Dear Bitcoin Development Mailing List, I would like to present for initial comment a new draft BIP that we have been working on.
This BIP provides a new standard template for creating revocable proof-of-burn transactions that can be easily and cheaply verified by nodes running under SPV assumptions. We would very much appreciate further peer-feedback and critical comment so that this proposal may be improved as it continues through the formal standardisation process. Please find the full draft-proposal appended, you may also use the link provided to view the online rendered copy. Yours sincerely, Veleslav PS. Upon being assigned a BIP-Number, I will write to the list with the updated URL. https://github.com/veleslavs/bips/blob/bip-rpob-tx-template/bip-rpob-tx-template.mediawiki <pre> BIP: bip-rpob-tx-template Layer: Applications Title: Revocable Proof-of-Burn Transaction Template Author: Veleslav <veleslav.b...@protonmail.com> Comments-Summary: No comments yet. Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-bip-rpob-tx-template Status: Draft Type: Standards Track Created: 2022-08-18 License: BSD-3-Clause CC0-1.0 </pre> ==Introduction== ===Abstract=== This BIP proposes an application-layer template for revocable proof-of-burn, or ''"RPoB"'', transactions. * This proposal uses a new transaction version number to allow for future extensions. * This proposal recommends that implementations who mine and relay transaction to update their standard transaction templates as defined by this document. This proposal aims to support decentralised systems, allowing the use ''RPoB'' assertions in a consistent, efficient, reliable, and interoperable way. ''The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.'' ===Copyright=== This document is dual licensed as BSD 3-clause and Creative Commons CC0 1.0 Universal. ===Motivation=== In signalling theory<ref group="Note">Evolutionary biology theory of communication, or ''"signalling theory"'', where creatures make honest signals that are hard to cheat, for mutual evolutionary advantage.</ref>, proof of burn<ref group="Note">In Bitcoin, ''proof of burn'' places bitcoin value into outputs that provably unspendable. This dose not reduce the wealthy of the network, but instead reduces the velocity of these coins to zero. Transferring the network wealth onto the remaining coins that have a non-zero velocity.</ref> is a costly signal,<ref group="Note">A ''"costly signal"'' indicates dedication, an observer expects that such a signal is not made flippantly because the high cost.</ref> allowing the network to assign a default trust.<ref group="Note">An entity is assigned a ''"default trust"'' value when they are not connected to the trust graph. Without a default source trust, growing a decentralised web-of-trust network is impossible. New users face a catch-22 problem: they are disconnected from the trust graph and don't have a possibility to prove themselves.</ref> Bitcoin naturally provides an implementation of proof of burn without feedback loops,<ref group="Note">A ''"feedback loop"'' is when a trust signal can be amplified by a privileged subset of the network by feeding the creation-cost of this signal back into the process of making the signal.</ref> allowing for default trust to be assigned fairly in decentralised networks.<ref group="Note">New users are able to use a proof-of-burn to bootstrap themselves into new trust networks. 'New-user-with-burn-proofs' can be welcomed-in with basic services and focused attention, as the network knows that it was costly to generate the burn-proof.</ref> The ability to revoke<ref group="Note">To ''"revoke", is'' publicly asserting that a previous statement should not be valued as originally intended.</ref> past assertions is important for many applications,<ref group="Note">Unexpected things happen, for example, the loss or compromise of private keys.</ref> therefore proposal couples bitcoin proof-of-burn with a revocation mechanic. In choosing to standardise via the BIP peer-reviewed process, we hope to give the community greater confidence in making use of bitcoin-based revocable proof of burn technology. ====Notes:==== <references group="Note" /> ==Design== ===Conceptual=== ''"Proof-of-Burn"'' transactions have long exited in Bitcoin, ''"OP_RETURN"'' transactions, (named after the op-code ''"return"'', that causes the public key script to return in failure, hence making the output unspendable and "burning" any value allocated to that output), these transactions have been actively mined since the release of Bitcoin-Core 0.9. Since OP_RETURN doesn't allow the public key script to be spent (as is it's design), there hasn't been any built-in solution addressing the requirements a application-useable proof-of-burn transaction, in particular: *A standard association with a public key in for transaction. *A standard protocol to publicly revoke a proof-of-burn transaction. In this proposal we