Difference between revisions of "R-Puzzles"
(Created page with "An R-Puzzle is a new type of script that allows for the spending party to sign the input UTXO using any valid Bitcoin keypair. This can be used to sign Metanet node addresses...") |
|||
| Line 2: | Line 2: | ||
The R-puzzle itself uses a knowledge proof of a value called 'k' to allow the coins to be spent. 'k' must be known to the spender, and k-chains can be managed using the same deterministic techniques as Bitcoin keychains. | The R-puzzle itself uses a knowledge proof of a value called 'k' to allow the coins to be spent. 'k' must be known to the spender, and k-chains can be managed using the same deterministic techniques as Bitcoin keychains. | ||
| − | Generating an [[ECDSA]] signature involves a few steps. | + | Generating an [[Digital_Signatures_(ECDSA)|ECDSA]] signature involves a few steps. |
Inputs to the signature: | Inputs to the signature: | ||
| Line 14: | Line 14: | ||
#Calculate s = k<sup>-1</sup>(H(m) + S<sub>1</sub> * r)mod n | #Calculate s = k<sup>-1</sup>(H(m) + S<sub>1</sub> * r)mod n | ||
| − | Signature is (r, s) plus 6 bytes of formatting | + | Signature is (r, s) plus 6 bytes of formatting arranged as follows: |
| + | |||
| + | |||
| + | {| class="wikitable" | ||
| + | |- | ||
| + | ! Data Structure | ||
| + | ! Length | ||
| + | ! Data (hex) | ||
| + | |- | ||
| + | | Sequence Identifier| | ||
| + | | 1 | ||
| + | | 30 | ||
| + | |- | ||
| + | | Length of Sequence | ||
| + | | 1 | ||
| + | | 46 | ||
| + | |- | ||
| + | | Integer Identifier | ||
| + | | 1 | ||
| + | | 02 | ||
| + | |- | ||
| + | | Byte-length of r | ||
| + | | 1 | ||
| + | | 21 | ||
| + | |- | ||
| + | | Needed when left(r, 1) > 7f | ||
| + | | 1 | ||
| + | | 00 NOTE: This byte is not always needed | ||
| + | |- | ||
| + | | r | ||
| + | | 32 | ||
| + | | e9d34347e597e8b335745c6f8353580f4cbdb4bcde2794ef7aab915d996642 | ||
| + | |- | ||
| + | | Integer identifier | ||
| + | | 1 | ||
| + | | 02 | ||
| + | |- | ||
| + | | Byte-length of s | ||
| + | | 1 | ||
| + | | 21 | ||
| + | |- | ||
| + | | Needed when left(s, 1) > 7f | ||
| + | | 1 | ||
| + | | 00 | ||
| + | |- | ||
| + | | s | ||
| + | | 32| | ||
| + | | df2ccb52c7243c55bde34934bd55efbdac21c74a20bb7b438d1b6de3311f | ||
| + | |- Sighash type | ||
| + | | 1 | ||
| + | | 01 | ||
| + | |} | ||
| + | |||
| + | When serialised the signature looks like this: | ||
| + | |||
| + | ''3046022100e9d34347e597e8b335745c6f8353580f4cbdb4bcde2794ef7aab915d996642022100df2ccb52c7243c55bde34934bd55efbdac21c74a20bb7b438d1b6de3311f01'' | ||
| + | |||
| + | The following piece of script pulls R out of the signature string by extracting first the length of R which is the 4th byte of the packet, and then using it to split R from the signature. | ||
| + | |||
| + | ''OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP'' | ||
| + | |||
| + | INSERT R-PUZZLE SOLUTION HERE | ||
| + | |||
| + | Packaging this subscript into the following gives a Pay to R-Puzzle Hash script: | ||
| + | ''OP_OVER'' OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP ''OP_HASH160 <Hash(r)> OP_EQUALVERIFY OP_CHECKSIG'' | ||
Revision as of 05:48, 16 October 2019
An R-Puzzle is a new type of script that allows for the spending party to sign the input UTXO using any valid Bitcoin keypair. This can be used to sign Metanet node addresses or addresses that hold tokens, or be randomly generated. The R-puzzle itself uses a knowledge proof of a value called 'k' to allow the coins to be spent. 'k' must be known to the spender, and k-chains can be managed using the same deterministic techniques as Bitcoin keychains.
Generating an ECDSA signature involves a few steps.
Inputs to the signature:
- k value 'k'
- keypair 'P1' = 'S1' · G
- Message 'm'
Method:
- Calculate R = k · G
- Define r = x-coordinate of R
- Calculate s = k-1(H(m) + S1 * r)mod n
Signature is (r, s) plus 6 bytes of formatting arranged as follows:
| Data Structure | Length | Data (hex) |
|---|---|---|
| 1 | 30 | |
| Length of Sequence | 1 | 46 |
| Integer Identifier | 1 | 02 |
| Byte-length of r | 1 | 21 |
| Needed when left(r, 1) > 7f | 1 | 00 NOTE: This byte is not always needed |
| r | 32 | e9d34347e597e8b335745c6f8353580f4cbdb4bcde2794ef7aab915d996642 |
| Integer identifier | 1 | 02 |
| Byte-length of s | 1 | 21 |
| Needed when left(s, 1) > 7f | 1 | 00 |
| s | df2ccb52c7243c55bde34934bd55efbdac21c74a20bb7b438d1b6de3311f | |
| 1 | 01 |
When serialised the signature looks like this:
3046022100e9d34347e597e8b335745c6f8353580f4cbdb4bcde2794ef7aab915d996642022100df2ccb52c7243c55bde34934bd55efbdac21c74a20bb7b438d1b6de3311f01
The following piece of script pulls R out of the signature string by extracting first the length of R which is the 4th byte of the packet, and then using it to split R from the signature.
OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP
INSERT R-PUZZLE SOLUTION HERE
Packaging this subscript into the following gives a Pay to R-Puzzle Hash script: OP_OVER OP_3 OP_SPLIT OP_NIP OP_1 OP_SPLIT OP_SWAP OP_SPLIT OP_DROP OP_HASH160 <Hash(r)> OP_EQUALVERIFY OP_CHECKSIG