diff options
| author | Gregory Sanders <gsanders87@gmail.com> | 2019-11-15 13:46:35 -0500 |
|---|---|---|
| committer | Pieter Wuille <pieter.wuille@gmail.com> | 2020-01-19 14:47:33 -0800 |
| commit | 758be14a2b1c61d7042d708564bed69ebfc66b62 (patch) | |
| tree | 4e2d7e07bbfe62df7ccb5e5c727e755e9192499b /bip-taproot.mediawiki | |
| parent | 4e88d4fae7c79abc2acd35f036daceacd8122da8 (diff) | |
| download | bips-758be14a2b1c61d7042d708564bed69ebfc66b62.tar.xz | |
remind reader where [:] is defined
in addition to `point`. This caused confusion for one reader who expected inclusive at end of range.
Diffstat (limited to 'bip-taproot.mediawiki')
| -rw-r--r-- | bip-taproot.mediawiki | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bip-taproot.mediawiki b/bip-taproot.mediawiki index de266b9..7ae422b 100644 --- a/bip-taproot.mediawiki +++ b/bip-taproot.mediawiki @@ -65,7 +65,7 @@ The following rules only apply when such an output is being spent. Any other out * If there are at least two witness elements left, script path spending is used: ** Call the second-to-last stack element ''s'', the script. ** The last stack element is called the control block ''c'', and must have length ''33 + 32m'', for a value of ''m'' that is an integer between 0 and 128<ref>'''Why is the Merkle path length limited to 128?''' The optimally space-efficient Merkle tree can be constructed based on the probabilities of the scripts in the leaves, using the Huffman algorithm. This algorithm will construct branches with lengths approximately equal to ''log<sub>2</sub>(1/probability)'', but to have branches longer than 128 you would need to have scripts with an execution chance below 1 in ''2<sup>128</sup>''. As that is our security bound, scripts that truly have such a low chance can probably be removed entirely.</ref>, inclusive. Fail if it does not have such a length. -** Let ''p = c[1:33]'' and let ''P = point(p)'' where ''point'' is defined as in bip-schnorr. Fail if this point is not on the curve. +** Let ''p = c[1:33]'' and let ''P = point(p)'' where ''point'' and ''[:]'' are defined as in bip-schnorr. Fail if this point is not on the curve. ** Let ''l = c[0] & 0xfe'', the leaf version<ref>'''What is the purpose of the first byte of the control block?''' The first byte of the control block has three distinct functions: * The low bit is used to denote whether the ''has_square_y(Q)'' holds.<ref>'''Why is the squareness of the output public key's Y coordinate required in a script path spend?''' The ''point'' function always constructs a point with Y coordinate having that property, but because ''Q'' is constructed by adding the taproot tweak to the internal public key ''P'', it cannot easily be guaranteed that ''Q'' in fact has such a Y coordinate. We can not ignore the Y coordinate because it would prevent batch verification. Trying out multiple internal keys until there's such a ''Q'' is possible but undesirable and unnecessary since this information about the Y coordinate only consumes an unused bit.</ref> * By keeping the top two bits set to true, it can be guaranteed that scripts can be recognized without knowledge of the UTXO being spent, simplifying analysis. This is because such values cannot occur as first byte of the final stack element in either P2WPKH or P2WSH spends. |