Added mini-case study OP_RETURN vs pay-to-contract.

Author: jachiang

2.2-taptweak.ipynb

@@ -6,14 +6,15 @@
    "metadata": {},
    "outputs": [],
    "source": [
+    "from io import BytesIO\n",
     "import random\n",
     "\n",
     "import util\n",
     "from test_framework.address import program_to_witness\n",
-    "from test_framework.key import ECKey, SECP256K1_ORDER, generate_key_pair, generate_schnorr_nonce\n",
+    "from test_framework.key import ECKey, ECPubKey, SECP256K1_ORDER, generate_key_pair, generate_schnorr_nonce\n",
     "from test_framework.messages import CScriptWitness, CTxInWitness, sha256\n",
     "from test_framework.musig import generate_musig_key, aggregate_schnorr_nonces, sign_musig, aggregate_musig_signatures\n",
-    "from test_framework.script import TaprootSignatureHash, SIGHASH_ALL_TAPROOT"
+    "from test_framework.script import TaprootSignatureHash, SIGHASH_ALL_TAPROOT, OP_RETURN, CTransaction"
    ]
   },
   {
@@ -442,6 +443,262 @@
     "test.shutdown()"
    ]
   },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "## Part 3 (Case Study): Contract Commitments\n",
+    "\n",
+    "Alice currently commits contracts with Bob to unspendable OP_RETURN outputs, which contain 32B proof-of-existence commitments. Although this is a standard output with a zero amount, several disadvantages remain.\n",
+    "\n",
+    "* Committing data to an OP_RETURN output requires an additional output with a zero amount, resulting in a higher transaction fees.\n",
+    "* The OP_RETURN output reveals the presence of a data commitment to any on-chain observer. This reduces the privacy of Alice's commitments.\n",
+    "\n",
+    "In this chapter, we'll show how Alice can move her contract commitments to public key tweaks to reduce fees and improve the privacy of her commitments."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### Committing contract data to an OP_RETURN output\n",
+    "\n",
+    "We'll first show Alice's current setup: An OP_RETURN script containing commitment data."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### Example 2.2.9: Create the contract commitment"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "contract_bytes = \"Alice pays 10 BTC to Bob\".encode('utf-8')\n",
+    "commitment_bytes = sha256(contract_bytes)\n",
+    "print(\"The contract commitment is: {}\".format(commitment_bytes.hex()))"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### Example 2.2.10: Create and broadcast a transaction with an OP_RETURN output\n",
+    "\n",
+    "We now construct a OP_RETURN output which contains the commitment data of Alice's contract with Bob, and then add it to a transaction with a regular pay-to-pubkey output. This way, the commitment can be done more efficiently, by sharing transaction data with another spendable output."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Start node\n",
+    "test = util.TestWrapper()\n",
+    "test.setup()\n",
+    "node = test.nodes[0]\n",
+    "\n",
+    "# Generate coins to a new wallet address\n",
+    "coinbase_address = node.getnewaddress(address_type=\"bech32\")\n",
+    "node.generatetoaddress(101, coinbase_address)\n",
+    "balance = node.getbalance()\n",
+    "assert balance > 1\n",
+    "\n",
+    "# Spend wallet utxo with a transaction containing two outputs\n",
+    "# Output 0) OP_RETURN with Alice's commitment\n",
+    "# Output 1) Segwit destination address\n",
+    "unspent_txid = node.listunspent(1)[-1][\"txid\"]\n",
+    "inputs = [{\"txid\": unspent_txid, \"vout\": 0}]\n",
+    "address_alice = node.getnewaddress(address_type=\"bech32\")\n",
+    "tx_hex = node.createrawtransaction(inputs=inputs, outputs=[{\"data\": commitment_bytes.hex()}, {address_alice : 1}])\n",
+    "\n",
+    "# Sign for transaction\n",
+    "res = node.signrawtransactionwithwallet(hexstring=tx_hex)\n",
+    "tx_hex = res[\"hex\"]\n",
+    "assert res[\"complete\"]\n",
+    "assert 'errors' not in res\n",
+    "\n",
+    "# Broadcast transaction\n",
+    "txid = node.sendrawtransaction(hexstring=tx_hex, maxfeerate=0)\n",
+    "tx_op_return_hex = node.getrawtransaction(txid)\n",
+    "\n",
+    "# Reconstruct wallet transaction locally\n",
+    "tx_op_return = CTransaction()\n",
+    "tx_op_return.deserialize(BytesIO(bytes.fromhex(tx_hex)))\n",
+    "tx_op_return.rehash()\n",
+    "\n",
+    "# Confirm details of the OP_RETURN output\n",
+    "output = tx_op_return.vout[0]\n",
+    "print(\"The OP_RETURN output script is: {}\".format(output.scriptPubKey.hex()))\n",
+    "print(\"The OP_RETURN output value is: {}\".format(output.nValue))\n",
+    "\n",
+    "# Note the total weight of the transaction with a dedicated OP_RETURN commitment output\n",
+    "print(\"The total transaction weight is: {}\\n\".format(node.decoderawtransaction(tx_op_return_hex)['weight']))"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "### Committing contract data with the pay-to-contract scheme\n",
+    "\n",
+    "Next, we will commit Alice's contract to a spendable pay-to-pubkey output with the pay-to-contract commitment scheme."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### _Programming Exercise 2.2.11:_ Generate segwit v1 address for a pay-to-contract public key\n",
