scriptPubkey script for existing types of Bitcoin transaction output.
option_anchor_outputs [11] all outputs in the LN commitment transaction become P2WSH outputs, also leading to a requirement for a standard and secure way of making CC inside P2(W)SH outputs.
scriptPubkey and redeemScript must contain the commitment (made with LNPBP-1 procedure) to a given message. This commitment is deterministically singular, i.e. it can be proven that there is no other alternative message that the given transaction output commits to under this protocol. The singularity is achieved by committing to the sum of all original (i.e. before the message commitment procedure) public keys controlling the spending of a given transaction output. Thus, the given protocol covers all possible options for scriptPubkey transaction output types.
scriptPubkey value, which may be embedded into the transaction output, and an extra-transaction proof (ETP), required for the verification of the commitment. The structure and information in the proof depend on the actual scriptPubkey type.
msg, must:
OP_RETURN scriptPubkey is used, it must contain a single public key serialized in BIP-340 x-coordinate-only form right after the OP_RETURN opcode; for all other forms of OP_RETURN data the algorithm must fail;
redeemScript (for P2(W)SH and P2WSH-in-P2SH, which in case of SegWit is contained within witnessScript) or scriptPubkey (for custom bare script outputs), extracted according to the algorithm.
P.
Po from the set of the original public keys, which will contain the commitment. It is advised that the corresponding private key be controlled by the committing party, which will simplify future spending of the output.
msg, the set of original public keys P, the selected public key Po and a protocol-specific tag, provided by the upstream protocol using this standard. The procedure returns a tweaked public key T.
scriptPubkey of the required type. If OP_RETURN scriptPubkey format is used, it MUST be serialized according to the following rules:
OP_RETURN code MUST be present in the scriptPubkey and it MUST be the first byte of it;
P from step 2 of the algorithm, serialized according to the rules from [15];
scriptPubkey type: a) value of Po, corresponding to:
redeemScript (for P2SH outputs), or witnessScript (for P2WSH SegWit v0 native or P2WSH-in-P2SH SegWit legacy outputs), constructed using the set of the original public keys;
scriptPubkey from the transaction output containing the commitment;
msg to which the committing party has committed;
scriptPubkey is a part of a transaction included into the bitcoin chain containing the largest known amount of work at depth satisfying a verifying party security policy (these proofs may be reconstructed/verified by the verifying party itself using its trusted Bitcoin Core server);
scriptPubkey', matching the type of the scriptPubkey in the transaction and matching extra-transaction proof data using the tweaked version of the public key in the same way as was performed at step 4 of the commitment procedure. If there can be multiple matching scriptPubkey types for the given data, construct a variant for each of them.
scriptPubkey' values generated at the previous step, matches byte by byte the scriptPubkey provided during the reveal phase; otherwise fail the verification.
pk_h Miniscript command) and it can't be resolved against known public keys or other public keys extracted from the script, fail the procedure;
pk) add it to the list of the collected public keys;
rust-miniscript library v2.0.0 (commit 463fc1eadac2b46de1cd5ae93e8255a2ab34b906) which may be found at https://github.com/LNP-BP/rust-miniscript/commit/463fc1eadac2b46de1cd5ae93e8255a2ab34b906
S public key matching two partial sets of the public keys (containing and not containing public keys for the hashed values).
[v]c: code in Miniscript [16]), so the committing parties may have a special public key shared across them for embedding the commitment, without requiring to know the corresponding private key to spend the output.
scriptPubkey directly since it will invalidate its commitment to the Tapscript and to the intermediate key, rendering the output unspendable. Thus, we put the tweak into the underlying intermediate public key as the only available option.