Review markups for chapter 2.2

jnewbery · jnewbery · commit 407792b0629b · 2020-01-03T17:21:04.000-05:00
diff --git a/2.2-taptweak.ipynb b/2.2-taptweak.ipynb
@@ -7,6 +7,7 @@
    "outputs": [],
    "source": [
     "import random\n",
+    "from io import BytesIO\n",
     "\n",
     "import util\n",
     "from test_framework.address import program_to_witness\n",
@@ -22,11 +23,11 @@
    "source": [
     "# 2.2 TapTweak\n",
     "\n",
-    "* Part 1: Tweaking the public key and commitment schemes with tweaks\n",
+    "* Part 1: Tweaking the public key; commitment schemes with tweaks\n",
     "* Part 2: Spending a (tweaked) taproot output along the key path\n",
-    "* Part 3 (Case Study): Contract commitments\n",
+    "* Part 3 (Case Study): contract commitments\n",
     "\n",
-    "The linear property of bip-schnorr means that we can encode a commitment into a public key, and then reveal that commitment when signing with the private key. We do that by _tweaking_ the private key with the commitment, and using the associated _tweaked_ pubkey. When signing, we can reveal that the original private key was tweaked by the commitment.\n",
+    "The linear property of bip-schnorr means that we can encode a commitment into a public key, and then reveal that commitment when signing with the private key. We do that by _tweaking_ the private key with the commitment, and using the associated _tweaked_ pubkey. When signing, we can reveal that the original keys were tweaked by the commitment.\n",
     "\n",
     "In part 1, we'll learn about how private/public key pairs can be tweaked, and how we can use that to create a secure commitment scheme. In part 2, we'll create a segwit v1 output and spend it along the key path, using a tweaked private and public key. Part 3 of this chapter is a case study, showing how pay-to-contract with tweaked keys can be used instead of OP_RETURN outputs to create timestamped commitments."
    ]
@@ -77,9 +78,9 @@
     "\n",
     "print(\"Private key: {}\\nPublic key: {}\\n\".format(privkey.secret, pubkey.get_bytes().hex()))\n",
     "\n",
-    "# Generate a random tweak 0 < t < SECP256K1_ORDER and its associated point\n",
+    "# Generate a random tweak scalar 0 < t < SECP256K1_ORDER and derive its associated tweak point\n",
     "tweak = random.randrange(1, SECP256K1_ORDER)\n",
-    "tweak_private = ECKey().set(tweak, True)\n",
+    "tweak_private = ECKey().set(tweak)\n",
     "tweak_point = tweak_private.get_pubkey()\n",
     "print(\"Tweak scalar: {}\\nTweak point: {}\\n\".format(tweak_private.secret, tweak_point.get_bytes().hex()))\n",
     "\n",
@@ -103,7 +104,7 @@
     "\n",
     "In this exercise, we tweak an MuSig aggregate pubkey, and then sign for it using the individual participant keys. The MuSig pubkey aggregation step is done for you.\n",
     "\n",
-    "_Question: Which participant(s) need to tweak their private keys?_"
+    "_Question: How is the tweak incorporated into the final signature?_"
    ]
   },
   {
@@ -172,7 +173,7 @@
    "source": [
     "#### Example 2.2.3: Tweaking a public key Q with commitment data\n",
     "\n",
-    "In this example we demonstrate an insecure commitment scheme. The committed value `c` can be trivially modified to `c'`. The public key point equation `Q = x'G + c'G` still holds and is equal to the same point Q. An alternative secret `x` can also be solved for.\n",
+    "In this example we demonstrate an insecure commitment scheme. The committed value `c` can be trivially modified to `c'`, and by setting `x'` to `x + c - c'`, the public key point equation `Q = x'G + c'G` still holds.\n",
     "\n",
     "First, we commit a contract between Alice and Bob and then demonstrate how this unsafe commitment can be changed.\n",
     "\n",
@@ -340,7 +341,7 @@
    "outputs": [],
    "source": [
     "# Example key pair\n",
-    "privkey = ECKey().set(102118636618570133408735518698955378316807974995033705330357303547139065928052, True)\n",
+    "privkey = ECKey().set(102118636618570133408735518698955378316807974995033705330357303547139065928052)\n",
     "internal_pubkey = privkey.get_pubkey()\n",
     "\n",
     "# Example tweak\n",
@@ -513,7 +514,9 @@
     "\n",
     "# Fetch the oldest unspent outpoint in the Bitcoin Core wallet\n",
     "unspent_txid = node.listunspent(1)[-1][\"txid\"]\n",
-    "unspent_outpoint = COutPoint(int(unspent_txid,16), 0)"
+    "unspent_outpoint = COutPoint(int(unspent_txid,16), 0)\n",
+    "\n",
+    "print(\"Unspent coin: txid:{}, n:{}\".format(unspent_outpoint.hash, unspent_outpoint.n))"
    ]
   },
   {
@@ -522,7 +525,7 @@
    "source": [
     "#### Example 2.2.12: Create and broadcast a transaction with an OP_RETURN output\n",
     "\n",
-    "We now construct a OP_RETURN output which contains the commitment data of Alice's contract with Bob, and then add it to a transaction with a regular P2WPKH output. This way, the commitment can be done more efficiently, by sharing transaction data with another spendable output."
