📅 Original date posted:2022-07-08
📝 Original message:Hi aj,
I think there's another workaround for the x-only issue with
TAPLEAF_UPDATE_VERIFY.
So the opcode will need a function f that ensures that the new internal
key f(P'), where P' = P + X, has even y. You describe what happens for
the canonical choice of
f(P') = if has_even_y(P') then P' else -P'.
This leads to issues because negation turns around the signs of A and B
if say P' = A + B. Or more generally, negation is multiplicative
tweaking with a tweak -1, and that changes the coefficients of A und B.
But what if we use additive tweaking, which won't change the
coefficients? For example, you could try adding the generator until you
hit an even point, i.e.,
f(P') = if has_even_y(P') then P' else f(P' + G).
Then you may get a chain like
* Pabc = A + B + C
* Pab = A + B + 2G
* Pa = A + 2G + 1G = A + 3G
Pool members will simply need to track the accumulated tweak t and take
the tweak into account when signing. For example, A and B would sign
with t = 2 and A alone would sign with t = 3.
This choice of f will succeed after 1 addition on average. (I don't
know if this can be proven but even if not, experiments show that it's
true and that's good enough.) So the actual running time is
probabilistic. I don't think that's an issue but if it is an issue,
other choices of f are possible, e.g., let the spender provide the
tweak t explicitly and set
f(P',t) = if 0 <= t < 128 and has_even_y(P'+tG) then P'+tG else fail.
This workaround is not exactly elegant either but it may be better than
the other suggestions.
Best,
Tim
On Thu, 2021-09-09 at 16:53 +1000, Anthony Towns via bitcoin-dev wrote:
> Moving on to the pooled scheme and actually updating the internal
> pubkey
> is, unfortunately, where things start to come apart. In particular,
> since taproot uses 32-byte x-only pubkeys (with implicit even-y) for
> the
> scriptPubKey and the internal public key, we have to worry about what
> happens if, eg, A,B,C and A+B+C all have even-more elegy, but
> (A+B)=(A+B+C)-C does
> not have even-y. In that case allowing C to remove herself from the
> pool,
> might result in switching from the scriptPubKey Qabc to the
> scriptPubKey
> Qab as follows:
>
> Qabc = (A+B+C) + H(A+B+C, (Sa, (Sb, Sc)))*G
> Qab = -(A+B) + H( -(A+B), (Sa, Sb)*G
>
> That's fine so far, but what happens if B then removes himself from
> the
> pool? You take the internal public key, which turns out to be -(A+B)
> since (A+B) did not have even y, and then subtract B, but that gives
> you
> -A-2B instead of just A. So B obtains his funds, but B's signature
> hasn't
> been cancelled out from the internal public key, so is still required
> in order to do key path spends, which is definitely not what we want.
>
Tim Ruffing [ARCHIVE] /
npub1cm…dwkls
2023-06-07 23:11:21
in reply to nevent1q…pka0
Author Public Key
npub1cmt6gqyfw3sdngkq0wadtpe3kmgyyeld6ad0g2h5tar3kpzcrmpqddwklsPublished at
2023-06-07 23:11:21Event JSON
{
"id": "7eebcbcb4982b80f03a35ffcd959f6696b0be1830229e0f46807b8e8515298d4",
"pubkey": "c6d7a400897460d9a2c07bbad58731b6d04267edd75af42af45f471b04581ec2",
"created_at": 1686179481,
"kind": 1,
"tags": [
[
"e",
"56014360190055aca6df787fa779ac8f9f3546fc294769db88a97fde9d7f9985",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2022-07-08\n📝 Original message:Hi aj,\n\nI think there's another workaround for the x-only issue with\nTAPLEAF_UPDATE_VERIFY.\n\nSo the opcode will need a function f that ensures that the new internal\nkey f(P'), where P' = P + X, has even y. You describe what happens for\nthe canonical choice of\nf(P') = if has_even_y(P') then P' else -P'.\n\nThis leads to issues because negation turns around the signs of A and B\nif say P' = A + B. Or more generally, negation is multiplicative\ntweaking with a tweak -1, and that changes the coefficients of A und B.\n\nBut what if we use additive tweaking, which won't change the\ncoefficients? For example, you could try adding the generator until you\nhit an even point, i.e., \nf(P') = if has_even_y(P') then P' else f(P' + G).\n\nThen you may get a chain like\n * Pabc = A + B + C\n * Pab = A + B + 2G\n* Pa = A + 2G + 1G = A + 3G\n\nPool members will simply need to track the accumulated tweak t and take\nthe tweak into account when signing. For example, A and B would sign\nwith t = 2 and A alone would sign with t = 3. \n\nThis choice of f will succeed after 1 addition on average. (I don't\nknow if this can be proven but even if not, experiments show that it's\ntrue and that's good enough.) So the actual running time is\nprobabilistic. I don't think that's an issue but if it is an issue,\nother choices of f are possible, e.g., let the spender provide the\ntweak t explicitly and set\nf(P',t) = if 0 \u003c= t \u003c 128 and has_even_y(P'+tG) then P'+tG else fail.\n\nThis workaround is not exactly elegant either but it may be better than\nthe other suggestions.\n\nBest,\nTim\n\nOn Thu, 2021-09-09 at 16:53 +1000, Anthony Towns via bitcoin-dev wrote:\n\u003e Moving on to the pooled scheme and actually updating the internal\n\u003e pubkey\n\u003e is, unfortunately, where things start to come apart. In particular,\n\u003e since taproot uses 32-byte x-only pubkeys (with implicit even-y) for\n\u003e the\n\u003e scriptPubKey and the internal public key, we have to worry about what\n\u003e happens if, eg, A,B,C and A+B+C all have even-more elegy, but\n\u003e (A+B)=(A+B+C)-C does\n\u003e not have even-y. In that case allowing C to remove herself from the\n\u003e pool,\n\u003e might result in switching from the scriptPubKey Qabc to the\n\u003e scriptPubKey\n\u003e Qab as follows:\n\u003e \n\u003e Qabc = (A+B+C) + H(A+B+C, (Sa, (Sb, Sc)))*G\n\u003e Qab = -(A+B) + H( -(A+B), (Sa, Sb)*G\n\u003e \n\u003e That's fine so far, but what happens if B then removes himself from\n\u003e the\n\u003e pool? You take the internal public key, which turns out to be -(A+B)\n\u003e since (A+B) did not have even y, and then subtract B, but that gives\n\u003e you\n\u003e -A-2B instead of just A. So B obtains his funds, but B's signature\n\u003e hasn't\n\u003e been cancelled out from the internal public key, so is still required\n\u003e in order to do key path spends, which is definitely not what we want.\n\u003e",
"sig": "9b0d94798550df5bbff2513177086cefae0e02656cf7c4153256de2e2f322eea33627dd7bcd6be4d2bca78f05fa72171f2eefdeb02850ccf009a07bc54f3d6f8"
}