+    "\n",
+    "Commit the contract to Alice's public key with the pay-to-contract commitment scheme, and then generate the corresponding segwit v1 address."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Generate a key pair\n",
+    "privkey, pubkey = generate_key_pair()\n",
+    "\n",
+    "# Generate the pay-to-contract tweak\n",
+    "contract_bytes = \"Alice pays 10 BTC to Bob\".encode('utf-8')\n",
+    "tweak_private = # TODO: implement\n",
+    "tweak_point = # TODO: implement\n",
+    "\n",
+    "# Tweak Alice's key pair with the pay-to-contract tweak\n",
+    "tweaked_pubkey = # TODO: implement\n",
+    "tweaked_privkey = # TODO: implement\n",
+    "\n",
+    "# Generate the segwit v1 address\n",
+    "tweaked_pubkey_data = # TODO: implement\n",
+    "tweaked_pubkey_program = # TODO: implement\n",
+    "version = 1\n",
+    "address = program_to_witness(version, tweaked_pubkey_program)\n",
+    "print(\"Address encoding the segwit v1 output: \", address)"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### Example 2.1.12: Create a transaction with the Bitcoin Core wallet sending funds to the segwit v1 address\n"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "test = util.TestWrapper()\n",
+    "test.setup()\n",
+    "node = test.nodes[0]\n",
+    "\n",
+    "# Generate coins and send coins to segwit v1 address containing the pay-to-contract public key\n",
+    "tx = node.generate_and_send_coins(address)\n",
+    "print(\"Transaction {}, output 0\\nSent to {}\\n\".format(tx.hash, address))\n",
+    "print(\"Transaction weight with pay-to-contract: {}\".format(node.decoderawtransaction(tx.serialize().hex())['weight']))\n",
+    "print(\"Transaction weight with OP_RETURN: {}\\n\".format(node.decoderawtransaction(tx_op_return_hex)['weight']))"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### _Programming Exercise 2.1.13:_ Verify that the contract between Alice and Bob is committed correctly\n",
+    "\n",
+    "Extract the witness program from the segwit v1 output and that verify the pay-to-contract commitment."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Fetch output from tx\n",
+    "v1_output = tx.vout[0]\n",
+    "\n",
+    "# Extract witness program from the output script\n",
+    "program = # TODO: implement\n",
+    "\n",
+    "# Reconstruct pay-to-contract public key\n",
+    "tweaked_pubkey_bytes = # TODO: implement\n",
+    "tweaked_pubkey = # TODO: implement\n",
+    "\n",
+    "# Verify pay-to-contract commitment is correct\n",
+    "contract_bytes = \"Alice pays 10 BTC to Bob\".encode('utf-8')\n",
+    "ss = pubkey.get_bytes()\n",
+    "ss += sha256(contract_bytes)\n",
+    "t = sha256(ss)\n",
+    "assert pubkey.tweak_add(t) == tweaked_pubkey\n",
+    "print(\"Contract commitment is correct!\")"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### Example 2.1.14 : Construct a CTransaction to spend the pay-to-contract public key\n",
+    "\n",
+    "Unlike an OP_RETURN output, the tweaked pay-to-contract public key can be spent like a regular, untweaked public key. An on-chain observer cannot determine whether a commitment was made to the public key."
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Create a spending transaction, which sends funds back to the wallet\n",
+    "spending_tx = test.create_spending_transaction(tx.hash)\n",
+    "print(\"Spending transaction:\\n{}\\n\".format(spending_tx))\n",
+    "\n",
+    "# Create sighash for ALL (0x00)\n",
+    "sighash = TaprootSignatureHash(spending_tx, [tx.vout[0]], SIGHASH_ALL_TAPROOT, input_index=0)\n",
+    "\n",
+    "# Create a valid transaction signature for the tweaked public key\n",
+    "sig = tweaked_privkey.sign_schnorr(sighash)\n",
+    "print(\"Signature of tweaked keypair is {}\\n\".format(sig.hex()))\n",
+    "\n",
+    "# Construct transaction witness\n",
+    "witness = CScriptWitness()\n",
+    "witness.stack.append(sig)\n",
+    "witness_in = CTxInWitness()\n",
+    "witness_in.scriptWitness = witness\n",
+    "spending_tx.wit.vtxinwit.append(witness_in)\n",
+    "\n",
+    "# Test mempool acceptance\n",
+    "assert node.test_transaction(spending_tx)\n",
+    "print(\"Success!\")"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### _Shutdown TestWrapper_"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Shutdown\n",
+    "test.shutdown()"
+   ]
+  },
   {
    "cell_type": "markdown",
    "metadata": {},
@@ -450,7 +707,8 @@
     "\n",
     "- Learned how to tweak a public/private key pair with a value.\n",
     "- Created an _insecure_ commitment scheme (by tweaking the keys with the raw commitment value) and a _secure_ commitment scheme (by tweaking with a hash of the commitment and the public key).\n",
-    "- Sent coins to a segwit v1 output with a tweaked public key, and later spent that output by signing with the tweaked private key."
+    "- Sent coins to a segwit v1 output with a tweaked public key, and later spent that output by signing with the tweaked private key.\n",
+    "- Improved cost and privacy of a contract commitment by moving it from an unspendable OP_RETURN output to a pay-to-contract public key."
    ]
   }
  ],