satisfy these requirements by specifying a taproot public key in the op_return payload and an another output for revocation. ===Other Requirements=== Operation under <abbr title="Simple Payment Verification">SPV</abbr> assumptions: *Transactions are small: ''RPoB transactions (non-witness-part) are fixed to two possible sizes, depending if there is a change output, or not.'' *Revocations are quickly and cheaply indexed: ''RPoB revocations only require obtaining the preimage to a double-sha256 hash. This is easily indexed and propagated in a gossip network.'' Ease of implementation: *Use of only Taproot and Schnorr: ''To reduce the scope of the transaction, we use only Taproot for inputs and Outputs, and Schnorr for the signature that covers the funding outpoint.'' Transaction funded by 3rd party: * It should be secure for an untrusted 3rd party fund the proof-of-burn transaction. ''Allowing for services to fund these transactions and be compensated with some sort of off-chain payment.'' Future extendability: *Making use of the transaction version feature of bitcoin. ''This allows for easier indexing strategies in the future, (with a simple consensus change: to include in the coinbase the number of the transactions in the block by their transaction version).'' * Including a byte for 8 version flag bits. ''This allows for a reliable way to upgrade in the future in a forward-comparable way.'' ===Transaction Design Overview:=== [[File:bip-rpob-tx-template/rpob-template-summary-table.svg]] ==Specification== This section specifies our RPoB transaction template. ===Transaction=== General form: <pre> version: 0x3 marker: 0x0 flag: 0x1 txin_count: 0x1 txout_count: 0x2 (without change) or 0x3 (with change) lock_time: (any) </pre> *RPoB transactions MUST use the transaction version (nVersion) 0x03. *RPoB transactions MUST have only one input and either two or three outputs. ===Input 1: Funding=== General form: <pre> signature_script: (empty) witness_script: <taproot_witness> </pre> *The RPoB transaction input MUST be P2TR (Pay to Tap Root). ===Output 1: Burn and Data=== General form: <pre> value: (any) public_key_script: RETURN < 1-byte-rpob_version_flag> <32-byte-rpob_secp256k1_public_key> <64-byte-rpob_schnorr_signature> </pre> The public key script fields are: <pre> rpob_version_flag: 1-byte , 0x00 (initial version). rpob_secp256k1_public_key: 32-bytes, SECP256K1 compact public key. rpob_schnorr_signature: 64-bytes, bip-340 Schnorr Signature. </pre> *The first RPoB transaction contains the burn value, that is made unspendable by the 'OP_RETURN' in the public key script. ===Output 2: Revocation Puzzle=== General form: <pre> value: 0 public_key_script: SIZE 32 EQUALVERIFY HASH256 <32-byte-rpob_revocation_puzzle> EQUAL </pre> *The Value of the Revocation Puzzle Output MUST be zero. <code>HASH256</code> is defined by ''double sha256'': <pre> rpob_revocation_puzzle: 32-bytes, public, SHA256(SHA256( <32-byte-rpob_revocation_solution> )) rpob_revocation_solution: 32-bytes, secret, publicly reveal this value to revoke the proof-of-burn. </pre> *It is RECOMMENDED that implementations use a value for the <code>rpob_revocation_solution</code> that is derived from the secret key used to generate the <code>rpob_secp256k1_public_key</code> . ===Output 3, Optional: Change=== <pre> value: (any) public_key_script: 1 <32-byte-taproot_witness_program> </pre> *This output MAY have any value. *The public key MUST be a standard P2TW output. ===Signature: Included in Output 1=== <pre> rpob_schnorr_signature: 64-bytes, bip-340, signature ( <32-byte-rpob_signature_message_hash>, <32-byte-secp256k1_private_key> ) rpob_signature_message_hash: 32-bytes, bip-340, sha256_taged_hash ( <77-byte-rpob_signature_message>, <16-byte-rpob_hash_tag> ) rpob_hash_tag: 16-bytes, utf-8-hash_tag ("rpob/BTC/MAINNET") or, utf-8-hash_tag ("rpob/BTC/TESTNET") rpob_signature_message: 77-bytes, < 1-byte-version_flags> <32-byte-input_txid_hash> < 4-byte-input_index> < 8-byte-burn_output_value> <32-byte-rpob_revocation_puzzle> </pre> *The <code>rpob_schnorr_signature</code> uses the [https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki BIP-340] algorithm. ==Deployment== While the ''IsStandard'' rules are quite restricting, it is quite possible to submit transactions directly to miners, or co-operate with miners who would enjoy to have some addition fee-revenue. So the initial process of testing on the main-network should be possible. If this standard gains significant attention, we are happy to write a supplementary BIP to define a new service bit to allow nodes to signal that this new type of standard transaction is accepted. ==Rationale== ===Why require RPoB transactions to use a new transaction version?=== This allows for future indexing and enforcement strategies at the consensus layer. ===Why use a hash puzzle for the revocation?