From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id E588C45A4 for ; Mon, 6 May 2019 17:58:11 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi1-f171.google.com (mail-oi1-f171.google.com [209.85.167.171]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0686D7DB for ; Mon, 6 May 2019 17:58:09 +0000 (UTC) Received: by mail-oi1-f171.google.com with SMTP id y25so3196530oih.11 for ; Mon, 06 May 2019 10:58:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=ByoM+fE2nb9xvBTDELZg89oXi3eoDyW1nO71lukmh7M=; b=Mvuuqqa+wYx9Qj8MTTlsGgFpkmmGdZa4w4hTUtGWhs/urmtQbFaMgLuKDEizIll4oN c+I1NFXmUyTOSF5pyZF84hikPNDyNL0v5v2QgcbUnC7npeEINXH4iw5rp0pNW7xtYK2g EZgT6zQsZW/YcyLsyIZbwmaY2NgJEbQd+rb/By+HWy0mBsrwVQBdRUKM5C4oSssnvnUp A7gA3ztqAGbwnq+j72fJilkvbTx15OCtV5hKZtd4pTZ07NqOdB2jHj7iOopKHmfQZH1W DLeuq0/+VfoKGgh/Gu6CFV1r8zQUXrB8i6rpzbKfMQ4kIawhfuS+SJe1yZgPT2q1BWdX GfdA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ByoM+fE2nb9xvBTDELZg89oXi3eoDyW1nO71lukmh7M=; b=FVsybbkkkIQsxu+VoOIhVt0jICUKG7rWsyWiLt7dBZFH4S/SrpJ550jlMnAdTKrQsV zZ7JDigdnI2x2brjWUe4R47jhZ67swpnHLAmuVfq7Ek7ViQRYuwFyd3jCLlX4+2u0vNR f/hIvj51LjoG01Df7FnT8gEi4TNKknMdAGkR2zpv2mwZw/h93ZKNQ97RTEFd4uUJSQLj L9EDIye0EgMditLvMdy3XZ38HamR35FoPBhTKetCDXx70H2hUV76Or0qogItC/bCaH/G zZDQfTUxPn7jWL56ThTjK6n0erKwRtOB67fC+pSAg+6Mw83P2h2pj/MWhTrLzbkcDVhQ 0Hkg== X-Gm-Message-State: APjAAAXT10v03pzi0NEGWCO0+s0bdJ/8RBDT+EDofUz4l9M4qor0WEEG 3yVreO1B1c6fYDKJs5gvQTiEmDMZqidFz/W4H1Xaw3Wzyjs= X-Google-Smtp-Source: APXvYqw5DY6VlP8VPLE4OkknaPOHq1V1y23RalBLGVYlcWFiNTGZhZEjqj5so6h9/9ORYyhknWiSi0ERm3ALZLuTalQ= X-Received: by 2002:aca:ba0b:: with SMTP id k11mr2025737oif.57.1557165488620; Mon, 06 May 2019 10:58:08 -0700 (PDT) MIME-Version: 1.0 From: Pieter Wuille Date: Mon, 6 May 2019 10:57:57 -0700 Message-ID: To: Bitcoin Dev Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 06 May 2019 18:35:59 +0000 Subject: [bitcoin-dev] Taproot proposal X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 May 2019 17:58:12 -0000 Hello everyone, Here are two BIP drafts that specify a proposal for a Taproot softfork. A number of ideas are included: * Taproot to make all outputs and cooperative spends indistinguishable from eachother. * Merkle branches to hide the unexecuted branches in scripts. * Schnorr signatures enable wallet software to use key aggregation/thresholds within one input. * Improvements to the signature hashing algorithm (including signing all input amounts). * Replacing OP_CHECKMULTISIG(VERIFY) with OP_CHECKSIGADD, to support batch validation. * Tagged hashing for domain separation (avoiding issues like CVE-2012-2459 in Merkle trees). * Extensibility through leaf versions, OP_SUCCESS opcodes, and upgradable pubkey types. The BIP drafts can be found here: * https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki specifies the transaction input spending rules. * https://github.com/sipa/bips/blob/bip-schnorr/bip-tapscript.mediawiki specifies the changes to Script inside such spends. * https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki is the Schnorr signature proposal that was discussed earlier on this list (See https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-July/016203.html) An initial reference implementation of the consensus changes, plus preliminary construction/signing tests in the Python framework can be found on https://github.com/sipa/bitcoin/commits/taproot. All together, excluding the Schnorr signature module in libsecp256k1, the consensus changes are around 520 LoC. While many other ideas exist, not everything is incorporated. This includes several ideas that can be implemented separately without loss of effectiveness. One such idea is a way to integrate SIGHASH_NOINPUT, which we're working on as an independent proposal. The document explains basic wallet operations, such as constructing outputs and signing. However, a wide variety of more complex constructions exist. Standardizing these is useful, but out of scope for now. It is likely also desirable to define extensions to PSBT (BIP174) for interacting with Taproot. That too is not included here. Cheers, -- Pieter