Restructure motivation/design and add informal summary #871

sipa wants to merge 230 commits into bitcoin:master from sipa:201912_reorder_motivation, changing 8 files (+1131 −0)
  1. sipa commented at 12:30 AM on December 15, 2019: member

    This aims to address #138.

  2. Add draft for Schnorr BIP
    Includes squashed contributions by GitHub users jonasnick,
    real-or-random, AustinWilliams, JustinTArthur, ysangkok,
    RCassatta, Sjors, tnakagawa, and guggero.
    aeffa07527
  3. Add taproot/tapscript bips drafts 6733024595
  4. Clarify what 'reduced' means in tests and use word 'message' instead of 'message hash' e9ea1710ef
  5. Merge pull request #30 from jonasnick/clarify-reduce
    Clarify what 'reduced' means in tests and use word 'message' instead of 'message hash'
    271e5db6d7
  6. remove duplicate warning
    Though perhaps, the emphasis is warranted given its importance. :-)
    d194620af9
  7. Merge pull request #40 from markblundeberg/patch-1
    remove duplicate warning
    27e61d61e6
  8. taproot_output_script: first returned byte should be OP_1 (0x51)
    If we look at
    
      def IsPayToTaproot(script):
          return len(script) == 35 and script[0] == OP_1 and script[1] == 33 and script[2] >= 0 and script[2] <= 1
    
