](https://coins.github.io/thx/#1K9zQ8f4iTyhKyHWmiDKt21cYX2QSDckWB?label=Coins%20Project&message=Thank%20you%20for%20your%20contribution!)
20 |
21 |
22 | ## Disclaimer
23 |
24 | > **DO NOT USE IN PRODUCTION! THE SCRIPTS ARE NOT SECURE!**
25 |
26 |
27 | ## Interesting Links
28 | - [List of new opcodes in Liquid](https://github.com/ElementsProject/elements/blob/master/doc/tapscript_opcodes.md)
29 |
--------------------------------------------------------------------------------
/atomic-swap.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/coins/bitcoin-scripts/016f919c82f9e47f7eba4029eddce714ef261fee/atomic-swap.png
--------------------------------------------------------------------------------
/betcoins.md:
--------------------------------------------------------------------------------
1 | # Betcoins - A trustless Bitcoin betting protocol
2 |
3 | Betcoins is a protocol for trustless Bitcoin bets like e.g. a coin flip. It uses only opcodes currently supported in Bitcoin Script. It allows any bet sizes, any discrete probability distributions and any payout sizes. It can be generalized to an election of a random leader.
4 |
5 | ## Naive Betting
6 |
7 | ### Simple Number Commitment
8 | A number commitment enforces a spender to reveal some secret number `N`. For a coin flip `N` is simply 0 or 1.
9 |
10 | 1. Choose secret number `N` in `{0,1}`
11 | 2. Choose secret nonce `R` which is `N + 16` bytes of randomness ( so either 16 or 17 bytes of randomness )
12 | 3. The public commitment is `C = SHA256( R )`
13 |
14 | The following scriptPubKey enforces the spender to reveal `R` and thus `N`:
15 | ```
16 | OP_DUP
17 | OP_SHA256
18 |
11 |
19 |
12 |
13 |
16 |
17 |
18 |
14 |
15 | OP_CHECKSIGVERIFY`
7 |
8 | `Using that
7 |
10 |
20 |
123 |
186 |
220 |
221 |
282 |
314 |
330 |
--------------------------------------------------------------------------------
/script-editor/readme.md:
--------------------------------------------------------------------------------
1 | # Examples
2 |
3 | -[composed opcodes (hacky)](https://coins.github.io/bitcoin-scripts/script-editor/#JHsgISEobGliID0gd2luZG93KT8nJzonJ30KCiR7IGxpYi5PUF9NVUwyID0gYE9QX0RVUCBPUF9BRERgfQokeyBsaWIuT1BfTVVMNCA9IGAke09QX01VTDJ9ICR7T1BfTVVMMn0gYH0KJHsgbGliLk9QX01VTDggPSBgJHtPUF9NVUw0fSAke09QX01VTDJ9IGB9CiR7IGxpYi5PUF9NVUwxNiA9IGAke09QX01VTDh9ICR7T1BfTVVMMn0gYH0KJHsgbGliLk9QX01VTDMyID0gYCR7T1BfTVVMMTZ9ICR7T1BfTVVMMn0gYH0K)
4 |
--------------------------------------------------------------------------------
/split-into-bits.md:
--------------------------------------------------------------------------------
1 | # Split Into Bits
2 |
3 | Algorithms to split a stack item into a string of bits.
4 |
5 | ## Lookup Table
6 |
7 | Here, we use a lookup table to circumvent the `OP_IF, OP_ELSE, OP_ENDIF` branches. This idea can get further optimized and can act as a basis to implement bitwise operations such as XOR.
