Felix Crisan, profile picture
Uploaded byFelix Crisan
101 views

Bitcoin:Next

The document discusses future advancements in Bitcoin technology, focusing on concepts such as Schnorr signatures, MAST (Merkelized Abstract Syntax Tree), and Taproot. These innovations aim to improve transaction efficiency, enhance privacy, and reduce transaction sizes by allowing for aggregation and batch verification of signatures. Additionally, the introduction of new opcodes and interactive scripts is explored, highlighting their potential impact on Bitcoin's scripting capabilities.

Embed presentation

Download to read offline
What’s next for Bitcoin?
Topics ● Schnorr ● MAST ● Taproot ● Graftroot
Elliptic curves refresher (or intro, as the case might be) ● It all starts with a prime number, e.g. p=2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1 ● And a regular looking equation, such as y2 = x3 + 7 ● And a point G (x,y - calculated from x=79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798) ● ECDSA sig (r,s) => s = r-1 (H(m)+ka)
Operations ● P=kG ● One can add points on the curve P+R=Q ● One can multiply points with scalars R=xP (can be seen as R=P+P+....+P - x times) ● Most important: aG+bG=(a+b)G (translates to: sum of pubkeys has priv key the sum of privkeys)
ECDSA Img Src https://medium.com/cryptoadvance/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744
Schnorr signature Img Src https://medium.com/cryptoadvance/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744
Warning! ● The previous graphs are valid for real numbers and we’re actually working in Zp which results in a graph that looks more like a scatterplot
Real numbers vs prime field Img Src https://www.maximintegrated.com/en/app-notes/index.mvp/id/5767
Schnorr ● Signature (k priv key P=kG, m message to sign, r - random, R=rG) s = r - h(m||R)k then signature for m is (r,s) ● Verification sG = rG - h(m||R)k => S = R - h(m||R)P
Aggregation ● The immediate benefit of Schnorr sig is that they can be aggregated and batch verified => reduction in tx size + faster transaction (maybe even block) validation time ● BIP-SCHNORR (no official # yet)
Other advantages ● Provable secure in ECDLP random-oracle model (ECDSA is _not proven_) ● Non-Maleable (in ECDSA 3rd party can alter sig for P and m into another sig for P and m) ● O(1) - due to aggregation ● Batch verification
Scripts ● Any script can be represented as a tree ○ To be more specific: even as a binary tree ○ We’re talking about stack-based Bitcoin-like scripts ○ Polish notation anyone? ● This means that one can make a commitment to a script by Merkle-izing it
Example Image src https://en.cryptonomist.ch/2019/05/19/mast-bitcoin-privacy-scripts/
MAST-ized Image src https://en.cryptonomist.ch/2019/05/19/mast-bitcoin-privacy-scripts/
MAST ● Scripts can be anyway revealed only on spend (BIP 16) ● Benefit: one does not have to reveal anything than the executed path ● Saves space ● More Privacy! ● BIP 114,117
Bitcoin Scripts - P2PKH ● “Standard signature”: OP_DUP OP_HASH160 <pkh> OP_EQUALVERIFY OP_CHECKSIG ● Same thing in “SegWit lingo” OP_0 <pkh>
Bitcoin Scripts - P2SH ● P2SH OP_HASH160 <scripthash> OP_EQUAL ● In SegWit lingo (P2WSH) OP_0 <scripthash> ● The data length classifies vs previous case (20 bytes here vs 32 before)
Taproot ● P2SH and P2PKH are distinguishable ● Can we merge both? ○ E.g. ContractHash = P + h(z||P)G ● Once we do this ○ Spending means just signing with k+h(z||P) <- works even now OR ○ Provide script z and let the stack decide <- needs a new opcode
Putting it together ● New opcode (OP_NEW) ● In output OP_NEW <pubkey> ● In input (to spend) ○ Provide <signature> in P2PKH mode ○ OR ○ <P> <script>[]<arguments> (taproot) ○ <scriptsig> <script> []<arguments> (graftroot) ● BIP-TAPROOT (no official # yet)
Graftroot ● Extension of Taproot ● Focuses on the “everybody agrees” case ● Allows delegating signing to a separate script ● Is interactive (compared to Taproot which is not)
ELTOO ● SIGHASH_NOINPUT (BIP 118) ● HF only for SegWit scripts with ver>=1 ● Allows an input _not_ to reference a specific previous output (commitment to pubkey, not to input) ● Tx can be bound to any output that matches <witness> and for which <witnessProg> yields true