    First byte is checked for OP_1. OP_1 is 0x51
    
    But the example code in this BIP returns
    
    `bytes([0x01, 0x21, output_pubkey[0] & 1]) + output_pubkey[1:]`
    
    First byte 0x01, but it should be 0x51
    0c49346c87
  9. Merge pull request #41 from dgpv/patch-1
    taproot_output_script: first returned byte should be OP_1 (0x51)
    b55fed9f86
  10. Clarify diagram 04b844540e
  11. Merge pull request #42 from jonasnick/clarify-diagram
    Clarify description of diagram
    084dee847d
  12. Fix point_from_bytes in bip-schnorr reference implementation 1faf705388
  13. Switch to 32 byte public keys in bip-schnorr ed01c1a776
  14. Use short public keys for taproot output keys 5793d3d735
  15. Clarify how to disable key path spending 9795b7081a
  16. Address Tim's comments 112d9c150a
  17. Update bip-schnorr.mediawiki
    Co-Authored-By: Tim Ruffing <tim@timruffing.de>
    30fdc87599
  18. Update bip-schnorr/test-vectors.py
    Co-Authored-By: Tim Ruffing <tim@timruffing.de>
    ae96228913
  19. Address sipa's feedback 0d28b3c37b
  20. Merge pull request #55 from jonasnick/bip-schnorr32
    Completely switch to 32-byte public keys in bip-schnorr/taproot/tapscript
    28dc94f36c
  21. Merge pull request #43 from jonasnick/script-path-only
    Clarify how to disable key path spending
    4fef743de7
  22. Define c in lift_x(x) ad91099b8f
  23. Return a point from lift_x() a462876b9a
  24. Replace 'quadratic residue of...' 8492968f34
  25. Merge pull request #48 from jnewbery/2019-05-quadratic-residue
    Reword 'quadratic residue of...'
    de9bc9c72c
  26. Merge pull request #58 from sipa/201908_computec
    Clarify pseudocode of lift_x
    abe79d81e3
  27. Use key path spend terminology more consistently in taproot/tapscript 16bdfcf534
  28. Prescribe that a taproot output key should always have a taproot commitment ed0bb5b0c2
  29. Merge pull request #56 from jonasnick/keypath
    Use key path spend terminology more consistently in taproot/tapscript
    de990a1128
  30. Use a tagged hash in bip-schnorr nonce derivation 7cd53f6eec
  31. Tag signature hashes, improve rationale and update test vectors 775cb2fd90
  32. Address sipa's comments dc6b91c1a9
  33. Merge pull request #61 from jonasnick/tagged-derive
    Use a tagged hash in bip-schnorr nonce derivation
    e1f199989b
  34. public keys aren't identical e9600e6ed8
  35. pk not p 01e1f6e6b2
  36. make secret key a 32-byte array called sk, introduce pubkey() 4643538d4f
  37. use p for taproot internal key d3951f63f3
  38. key gen, verify, sign in intro fc74ec6b35
  39. note about pubkey collision 30bc716add
  40. Fix privkey negation in taproot_sign_key 02bdf88ef9
  41. Merge pull request #63 from jonasnick/fix-sign-key
    Fix privkey negation in taproot_sign_key
    51a84fd407
  42. Merge pull request #59 from ajtowns/201908-schnorr32-nits
    32 byte pubkey nits
    6653f9f883
  43. Rework Applications section 6d99e45126
  44. Add a footnote about 32-byte security 4a383064fb
  45. Merge pull request #64 from real-or-random/patch-7
    Add a footnote about 32-byte security
    eabf7c9a6d
  46. Move plain public key in output rationale to design section
    Rebased by Pieter Wuille
    0995c8a5b5
  47. Merge pull request #49 from jonasnick/key-aggregation-security
    Prescribe that an output key should always have a taproot commitment
    a02dbdc850
  48. Merge pull request #65 from real-or-random/patch-6
    Rework Applications section
    10073d1ca5
  49. Address some nits fa423aced9
  50. Merge pull request #66 from sipa/jonasnick_design
    Move plain public key in output rationale to design section (rebase of #44)
    9424700d78
  51. Merge pull request #68 from sipa/nits_real-or-random_patch-6
    Address some nits
    7c37e721de
  52. Mention SHA256 block size
    Rebased by Pieter Wuille
    87fa069b8f
  53. Merge pull request #67 from sipa/jonasnick_small-fixes
    Mention SHA256 block size (rebase of #45)
    463a55935b
  54. Removed reference to 0xc1 leaf version.
    No longer necessary with 32B pubkeys.
    d191359e75
  55. bip-taproot: fix small typo (is does not) 1a8818a446
  56. Merge pull request #70 from kanzure/bip-taproot-fix-typo
    bip-taproot: Fix minor grammar issue
    849580166a
  57. Merge pull request #69 from jachiang/2019-09-leaf-version
    Removed reference to 0xc1 leaf version.
    55beff3376
  58. Move/reword tagged hashes motivation 77dad346ec
  59. Rework resource limits section f2899666f8
