You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Bitcoin Script is an unusual stack-based language with many edge cases, designed for implementing spending conditions consisting of various combinations of
83
83
signatures, hash locks, and time locks. Yet despite being limited in functionality it is still highly nontrivial to:<ul>
84
84
<li>Given a combination of spending conditions, finding the most economical script to implement it.</li>
85
-
<li>Given a two scripts, construct a script that implements a composition of their spending conditions (e.g. a multisig where one of the "keys" is another multisig).</li>
85
+
<li>Given two scripts, construct a script that implements a composition of their spending conditions (e.g. a multisig where one of the "keys" is another multisig).</li>
86
86
<li>Given a script, find out what spending conditions it permits.</li>
87
87
<li>Given a script and access to a sufficient set of private keys, construct a general satisfying witness for it.</li>
88
88
<li>Given a script, be able to predict the cost of spending an output.</li>
89
-
<li>Given a script, know whether any code path requires violating particular resource limitations like the ops limit.</li>
89
+
<li>Given a script, know whether particular resource limitations like the ops limit might be hit when spending.</li>
90
90
</ul>
91
91
92
92
<p>
93
93
Miniscript functions as a representation for scripts that makes these sort of operations possible. It has a structure that allows composition. It is very easy to
94
94
statically analyze for various properties (spending conditions, correctness, security properties, malleability, ...). It can be targeted by spending policy compilers
95
-
(see further). Finally, compatible scripts easily can be converted to miniscript - avoiding the need for additional metadata for e.g. signing devices that support it.
95
+
(see further). Finally, compatible scripts can easily be converted to Miniscript form - avoiding the need for additional metadata for e.g. signing devices that support it.
96
96
97
97
<p>
98
98
For now, Miniscript is really only designed for P2WSH and P2SH-P2WSH embedded scripts. Most of its constructions works fine in P2SH as well, but some of the (optional) security properties
Miniscript was designed and implemented by Pieter Wuille, Andrew Poelstra, and Sanket Kanjalkar at Blockstream Research, but is the result of discussions with several other people.
103
103
104
-
105
104
<p>
106
105
Links:<ul>
107
106
<li>This <ahref="http://bitcoin.sipa.be/miniscript">website</a> and C++ compiler: <ahref="https://github.com/sipa/miniscript">[code]</a></li>
<h3class="card-header">Policy to Miniscript compiler</h3>
117
116
<divclass="card-block">
118
117
119
-
<p>Here you can see a demonstration of the Miniscript compiler. Write a spending policy following the instructions below, and observe how it affects the constructed Miniscript.
118
+
<p>Here you can see a demonstration of the Miniscript compiler. Write a spending policy according to the instructions below, and observe how it affects the constructed Miniscript.
<li><samp>pk(<em>NAME</em>)</samp>: Require public key named <em>NAME</em> to sign. <em>NAME</em> can be any string up to 16 characters.</li>
127
126
<li><samp>after(<em>NUM</em>)</samp>, <samp>older(<em>NUM</em>)</samp>: Require that the <samp>nLockTime</samp>/<samp>nSequence</samp> value is at least <em>NUM</em>. <em>NUM</em> cannot be 0.</li>
128
127
<li><samp>sha256(<em>HEX</em>)</samp>, <samp>hash256(<em>HEX</em>)</samp>: Require that the preimage of 64-character <em>HEX</em> is revealed. The special value <samp>H</samp> can be used as <em>HEX</em>.</li>
129
128
<li><samp>ripemd160(<em>HEX</em>)</samp>, <samp>hash160(<em>HEX</em>)</samp>: Require that the preimage of 40-character <em>HEX</em> is revealed. The special value <samp>H</samp> can be used as <em>HEX</em>.</li>
130
-
<li><samp>and(<em>EXPR</em>,<em>EXPR</em>)</samp>: Require that both subexpressions are satisfied.</li>
131
-
<li><samp>or([<em>N</em>@]<em>EXPR</em>,[<em>N</em>@]<em>EXPR</em>)</samp>: Require that one of the subexpressions is satisfied. The numbers N indicate the relative probability of each of the subexpressions.</li>
132
-
<li><samp>thresh(<em>NUM</em>,<em>EXPR</em>,<em>EXPR</em>,...)</samp>: Require that NUM out of the following subexpressions are satisfied (all combinations are assumed to be equally likely).</li>
129
+
<li><samp>and(<em>POL</em>,<em>POL</em>)</samp>: Require that both subpolicies are satisfied.</li>
130
+
<li><samp>or([<em>N</em>@]<em>POL</em>,[<em>N</em>@]<em>POL</em>)</samp>: Require that one of the subpolicies is satisfied. The numbers N indicate the relative probability of each of the subexpressions (so <samp>9@</samp> is 9 times more likely than the default).</li>
131
+
<li><samp>thresh(<em>NUM</em>,<em>POL</em>,<em>POL</em>,...)</samp>: Require that NUM out of the following subpolicies are met (all combinations are assumed to be equally likely).</li>
<li>Takes its inputs from the top of the stack.</li>
336
336
<li>When satisfactied, pushes nothing.</li>
337
-
<li>Cannot be dissatisfied (aborts execution instead).</li>
337
+
<li>Cannot be dissatisfied without aborting.</li>
338
338
<li>A "V" can be obtained using the <code>v:</code> wrapper on a "B" expression, or by combining other "V" expressions using <code>and_v</code>, <code>or_i</code>, <code>or_c</code>, or <code>andor</code>.</li>
339
339
<li>For example <code>vc:pk(key)</code> = <samp><key> CHECKSIGVERIFY</samp>.</li>
Then there are 5 type modifiers, which guarantee additional properties:<ul>
359
359
<li><b>"z"</b> Zero-arg: this expression always consumes exactly 0 stack elements.</li>
360
360
<li><b>"o"</b> One-arg: this expression always consumes exactly 1 stack element.</li>
361
-
<li><b>"n"</b> Nonzero: no satisfaction for this expression requires a top stack element that is zero.</li>
361
+
<li><b>"n"</b> Nonzero: this expression always consumes at least 1 stack element, no satisfaction for this expression requires the top input stack to be zero.</li>
362
362
<li><b>"d"</b> Dissatisfiable: a dissatisfaction for this expression can unconditionally be constructed.</li>
363
363
<li><b>"u"</b> Unit: when satisfied, this expression will put an exact 1 on the stack (as opposed to any nonzero value).</li>
In order to do that, we add additional properties to the type system:<ul>
570
570
<li><b>"s"</b> Signed: satisfying this expression always requires a signature (predicting whether all satisfactions will be HASSIG).</li>
571
571
<li><b>"f"</b> Forced: dissatisfying this expression always requires a signature (predicting whether all dissatisfactions will be HASSIG). This conflicts with "d". </li>
572
-
<li><b>"e"</b> Expressive: regardless of what conditions are met, exactly one dissatisfaction without signatures is available (predicting non-DONTUSE dissatisfactions). This implies "d".</li>
572
+
<li><b>"e"</b> Expressive: an uncondition dissatisfaction must always be constructible (like "d"), but it also needs to be unique, and there cannot ever be any other dissatisfactions available except ones that require a signature.
0 commit comments