8 |
9 | ```js
10 | `
11 | // Lookup table
12 | ${ 2**1 }
13 | 0
14 | ${ 2**2 }
15 | 0
16 | ${ 2**3 }
17 | 0
18 | ${ 2**4 }
19 | 0
20 | ${ 2**5 }
21 | 0
22 | ${ 2**6 }
23 | 0
24 | ${ 2**7 }
25 | 0
26 |
27 | // The input value
28 | // We use a bit string only for debugging
29 | // It's a single item on the stack
30 | ${ 0b01100001 }
31 |
32 | DUP
33 | ${ 2**7 }
34 | GREATERTHANOREQUAL
35 | 1ADD
36 | ROLL
37 | SUB
38 | SWAP
39 | TOALTSTACK
40 |
41 | DUP
42 | ${ 2**6 }
43 | GREATERTHANOREQUAL
44 | 1ADD
45 | ROLL
46 | SUB
47 | SWAP
48 | TOALTSTACK
49 |
50 | DUP
51 | ${ 2**5 }
52 | GREATERTHANOREQUAL
53 | 1ADD
54 | ROLL
55 | SUB
56 | SWAP
57 | TOALTSTACK
58 |
59 | DUP
60 | ${ 2**4 }
61 | GREATERTHANOREQUAL
62 | 1ADD
63 | ROLL
64 | SUB
65 | SWAP
66 | TOALTSTACK
67 |
68 | DUP
69 | ${ 2**3 }
70 | GREATERTHANOREQUAL
71 | 1ADD
72 | ROLL
73 | SUB
74 | SWAP
75 | TOALTSTACK
76 |
77 | DUP
78 | ${ 2**2 }
79 | GREATERTHANOREQUAL
80 | 1ADD
81 | ROLL
82 | SUB
83 | SWAP
84 | TOALTSTACK
85 |
86 | DUP
87 | ${ 2**1 }
88 | GREATERTHANOREQUAL
89 | 1ADD
90 | ROLL
91 | SUB
92 | SWAP
93 | TOALTSTACK
94 |
95 | FROMALTSTACK
96 | FROMALTSTACK
97 | FROMALTSTACK
98 | FROMALTSTACK
99 | FROMALTSTACK
100 | FROMALTSTACK
101 | FROMALTSTACK
102 |
103 | `
104 | ```
105 |
106 | #### Generic n-bit Template
107 |
108 | ```js
109 | const N = 30; // The bit length
110 |
111 | [
112 |
113 | // Push the lookup table onto the stack
114 | loop( N - 1, i => `
115 | ${ 2 ** (i + 1) }
116 | 0
117 | `),
118 |
119 | // The input value
120 | // We use a bit string for debugging
121 | // It's a single item on the stack
122 | 0b0001000000000001,
123 |
124 | // The loop
125 | loop( N - 1, i => `
126 | DUP
127 | ${ 2 ** (N - 1 - i) }
128 | GREATERTHANOREQUAL
129 | 1ADD
130 | ROLL
131 | SUB
132 | SWAP
133 | TOALTSTACK
134 | `),
135 |
136 | // Read the result from the altstack
137 | loop( N - 1, _ => `FROMALTSTACK` ),
138 |
139 | ]
140 | ```
141 |
142 |
143 | ## Nullify Leading Bits
144 |
145 | ```js
146 | const N = 16; // The bit length
147 | const T = 8; // Number of leading bits to nullify
148 |
149 | [
150 |
151 | // Push the lookup table onto the stack
152 | loop( T, i => `
153 | ${ 2 ** (N - T + i) }
154 | 0
155 | `),
156 |
157 | // The input value
158 | // We use a bit string for debugging
159 | // It's a single item on the stack
160 | 0b1010110011111111,
161 |
162 | // The loop
163 | loop( T, i => `
164 | DUP
165 | ${ 2 ** (N - 1 - i) }
166 | GREATERTHANOREQUAL
167 | 1ADD
168 | ROLL
169 | SUB
170 | NIP
171 | `),
172 |
173 | ]
174 | ```
175 |
176 | ### Reusing the Lookup Table
177 |
178 | ```js
179 | const N = 16; // The bit length
180 | const T = 8; // Number of leading bits to nullify
181 |
182 | // The loop
183 | const nullify_T_bits = loop( T, i => `
184 | DUP
185 | ${ 2 ** (N - 1 - i) }
186 | GREATERTHANOREQUAL
187 | ${ i * 2 + 1 }
188 | ADD
189 | PICK
190 | SUB
191 | `);
192 |
193 | // The loop which also drops the lookup table
194 | const nullify_T_bits_drop = loop( T, i => `
195 | DUP
196 | ${ 2 ** (N - 1 - i) }
197 | GREATERTHANOREQUAL
198 | 1ADD
199 | ROLL
200 | SUB
201 | NIP
202 | `);
203 |
204 |
205 | [
206 |
207 | // Push the lookup table onto the stack
208 | loop( T, i => `
209 | ${ 2 ** (N - T + i) }
210 | 0
211 | `),
212 |
213 | // First input
214 | 0b1010110011111110,
215 | nullify_T_bits,
216 | 'TOALTSTACK',
217 |
218 | // Second input
219 | 0b1010110011111100,
220 | nullify_T_bits,
221 | 'TOALTSTACK',
222 |
223 | // Third input
224 | 0b1010110011111000,
225 | nullify_T_bits,
226 | 'TOALTSTACK',
227 |
228 | // Fourth input
229 | 0b1010110011110000,
230 | nullify_T_bits_drop,
231 |
232 | 'FROMALTSTACK',
233 | 'FROMALTSTACK',
234 | 'FROMALTSTACK',
235 |
236 | ]
237 | ```
238 |
239 |
240 | ### Nullifying Trailing Bits
241 |
242 | ```js
243 | const N = 8; // The bit length
244 | const T = N - 6; // Number of trailing bits to nullify
245 |
246 | // The loop
247 | const nullify_T_bits = [
248 | 'DUP',
249 | loop( T, i => `
250 | DUP
251 | ${ 2 ** (N - 1 - i) }
252 | GREATERTHANOREQUAL
253 | ${ i * 2 + 2 }
254 | ADD
255 | PICK
256 | SUB
257 | `),
258 | 'SUB'
259 | ];
260 |
261 | // The loop which also drops the lookup table
262 | const nullify_T_bits_drop = [
263 | 'DUP',
264 | loop( T, i => `
265 | DUP
266 | ${ 2 ** (N - 1 - i) }
267 | GREATERTHANOREQUAL
268 | 2
269 | ADD
270 | ROLL
271 | SUB
272 | NIP
273 | `),
274 | 'SUB'
275 | ];
276 |
277 |
278 | [
279 |
280 | // Push the lookup table onto the stack
281 | loop( T, i => `
282 | ${ 2 ** (N - T + i) }
283 | 0
284 | `),
285 |
286 | // First input
287 | 0b11111110,
288 | nullify_T_bits,
289 | 'TOALTSTACK',
290 |
291 | // Second input
292 | 0b11111100,
293 | nullify_T_bits,
294 | 'TOALTSTACK',
295 |
296 | // Third input
297 | 0b11111000,
298 | nullify_T_bits,
299 | 'TOALTSTACK',
300 |
301 | // last input
302 | 0b11110000,
303 | nullify_T_bits_drop,
304 |
305 | 'FROMALTSTACK',
306 | 'FROMALTSTACK',
307 | 'FROMALTSTACK',
308 |
309 | ]
310 | ```
311 |
--------------------------------------------------------------------------------
/tic-tac-toe.md:
--------------------------------------------------------------------------------
1 | # Tic Tac Toe in a Schnorr Signature
2 |
3 | A sketch of some ideas to implement the game [Tic Tac Toe](https://en.wikipedia.org/wiki/Tic-tac-toe) in Bitcoin. This model requires only a single onchain transaction containing a single Schnorr signature.
4 | Scriptless scripts and the replace-by-fee mechanism are used to implement the full game logic.
5 |
6 | Before the game starts the tree of possible moves is scaffolded out. There are 26830 different games. Every possible move is represented by a transaction with a 2-of-2 MuSig splitting the key among both players.
7 | All of these transactions compete to spend the same output. If any transaction hits the chain it gives the bitcoins to the current player (or refunds both players in case of a draw). There are no further scripts.
8 | In the non-cooperative case older transactions are replaced by newer transactions via the replace-by-fee mechanism.
9 |
10 | 
11 |
12 | Before the game starts, each player traverses the tree of game states and signs every possible move of their opponent. The player subtracts his signature by his signature of the parent transaction that leads to this particular game state.
13 | These so-called *adapter signatures* form a tree which is exchanged upfront. This ensures a player can execute a transaction exactly if the opponent executed the preceding move, that lead to that particular game situation. The set of transactions that a player can complete at a point in time represents the set of valid moves they can choose from.
14 |
15 | Note that the index of a move is actually represented by the nonce of the signature. The message is always simply one of three possibilities: "Player A takes the money", "Player B takes the money", or "Both players are refunded."
16 |
17 | The game starts once the scaffold is complete. The two players take turns revealing signatures to each other.
18 | - In the cooperative case the players send the signatures to each other privately.
19 | - In this case only a single transaction has to be broadcasted to the bitcoin network.
20 | - In the non-cooperative case players take turns replacing each others' transactions with the replace-by-fee mechanism (RBF).
21 | - There are at most 9 rounds in Tic Tac Toe.
22 | - An honest player can always update to the most recent state without going through intermediate states.
23 | - The fee of a newer transaction is always at least 1 sat/byte higher than in the preceding round.
24 |
25 | Only one last transaction hits the chain and spends the output.
26 |
27 |
28 | ## Shortcomings
29 | - The game must end before an intermediate game state hits the chain.
30 | - Using RBF as consensus mechanism is risky. This update mechanism depends on the mempool of bitcoin miners. We assume no player cooperates with a miner.
31 | - The players have to sign and exchange the whole game tree upfront, which is about 25000 signatures per game.
32 |
33 |
--------------------------------------------------------------------------------
/tictactoe.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/coins/bitcoin-scripts/016f919c82f9e47f7eba4029eddce714ef261fee/tictactoe.png
--------------------------------------------------------------------------------
/token_auction.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/coins/bitcoin-scripts/016f919c82f9e47f7eba4029eddce714ef261fee/token_auction.png
--------------------------------------------------------------------------------
/weighted-multi-sig.md:
--------------------------------------------------------------------------------
1 | # Weighted Multi-Signature
2 |
3 | We can express a weighted n-of-m voting by duplicating keys and signatures.
4 |
5 |
6 | ## Regular Multi-Sig
7 | Regular 3-of-5 example:
8 | ```
9 | 3
10 |