Add: Proving general computation section
moonsettler committed Nov 27, 2024
1 parent c49bc72 commit e9540a2
Showing 1 changed file with 19 additions and 20 deletions.
39 changes: 19 additions & 20 deletions bip-PC.md
Expand Up @@ -119,26 +119,6 @@ ELSE
<settlement-n-hash> CTV
ENDIF
```

### Use for proving computation

Merkle trees can be used to prove out computation where the root of the tree
represents the function and the leaves represent the inputs and output. There
are practical limits to the entropy space for the inputs as it needs to be
iterated over and hashed up.

Currently MAST trees can cover 128 bits of entropy space, which is well over
the practical limits to iterate over and merklize. Therefore we assume this
capability does not materially extend what computations are possible to prove
out in bitcoin script. While `OP_PAIRCOMMIT` is not limited to a height of 128,
that should not be practically feasible to utilize.

There is a way to reduce the size of the witness for proving out computation,
by eliminating the merkle path inclusion proofs, using `OP_CHECKSIGFROMSTACK`
together with `OP_PAIRCOMMIT`. This method involves deleted key assumptions,
most likely using MPC to create an enormous amount of signatures for the stack
elements representing the inputs and the output of the function.

## Reference Implementation

A reference implementation is provided here:
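
Review bot: The blank line between the closing code fence of the script example and `## Reference Implementation` is removed along with the section. The header keeps only 6 lines (119,26 to 119,6), and those are the two script lines, the fence, the heading, one blank line and "A reference implementation is provided here:", so the fence now sits directly above the heading. Keep one blank line there, matching the spacing the file uses before `### Proving general computation` and `## Backward Compatibility`.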
Expand Down Expand Up @@ -180,6 +160,25 @@ various reasons, either for expanding the scope or for unnecessary complexity:
* OP_CHECKSIGFROMSTACK on n elements as message
* OP_VECTORCOMMIT: generalized form for n > 2 elements

### Proving general computation

Merkle trees can be used to prove out computation where the root of the tree
represents the *function* and the leaves represent the *inputs* and *output*.
There are practical limits to the entropy space for the *inputs* as it needs
to be iterated over and hashed up.

Currently MAST trees can cover 128 bits of entropy space, which is well over
the practical limits to iterate over and merklize. Therefore we assume this
capability does not materially extend what computations are possible to prove
out in bitcoin script. While `OP_PAIRCOMMIT` is not limited to a height of 128,
that should not be practically feasible to utilize.

There is a way to reduce the size of the witness for proving out computation,
by eliminating the merkle path inclusion proofs, using `OP_CHECKSIGFROMSTACK`
together with `OP_PAIRCOMMIT`. This method involves deleted key assumptions,
most likely using MPC to create an enormous amount of signatures for the stack
elements representing the *inputs* and the *output* of the *function*.

## Backward Compatibility

By constraining the behavior of OP_SUCCESS opcodes, deployment of the BIP
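
Review bot: The third paragraph of the new section leaves its security conclusion unstated. It describes shrinking the witness with `OP_CHECKSIGFROMSTACK` plus `OP_PAIRCOMMIT` under "deleted key assumptions", but does not say whether this changes the second paragraph's claim that the capability "does not materially extend what computations are possible to prove out in bitcoin script". Add a closing sentence that states the conclusion for the signature-based method and what the deleted-key assumption requires the verifier to trust. In the second paragraph, "that should not be practically feasible to utilize" would also read more clearly if it named what "that" is (a tree height above 128).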