  60. Remove P2SH support 1ee15f7dd9
  61. Euler's Criterion prime only nit aa463b8193
  62. Merge pull request #74 from elichai/patch-2
    Euler's Criterion prime only nit
    b9927356aa
  63. Merge pull request #72 from sipa/201909_no_p2sh
    Remove P2SH support
    2d2e268ee8
  64. Merge pull request #73 from sipa/201909_limits
    Rework resource limits section
    6aa933b178
  65. Fixups 079ae4b048
  66. Merge pull request #71 from sipa/201909_fix_tag_rationale
    Move/reword tagged hashes motivation
    05efb5de84
  67. Merge pull request #76 from sipa/201909_tapscript_resource_fixups
    Fixups
    d51109a03f
  68. Extend codeseparator_position from 16 to 32 bits 4c2eb9a600
  69. Extend input_index from 16 to 32 bits 0d5ac28f2c
  70. typo 7ce33c01ec
  71. separate p2sh wrapped security rationale f831386103
  72. Merge pull request #78 from ajtowns/201909-p2sh80b
    minor wording fixes
    9033e43001
  73. Remove 0xc1 479fe5f365
  74. Merge pull request #79 from jonasnick/0xc1
    Remove 0xc1
    8d893f9c06
  75. Accept seckey in the form of bytes and not int in the reference BIP-schnorr code to match the spec. 472911379c
  76. Add x() and y() functions for points to bip-schnorr 7e273fbda6
  77. Standardize on secret key in bip-schnorr 5c52872fe0
  78. Add is_quad function to bip-schnorr reference code 1882aa7b8f
  79. Add taproot_tweak_pubkey and taproot_tweak_privkey functions to bip-taproot wallet section 398897cd29
  80. Replace taproot_tweak_pubkey assertion with exception and add it to taproot_tweak_seckey too a6e5c16821
  81. Link to Schnorr's paper instead of Wikipedia 3f61b2b1e7
  82. Merge pull request #81 from jonasnick/tweaks
    Improve readability of bip-taproot wallet section
    730feed75a
  83. Merge pull request #82 from real-or-random/patch-8
    Link to Schnorr's paper instead of Wikipedia
    90d9e21825
  84. Merge pull request #80 from jonasnick/bytes
    Accept seckey in the form of bytes and not int in the reference BIP-schnorr code...
    00f941b8c7
  85. Merge pull request #77 from sipa/201909_bigger_opspos
    Extend codeseparator_position and input_index from 16 to 32 bits
    4aa889e6ac
  86. Fix formula 15d5aa2732
  87. Increase max Merkle path length 6b72dfff51
  88. Merge pull request #83 from sipa/branch_limit
    Increase max Merkle path length
    e5888935ca
  89. Small fix: 0xc1 is possible as first control block byte 9413cc1f07
  90. Merge pull request #85 from sipa/201910_c1
    Small fix: 0xc1 is possible as first control block byte
    c8e82957a2
  91. Small fixes from review with real-or-random 69f1c93d92
  92. HTTPS links where possible 3c7fd7a830
  93. Merge pull request #86 from sipa/201910_simple_fixes
    Small fixes from review with real-or-random
    5ecd376cac
  94. Use is_square/is_positive and introduce algorithm names 0655cc3c64
  95. Formulate claims about BatchVerify more accurately 1442d4dabc
  96. Apply suggestions from code review
    Co-Authored-By: Tim Ruffing <tim@timruffing.de>
    1e00d6ef6a
  97. Prefix infinite with is_ 8c0b29cc94
  98. Drop other curve comment cdf7dd8cca
  99. Typo 348110ec52
  100. Merge pull request #87 from sipa/201910_square_positive
    Use is_square/is_positive and introduce algorithm names
    ad539ef432
  101. bip-schnorr: more on provable security
    I'll try to get a link to the CCS paper that does not have a paywall...
    e139975eff
  102. bip-schnorr: more on (e,s) 2d9877e6e1
  103. Merge pull request #94 from real-or-random/patch-9
    bip-schnorr: incorporate results of Neven, Smart, Warinschi
    80c6129cee
  104. Explain that MuSig needs key prefixing 59ac6a9683
  105. Update bip-schnorr.mediawiki
    Co-Authored-By: Tim Ruffing <tim@timruffing.de>
    d434c18af8
  106. Clarify interaction x-only keys with verification 0a45ecbf04
  107. Merge pull request #92 from sipa/201910_musig_needs_keyprefix
    Explain that MuSig needs key prefixing
    0c7bbf83c6
  108. More on key generation 2a9a70c92a
  109. Merge pull request #93 from sipa/201910_clarify_keygen
    Clarify interaction x-only keys with verification
    ae32d243cd
  110. annex is bit 0 of spend_type 01e0c43023
  111. Merge pull request #96 from ajtowns/201910-annexbit
    annex is bit 0 of spend_type
    87caa68a8f
  112. Change reference for ECDSA proofs
    Refer to Manuel Fersch's dissertation for provable security of ECDSA. It's freely accessible and multiple results put well in context.
