Bitcoin (BSV) Knowledge Base: Script - R-Puzzle Script (R-Puzzles)


Special note:

The Bitcoin (BSV) Knowledge Base (Bitcoin wiki) is currently English-only, with no Chinese translation yet, and is still being written and expanded. Chinese developers are welcome to comment at the bottom of the article to explain and discuss.

R-Puzzles

An R-Puzzle is a type of script that allows the spending party to sign the input using any valid Bitcoin keypair: the locking condition is placed on the r value of the signature rather than on a particular public key. The keypair used to sign can belong to a Metanet node address, to an address that holds tokens, or be randomly generated.

k

In an R-puzzle, a knowledge proof of a value called 'k' is used to allow coins to be spent. 'k' is drawn from the same mathematical set as Bitcoin private keys (integers in [1, n-1], where n is the order of the curve). It must be known to the spender and is used to generate 'r', the x-coordinate of k multiplied by the generator point G (reduced mod n). 'r' is extracted from the signature used in the transaction and tested against a hash stored in the ScriptPubKey. Because r depends only on k and not on the signing key, whoever knows k can satisfy the puzzle with any private key. k-chains can be managed using the same deterministic techniques as Bitcoin keychains.

Generating an ECDSA signature involves a few steps.

Inputs to the signature:

  1. Nonce 'k'
  2. Keypair with private key 'S1' and public key 'P1' = 'S1' · G
  3. Message 'm'

Method:

  1. Calculate R = k · G
  2. Define r = x-coordinate of R (mod n)
  3. Calculate s = k^-1 · (H(m) + S1 · r) mod n

The signature is <r, s>, wrapped in six bytes of DER framing (plus a 0x00 padding byte in front of r or s when its leading byte has the top bit set) and followed by a one-byte SIGHASH type.

Signature Structure

Data structure                         Length (bytes)   Data (hex)
Sequence identifier                    1                30
Length of sequence                     1                46
Integer identifier                     1                02
Byte-length of r                       1                21
Padding (only when left(r, 1) > 7f)    1                00
r                                      32               e9d34347e597e8b335745c6f8353580f4cbdb4bcde2794ef7aab915d996642
Integer identifier                     1                02
Byte-length of s                       1                21
Padding (only when left(s, 1) > 7f)    1                00
s                                      32               df2ccb52c7243c55bde34934bd55efbdac21c74a20bb7b438d1b6de3311f
Sighash type                           1                01

NOTE: The 00 padding byte is not always needed. DER integers are signed, so when the leading byte of r (or s) is greater than 7f a 00 byte is prepended to keep the value positive; when present it is counted in the byte-length field, which is why the length reads 21 (33 bytes) rather than 20.

When serialised the signature looks like this:

3046022100e9d34347e597e8b335745c6f8353580f4cbdb4bcde2794ef7aab915d996642022100df2ccb52c7243c55bde34934bd55efbdac21c74a20bb7b438d1b6de3311f01

Note that the r and s values as reproduced here are shorter than the 33 bytes each 21 length field declares; in a well-formed encoding every INTEGER carries exactly the number of bytes its length byte states, and the extraction script below relies on that.

Extracting r

The following piece of script pulls r out of the signature string by first extracting the length of r, which is the 4th byte of the signature, and then using it to split r from the remainder. The bytes obtained are the DER INTEGER payload of r, so they include the leading 0x00 padding byte whenever one is present; the <Hash(r)> committed in the locking script must be computed over exactly these bytes.

OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP

Stack               | Script                                                              | Description
<sig>               | OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP          | scriptSig is loaded, signature on the stack
<3 bytes> <sig'>    | OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP                        | First 3 bytes of the signature are split off
<sig'>              | OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP                               | 3-byte data item is removed
<r length> <sig">   | OP_SWAP OP_SPLIT OP_DROP                                             | 1 byte containing the length of r is split from sig'
<sig"> <r length>   | OP_SPLIT OP_DROP                                                     | r length parameter is moved to the top of the stack
<r> <sig'">         | OP_DROP                                                              | r is split from sig"
<r>                 |                                                                      | sig'" is dropped from the stack, leaving r

P2RPH

Packaging this subscript into the following gives a Pay to R-Puzzle Hash script: OP_OVER OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP OP_HASH160 <Hash(r)> OP_EQUALVERIFY OP_CHECKSIG

It is spent with an unlocking script of <sig> <pubkey>. OP_OVER copies the signature to the top of the stack, the subscript reduces that copy to r, OP_HASH160 and OP_EQUALVERIFY check it against the committed hash, and OP_CHECKSIG then verifies the original signature against the supplied public key. Note that OP_CHECKSIG accepts any public key that matches the signature, which is what allows the spender to choose the keypair freely.

Security Considerations

Protecting Private Keys

Anyone who knows the value of k can derive the private key from a single signature made with it, since S1 = r^-1 · (s · k - H(m)) mod n. In an R-puzzle the value k is, by design, known to the party who set the puzzle as well as to the solver, so the solver's signing key is exposed to them as soon as the spend is published. Independently, if two signatures are published that use the same k under the same private key, anyone can recover k from the pair, k = (H(m1) - H(m2)) / (s1 - s2) mod n, and from it the private key.

To mitigate this, ensure that the same k value and private key are never used to create more than one signature, and do not sign R-puzzle spends with a private key that guards anything other than the output being spent.

Signature Forgeability

Given an R-puzzle signature <r, s>, a public key P, and a message m, a forger can choose a different message m' and calculate a new public key P' such that:

P' = P + [ r^-1 · ( H(m) - H(m') ) ] · G

Then the signature <r, s> is a valid signature on message m' with respect to the public key P'. This works because the private key S1' = S1 + r^-1 · (H(m) - H(m')) behind P' satisfies H(m') + S1' · r = H(m) + S1 · r = s · k, so the verification equation for <r, s> holds unchanged. Note that the forger does not know and does not need to know the private key corresponding to P' (or to P) in this forgery; only the public key P is required.

When implementing R-puzzle, it is important to take this into account: the P2RPH script above checks only that the signature's r matches the puzzle and that the signature verifies under whatever public key is supplied, so an observer of one spend can construct an apparently valid (r, s, P', m') for a message of their choosing.

One way to mitigate this is to require another signature to prove that the signer knows the private key corresponding to the public key used in the R-puzzle. That is, two signatures in the unlocking script, <r, s> and <r', s'>, and one public key P. Both signatures must be valid under the same public key P, and r' must not equal r: if the second signature reused the same k, the pair would leak the private key as described in the first security consideration. Because the forger does not know the private key of P', they cannot produce the second signature under it.

This mitigation uses the following unlocking script:

<sig'> <pubkey> <sigr>

which spends outputs with the following script:

OP_DUP OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP OP_HASH160 <rhash> OP_EQUALVERIFY OP_OVER OP_CHECKSIGVERIFY OP_CHECKSIG
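The following Python program is an added worked example for this page; it is not code from the BSV wiki or from any BSV library. It implements ECDSA on secp256k1 in pure Python with an explicit nonce k, serialises the signature in the DER layout shown in the Signature Structure table, pulls r out of those bytes the way the OP_3 OP_SPLIT ... OP_DROP sequence does, evaluates the P2RPH condition, and then exercises both security considerations: the public-key forgery P' = P + r^-1 (H(m) - H(m')) · G and recovery of the private key from a known or reused k. Assumptions: the transaction sighash preimage is out of scope, so H(m) is a double SHA-256 of the raw message; the key, nonce and messages are constructed demo values; and on Python builds whose OpenSSL has no RIPEMD-160 the hash160 helper falls back to double SHA-256, which changes the digest but not the logic of the check.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# Constructed demo values (not real keys): spender key S1, puzzle nonce k, two messages.
PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
K = 0xA3B2C1D0E9F8071625344352617089AB1C2D3E4F5A6B7C8D9EAFB0C1D2E3F405
MSG = b"spend output 0 to alice"
MSG2 = b"spend output 0 to mallory"

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def h_int(m):
    """H(m) as an integer. Assumption: SHA256d of m stands in for the real sighash preimage."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(m).digest()).digest(), "big")

def sign(priv, k, m):
    """ECDSA with an explicit k: R = k.G, r = x(R) mod n, s = k^-1 (H(m) + priv.r) mod n."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h_int(m) + priv * r) % N  # s not low-S normalised; N - s keeps r

def verify(pub, m, r, s):
    """Standard ECDSA check: x(H(m).s^-1.G + r.s^-1.P) mod n == r."""
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h_int(m) * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def der_int(x):
    """DER INTEGER: 02, length, minimal big-endian bytes, 00-padded when the top bit is set."""
    b = x.to_bytes(32, "big").lstrip(b"\x00")
    if b[0] & 0x80: b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b

def der_sig(r, s, sighash=0x01):
    """30, total length, INTEGER r, INTEGER s, then the one-byte SIGHASH type."""
    body = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(body)]) + body + bytes([sighash])

def extract_r(sig):
    """What 'OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP' leaves on the stack."""
    rest = sig[3:]                  # OP_3 OP_SPLIT OP_NIP: discard 30, sequence length, 02
    rlen, rest = rest[0], rest[1:]  # OP_1 OP_SPLIT OP_SWAP: peel off the length byte of r
    return rest[:rlen]              # OP_SPLIT OP_DROP: keep rlen bytes, 00 padding included

def hash160(b):
    """OP_HASH160 = RIPEMD160(SHA256(b)); SHA256d fallback only where OpenSSL lacks RIPEMD-160."""
    try:
        return hashlib.new("ripemd160", hashlib.sha256(b).digest()).digest()
    except ValueError:
        return hashlib.sha256(hashlib.sha256(b).digest()).digest()

def p2rph_unlocks(sig, pub, m, rhash):
    """The P2RPH locking script: Hash160 of the extracted r must match, then OP_CHECKSIG."""
    r_bytes = extract_r(sig)
    if hash160(r_bytes) != rhash: return False
    off = 4 + sig[3]                # start of INTEGER s: 02, length, bytes
    s = int.from_bytes(sig[off + 2:off + 2 + sig[off + 1]], "big")
    return verify(pub, m, int.from_bytes(r_bytes, "big"), s)

def forge_pubkey(pub, m, m_prime, r):
    """P' = P + r^-1 (H(m) - H(m')).G: <r, s> on m under P also verifies on m' under P'."""
    delta = (h_int(m) - h_int(m_prime)) * pow(r, -1, N) % N
    return ec_add(pub, ec_mul(delta, G))

def priv_from_known_k(k, m, r, s):
    """Whoever knows k recovers the signer's key from one signature: S1 = r^-1 (s.k - H(m))."""
    return (s * k - h_int(m)) * pow(r, -1, N) % N

def k_from_reuse(m1, s1, m2, s2):
    """Two signatures sharing k (same r) under one key leak k = (H(m1) - H(m2)) / (s1 - s2)."""
    return (h_int(m1) - h_int(m2)) * pow((s1 - s2) % N, -1, N) % N

if __name__ == "__main__":
    pub, (r, s) = ec_mul(PRIV, G), sign(PRIV, K, MSG)
    sig = der_sig(r, s); rhash = hash160(extract_r(sig))  # <Hash(r)> committed in the locking script
    print("honest spend unlocks:", p2rph_unlocks(sig, pub, MSG, rhash))
    print("same sig, forged P', new message:", p2rph_unlocks(sig, forge_pubkey(pub, MSG, MSG2, r), MSG2, rhash))
    print("S1 from k:", priv_from_known_k(K, MSG, r, s) == PRIV, "| k from reuse:", k_from_reuse(MSG, s, MSG2, sign(PRIV, K, MSG2)[1]) == K)
```

The forged public key passes the single-signature P2RPH check on a message the real signer never saw, which is exactly why the two-signature locking script above demands a second signature with a fresh r under the same public key: the forger holds no private key for P' and so cannot supply it.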

R-Puzzle Use Cases

  • Delegation of authority
  • Tokens
  • Multi-signature schemes (with advanced scripting)

Statement:

The Bitcoin (BSV) Knowledge Base project was initiated and is supported by the Bitcoin Association; for more information see the knowledge base site: https://wiki.bitcoinsv.io/