More Related Content

PDF
Richard Salter: Using the Titanium OpenGL Module
byAxway Appcelerator
 
PDF
Q4.11: Using GCC Auto-Vectorizer
byLinaro
 
PDF
C# Assignmet Help
byProgramming Homework Help
 
PDF
Feel++ webinar 9 27 2012
byUniversité de Strasbourg
 
DOCX
Matlab Area Calculation program
byTevfik AKKUŞ
 
PDF
Coding with Vim
byEnzo Wang
 
PDF
Inc decsourcefile
byheartplusbrain
 
PDF
The Big Three
byRoman Okolovich
 
Richard Salter: Using the Titanium OpenGL Module
byAxway Appcelerator
 
Q4.11: Using GCC Auto-Vectorizer
byLinaro
 
C# Assignmet Help
byProgramming Homework Help
 
Feel++ webinar 9 27 2012
byUniversité de Strasbourg
 
Matlab Area Calculation program
byTevfik AKKUŞ
 
Coding with Vim
byEnzo Wang
 
Inc decsourcefile
byheartplusbrain
 
The Big Three
byRoman Okolovich
 

What's hot

PPTX
Solidity
bygavofyork
 
PDF
Large Scale Vandalism Detection in Knowledge Bases: PyData Berlin 2017
byAlexey Grigorev
 
PDF
Q4.11: NEON Intrinsics
byLinaro
 
PDF
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
byOdessaJS Conf
 
PPT
ملخص البرمجة المرئية - الوحدة الثالثة
byجامعة القدس المفتوحة
 
PDF
WSDM Cup 2017: Vandalism Detection
byAlexey Grigorev
 
PDF
Bca1 pic
byjatin batra
 
PDF
Passwd crack introduction
byChia-Hao Tsai
 
PDF
C coroutine
byChien-Wei Huang
 
DOC
Praktikum Komputasi Statistika
byDian Arisona
 
PDF
Logging in JavaScript - Part-3
byIdeas2IT Technologies
 
PDF
Payment Channel Introduction
bymosa siru
 
PPTX
Fantastic caches and where to find them
byAlexey Tokar
 
PPTX
MFC Map2
byRazvan Raducanu, PhD
 
KEY
Proove Mark&Sweep GC with Coq
byHiroki Mizuno
 
PDF
201801 CSE240 Lecture 12
byJavier Gonzalez-Sanchez
 
DOCX
Doubly linklist
byilsamaryum
 
PDF
Ooprc4 b
byAnkit Dubey
 
PDF
CUDA First Programs: Computer Architecture CSE448 : UAA Alaska : Notes
bySubhajit Sahu
 
PPTX
Untitled presentation(4)
bychan20kaur
 
Solidity
bygavofyork
 
Large Scale Vandalism Detection in Knowledge Bases: PyData Berlin 2017
byAlexey Grigorev
 
Q4.11: NEON Intrinsics
byLinaro
 
Timur Shemsedinov "Пишу на колбеках, а что... (Асинхронное программирование)"
byOdessaJS Conf
 
ملخص البرمجة المرئية - الوحدة الثالثة
byجامعة القدس المفتوحة
 
WSDM Cup 2017: Vandalism Detection
byAlexey Grigorev
 
Bca1 pic
byjatin batra
 
Passwd crack introduction
byChia-Hao Tsai
 
C coroutine
byChien-Wei Huang
 
Praktikum Komputasi Statistika
byDian Arisona
 
Logging in JavaScript - Part-3
byIdeas2IT Technologies
 
Payment Channel Introduction
bymosa siru
 
Fantastic caches and where to find them
byAlexey Tokar
 
MFC Map2
byRazvan Raducanu, PhD
 
Proove Mark&Sweep GC with Coq
byHiroki Mizuno
 
201801 CSE240 Lecture 12
byJavier Gonzalez-Sanchez
 
Doubly linklist
byilsamaryum
 
Ooprc4 b
byAnkit Dubey
 
CUDA First Programs: Computer Architecture CSE448 : UAA Alaska : Notes
bySubhajit Sahu
 
Untitled presentation(4)
bychan20kaur
 

Similar to Bitcoin:Next

PPTX
lecture2 block_chain technology it is.pptx
byMaulikSidana
 
PPTX
lecture3 this is blockchain it is yes.pptx
byMaulikSidana
 
PDF
Ethereum VM and DSLs for Smart Contracts (updated on May 12th 2015)
byZvi Avraham
 