    0176ed1871
  113. Merge pull request #108 from real-or-random/patch-10
    bip-schnorr: Change reference for ECDSA proofs
    da1bc18ce9
  114. Improve section on alternatives to OP_CHECKMULTISIG 474d214d03
  115. Address aj comments 6ad79bcd46
  116. Explain why CMS is not turned into SUCCESSx 2973e09a88
  117. Merge pull request #109 from sipa/201910_multisig
    Improve section on alternatives to OP_CHECKMULTISIG
    852951276f
  118. Merge pull request #111 from sipa/201910_whynocmssuccess
    Explain why CMS is not turned into SUCCESSx
    436f14d9d7
  119. Consistently mention resource limits in bip-tapscript 6d6b9c6940
  120. Elaborate on default and alternative signing f95ac70606
  121. Update bip-schnorr.mediawiki
    Co-Authored-By: Tim Ruffing <tim@timruffing.de>
    322ce53625
  122. Update bip-schnorr.mediawiki
    Co-Authored-By: Tim Ruffing <tim@timruffing.de>
    da4721cdc6
  123. Merge pull request #113 from sipa/201910_altsigning
    Elaborate on default and alternative signing
    89b32a095d
  124. Merge pull request #112 from sipa/201910_success_above_all_else
    Consistently mention resource limits in bip-tapscript
    cf43d29fff
  125. typos 73b8e3aeeb
  126. improve rationale for key prefixing db1973ffba
  127. Merge pull request #115 from real-or-random/patch-12
    typos
    e174022b36
  128. use bytes() instead of b'' - avoid markdown issue
    Currently github markdown renders `b''` inside `<source>` tags incorrectly. This makes `h = b''` show as `h = b` and creates some confusion.
    The issue can be avoided by using bytes() to create empty byte array
    12d8d5baa8
  129. Merge pull request #122 from dgpv/patch-3
    bip-taproot: use bytes() instead of b'' - avoid markdown issue
    fda77055c7
  130. fix docstring in taproot_output_script
    the final "-None" line in the docstring of `taproot_output_script` example function was actually outside of the docstring
    db8d6d426f
  131. Merge pull request #120 from dgpv/patch-2
    bip-taproot: fix docstring in taproot_output_script
    eacf0c6533
  132. Settle on notation: is_square(y), has_square_y(P) 0c6a9cffad
  133. Merge pull request #124 from sipa/square_terminology
    Settle on notation: is_square(y), has_square_y(P)
    2f1c4d80ae
  134. Fix test vector generation code after changing schnorrsig_sign api 854a33ab48
  135. Adjust test vector generation code to latest terminology 220df7da78
  136. Check infinity in is_positive c0f0c8d43d
  137. Make more clear that signing function in test vectors generation code isn't intended to be used anywhere else 35f1fface5
  138. Fix typo in reference code comment 0ec01e9255
  139. Merge pull request #116 from jonasnick/test-vec-terminology
    Adjust reference code and test vectors to latest bip
    1bb025aa22
  140. Fix point_from_bytes accepting out-of-range pubkeys and add test vector 8e7aef083e
  141. Merge pull request #114 from real-or-random/patch-11
    improve rationale for key prefixing
    857dd625b5
  142. Update test-vectors.csv 8a8a35bfc5
  143. Link design section of BIP Schnorr in Specification 08622c9494
  144. Merge pull request #121 from jonasnick/add-test-vector
    Fix point_from_bytes accepting out-of-range pubkeys and add test vector
    3f62751809
  145. fix: script spend, not key spend
    For the key spend the script tree depth is not revealed, it is only done for script spends. This sentence makes sense only for the script spend.
    78eb015f63
  146. Merge pull request #126 from MaxHillebrand/patch-1
    fix: script spend, not key spend reveals tree depth
    73ade2d61b
  147. Merge pull request #125 from fjahr/patch-1
    Link design section of BIP Schnorr in Specification
    230f6cb734
  148. Internal pubkey calculation fixed in taproot_tweak_pubkey() de82b3ad26
  149. Merge pull request #128 from codeShark149/tweak_pubkey_change
    Internal pubkey calculation fixed in taproot_tweak_pubkey()
    3700e18055
  150. Fixed typo in taproot_sign_script() ad4156a394
  151. tapscript: fix minor typo 5ceb42b48b
  152. Merge pull request #130 from LaurentMT/patch-1
    Fixed typo in taproot_sign_script()
    c9931d156c
  153. Fix typo af1638ce18
  154. Merge pull request #132 from agis/patch-2
    Fix typo
    c936a9bc4b
  155. G refers to secp256k1 base point rather than generator 7e98e2fd84
  156. ADD: Require Schnorr BIP for Taproot
    Per https://github.com/bitcoin/bips/blob/master/bip-0001.mediawiki:
    