+    "We now construct a zero-value OP_RETURN output which contains the commitment data of Alice's contract with Bob. We also add a regular P2WPKH output back to Alice to return the funds from the transaction input (less the transaction fee)."
    ]
   },
   {
@@ -538,10 +541,10 @@
     "op_return_tx_in = CTxIn(outpoint=unspent_outpoint, nSequence=0)\n",
     "op_return_tx.vin = [op_return_tx_in]\n",
     "\n",
-    "# Output 0) Alice's destination address\n",
+    "# Output 0) Alice's change address\n",
     "address_alice = node.getnewaddress(address_type=\"bech32\")\n",
     "p2wpkh_output_script = bytes.fromhex(node.getaddressinfo(address_alice)['scriptPubKey'])\n",
-    "p2wpkh_output_amount_sat = 100_000_000\n",
+    "p2wpkh_output_amount_sat = 4_950_000_000  # remove transaction fee from output amount\n",
     "p2wpkh_output = CTxOut(nValue=p2wpkh_output_amount_sat, scriptPubKey=p2wpkh_output_script)\n",
     "\n",
     "# Output 1) OP_RETURN with Alice's commitment\n",
@@ -562,6 +565,7 @@
     "print(\"The total transaction weight is: {}\\n\".format(op_return_tx_decoded['weight']))\n",
     "\n",
     "# Test mempool acceptance\n",
+    "print(node.testmempoolaccept(rawtxs=[op_return_tx_hex_signed], maxfeerate=0))\n",
     "assert node.testmempoolaccept(rawtxs=[op_return_tx_hex_signed], maxfeerate=0)[0]['allowed']\n",
     "print(\"Success!\")"
    ]
diff --git a/solutions/2.2-taptweak-solutions.ipynb b/solutions/2.2-taptweak-solutions.ipynb
@@ -50,6 +50,8 @@
     "# needs to be added to the list of partial signatures\n",
     "# Method: sign_musig(private_key, nonce_key, nonce_point, public_key, msg)\n",
     "# Method: aggregate_musig_signatures(partial_signature_list, aggregate nonce)\n",
+    "# Note: The tweak multiplied by the musig_digest is added to the partial signature list.\n",
+    "#       This is equivalent to tweaking the private key for a single signer.\n",
     "e = musig_digest(R_agg, agg_pubkey_tweaked, msg)\n",
     "s1 = sign_musig(privkey1_c, k1, R_agg, agg_pubkey_tweaked, msg)\n",
     "s2 = sign_musig(privkey2_c, k2, R_agg, agg_pubkey_tweaked, msg)\n",
@@ -73,7 +75,7 @@
    "outputs": [],
    "source": [
     "# Example key pair\n",
-    "privkey = ECKey().set(102118636618570133408735518698955378316807974995033705330357303547139065928052, True)\n",
+    "privkey = ECKey().set(102118636618570133408735518698955378316807974995033705330357303547139065928052)\n",
     "internal_pubkey = privkey.get_pubkey()\n",
     "\n",
     "# Example tweak\n",