PDF
Berlin sigma-2017
byAlex Chepurnoy
 
PDF
Bitcoin protocol for developers at techfest
byAlberto Gomez Toribio
 
PPTX
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
byDace Barone
 
PDF
snarks <3 hash functions
byRebekah Mercer
 
ODP
Blockchan For Developers
byAlex Chepurnoy
 
PDF
What can Bitcoin teach us?
byMatteo Bedini
 
PPTX
Bitcoin developer guide
by承翰 蔡
 
PDF
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
byChristopher Allen
 
PDF
Bitcoin.pdf
byINSPECTORESWSS
 
PPTX
Mechanics of Bitcoin Bitcoin transaction
byTamaraRadivilova1
 
PPTX
Bitcoin cryptosecurity
byNavneet kumar
 
PPTX
J.burke HackMiami6
byJesse Burke
 
PPTX
Presentation_Topalidis_Giorgos
byGiorgos Topalidis
 
PPTX
Presentation topalidis giorgos
byGiorgos Topalidis
 
PDF
Security Model of Blockchain
bysaficus
 
PPTX
Bitcoin Technology Presentation No.1.pptx
byscottjones511
 
PPTX
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
bySvetlin Nakov
 
lecture2 block_chain technology it is.pptx
byMaulikSidana
 
lecture3 this is blockchain it is yes.pptx
byMaulikSidana
 
Ethereum VM and DSLs for Smart Contracts (updated on May 12th 2015)
byZvi Avraham
 
Berlin sigma-2017
byAlex Chepurnoy
 
Bitcoin protocol for developers at techfest
byAlberto Gomez Toribio
 
“Technical Intro to Blockhain” by Yurijs Pimenovs from Paybis at CryptoCurren...
byDace Barone
 
snarks <3 hash functions
byRebekah Mercer
 
Blockchan For Developers
byAlex Chepurnoy
 
What can Bitcoin teach us?
byMatteo Bedini
 
Bitcoin developer guide
by承翰 蔡
 
Smart Signatures—Experiments in Authentication (Stanford BPASE 2018 final)
byChristopher Allen
 
Bitcoin.pdf
byINSPECTORESWSS
 
Mechanics of Bitcoin Bitcoin transaction
byTamaraRadivilova1
 
Bitcoin cryptosecurity
byNavneet kumar
 
J.burke HackMiami6
byJesse Burke
 
Presentation_Topalidis_Giorgos
byGiorgos Topalidis
 
Presentation topalidis giorgos
byGiorgos Topalidis
 
Security Model of Blockchain
bysaficus
 
Bitcoin Technology Presentation No.1.pptx
byscottjones511
 
Blockchain Cryptography for Developers (Nakov @ BGWebSummit 2018)
bySvetlin Nakov
 

More from Felix Crisan

PDF
Big data uservices
byFelix Crisan
 
PPTX
BigData in BlockChains
byFelix Crisan
 
PDF
Lightning Network
byFelix Crisan
 
PDF
Smart contracts using web3.js
byFelix Crisan
 
PDF
Smart contracts in Solidity
byFelix Crisan
 
PDF
Mashing the data
byFelix Crisan
 
PDF
Big(data) in block(chains)
byFelix Crisan
 
PDF
Enablers for o commerce
byFelix Crisan
 
PDF
mcommad
byFelix Crisan
 
PDF
NoSQL solutions
byFelix Crisan
 
PDF
Deconstructing Lambda architectures
byFelix Crisan
 
PDF
402 @ Mobile next
byFelix Crisan
 
PDF
Presentation for the first Bucharest Big data meetup
byFelix Crisan
 
PDF
Data analysis with Pandas and Spark
byFelix Crisan
 
PDF
TCP/IP of money
byFelix Crisan
 
Big data uservices
byFelix Crisan
 
BigData in BlockChains
byFelix Crisan
 
Lightning Network
byFelix Crisan
 
Smart contracts using web3.js
byFelix Crisan
 
Smart contracts in Solidity
byFelix Crisan
 
Mashing the data
byFelix Crisan
 
Big(data) in block(chains)
byFelix Crisan
 
Enablers for o commerce
byFelix Crisan
 
mcommad
byFelix Crisan
 
NoSQL solutions
byFelix Crisan
 
Deconstructing Lambda architectures
byFelix Crisan
 
402 @ Mobile next
byFelix Crisan
 
Presentation for the first Bucharest Big data meetup
byFelix Crisan
 
Data analysis with Pandas and Spark
byFelix Crisan
 
TCP/IP of money
byFelix Crisan
 

Recently uploaded

PDF
final.pdf
byomarbishtawi04
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PPTX
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
PDF
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
PDF
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
PPTX
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
PDF
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
final.pdf
byomarbishtawi04
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
Microsoft Azure News - February 2026 - BAUG
byDaniel Toomey
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Introducing VisualSim 2610 The Next Leap in System Level Modeling
byDeepak Shankar
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
CTO Strategy OS 2026: The Tech, AI & Cloud Playbook Boards Want
byridwansassman
 