    "BIPs may have a Requires header, indicating the BIP numbers that this BIP depends on"
    5abcbca343
  157. BIP16 has no relation to bip-taproot/tapscript
    Previously did.
    c98970085d
  158. Merge pull request #136 from instagibbs/patch-10
    BIP16 has no relation to bip-taproot/tapscript
    b79935a883
  159. Add clarification of semantics of 0x00 hash type e5918b3b29
  160. ADD: Require Schnorr and Taproot BIPs for Tapscript
    https://github.com/sipa/bips/pull/135#issuecomment-552754867
    0af4a35295
  161. FIX: BIPs should be specified as lowercase to match filenames f620c87eb7
  162. bip-taproot: clarify bip-schnorr reference code
    - update the paragraph in question to more clearly convey that the helper
      functions, and not the Python3 example code, are from the bip-schnorr
      reference code
    
    - add a link to the reference code in
      https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr/reference.py
    8b92d05be9
  163. Replace R with P in taproot_tweak_seckey 7bce5a0930
  164. Merge pull request #142 from OrfeasLitos/python-typo
    Replace R with P in taproot_tweak_seckey
    1e27c4e307
  165. Add links to unlinked BIPs
    Only first mention of each BIP is made into a link
    b417bb3c50
  166. clarify 211 hash bytes and non-reuse of keys 1a9c7f948a
  167. tweak 211 bytes text b8cbd419e6
  168. remind reader where [:] is defined
    in addition to `point`. This caused confusion for one reader who expected inclusive at end of range.
    8861bd503a
  169. Merge pull request #145 from instagibbs/patch-11
    remind reader where [:] is defined
    e5d6ee25e9
  170. Merge pull request #144 from devrandom/wording
    Clarify 211 hash bytes and non-reuse of keys
    bc0c57e1fd
  171. Merge pull request #135 from pyskell/patch-1
    ADD: Require BIPs for Taproot and Tapscript
    5dab10b0b6
  172. Merge pull request #134 from hebasto/20191111-base-point
    G refers to the secp256k1 base point rather than generator
    aa337b9fbb
  173. Merge pull request #137 from AdamISZ/hash-0-meaning
    Add clarification of semantics of 0x00 hash type
    a6d7059ce0
  174. Merge pull request #143 from OrfeasLitos/link-to-other-bips
    Add links to unlinked BIPs
    a00c4a3dc9
  175. Merge pull request #140 from jonatack/clarify-and-link-to-bip-schnorr-reference-code
    bip-taproot: clarify bip-schnorr reference code
    3e3ac64b53
  176. Merge pull request #131 from afk11/fix-typo-bip-tapscript
    tapscript: fix minor typo
    c5a7332ea3
  177. make clear it's script branch
    In this context we are talking about the script branch, not the Merkle tree branch, right? If so, then this should clear things up a little.
    de14bad4dc
  178. Fix typo in schnorr, footnote 2 cacb82fc6d
  179. Merge pull request #146 from MaxHillebrand/patch-1
    make clear it's script branch
    b9d12f79fb
  180. Merge pull request #147 from OrfeasLitos/fix-typo-sig
    Fix typo in schnorr, footnote 2
    6b906253b1
  181. Link to proof sketch of security of implicit Y
    Thanks to @ajtowns for providing the link
    e544fc66ba
  182. Add missing quote 314e9fd904
  183. Merge pull request #149 from OrfeasLitos/add-missing-quote
    Add missing quote
    34a37231e7
  184. grammar typo fix: inserted "be" 09c12e4052
  185. Add missing dots that denote multiplication
    Throughout the document, elliptic curve multiplication is denoted with dots,
    as in `d'⋅G` as opposed to `d'G`.
    This is not the case in one place in the 'Default Signing' section,
    and one place in 'Adaptor Signatures' section
    
