
2024-05-07 0:55 ` Antoine Riard
2024-05-07 16:05 ` Ethan Heilman
2024-05-07 4:11 ` David A. Harding
2024-05-07 14:34 ` Andrew Poelstra
2024-05-09 0:31 ` Ben Carman
2024-05-09 12:46 ` Andrew Poelstra
2024-05-11 2:53 ` Antoine Riard
[not found] ` <91ba7058-776d-4ff0-a179-bb2917ef03ffn@googlegroups.com>
[not found] ` <CAEM=y+UKgDRtaV5uveiX_Hn1dTDEF-DSHw0SjRu+j0s3fmp78Q@mail.gmail.com>
[not found] ` <CAOY=fzk+nKBw4kpLJLe=EngNfD5iEsWVsa5sMyPaXKp9cDAqdQ@mail.gmail.com>
[not found] ` <CAOY=fz=bcun5U75PUJJGuuB7p5dHtghrYf9gfOvj4zpiWdM_Tg@mail.gmail.com>
2024-10-25 0:20 ` Vicky
2024-10-25 9:58 ` Garlo Nicon
2024-11-15 21:54 ` Xiaohui Liu
2024-11-16 14:55 ` Ethan Heilman
[not found] ` <CAMrCH3hCN0KAiE0AdLTA8i004-R9FACpMZvQTiM_78RAxf1zbA@mail.gmail.com>
2024-11-17 21:59 ` Ethan Heilman [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAEM=y+Veb=TWPBYtK4v7gQm8L9L+zMo6DE-zi6ygP+YJ0XKk_Q@mail.gmail.com' \
--to=eth3rs@gmail$(echo .)com \
--cc=bitcoindev@googlegroups.com \
--cc=x.liu@scrypt$(echo .)io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox