Robin Linus RobinLinus

<main>
<h1>Seed Splitting</h1>
<h3>Split your BIP39 seed phrase into two of three shards.</h3>
<div class="row-reverse">
<a onclick="example()">Example</a>
</div>
<textarea id="$seedphrase" placeholder="Enter 24 word seed phrase"></textarea>
<div class="row-reverse">
<button onclick="splitSeed()">Split</button>
</div>

31-bit Commitment

This is a 31-bit commitment in Bitcoin Script.

OP_DUP
OP_TOALTSTACK

OP_DUP
<1073741824>

Commit to a Bit Value using a Schnorr Signature

This is a bit commitment (e.g. for BitVM) which allows you to commit to the value of a 1-bit variable across two different UTXOs via Schnorr signatures. If Paul equivocates on the bit's value then he leaks his private key.

Surprisingly, the commitment script doesn't need to commit to anything specific. All semantics arise from the nonces in the partial signatures. That allows you to reprogram gates after compile time.

Commitment Script

The commitment script uses OP_CODESEPARATOR such that public key P can sign off on one of two execution branches in the script. Depending on which branch is signed, the script leaves 0 or 1 on the stack.

RobinLinus / cat_ecc.md
Last active September 3, 2024 22:05
OP_CAT Enables Scalar Multiplication for EC Points

CAT can reduce curve point scalar multiplication to a subtraction in the scalar field.

Subtraction of field elements can probably be emulated in less than 250 (?) opcodes. For now, let's assume we had an (emulated) opcode, op_scalar_sub, for subtracting two elements of the scalar field of secp256k1.

Given secp's generator G, we want to compute for some scalar r the point R = rG.

That is possible by hacking it into a Schnorr signature (R,s) for the key P = xG = 1G = G.

RobinLinus / publishing-proofs.md
Last active December 17, 2025 04:51
Optimizing On-Chain Costs of Publishing Proofs for BitVM3-Style Bridges

Optimizing On-Chain Costs for Publishing Proofs in BitVM-Style Bridges

Liam Eagen came up with a clever optimization for publishing proof data in BitVM-style bridges. Instead of Lamport/Winternitz signatures, it uses adaptor signatures. The message is split into chunks (e.g., 8- or 11-bit digits), and for each digit a Schnorr signature is provided.

Naively, the unlocking script would require a separate public key for each digit. The following construction shows how to use OP_CODESEPARATOR to instead require just a single public key, regardless of the number of digits. The key idea is to use OP_CODESEPARATOR to modify the sighash so that each adaptor signature is tied to a specific digit.