From 592cb6fa0c8e1484488cfc4e43fe1e4825c17132 Mon Sep 17 00:00:00 2001 From: "Dr. Maxim Orlovsky" Date: Sun, 7 Nov 2021 09:45:01 +0100 Subject: BIP-341: allow future softforks for leaf version signature verification Currently the BIP-341 and BIP-342 leave the question of how to verify signature for non-`0xC0` leaf version scripts undefined. I haven't checked the Bitcoin Core code for that matter yet, but (1) I think we need to cover signature validation of non-`0xC0` leaf version scripts in this standard and (2) the only way of doing that is "always succeed" rule for the future leaf version values (otherwise we will need a hard fork to introduce them). --- bip-0341.mediawiki | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'bip-0341.mediawiki') diff --git a/bip-0341.mediawiki b/bip-0341.mediawiki index ba3310f..23a20a6 100644 --- a/bip-0341.mediawiki +++ b/bip-0341.mediawiki @@ -78,7 +78,7 @@ The following rules only apply when such an output is being spent. Any other out ** If ''t ≥ 0xFFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141'' (order of secp256k1), fail. ** Let ''Q = P + int(t)G''. ** If ''q ≠ x(Q)'' or ''c[0] & 1 ≠ y(Q) mod 2'', fail'''Why is it necessary to reveal a bit in a script path spend and check that it matches the parity of the Y coordinate of ''Q''?''' The parity of the Y coordinate is necessary to lift the X coordinate ''q'' to a unique point. While this is not strictly necessary for verifying the taproot commitment as described above, it is necessary to allow batch verification. Alternatively, ''Q'' could be forced to have an even Y coordinate, but that would require retrying with different internal public keys (or different messages) until ''Q'' has that property. There is no downside to adding the parity bit because otherwise the control block bit would be unused.. -** Execute the script, according to the applicable script rules'''What are the applicable script rules in script path spends?''' [[bip-0342.mediawiki|BIP342]] specifies validity rules that apply for leaf version 0xc0, but future proposals can introduce rules for other leaf versions., using the witness stack elements excluding the script ''s'', the control block ''c'', and the annex ''a'' if present, as initial stack. +** Execute the script, according to the applicable script rules'''What are the applicable script rules in script path spends?''' [[bip-0342.mediawiki|BIP342]] specifies validity rules that apply for leaf version 0xc0, but future proposals can introduce rules for other leaf versions., using the witness stack elements excluding the script ''s'', the control block ''c'', and the annex ''a'' if present, as initial stack. This implies that for the future leaf versions (non-''0xC0'') the execution must succeed.'''Why we need to success on future leaf version validation''' This is required to enable future leaf versions as soft forks. ''q'' is referred to as ''taproot output key'' and ''p'' as ''taproot internal key''. -- cgit v1.2.3