<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#000000">I am working on CTV, which has cases where it's plausible you'd want a taproot tree with a NUMS point.<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif;font-size:small;color:#000000"><br></div><div dir="ltr"><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">The need for NUMS points is a little bit annoying. There are a few reasons you would want to use them instead of multisig:<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">1) Cheaper to verify/create.</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">If I have a protocol with 1000 people in it, if I add a multisig N of N to verify I need a key for all those people, and the probability of use seems low.</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">I then also need to prove to each person in the tree that their key is present. My memory on MuSig is a bit rusty, but I think they key aggregation requires sending all the public keys and re-computing. (Maybe you can compress this to O(log n) using a Merkle tree for the tweak L?)</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Further, these keys can't just be the addresses provided for those 1000 people, as if those addresses are themselves N of Ns or scripts it gets complicated, fast (and potentially broken). Instead we should ask that each participant give us a list of keys to include in the top-level. We'd also want each participant to provide</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">two signatures with that key of some piece of non-txn data (so as to prove it itself wasn't a NUMS point -- otherwise may as well skip this all and just use a top-level nums point).<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">2) Auditable.</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">If I set up an inheritance scheme, like an annuity or something, and the IRS wants me to pay taxes on what I've received, adverse inference will tell them to assume that my parent gave me a secret get all the money path and this is a tax dodge. With a NUMS point, heirs can prove there was no top-level N of N.</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">3) I simply don't want to spend it without a script condition, e.g., timelock.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Now, assuming you do want a NUMS, there is basically 4 ways to make one (that I could think of):</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">1) Public NUMS -- this is a constant, HashToCurve("I am a NUMS Point"). Anyone scanning the chain can see spends are using this constant. Hopefully everyone uses the same constant (or everyone uses 2,3,4) so that "what type of NUMS you are using" isn't a new fingerprint.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">2) Moslty Public NUMS -- I take the hash of some public data (like maybe the txid) on some well defined protocol, and use that. Anyone scanning the chain and doing an EC operation per-txid can see I'm using a constant -- maybe my HashToCurve takes 10 seconds (perhaps through a VDF to make it extra annoying for anyone who hasn't been sent the shortcut), but in practice it's no better than 1.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">3) Interactive NUMS -- I swap H(Rx), H(Ry) with the other participant and then NUMS with H(Rx || Ry). This is essentially equivalent to using a MuSig key setup where one person's key is a NUMS. Now no one passively scanning can see that it's NUMS, but I can prove to an auditor later.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">4) 1/2 RTT Async-Interactive NUMS -- I take some public salt -- say the txid T, and hash it with a piece of random data R and then HashToCurve(T || R)... I think this is secure? Not clear the txid adds any security. Now I can prove to you that the hash was based on the txid, but I've blinded it with R to stop passive observers. But I also need ot send you data out of band for R (but I already had to do this for Taproot maybe?)</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">The downsides with 3/4 is that if you lose your setup, you lose your ability to spend/prove it's private (maybe can generate R from a seed?). So better hold on to those tightly! Or use a public NUMS.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Only 3,4 provide any "real" privacy benefit and at a small hit to likelihood of losing funds (more non-deterministic data to store). I guess the question becomes how likely are we to have support for generating a bunch of NUMS points?</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Comparing with this proposal which removes the NUMS requirement:<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">1) NUMS/Taproot anonymity set *until* spend, MAST set after spend</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">2) No complexity around NUMS generation/storage</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">3) If people don't have ecosystem-wide consistent NUMS practices, leads to additional privacy leak v.s. bare MAST which would be equivalent to case 1 (Public NUMS)</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">4) Slightly less chain overhead (32 bytes/8 vbytes).</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">5) Slightly faster chain validation (EC Point tweak is what like 10,000 - 100,000 times slower than a hash?)