š
Original date posted:2013-07-27
š Original message:On Sat, Jul 27, 2013 at 07:49:18PM -0400, Peter Todd wrote:
> Implementation
> ==============
>
> Savings use P2SH outputs matching the following scriptPubKey form:
>
> HASH160 <H(nonce_i)> EQUALVERIFY <pubkey> CHECKSIG
>
> spent with:
>
> <sig> <nonce_i>
FWIW with some minor scripting language additions such as access to txin
and txout contents, along with merklized abstract syntax tree (MAST)
support, we can even implement a version where scriptPubKey's can be
reused:
<pubkey> CHECKSIGVERIFY
// Verify we aren't spending more than the maximum spend amount
0 GET-TXIN-VALUE // relative indexing
0 GET-TXOUT-VALUE
SUB
<max-spend-amount>
LESSTHAN
VERIFY
// If the txout is greater than the maximum spend amount force it to
// also follow these same rules.
0 GET-TXOUT-VALUE
<max-spend-amount>
LESSTHAN
IFNOT
GET-THIS-SCRIPT
MAST-HASH
<serialized script "MAST-HASH MAST-EVAL">
CAT
GET-TXOUT-SCRIPT
EQUALVERIFY
ENDIF
// Hash the provided oracle nonce, saving original for later.
DUP
HASH160
// Use the txid:vout nonce as an index to a table, embedded with MAST
// script compression.
0 GET-TXIN-TXID
0 GET-TXIN-VOUT
CAT
HASH160
// The table, n=64 levels deep, not all levels shown for brevity.
DUP
1
AND
IF
1
RSHIFT
DUP
1
AND
IF
1
RSHIFT
DUP
1
AND
IF
<MAST digest, not executed>
ELSE
1
RSHIFT
DUP
1
AND
IF
// Lowest level contains the following pushdata,
// with 0 <= i < 2^64
<HASH160(HASH160(nonce-secret + i))>
ELSE
<MAST digest, not executed>
ENDIF
ELSE
<MAST digest, not executed>
ENDIF
ELSE
<MAST digest, not executed>
ENDIF
// Drop the txid:vout nonce
SWAP
DROP
// Verify that the hash of the nonce and the pre-committed value in
// the H(nonce) table match.
EQUALVERIFY
// Stack now only contains the nonce preceeded by a merkle path linking
// that nonce to the tip of a merkle tree over all nonces.
//
// Verify that path.
SWAP // Move direction flag to the top
IF
SWAP
ENDIF
HASH160
(repeat above five lines 63 more times)
<nonce-merkle-tree-tip-digest>
EQUAL
The scriptPubKey is spent by the following scriptSig:
<nonce-merkle-path-0>...<nonce-merkle-path-63>
<nonce>
<signature>
<serialized-script>
(note that I've left off a number of possible optimizations for clarity)
Now when the user wishes to spend a txout greather than their spending
limit their wallet software will first give them a short 6 word string
calculated from the last 64-bits of H(txid:vout). They simply enter this
string into their phone, ideally via convenient qr-code or voice/thought
recognition, and their phone provides a second short 6 word string to
enter into the wallet software on their computer, authorizing the
payment. If they opt for a paper-based one-time-password table they
simply use the 6 word string as an index to their pre-printed OTP
encyclopedia set.
Like the previously described version the security level is still a
healthy 2^64 - again the attacker needs to find a 64-bit pre-image,
considered to be a highly difficult task for any attacker unable to
count from 0 to 2^64 or store a table containing 2^64 values.
There is the disadvantage of the large storage requirements for both
wallets, however because of the double hashed construction,
H(H(nonce-secret+i)), neither table needs to be kept secret. Thus
without loss of security both tables can be easily stored in a
distributed hash table in the cloud and queried as needed.
