@AdamISZ

AdamISZ/998.md Secret

Last active October 10, 2022 12:03
analysis of 998/999 p2tr tx

Tx: https://mempool.space/tx/7393096d97bfee8660f4100ffd61874d62f9a65de9fb6acf740c4c386990ef73

Witness consists of:

1 signature:

809edb01f5931cc992763731cda9e983d7e2030a0863352530907490ef2a289721358c386d0b23d82fe78aab1e2f7f3bcf9ae7409bb771c98e7222dc136209f9

repeated 998 times.

followed by the script, consisting of:

20 (push length in hex, i.e. 32 bytes), then pubkey: 1ea539fd851574f6802e6cc0cda3b2bd60afcfca9cd72d9279c5dc8c2054f6b6

then OP_CHECKSIG

then the same pubkey: 20 1ea539fd851574f6802e6cc0cda3b2bd60afcfca9cd72d9279c5dc8c2054f6b6 OP_CHECKSIGADD

repeated a further 998 times (so 999 times in total for that pubkey)

then the script finishes with:

02e603a2

which unpacks to:

998 (02 is the number of bytes pushed; e603 is little-endian, so 03 x 256 + 230 = 998)

and OP_GREATERTHANOREQUAL

the remaining section of the witness is the control block:

c11dae61a4a8f841952be3a511502d4f56e889ffa0685aa0098773ea2d4309f624

(Minor point: no actual merkle root or proof is needed when there is only one script. BIP341 says the control block length is 33 + x, where x can be 0; here it is basically one version byte plus the 32 bytes of the internal key P.)

So in summary, the transaction has used the same public key 999 times and required a signature to exist for at least 998 of 'them'. The fact that the signatures are all the same looks weird, but it's a result of this artificial choice.
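As an added example (not part of the original gist), the Python below rebuilds the script from the pieces listed above, tokenizes it, and decodes the threshold and the control block. The function names are illustrative; the opcode byte values and the first-byte layout of the control block (leaf version plus parity bit) come from the Bitcoin script rules and BIP341/BIP342, not from this page.

```python
# Opcode values are the standard Bitcoin script / BIP342 assignments.
OP_CHECKSIG, OP_CHECKSIGADD, OP_GREATERTHANOREQUAL = 0xAC, 0xBA, 0xA2

# Values copied from the page.
PUBKEY = bytes.fromhex("1ea539fd851574f6802e6cc0cda3b2bd60afcfca9cd72d9279c5dc8c2054f6b6")
THRESHOLD_PUSH = bytes.fromhex("02e603")
CONTROL_BLOCK = bytes.fromhex("c11dae61a4a8f841952be3a511502d4f56e889ffa0685aa0098773ea2d4309f624")

def build_script(pubkey, n_keys, threshold_push):
    """<key> CHECKSIG, then (n_keys - 1) x <key> CHECKSIGADD, then <t> GREATERTHANOREQUAL."""
    push = bytes([len(pubkey)]) + pubkey
    body = push + bytes([OP_CHECKSIG]) + (push + bytes([OP_CHECKSIGADD])) * (n_keys - 1)
    return body + threshold_push + bytes([OP_GREATERTHANOREQUAL])

def parse_script(script):
    """Tokenize; only direct pushes (0x01..0x4b) are handled, which is all this script uses."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 0x01 <= op <= 0x4B:
            if i + op > len(script):
                raise ValueError("truncated push")
            items.append(("push", script[i:i + op]))
            i += op
        else:
            items.append(("op", op))
    return items

def decode_scriptnum(b):
    """Script integers are little-endian with the sign in the top bit of the last byte."""
    if not b:
        return 0
    n = int.from_bytes(b, "little")
    sign = 0x80 << (8 * (len(b) - 1))
    return -(n & ~sign) if n & sign else n

def summarize(script):
    items = parse_script(script)
    keys = [v for kind, v in items[:-2] if kind == "push"]  # skip threshold push and final op
    ops = [v for kind, v in items if kind == "op"]
    return {"keys": len(keys), "distinct_keys": len(set(keys)),
            "threshold": decode_scriptnum(items[-2][1]),
            "checksigadd": ops.count(OP_CHECKSIGADD), "last_op": ops[-1]}

def parse_control_block(cb):
    """First byte = leaf version | parity bit, then the internal key, then 32-byte path nodes."""
    if len(cb) < 33 or (len(cb) - 33) % 32:
        raise ValueError("bad control block length")
    return {"leaf_version": cb[0] & 0xFE, "parity": cb[0] & 1,
            "internal_key": cb[1:33], "path_nodes": (len(cb) - 33) // 32}
```

Calling `summarize(build_script(PUBKEY, 999, THRESHOLD_PUSH))` reports 999 key pushes of a single distinct key with threshold 998, and `parse_control_block(CONTROL_BLOCK)` reports zero path nodes, matching the single-script case described above.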

Why use GREATERTHANOREQUAL? The idea there is, it means we can use any of the 999 possible sets of 998 keys, and it satisfies the same single script.

The alternative is to build a merkle tree with 998 leaves, each of which allows satisfaction of the script by a different subset of 998. This would mean the control block would need a merkle proof of depth ~ 10 of course, which is going to be a few hundred bytes more.

The tradeoff there is interesting: if you use GREATERTHANOREQUAL you can minimize the size of the control block; if you use all combos as leaves, you can in principle hide 1 of the 999 keys, if it never signs. Obviously this would be more interesting if you had a threshold like 1 of 999, because then, using GREATERTHANOREQUAL instead of EQUAL would unnecessarily have to reveal all of the keys.

The main point stands, whatever the details: you can make very large multisig thresholds with taproot, even discounting MuSig or FROST etc.