    Missing dots are added for consistency.
    75b464ad76
  186. Merge pull request #151 from dgpv/patch-5
    Nit: bip-schnorr: Add missing dots that denote multiplication
    51c2c12158
  187. Replace BIP66 link with BIP146
    BIP66 does not mention the inherent ECDSA malleability, but BIP146 does
    fbd304575f
  188. Rename is_y_square to is_negated in taproot signing 9208857b92
  189. Fix paragraph naming and typo 4fa7cba641
  190. Rephrase "previous design choice" to "list above" 8ca122e8fe
  191. Typo: max bytes hashed for sig is 210 75d753868c
  192. Replace signing with signature before validation 1e1795de46
  193. Typo: script signature max bytes unhashed are 247 633b52fbc0
  194. Merge pull request #155 from jonasnick/negate
    Rename is_y_square to is_negated in taproot signing
    88778d77e8
  195. Replace "both are not" with "neither is" 7ec4ce9a8d
  196. Mention hash_type malleability would change wtxid b44d5c9531
  197. Merge pull request #150 from stefanwouldgo/patch-1
    grammar typo fix: inserted "be"
    9648889b4f
  198. Merge pull request #160 from OrfeasLitos/clarify-choices
    Rephrase "previous design choice" to "list above"
    3d3bd7660c
  199. Merge pull request #156 from hebasto/20191123-grammar-and-reference
    Fix paragraph naming and typo
    1650cacac0
  200. Mention that miners could malleate signatures 2e79be9f72
  201. Add missing closing parenthesis and comma 83e886ce07
  202. Update bip-tapscript.mediawiki 6a72458bf9
  203. Merge pull request #169 from andrewtoth/patch-1
    Add missing closing parenthesis and comma
    075823bdd5
  204. Fix bip-schnorr footnote 7 by specifying that we're referring to P's y coordinate and not some undefined 'x' 3acb150829
  205. Replace references to Euler's criterion with Legendre symbol in bip-schnorr 382a1d19a0
  206. Merge pull request #164 from OrfeasLitos/neither-instead-of-both
    Replace "both are not" with "neither is"
    4c638b3843
  207. Clarify bip-taproot digest difference to bip143 regarding sub-hashes 2c6b472e9c
  208. Improve clarity of footnotes for lift_x 93e1921d83
  209. Nits adf4d78e6c
  210. Fix @jonasnick's comment fd898f118a
  211. Merge pull request #173 from kallerosenbaum/bip-schnorr
    Nits
    017ca0c69b
  212. Merge pull request #170 from jonasnick/footnote7
    Fix footnote 7 and remove references to Euler's criterion
    034e97bd6e
  213. Merge pull request #172 from jonasnick/footnote9
    Improve clarity of footnotes for lift_x
    a9190ff92b
  214. Merge pull request #171 from jonasnick/footnote16
    Clarify bip-taproot digest difference to bip143 regarding sub-hashes
    9194a7b582
  215. Merge pull request #165 from OrfeasLitos/wtxid-malleability
    Mention hash_type malleability would change wtxid
    2a738c6956
  216. Merge pull request #148 from OrfeasLitos/link-implicit-y-proof-sketch
    Link to proof sketch of security of implicit Y
    4b25ff7b92
  217. fix singular/plural ambiguity cc6fa25c79
  218. Fix reference formatting 2e0c9435a8
  219. Merge pull request #162 from OrfeasLitos/signing-validation
    Replace signing with signature before validation
    4b4c656790
  220. Merge pull request #166 from stefanwouldgo/patch-3
    fix singular/plural ambiguity
    16d34fafa1
  221. Merge pull request #154 from OrfeasLitos/replace-66-with-146
    Replace BIP66 link with BIP146
    2a2d4231ff
  222. Merge pull request #161 from OrfeasLitos/max-sig-unhashed-bytes
    Typo: max bytes hashed for sig is 210
    2d68aea170
  223. Merge pull request #174 from hebasto/patch-1
    Fix reference formatting
    b1d93cdd2c
  224. Clarify why we don't want short hashes
    This is supposed to supersede https://github.com/sipa/bips/pull/158.
    I tried to say this carefully. I don't think that multiparty signing is in general broken with short hashes. For example the attack in #158 could be avoided by letting everybody not only commit to the nonce but also to the message. It's just that using a collision-resistant hash just eliminates the problem entirely...
    92582c2a33
  225. Merge pull request #175 from real-or-random/patch-13
    Clarify why we don't want short hashes
    993a1ccdf1
  226. Low-S ECDSA is non-malleable under nonstandard assumptions aa18fdb07e
  227. Replace private key with secret key 633cca9b1c
  228. Merge pull request #180 from jonasnick/secret-key
    Replace private key with secret key
    40eccd5d3c
  229. Merge pull request #177 from sipa/201912_lows_ecdsa_nonmalleable
    Low-S ECDSA is non-malleable under nonstandard assumptions
    431ebd2f44
  230. Improve and restructure motivation and design ba8b23b820
  231. Add an informal summary of the design a78a161b4b
  232. sipa closed this on Dec 15, 2019


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bips. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 13:10 UTC