
CAT and Schnorr Tricks I

Summary

This article is about how to use the math of Schnorr signatures to emulate the functionality of CHECKSIGFROMSTACK, an opcode which allows users to check signatures on arbitrary data. It discusses the challenges of creating covenants with the current Bitcoin Script and introduces the BIP340 signature, a variant of Schnorr signature which uses a simpler signing algorithm. It is possible to abuse the BIP340 signature to get non-signature behavior by fixing the ephemeral key and public key to the group generator and then computing a hash of the transaction data. Lastly, the article discusses how to use auxiliary inputs and value-switching to construct Vaults, and how to develop software for these constructions in a maintainable way.

Q&As

What is a covenant in Bitcoin?
A covenant in Bitcoin is a hypothetical Script which restricts the form of the transaction spending the coins.

How are CAT and CHECKSIGFROMSTACK used to introduce transaction introspection into Bitcoin?
CAT bundles the user-provided transaction data into one stack item, which is then hashed; CHECKSIGFROMSTACK validates a signature on that hash. The same signature and key are then passed to CHECKSIG, which checks them against the actual spending transaction. If both checks pass, the user-provided transaction data must match the actual transaction data.

How does ECDSA work?
ECDSA works by generating an ephemeral keypair $(k, R = kG)$, then computing the value $r$, which is the first component of the point $R$, coerced from an integer modulo the non-scalar (field) prime to an integer modulo the scalar prime. The signature is then computed as $s = k^{-1}(H + rx)$, where $H$ is the hash of the transaction data and $x$ is the secret key.

What is the purpose of BIP340 signatures?
The purpose of BIP340 signatures is to provide a simpler signing algorithm than ECDSA. The signature is computed as $s = k + xe$, where $e$ is a hash of the public key $P$, the ephemeral key $R$, and the transaction data.
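To make the "non-signature behavior" mentioned in the summary concrete, here is an added example (not code from the article or from any Bitcoin implementation) in plain Python: with secret key $x = 1$ (so $P = G$) and nonce $k = 1$ (so $R = G$), the BIP340 equation $s = k + xe$ collapses to $s = 1 + e$, so the signature exposes the challenge hash $e$ directly, yet still passes ordinary BIP340 verification. It assumes secp256k1 and the BIP340 tagged-hash challenge; the sample message is constructed.

```python
import hashlib
# secp256k1 (the curve BIP340 uses): field prime, group order, generator G
P_FIELD = 2**256 - 2**32 - 977
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
GX = G[0].to_bytes(32, "big")  # BIP340 encodes points by x-coordinate only

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P_FIELD) % P_FIELD
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P_FIELD) % P_FIELD
    x = (lam * lam - a[0] - b[0]) % P_FIELD
    return (x, (lam * (a[0] - x) - a[1]) % P_FIELD)

def point_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = point_add(r, pt)
        pt, k = point_add(pt, pt), k >> 1
    return r

def lift_x(xb):  # 32-byte x-coordinate -> the point with even y (BIP340 rule)
    x = int.from_bytes(xb, "big")
    y = pow((x**3 + 7) % P_FIELD, (P_FIELD + 1) // 4, P_FIELD)
    return (x, y if y % 2 == 0 else P_FIELD - y)

def challenge(rx, px, msg):  # BIP340: e = SHA256(t||t||R.x||P.x||m) mod n
    t = hashlib.sha256(b"BIP0340/challenge").digest()  # t = SHA256(tag)
    return int.from_bytes(hashlib.sha256(t + t + rx + px + msg).digest(), "big") % N_ORDER

def verify(px, msg, sig):  # ordinary BIP340 check: s*G - e*P has x == r, even y
    r, s = sig[:32], int.from_bytes(sig[32:], "big")
    e = challenge(r, px, msg)
    R = point_add(point_mul(s, G), point_mul(N_ORDER - e, lift_x(px)))
    return R is not None and R[1] % 2 == 0 and R[0].to_bytes(32, "big") == r

def sign_with_generator(msg):
    """Article's trick: x = 1 (P = G), k = 1 (R = G) => s = 1 + e; signature is (G.x, 1 + e)."""
    s = (1 + challenge(GX, GX, msg)) % N_ORDER
    return GX + s.to_bytes(32, "big")

def recover_hash(sig):  # anyone can read e back off such a signature: e = s - 1
    return (int.from_bytes(sig[32:], "big") - 1) % N_ORDER

# Constructed sample "transaction data": a sha256 of a stand-in string.
MSG = hashlib.sha256(b"constructed sample transaction data").digest()
SIG = sign_with_generator(MSG)
```

The point for a Script author is that once $e$ is recoverable from $s$, a signature check with this fixed key becomes a check on a hash of the transaction data the spender supplied, which is exactly the CHECKSIGFROMSTACK behaviour the article emulates.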

What advantages does Taproot offer for covenant-style transactions?
Taproot offers the advantage of BIP340 signatures, which are more "covenant-proof" than the old-school ECDSA signatures. Taproot also allows for the use of auxiliary inputs to simulate SIGHASH_NOINPUT and enable constant-sized backups for Lightning channels, and the use of "value-switching" to construct Vaults.

AI Comments

👍 This article is a great exploration of the mathematical aspects of Schnorr tricks and CAT opcodes.

👎 This article is overly technical and hard to understand.

AI Discussion

Me: It talks about the use of CAT and Schnorr Tricks to enable covenants in Bitcoin. It explains how ECDSA and BIP340 Signatures can be used to get transaction data onto the stack, and how to use them to construct non-signature behavior.

Friend: That's interesting. What implications does this have?

Me: Well, it means that it is now possible to use Bitcoin Script to enforce constraints on the form of transactions that can spend coins. This could be used to enforce velocity limits, restrict coins to going to certain locations, or any other type of rule. Additionally, there are implications for Lightning Network applications, as this technique can be used to construct constant-sized backups for Lightning channels. Finally, it could lead to the development of more maintainable software for these constructions.

Technical terms

CAT
Concatenation opcode. An opcode in Bitcoin Script which takes two elements from the stack, concatenates them, and pushes the result onto the stack.
CHECKSIGFROMSTACK
An opcode which allows the user to check signatures on arbitrary data, unlike CHECKSIG, which only checks a signature on the spending transaction.
ECDSA
Elliptic Curve Digital Signature Algorithm. A digital signature algorithm which uses the mapping of scalars (integers modulo some large prime) to elliptic curve points (pairs of integers modulo some different prime, which satisfy some particular equation).
BIP340
A variant of Schnorr signature included in Taproot which uses the same keys, elliptic curve, and group of scalars as ECDSA, but with a much simpler signing algorithm.
SIGHASH_NOINPUT
A proposal, popular in the Lightning Network world, which allows users to sign transaction data that does not include data from the previous transaction.
Miniscript
A language for expressing Bitcoin Script programs which is designed to make it easier to reason about and construct Script.