From Hallucinations to High-Confidence AI with Data Enrichment.pdf
byPrecisely
 
GenerationAI_Paris_2025_Architecting_Intelligence.pdf
byapidays
 
apidays Paris 2025 | Building Agentic Workflows
byapidays
 
Agent to agent service discovery using HashiCorp Consul and Vault
byBram Vogelaar
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 

Bitcoin:Next

  • 1.
  • 2.
    Topics ● Schnorr ● MAST ●Taproot ● Graftroot
  • 3.
    Elliptic curves refresher(or intro, as the case might be) ● It all starts with a prime number, e.g. p=2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1 ● And a regular looking equation, such as y2 = x3 + 7 ● And a point G (x,y - calculated from x=79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798) ● ECDSA sig (r,s) => s = r-1 (H(m)+ka)
  • 4.
    Operations ● P=kG ● Onecan add points on the curve P+R=Q ● One can multiply points with scalars R=xP (can be seen as R=P+P+....+P - x times) ● Most important: aG+bG=(a+b)G (translates to: sum of pubkeys has priv key the sum of privkeys)
  • 5.
  • 6.
    Schnorr signature Img Srchttps://medium.com/cryptoadvance/how-schnorr-signatures-may-improve-bitcoin-91655bcb4744
  • 7.
    Warning! ● The previousgraphs are valid for real numbers and we’re actually working in Zp which results in a graph that looks more like a scatterplot
  • 8.
    Real numbers vsprime field Img Src https://www.maximintegrated.com/en/app-notes/index.mvp/id/5767
  • 9.
    Schnorr ● Signature (kpriv key P=kG, m message to sign, r - random, R=rG) s = r - h(m||R)k then signature for m is (r,s) ● Verification sG = rG - h(m||R)k => S = R - h(m||R)P
  • 10.
    Aggregation ● The immediatebenefit of Schnorr sig is that they can be aggregated and batch verified => reduction in tx size + faster transaction (maybe even block) validation time ● BIP-SCHNORR (no official # yet)
  • 11.
    Other advantages ● Provablesecure in ECDLP random-oracle model (ECDSA is _not proven_) ● Non-Maleable (in ECDSA 3rd party can alter sig for P and m into another sig for P and m) ● O(1) - due to aggregation ● Batch verification
  • 12.
    Scripts ● Any scriptcan be represented as a tree ○ To be more specific: even as a binary tree ○ We’re talking about stack-based Bitcoin-like scripts ○ Polish notation anyone? ● This means that one can make a commitment to a script by Merkle-izing it
  • 13.
  • 14.
  • 15.
    MAST ● Scripts canbe anyway revealed only on spend (BIP 16) ● Benefit: one does not have to reveal anything than the executed path ● Saves space ● More Privacy! ● BIP 114,117
  • 16.
    Bitcoin Scripts -P2PKH ● “Standard signature”: OP_DUP OP_HASH160 <pkh> OP_EQUALVERIFY OP_CHECKSIG ● Same thing in “SegWit lingo” OP_0 <pkh>
  • 17.
    Bitcoin Scripts -P2SH ● P2SH OP_HASH160 <scripthash> OP_EQUAL ● In SegWit lingo (P2WSH) OP_0 <scripthash> ● The data length classifies vs previous case (20 bytes here vs 32 before)
  • 18.
    Taproot ● P2SH andP2PKH are distinguishable ● Can we merge both? ○ E.g. ContractHash = P + h(z||P)G ● Once we do this ○ Spending means just signing with k+h(z||P) <- works even now OR ○ Provide script z and let the stack decide <- needs a new opcode
  • 19.
    Putting it together ●New opcode (OP_NEW) ● In output OP_NEW <pubkey> ● In input (to spend) ○ Provide <signature> in P2PKH mode ○ OR ○ <P> <script>[]<arguments> (taproot) ○ <scriptsig> <script> []<arguments> (graftroot) ● BIP-TAPROOT (no official # yet)
  • 20.
    Graftroot ● Extension ofTaproot ● Focuses on the “everybody agrees” case ● Allows delegating signing to a separate script ● Is interactive (compared to Taproot which is not)
  • 21.
    ELTOO ● SIGHASH_NOINPUT (BIP118) ● HF only for SegWit scripts with ver>=1 ● Allows an input _not_ to reference a specific previous output (commitment to pubkey, not to input) ● Tx can be bound to any output that matches <witness> and for which <witnessProg> yields true