Robin Linus RobinLinus

@RobinLinus
RobinLinus / cat_ecc.md
Last active November 22, 2023 23:20
OP_CAT Enables Scalar Multiplication for EC Points
View cat_ecc.md

OP_CAT Enables Scalar Multiplication for EC Points

CAT can reduce curve point scalar multiplication to a subtraction in the scalar field.

Subtraction of field elements can probably be emulated in less than 250 (?) opcodes. For now, let's assume we have an (emulated) opcode, op_scalar_sub, for subtracting two elements of the scalar field of secp256k1.

Given secp256k1's generator G, we want to compute, for some scalar r, the point R = rG.

That is possible by hacking it into a Schnorr signature (R, s) for the key P = xG = 1G = G: CHECKSIG enforces sG = R + eP = R + eG, i.e. R = (s - e)G, so the script only has to recompute the challenge e (via OP_CAT and OP_SHA256) and check s - e = r with op_scalar_sub.

View schnorr-bit-commitment.md

Commit to a Bit Value using a Schnorr Signature

This is a bit commitment (e.g. for BitVM) which allows you to commit to the value of a 1-bit variable across two different UTXOs via Schnorr signatures. If Paul equivocates on the bit's value then he leaks his private key.

Surprisingly, the commitment script doesn't need to commit to anything specific. All semantics arise from the nonces in the partial signatures. That allows you to reprogram gates after compile time.

Commitment Script

The commitment script uses OP_CODESEPARATOR such that public key P can sign off on one of two execution branches in the script. Depending on which branch is signed, the script leaves 0 or 1 on the stack.
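Both mechanisms above, computing rG through a signature under P = G (from the cat_ecc gist) and leaking the key on equivocation, can be checked off-chain in plain Python. The following is an added example, not code from either gist: it implements secp256k1 arithmetic and BIP340 Schnorr signing and verification from scratch; `script_scalar_mul` then plays the script side of the CAT trick (CHECKSIG under P = G, the challenge recomputed over the concatenation rx || G.x || msg, s - e compared with r), and `recover_key_from_nonce_reuse` shows why equivocating on the bit leaks Paul's key, assuming the equivocation consists of signing both branch sighashes with the same committed nonce. The function names, the 32-byte sighash stand-ins and the scalars r, d and k are constructed for the example; the OP_CODESEPARATOR branch scripts themselves are not modelled.

```python
import hashlib

# secp256k1 parameters; keys and nonces follow BIP340 (x-only keys, even-y R).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """Double-and-add (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def lift_x(x):
    """x-only key -> point with even y, or None if x is not on the curve."""
    y2 = (pow(x, 3, P) + 7) % P
    y = pow(y2, (P + 1) // 4, P)
    if y * y % P != y2:
        return None
    return (x, y if y % 2 == 0 else P - y)

def challenge(rx, px, msg):
    """e = int(tagged_hash("BIP0340/challenge", rx || px || msg)) mod n;
    rx || px || msg is the concatenation a script builds with OP_CAT before OP_SHA256."""
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    return int.from_bytes(hashlib.sha256(tag + tag + rx + px + msg).digest(), "big") % N

def schnorr_sign(x, k, msg):
    """BIP340-style (rx, s) with an explicit nonce k, so a nonce can be reused on purpose."""
    pt = point_mul(x, G)
    d = x if pt[1] % 2 == 0 else N - x          # key negated if P has odd y
    R = point_mul(k, G)
    k = k if R[1] % 2 == 0 else N - k            # nonce negated if R has odd y
    rx = R[0].to_bytes(32, "big")
    return rx, (k + challenge(rx, pt[0].to_bytes(32, "big"), msg) * d) % N

def schnorr_verify(px_int, msg, rx, s):
    """Accept iff R' = sG - eP is finite, has even y and x(R') == rx."""
    pt = lift_x(px_int)
    if pt is None or s >= N or int.from_bytes(rx, "big") >= P:
        return False
    e = challenge(rx, px_int.to_bytes(32, "big"), msg)
    rp = point_add(point_mul(s, G), point_mul((N - e) % N, pt))
    return rp is not None and rp[1] % 2 == 0 and rp[0] == int.from_bytes(rx, "big")

def script_scalar_mul(r, msg, rx, s):
    """Script side of the CAT trick: CHECKSIG under P = G, recompute e, check s - e == r
    with the emulated scalar subtraction. CHECKSIG forces sG = R + eG, so both checks passing
    proves R = (s - e)G = rG; n - r is accepted because BIP340 negates an odd-y nonce."""
    if not schnorr_verify(G[0], msg, rx, s):
        return None
    k = (s - challenge(rx, G[0].to_bytes(32, "big"), msg)) % N   # op_scalar_sub
    if k not in (r % N, (N - r) % N):
        return None
    return int.from_bytes(rx, "big")                             # = x(rG)

def recover_key_from_nonce_reuse(px_int, msg0, sig0, msg1, sig1):
    """Equivocation: two signatures sharing R on different messages give s0 - s1 = (e0 - e1)*d,
    so d = (s0 - s1)/(e0 - e1) mod n (d or n - d, per the BIP340 key-parity rule)."""
    (rx0, s0), (rx1, s1) = sig0, sig1
    px = px_int.to_bytes(32, "big")
    e0, e1 = challenge(rx0, px, msg0), challenge(rx1, px, msg1)
    if rx0 != rx1 or e0 == e1:
        return None
    return (s0 - s1) * pow(e0 - e1, N - 2, N) % N

if __name__ == "__main__":
    msg, r = b"\x11" * 32, 0x1234567890ABCDEF        # constructed sighash stand-in and scalar
    rx, s = schnorr_sign(1, r, msg)                   # prover: private key 1, nonce r
    assert script_scalar_mul(r, msg, rx, s) == point_mul(r, G)[0]
    d, k = 0xC0FFEE, 0xBEEF                           # Paul's key and the nonce he committed to
    sig0, sig1 = schnorr_sign(d, k, b"\x00" * 32), schnorr_sign(d, k, b"\x01" * 32)  # both branches
    leaked = recover_key_from_nonce_reuse(point_mul(d, G)[0], b"\x00" * 32, sig0, b"\x01" * 32, sig1)
    assert leaked in (d, N - d)
```

Run it as a script to execute the two checks in the `__main__` block. Two details worth keeping in mind: the script only ever learns x(rG), and because BIP340 negates the nonce when rG has odd y the check has to accept both r and n - r; likewise the recovered key is d or n - d, and either one produces valid signatures for the x-only key P.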

View 31-bit_commitment.md

31-bit Commitment

This is a 31-bit commitment in Bitcoin Script.

OP_DUP
OP_TOALTSTACK

OP_DUP
<1073741824>
View seed-splitting.html
<main>
<h1>Seed Splitting</h1>
<h3>Split your BIP39 seed phrase into two of three shards.</h3>
<div class="row-reverse">
<a onclick="example()">Example</a>
</div>
<textarea id="$seedphrase" placeholder="Enter 24 word seed phrase"></textarea>
<div class="row-reverse">
<button onclick="splitSeed()">Split</button>
</div>
@RobinLinus
RobinLinus / covenants_cat_ecdsa.md
Last active February 19, 2024 01:30
Emulate covenants using only OP_CAT and ECDSA signatures
View covenants_cat_ecdsa.md

Covenants with CAT and ECDSA

In his article, CAT and Schnorr Tricks I, Andrew Poelstra showed how to emulate OP_CHECKSIGFROMSTACK-like covenants using only OP_CAT and Schnorr signatures.

Here we show that a similar trick emulates covenants using only OP_CAT and ECDSA signatures.

The High-Level Idea

Recall the ECDSA Signature Equation

@RobinLinus
RobinLinus / threshold-encrypted-backup.py
Last active August 28, 2023 11:32
Threshold encryption for multisig backups. This is a demo to back up the xpubs of a 3-of-5 multisig
View threshold-encrypted-backup.py
#
# This is a scheme to encrypt a backup of a t-of-n Multisig spending script
# such that any combination of t-of-n xpubkeys can recover the missing (n-t) xpubkeys.
#
#
# In this example, we encrypt the 5 xpubkeys of a 3-of-5 Multisig
# and demonstrate how to recover from any 3 xpubkeys the other 2 missing xpubkeys.
#
# The scheme is a simple variation of Shamir's secret sharing.
# It is nicely compact: the encrypted payload is only the size of (n-t) = 2 xpubkeys.
@RobinLinus
RobinLinus / modified-secret-sharing.py
Last active August 9, 2023 17:07
A variation of Shamir's t-of-n Secret Sharing scheme, which allows any given values to be used as secret shares
View modified-secret-sharing.py
#
# A variation of Shamir's t-of-n Secret Sharing scheme,
# which allows any `n` values to be used as secret shares
# at the expense of having to store `(n-t)` public shares.
# This overcomes a drawback of the original scheme,
# which requires using the shares produced by the scheme itself.
#
# For example, a 3-of-5 requires storing 2 public points.
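The construction described in both gist headers (the threshold-encrypted multisig backup above and this "any values as shares" variant) follows from one observation: n given values can be declared the evaluations f(1), ..., f(n) of a degree n-1 polynomial f, and publishing n-t further evaluations lets any t of the values pin f down and thus recover the rest. Below is an added implementation of that reading of the scheme; it is not the gist's own code, and since the gists' field and encoding choices are not visible in the previews, the example assumes GF(2^521 - 1) and treats the 65-byte chain code plus compressed key of each xpub as the value to protect (the 13-byte xpub header fields are assumed to be kept alongside in the clear). The five cosigner values are constructed stand-ins, not real keys.

```python
import hashlib

# GF(p) with p = 2^521 - 1 (a Mersenne prime): large enough to hold a 65-byte value
# (chain code || compressed key, the secret-bearing part of an xpub) as one element.
# A full 78-byte xpub would need a prime above 2^624, e.g. 2^1279 - 1, with larger public points.
PRIME = (1 << 521) - 1
VALUE_LEN = 65

def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points` (distinct x's)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total

def make_backup(values, t):
    """Treat the n given values as f(1..n) of a degree n-1 polynomial f and publish the n-t
    further evaluations f(n+1), ..., f(2n-t). That list is the whole backup payload."""
    n = len(values)
    shares = [(i + 1, int.from_bytes(v, "big")) for i, v in enumerate(values)]
    return [(x, lagrange_eval(shares, x)) for x in range(n + 1, 2 * n - t + 1)]

def recover_all(known, backup, n, t):
    """known: {1-based index: value bytes} for at least t of the n values. Together with the
    n-t public points that is n points, which pin down f, so every f(i) can be read back."""
    if len(known) < t:
        raise ValueError(f"need at least {t} of the {n} values, got {len(known)}")
    pts = [(i, int.from_bytes(v, "big")) for i, v in known.items()] + list(backup)
    pts = pts[:n]                      # any n distinct points determine f
    return {i: lagrange_eval(pts, i).to_bytes(VALUE_LEN, "big") for i in range(1, n + 1)}

def sample_values(n):
    """Constructed 65-byte stand-ins for the cosigners' xpub payloads (not real keys)."""
    return [b"\x02" + hashlib.sha512(b"cosigner-%d" % i).digest() for i in range(n)]

if __name__ == "__main__":
    n, t = 5, 3
    values = sample_values(n)
    backup = make_backup(values, t)                  # 2 public points for a 3-of-5
    got = recover_all({1: values[0], 3: values[2], 5: values[4]}, backup, n, t)
    assert [got[i] for i in range(1, n + 1)] == values
    print("recovered all", n, "values from", t, "of them plus", len(backup), "public points")
```

The hiding argument is the same counting as in Shamir's scheme: with only t-1 values plus the n-t public points an attacker holds n-1 points on a polynomial with n coefficients, so one degree of freedom remains and every candidate for a missing value is equally consistent with what they have. Note that the public points are arbitrary field elements, so with this prime each one needs 66 bytes rather than 65.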
#
@RobinLinus
RobinLinus / some-day-peg.md
Last active September 10, 2023 20:27
A crazy two-way peg bridging BTC to other chains
View some-day-peg.md

Some Day Peg

A two-way peg bridging BTC to other chains. It works similarly to a perpetual one-way peg; however, instead of burning the BTC, they are locked up until a particular time 20 years from now. Until then, the community has to figure out how to do peg-outs with, e.g., some sort of OP_ZKP_VERIFY or Simplicity.

We simply pretend that OP_NOP10 is OP_ZKP_VERIFY and let users lock BTC in the following script:

<program_hash> OP_NOP10
 OP_CLTV OP_2DROP
@RobinLinus
RobinLinus / bitcoin-txs.md
Created June 8, 2023 21:50
Raw Bitcoin transactions hand-parsed for educational purposes
View bitcoin-txs.md

Raw Bitcoin Transactions

P2PK

https://blockstream.info/block/00000000d1145790a8694403d4063f323d499e655c83426834d4ce2f8dd4a2ee

Raw

https://blockstream.info/tx/f4184fc596403b9d638783cf57adfe4c75c605f6356fbc91338530e9831e9e16


Parsed
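The hand-parsing in this gist follows the legacy transaction layout: version, CompactSize input count, inputs (byte-reversed prev txid, vout, scriptSig, sequence), CompactSize output count, outputs (8-byte value in satoshis, scriptPubKey), locktime; the txid is the byte-reversed double SHA256 of the whole serialization. The parser below is an added example, not the gist's content, that walks that layout and also flags the two things that most often trip up hand parsers: the BIP144 witness marker, which this legacy parser refuses rather than misparses, and trailing bytes after the locktime. The transaction it parses is constructed inline with placeholder keys and is not the transaction linked above.

```python
import hashlib

def read_compact_size(buf, pos):
    """Bitcoin CompactSize varint: < 0xfd inline, else 0xfd/0xfe/0xff + 2/4/8 little-endian bytes."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def classify_script(spk):
    """Recognize P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG (0xac); anything else is 'unknown'."""
    if len(spk) >= 2 and spk[0] in (0x21, 0x41) and len(spk) == spk[0] + 2 and spk[-1] == 0xAC:
        return "p2pk"
    return "unknown"

def parse_tx(raw):
    """Parse a legacy (non-witness) serialized transaction into a dict and compute its txid."""
    version = int.from_bytes(raw[0:4], "little")
    pos = 4
    if raw[pos:pos + 2] == b"\x00\x01":      # BIP144 marker + flag: witness serialization
        raise NotImplementedError("witness serialization (marker 0x00, flag 0x01) not handled here")
    n_in, pos = read_compact_size(raw, pos)
    vin = []
    for _ in range(n_in):
        prev_txid = raw[pos:pos + 32][::-1].hex()                 # txid is stored byte-reversed
        prev_vout = int.from_bytes(raw[pos + 32:pos + 36], "little")
        pos += 36
        script_len, pos = read_compact_size(raw, pos)
        script_sig = raw[pos:pos + script_len]
        pos += script_len
        sequence = int.from_bytes(raw[pos:pos + 4], "little")
        pos += 4
        vin.append({"prev_txid": prev_txid, "prev_vout": prev_vout,
                    "script_sig": script_sig.hex(), "sequence": sequence})
    n_out, pos = read_compact_size(raw, pos)
    vout = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")      # satoshis
        pos += 8
        script_len, pos = read_compact_size(raw, pos)
        spk = raw[pos:pos + script_len]
        pos += script_len
        vout.append({"value_sat": value, "script_pubkey": spk.hex(), "type": classify_script(spk)})
    locktime = int.from_bytes(raw[pos:pos + 4], "little")
    pos += 4
    if pos != len(raw):
        raise ValueError(f"{len(raw) - pos} unexpected trailing bytes after locktime")
    txid = hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()
    return {"txid": txid, "version": version, "vin": vin, "vout": vout, "locktime": locktime}

# Constructed sample transaction (NOT a real one): 1 input, 2 P2PK outputs, placeholder keys.
PUBKEY_A = b"\x04" + bytes(range(1, 65))           # 65-byte uncompressed key placeholder
PUBKEY_B = b"\x02" + bytes(range(65, 97))          # 33-byte compressed key placeholder
SAMPLE_TX = (
    bytes.fromhex("01000000")                       # version 1
    + b"\x01"                                       # 1 input
    + bytes(range(32))                              # prev txid, little-endian on the wire
    + bytes.fromhex("00000000")                     # prev vout 0
    + b"\x03" + b"\x02\xaa\xbb"                     # scriptSig: placeholder 2-byte push, not a DER signature
    + bytes.fromhex("ffffffff")                     # sequence
    + b"\x02"                                       # 2 outputs
    + (10 * 100_000_000).to_bytes(8, "little")      # 10 BTC
    + b"\x43" + b"\x41" + PUBKEY_A + b"\xac"        # 67-byte P2PK scriptPubKey
    + (40 * 100_000_000).to_bytes(8, "little")      # 40 BTC
    + b"\x23" + b"\x21" + PUBKEY_B + b"\xac"        # 35-byte P2PK scriptPubKey
    + bytes.fromhex("00000000")                     # locktime 0
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_tx(SAMPLE_TX), indent=2))
```

The marker check is deliberately strict: a legacy transaction with zero inputs would serialize to the same two bytes, but such a transaction is invalid anyway, which is exactly why BIP144 could reuse that prefix. For a real transaction, compare the returned `txid` with the explorer link; a mismatch usually means a byte was dropped or the hex was pasted with whitespace.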

@RobinLinus
RobinLinus / secp256k1_to_pairing.md
Last active June 15, 2023 05:58
Mapping a Secret Scalar Value between Elliptic Curve Groups
View secp256k1_to_pairing.md

Mapping a Secret Scalar Value between Elliptic Curve Groups [broken]

This document outlines a method to map a secret scalar value x from one elliptic curve group (secp256k1) to another (a pairing-friendly curve). The method uses a variation of the Schnorr signature scheme to prove that the same secret scalar is used in both groups without revealing x. This is useful where compatibility between different cryptographic groups is required, for example purchasing over the Lightning Network, via a PTLC, a key that is then used with pairing-based cryptography. In general, it is of interest for Adaptor Signatures, Scriptless Scripts, and Discreet Log Contracts.

Setup