solutions/2.2-taptweak-solutions.ipynb

@@ -124,6 +124,74 @@
     "assert node.test_transaction(spending_tx)\n",
     "print(\"Success!\")"
    ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### _Programming Exercise 2.2.11:_ Generate segwit v1 address for a pay-to-contract public key"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Generate a key pair\n",
+    "privkey, pubkey = generate_key_pair()\n",
+    "\n",
+    "# Generate the pay-to-contract tweak\n",
+    "contract_bytes = \"Alice pays 10 BTC to Bob\".encode('utf-8')\n",
+    "ss = pubkey.get_bytes()\n",
+    "ss += sha256(contract_bytes)\n",
+    "t = sha256(ss)\n",
+    "tweak_private = ECKey().set(t, True)\n",
+    "tweak_point = tweak_private.get_pubkey()\n",
+    "\n",
+    "# Tweak Alice's key pair with the pay-to-contract tweak\n",
+    "tweaked_pubkey = pubkey + tweak_point\n",
+    "tweaked_privkey = privkey + tweak_private\n",
+    "\n",
+    "# Generate the segwit v1 address\n",
+    "tweaked_pubkey_data = tweaked_pubkey.get_bytes()\n",
+    "tweaked_pubkey_program = bytes([tweaked_pubkey_data[0] & 1]) + tweaked_pubkey_data[1:]\n",
+    "version = 1\n",
+    "address = program_to_witness(version, tweaked_pubkey_program)\n",
+    "print(\"Address encoding the segwit v1 output: \", address)"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {},
+   "source": [
+    "#### _Programming Exercise 2.1.13:_ Verify that the contract between Alice and Bob is committed correctly"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "# Fetch output from tx\n",
+    "v1_output = tx.vout[0]\n",
+    "\n",
+    "# Extract witness program from the output script\n",
+    "program = v1_output.scriptPubKey[2:]\n",
+    "\n",
+    "# Reconstruct pay-to-contract public key\n",
+    "tweaked_pubkey_bytes = bytes([program[0] + 2]) + program[1:]\n",
+    "tweaked_pubkey = ECPubKey().set(tweaked_pubkey_bytes)\n",
+    "\n",
+    "# Verify pay-to-contract commitment is correct\n",
+    "contract_bytes = \"Alice pays 10 BTC to Bob\".encode('utf-8')\n",
+    "ss = pubkey.get_bytes()\n",
+    "ss += sha256(contract_bytes)\n",
+    "t = sha256(ss)\n",
+    "assert pubkey.tweak_add(t) == tweaked_pubkey\n",
+    "print(\"Contract commitment is correct!\")"
+   ]
   }
  ],
  "metadata": {