diff options
author | Jonas Nick <jonasd.nick@gmail.com> | 2019-08-26 20:46:08 +0000 |
---|---|---|
committer | Pieter Wuille <pieter.wuille@gmail.com> | 2020-01-19 14:47:33 -0800 |
commit | c33c7d0a0c78327e6ca78dd4f6a37296fa49fd2b (patch) | |
tree | 5aa2d1138c51648bc08c9bb85b0b5b44d5e8976e /bip-taproot.mediawiki | |
parent | 7f3611d2398f053d4c1a9889cb20d814bd6abedd (diff) |
Tag signature hashes, improve rationale and update test vectors
Diffstat (limited to 'bip-taproot.mediawiki')
-rw-r--r-- | bip-taproot.mediawiki | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/bip-taproot.mediawiki b/bip-taproot.mediawiki index 51fd45d..6d05610 100644 --- a/bip-taproot.mediawiki +++ b/bip-taproot.mediawiki @@ -41,7 +41,7 @@ As a result we choose this combination of technologies: * Taproot's advantages become apparent under the assumption that most applications involve outputs that could be spent by all parties agreeing. That's where '''Schnorr''' signatures come in, as they permit [https://eprint.iacr.org/2018/068 key aggregation]: a public key can be constructed from multiple participant public keys, and which requires cooperation between all participants to sign for. Such multi-party public keys and signatures are indistinguishable from their single-party equivalents. This means that under this Taproot assumption, the all-parties-agree case can be handled using the key-based spending path, which is both private and efficient using Taproot. This can be generalized to arbitrary M-of-N policies, as Schnorr signatures support threshold signing, at the cost of more complex setup protocols. * As Schnorr signatures also permit '''batch validation''', allowing multiple signatures to be validated together more efficiently than validating each one independently, we make sure all parts of the design are compatible with this. * Where unused bits appear as a result of the above changes, they are reserved for mechanisms for '''future extensions'''. As a result, every script in the Merkle tree has an associated version such that new script versions can be introduced with a soft fork while remaining compatible with bip-taproot. Additionally, future soft forks can make use of the currently unused <code>annex</code> in the witness (see [[#Rationale]]). -* While the core semantics of the '''signature hashing algorithm''' are not changed, a number of improvements are included in this proposal. The new signature hashing algorithm fixes the verification capabilities of offline signing devices by including amount and scriptPubKey in the digest, avoids unnecessary hashing, introduces '''tagged hashes''' and defines a default sighash byte. +* While the core semantics of the '''signature hashing algorithm''' are not changed, a number of improvements are included in this proposal. The new signature hashing algorithm fixes the verification capabilities of offline signing devices by including amount and scriptPubKey in the digest, avoids unnecessary hashing, uses '''tagged hashes''' and defines a default sighash byte. Not included in this proposal are additional features like new sighash modes or opcodes that can be included with no loss in effectiveness as a future extension. Also not included is cross-input aggregation, as it [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-March/015838.html interacts] in complex ways with upgrade mechanisms and solutions to that are still [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-October/016461.html in flux]. @@ -49,7 +49,9 @@ Not included in this proposal are additional features like new sighash modes or This section specifies the Taproot consensus rules. Validity is defined by exclusion: a block or transaction is valid if no condition exists that marks it failed. -The notation below follows that of bip-schnorr including the notion of tagged hashes. +The notation below follows that of bip-schnorr. +This includes the notion of tagged hashes which make collisions with existing uses of hash functions in Bitcoin infeasible. +The reason is that so far nowhere in the Bitcoin protocol are hashes used where the input of SHA256 starts with two (non-double) SHA256 hashes. === Script validation rules === |