I’m getting into the world of bitcoin lately and at the moment I’m learning the broad area of covenants (which may be gaining more attention from the community lately, see [1]). In this context, certainly BIP-0118 is relevant.
Assume hypothetically that BIP-118 is active, and suppose that a payee wants to precompile a transaction tx with ANYPREVOUT. The transaction tx makes no explicit reference to any input to be spent and will be presented later to the payer to be signed. Assume that tx is built to consume an unspent output of the payer and the amount is fully transferred to the payee, without change. So, tx will have one input and one output. I want to understand how this transaction tx should look and how it should be used in practice. I discuss below my idea about it, hoping to find someone who corrects me or improves my understanding. In the following, we assume that the fees are zero.
As I understood, tx produces a P2TR output that is spendable only via the script-path (see the taproot BIPs [3], [4] and [5] or [6] for a brief anatomy of P2TR outputs or inputs). The receiver address is a new kind of address, that has these two possible forms:

0x01 or 0x01A

where A is a 32-byte string. I think that A is a Schnorr tweaked public key, namely the x-axis component of the point Q = P + hash(P||h)⋅P, where P is a Schnorr public key (see [7] for a description of tweaked keys) and h is the hash of some script s (generally, h is the Merkle root of some Merkle tree, but I suppose that in our case the Merkle tree consists of just one level/leaf, is this correct?). Name x the private key, so xG = P, where G is a generator of the elliptic curve.
Suppose for now that we deal with addresses of the form as in [2]. So the payee address is version 1 segwit, and the witness program (the output of tx) has more or less the following form:

<h1> <h2> 0x01 <h3>

where h1 (int 64) is the amount in sat, h2 (var int) is the length of the next item and h3 is a 32-byte string that represents the x-axis of the tweaked pubkey Q.
For spending the tx output it is necessary to present a witness, that, by construction, has (strictly) more than 2 elements, see [8]. In particular, the witness has the form:

<n> <d> <s> <c>

where n is the number of witness elements, d is the data for the following s, that is the script (which, hashed, gives the h used to tweak the pubkey) and c is the control block. The control block is of the form

0xc0 <p> <b>

where 0xc0 is the leaf version (I didn't really understand it, it has something to do with the idea "leave room for future upgrades", like the version byte of segwit?), p is the internal pub key, namely the x-axis of P, and b should be a sequence of hashes that are used to reconstruct the Merkle tree. So, in our case, b = h?
So far, nothing has appeared yet that tells us that the part of the transaction that is signed (by x, the internal private key of the payee?) does not include any reference to a previous input (even though it should include the input amount; the function that calculates this part of the signed message should be SigMsg118(hash_type,ext_flag)). So, I suppose that the script s does the ANYPREVOUT-job in the following way.

- A signature (R,S) (made by the internal private key x that corresponds to p) appears in the part d above. This signature commits to all outputs, to all inputs' amounts but not to any reference to the previous inputs; the hash_type of the signature should be 0xc0, that corresponds to SIGHASH_ANYPREVOUTANYSCRIPT (actually, SIGHASH_ANYPREVOUT commits to the inputs' references, as I understood; see [9]).
- Now, in the script s some kind of OP_CHECKSIG should appear, that checks the signature (R,S) against the internal pubkey p.
However, p appears in the control block c, that is after s, and actually the pubkey p is data for the script and should appear also in d. There is something that I'm missing in the logic.
So far, I discussed how to spend the output of the transaction tx that uses ANYPREVOUT. But before this, tx should be validated and for doing so, it must consume some input. As mentioned at the beginning of the question, once tx is created as above, it is sent to the payer, who puts in the input's missing data. So, he adds to tx the following:

- the input's reference, namely a previous transaction hash and the index of the unspent output that is going to be consumed;
- the signature of the input with sighash-type SIGHASH_NONE|ANYONECANPAY. For instance, the unlocking script with a signature SIGHASH_NONE|ANYONECANPAY in the case that the input is P2PKH, or the witness, if the input is segwit, that should contain again some SIGHASH_NONE|ANYONECANPAY-part (actually it can be any kind of input, not just P2PKH or P2WPKH).
Now, there is one more problem, namely that the payer is supposed to have an unspent output of the exact value of the funds he wants to send to the payee. Suppose that this is not the case and the payer has only unspent outputs of larger amounts. So, a change is needed and the transaction tx will have two outputs as before. The change is an output as before, that requires the machinery of BIP-118 to be spent. So, is it correct to say that the payer signs the transaction only if his wallet is BIP-118-aware?
One final query. In 10, Michael Folkson kindly defined me how BIP-118 offers with addresses of the shape 0x01
. However how they’re imagined to work in all on this context? How all of the equipment I mentioned above works with BIP-118 1-byte addresses?
I'm aware that I wrote a kind of long question, with details, and this exposes me to a high risk of errors. I ask whoever answers to correct me if necessary; this is useful to me and will help people who struggle with this context in the future. Thanks for the attention.
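The pieces the question juggles (the P2TR output, the single tapleaf script carrying a BIP-118 key, the control block, and why the internal key p lives in the control block rather than in the witness data d) fit together as follows. This is an added example, not code from the question or from any BIP reference implementation, and it assumes the BIP-341 commitment Q = P + t·G with t = tagged_hash("TapTweak", x(P) || merkle_root), the BIP-118 key encodings in tapscript (the 33-byte form 0x01 || x-only key, or the single byte 0x01 meaning the internal key), and constructed values for the private key and the amount. Signing is deliberately left out; the point is the commitment structure that a verifier checks before any signature is evaluated: from the control block it learns p and the Merkle path, recomputes h from the script s, derives Q, and only accepts s if Q matches the output. That is why p does not have to be pushed in d.

```python
"""Single-leaf P2TR output with a BIP-118 style tapleaf, plus the BIP-341
script-path check. Added example; values are constructed, not from the post."""
import hashlib

# secp256k1 parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):  # affine addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None   # a + (-a)
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], P - 2, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], P - 2, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def point_mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = point_add(r, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return r

def lift_x(xb):  # BIP-340: the curve point with this x and even y
    x = int.from_bytes(xb, 'big')
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    return (x, P - y if y % 2 else y)

def tagged_hash(tag, data):  # BIP-340 tagged hash
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + data).digest()

def compact_size(n):  # var int; only short values occur here
    return bytes([n]) if n < 0xfd else b'\xfd' + n.to_bytes(2, 'little')

LEAF_VERSION = 0xc0          # tapscript leaf version
OP_1, OP_CHECKSIG = 0x51, 0xac

def apo_leaf_script(xonly_internal, full_key=True):
    # BIP-118 key in tapscript: 0x01||32-byte key, or the lone byte 0x01 that
    # refers to the taproot internal key; either is followed by OP_CHECKSIG.
    key = b'\x01' + xonly_internal if full_key else b'\x01'
    return bytes([len(key)]) + key + bytes([OP_CHECKSIG])

def leaf_hash(script):
    return tagged_hash("TapLeaf", bytes([LEAF_VERSION]) + compact_size(len(script)) + script)

def build_p2tr(privkey, script):
    """Return (scriptPubKey, control block) for a tree with this single leaf."""
    pt = point_mul(privkey, G)
    if pt[1] % 2: pt = (pt[0], P - pt[1])      # BIP-340: x-only keys have even y
    xP = pt[0].to_bytes(32, 'big')
    root = leaf_hash(script)                    # one leaf: merkle root == leaf hash
    t = int.from_bytes(tagged_hash("TapTweak", xP + root), 'big')
    assert t < N
    Q = point_add(pt, point_mul(t, G))          # Q = P + t*G
    spk = bytes([OP_1, 0x20]) + Q[0].to_bytes(32, 'big')
    control = bytes([LEAF_VERSION | (Q[1] & 1)]) + xP   # parity bit, p, empty path
    return spk, control

def serialize_output(amount_sat, spk):  # <amount int64 LE> <varint len> <script>
    return amount_sat.to_bytes(8, 'little') + compact_size(len(spk)) + spk

def verify_script_path(spk, script, control):
    """BIP-341 script-path check: do (script, control) commit to the output key?"""
    if len(spk) != 34 or spk[:2] != bytes([OP_1, 0x20]): return False
    if len(control) < 33 or (len(control) - 33) % 32: return False
    leaf_ver, parity, xP, path = control[0] & 0xfe, control[0] & 1, control[1:33], control[33:]
    k = tagged_hash("TapLeaf", bytes([leaf_ver]) + compact_size(len(script)) + script)
    for i in range(0, len(path), 32):           # climb the tree (no steps for one leaf)
        e = path[i:i + 32]
        k = tagged_hash("TapBranch", k + e if k < e else e + k)
    t = int.from_bytes(tagged_hash("TapTweak", xP + k), 'big')
    if t >= N: return False
    Q = point_add(lift_x(xP), point_mul(t, G))
    return Q[0].to_bytes(32, 'big') == spk[2:] and (Q[1] & 1) == parity

if __name__ == "__main__":
    d = 0x1111111111111111111111111111111111111111111111111111111111111111  # constructed
    xP = point_mul(d, G)[0].to_bytes(32, 'big')
    s = apo_leaf_script(xP)
    spk, cb = build_p2tr(d, s)
    print("output  :", serialize_output(100_000, spk).hex())
    print("script  :", s.hex())
    print("control :", cb.hex())
    print("valid   :", verify_script_path(spk, s, cb))
```

Run it and compare the printed output with the question's `<h1> <h2> 0x01 <h3>` layout: 8 bytes of amount, the var int 0x22, then 0x51 0x20 and the 32-byte x-coordinate of Q. The control block is 33 bytes for a one-leaf tree, so the "sequence of hashes" b is empty here; the leaf hash of s is recomputed by the verifier, not supplied. Any change to s (for instance switching between the 33-byte and the 1-byte BIP-118 key form) changes the leaf hash and therefore the derived Q, and the same control block no longer verifies.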