</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Matt raises a interesting point in the other thread, which is that if we put the option for a more private NUMS thing, someone will eventually write software for it. But that seems to be irrespective of if we make no-NUMS an option for bare MAST spends.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Overall I think this is a reasonable proposal. It effectively only introduces bare MAST to prevent the case where people are using a few different Public NUMS leaking metadata by putting incentive to use the same one -- none. Using a private NUMS is unaffected incentive wise as it's essentially just paying a bit more to be in the larger anonymity set. I think it makes some class of users better off, and no one else worse off, so this change seems Pareto.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Thus I'm in favor of adding a rule like this.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">I think reasonable alternative responses to accepting this proposed change would be to:</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">1) Add a BIP for a standard Public NUMS Point exported through secp256k1 to head off people defining their own point.</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">2) Add a discounting rule if the point P is the Public NUMS that discounts the extra weight somehow.<br></div></div><div dir="ltr"><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">3) Take a Bit out of the leaf version portion of C[0] to denote Public NUMS and then elide having to include the point (as it's just standard). This has the benefit of not needing as much code-change as The Group's proposed change, but the downside of still requiring an extra EC Mul in validation.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Rejecting the proposal is also, IMO, reasonable. On my personal preferences, I'd rather get something like Taproot and MAST available sooner than later, even if there are small quirks on privacy and cost, and ignore a small benefit rule change/exception that would hold it up by more than a month or two. I don't see why a small tweak would add substantial delay, but I think other BIP authors/reviewers would be able to better comment.<br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Best,</div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default"><br></div><div style="font-family:arial,helvetica,sans-serif;font-size:small;color:rgb(0,0,0)" class="gmail_default">Jeremy<br></div><br></div><div dir="ltr">--<br><a href="https://twitter.com/JeremyRubin" target="_blank">@JeremyRubin</a></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Feb 9, 2020 at 12:25 PM Bryan Bishop via bitcoin-dev <<a href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">The following is a message forwarded from an anonymous email that, for whatever reason, couldn't be relayed through the mailing list without my assistance. This is message (3/3).<br></div><div><br></div>This email is the third of a collection of sentiments from a group of developers<br>who in aggregate prefer to remain anonymous. These emails have been sent under a<br>pseudonym so as to keep the focus of discussion on the merits of the technical<br>issues, rather than miring the discussion in personal politics. Our goal isn't<br>to cause a schism, but rather to help figure out what the path forward is with<br>Taproot. To that end, we:<br><br>1) Discuss the merits of Taproot's design versus simpler alternatives (see<br>thread subject, "Taproot (and Graftroot) Complexity").<br>2) Propose an alternative path to deploying the technologies described in<br>BIP-340, BIP-341, and BIP-342 (see thread subject, "An Alternative Deployment<br>Path for Taproot Technologies").<br>3) Suggest a modification to Taproot to reduce some of the overhead (see thread<br>subject, "Taproot Public NUMS Optimization").<br><br>We propose to modify Taproot's specification in BIP-341 by adding the rule:<br><br>If there is one element on the witness stack:<br><br>1) Attempt hashing it to see if it's equal to the witness program. The first<br>byte is the control byte for leaf versioning.<br>2) If it's not the witness program, and it's 65 bytes, try signature validation<br><br>If there is more than one element on the witness stack:<br><br>If the control block is even, treat it as a non-Taproot MAST and get the leaf<br>version as the last byte of the script (so you can pop it off before hashing).<br><br><br>If greater anonymity is required, a NUMS point can still be used in Taproot, at<br>the expense of the additional data. However, if NUMS points are just a couple<br>well known constants this could actually decrease privacy as then the NUMS<br>points could differ from application to application fingerprinting wallets.<br>Instead, the NUMS point should only be used when a single use nonce can be<br>sent, so that NUMS cannot be distinguished from a normal Taproot to a third<br>party who doesn't know the setup (e.g., that the NUMS is H(X) for known X).<br><br><br>Great thanks,<br><br>The Group<br><br><br><div dir="ltr">- Bryan<br><a href="http://heybryan.org/" target="_blank">http://heybryan.org/</a><br>1 512 203 0507</div></div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href="mailto:bitcoin-dev@lists.linuxfoundation.org" target="_blank">bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" rel="noreferrer" target="_blank">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a><br>
</blockquote></div>