--
'peter'[:-1]@petertodd.org
0000000000000012199fe3f1f54921e8e11c0b0d318ed6245dee22a4ad55bc65
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130727/3cfc9e58/attachment.sig>;
Peter Todd [ARCHIVE] /
npub1m2ā¦a2np2
2023-06-07 15:05:15
in reply to nevent1qā¦qv36
Author Public Key
npub1m230cem2yh3mtdzkg32qhj73uytgkyg5ylxsu083n3tpjnajxx4qqa2np2Published at
2023-06-07 15:05:15Event JSON
{
"id": "d6067ae96b4af8335ace6c441c708ac0d35be88602c547c4442f3c1360b9ec1c",
"pubkey": "daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa",
"created_at": 1686150315,
"kind": 1,
"tags": [
[
"e",
"4f9aa973cf078f73a5317b0273a6095a0a2010e9afb2f04b468af2d0acd4da1a",
"",
"root"
],
[
"e",
"f54cdee090c358d5a90014c0d63b9eda5cd3f55a4af4d0a674581ac3a7a39631",
"",
"reply"
],
[
"p",
"daa2fc676a25e3b5b45644540bcbd1e1168b111427cd0e3cf19c56194fb231aa"
]
],
"content": "š
Original date posted:2013-07-27\nš Original message:On Sat, Jul 27, 2013 at 07:49:18PM -0400, Peter Todd wrote:\n\u003e Implementation\n\u003e ==============\n\u003e \n\u003e Savings use P2SH outputs matching the following scriptPubKey form:\n\u003e \n\u003e HASH160 \u003cH(nonce_i)\u003e EQUALVERIFY \u003cpubkey\u003e CHECKSIG\n\u003e \n\u003e spent with:\n\u003e \n\u003e \u003csig\u003e \u003cnonce_i\u003e\n\nFWIW with some minor scripting language additions such as access to txin\nand txout contents, along with merklized abstract syntax tree (MAST)\nsupport, we can even implement a version where scriptPubKey's can be\nreused:\n\n \u003cpubkey\u003e CHECKSIGVERIFY\n\n // Verify we aren't spending more than the maximum spend amount\n 0 GET-TXIN-VALUE // relative indexing\n 0 GET-TXOUT-VALUE\n SUB\n \u003cmax-spend-amount\u003e\n LESSTHAN\n VERIFY\n\n // If the txout is greater than the maximum spend amount force it to\n // also follow these same rules.\n 0 GET-TXOUT-VALUE\n \u003cmax-spend-amount\u003e\n LESSTHAN\n IFNOT\n GET-THIS-SCRIPT\n MAST-HASH\n \u003cserialized script \"MAST-HASH MAST-EVAL\"\u003e\n CAT\n GET-TXOUT-SCRIPT\n EQUALVERIFY\n ENDIF\n\n // Hash the provided oracle nonce, saving original for later.\n DUP\n HASH160\n\n // Use the txid:vout nonce as an index to a table, embedded with MAST\n // script compression.\n 0 GET-TXIN-TXID\n 0 GET-TXIN-VOUT\n CAT\n HASH160\n\n // The table, n=64 levels deep, not all levels shown for brevity.\n DUP\n 1\n AND\n IF\n 1\n RSHIFT\n DUP\n 1\n AND\n IF\n 1\n RSHIFT\n DUP\n 1\n AND\n IF\n \u003cMAST digest, not executed\u003e\n ELSE\n 1\n RSHIFT\n DUP\n 1\n AND\n IF\n // Lowest level contains the following pushdata,\n // with 0 \u003c= i \u003c 2^64\n \u003cHASH160(HASH160(nonce-secret + i))\u003e\n ELSE\n \u003cMAST digest, not executed\u003e\n ENDIF\n ELSE\n \u003cMAST digest, not executed\u003e\n ENDIF\n ELSE\n \u003cMAST digest, not executed\u003e\n ENDIF\n\n // Drop the txid:vout nonce\n SWAP\n DROP\n\n // Verify that the hash of the nonce and the pre-committed value in\n // the H(nonce) table match.\n EQUALVERIFY\n\n // Stack now only contains the nonce preceeded by a merkle path linking\n // that nonce to the tip of a merkle tree over all nonces.\n //\n // Verify that path.\n SWAP // Move direction flag to the top\n IF\n SWAP\n ENDIF\n HASH160\n (repeat above five lines 63 more times)\n\n \u003cnonce-merkle-tree-tip-digest\u003e\n EQUAL\n\nThe scriptPubKey is spent by the following scriptSig:\n\n \u003cnonce-merkle-path-0\u003e...\u003cnonce-merkle-path-63\u003e\n \u003cnonce\u003e\n \u003csignature\u003e\n \u003cserialized-script\u003e\n\n(note that I've left off a number of possible optimizations for clarity)\n\nNow when the user wishes to spend a txout greather than their spending\nlimit their wallet software will first give them a short 6 word string\ncalculated from the last 64-bits of H(txid:vout). They simply enter this\nstring into their phone, ideally via convenient qr-code or voice/thought\nrecognition, and their phone provides a second short 6 word string to\nenter into the wallet software on their computer, authorizing the\npayment. If they opt for a paper-based one-time-password table they\nsimply use the 6 word string as an index to their pre-printed OTP\nencyclopedia set.\n\nLike the previously described version the security level is still a\nhealthy 2^64 - again the attacker needs to find a 64-bit pre-image,\nconsidered to be a highly difficult task for any attacker unable to\ncount from 0 to 2^64 or store a table containing 2^64 values.\n\nThere is the disadvantage of the large storage requirements for both\nwallets, however because of the double hashed construction,\nH(H(nonce-secret+i)), neither table needs to be kept secret. Thus\nwithout loss of security both tables can be easily stored in a\ndistributed hash table in the cloud and queried as needed.\n\n-- \n'peter'[:-1]@petertodd.org\n0000000000000012199fe3f1f54921e8e11c0b0d318ed6245dee22a4ad55bc65\n-------------- next part --------------\nA non-text attachment was scrubbed...\nName: signature.asc\nType: application/pgp-signature\nSize: 490 bytes\nDesc: Digital signature\nURL: \u003chttp://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20130727/3cfc9e58/attachment.sig\u003e",
"sig": "e0da6468138d1ab789e8c1fb1ea4e82c1597cd78caefd3ba189cfee4342471794045bb8df3fe8890b1381f92f6faf978009ed6a834c4051106108319bce6929f"
}