=== The hash-puzzle allows for easy indexing of the revocation, in the format: <code><32-byte-revocation-puzzle> (if revoked: <32-byte-revocation-puzzle-preimage>)</code> *Since the digest algorithm is double sha256, even for a very large number of revocation, this index would be very cheap to verify. *We envision nodes keeping track of all the revocation-puzzles listed in the blockchain, as 32-byte each, a million RPoB is only 32mb. This can be further optimised. Additionally, we do not want to confuse a public key, (that can sign), and a revocation-puzzle (that may only revoke). ===Why must the revocation output be of zero value?=== Revocation can be spent by anyone once the revocation pre-image has been published. ===Why does a RPoB need a signature at all?=== The primary purpose of the signature is to stop replay-attacks. (Somebody takes your public-key and makes transaction where you don't control the revocation). The secondary purpose is to allow for untrusted parties to create transactions on your behalf. i.e. a 'RPoB' transaction creation service. ===Why waste precious block space?=== Consuming block-space is a of secondary proof-of-burn that this proposal takes advantage of, as itself is limited and contested for (blocks are almost full on average). There is an opportunity cost of the next best transaction when a miner chooses to include a RPoB transaction their block. Additionally, transaction fees are important for the long-term health of the bitcoin-network, this proposal increases the demand for the blockchain. ===What do you want to make these RPoB transactions if there is insufficient block-space?=== This isn't our problem. Those who have the economic purpose and resources to make RPoB transactions will outcompete those who do not. ==Backwards Compatibility== As this is an application layer structure without any preexisting deployment, we foresee no compatibility issues. ==Reference Implementation== To be made. ==Acknowledgements== While we have somewhat independently come up with the concept of RPoB, the idea of having a public record of public key enrolments has been around for a long time. None of the ideas in this BIP are new. We would like to thank Jonas Schnelli, 'M', and 'P', for their past contributions. ==Appendixes== ===Appendix 1: Some alternatives to blockchain-based proof-of-burn:=== Blockchains provide the our first opportunity to have deterministic and decentralised trust networks. Before blockchains we had proof-of-work and proof-of-payments as the two main gate-keepers for boot-scraping new members into a exclusive group: ==== Proof-of-Work: ==== For example, * In games it could be to grind your character up to a certain level. * Or it could be to make and present hand-drawn artworks. * Or it could be to solve a CAPTCHA. With proof-of-work blockchains provides a way to quantises an abstract an amount of work into a value. Providing a solution "how much dose this work cost?" problem: your work can be traded for bitcoin, and the bitcoin value is set efficiently in the market. ==== Proof-of-Payment: ==== For example, * Buying an expensive uniform item required for the clan. * Paying membership dues. * Proving a donation to a charity. With proof-of-payment the problem is the feedback loops, who gets the payment is placed into a privileged position of responsibly. The blockchain solves this with proof-of-burn outputs, the 'payment' goes back to the network, distributed indirectly and proportionally the holders of bitcoin. ==== None: ==== For example, * Pretty-Good-Privacy (PGP). PGP provided the basic cryptographic infrastructure for secure communication, including a basic web-of-trust where users can cross-sign each others keys, to make man-in-the-middle attacks harder to carry out. The primary problem with PGP is that any infrastructure that uses it is open to denial-of-service attack, as making new pgp-key identities is extremely cheap. The trust network also is open to sybil attack, as huge numbers of keys can all cross-trust each other making it appear that they belong to a large-genuine trust network. ==== Other: ==== * Blockchain Timestamping, i.e. Open-Timestamps. One of the most simple ways of assiging value to something is to prove that it is old. Timestamping with a blockchain allows users to assert that they didn't just create this account just now. - However the problem is that timestamps are cheap to make, and if the need for timestamps is predictable, then adversaries can pre-generate many to misuse and attack a network at a later date. * Blockchain space Use. Simply putting a statement into a blockchain itself, if there is any free-pressure is indirect form of burn by via the miner. By out-competing the next-best-transaction set, this has burnt the value in the difference between the fees of the two set. Thus, it can be shown that if the blocks are full, a RPoB transaction with zero-burn-amount is still a proof-of-bun transaction! === Appendix 2: Some notes on blockchain-based proof-of-burn and decentralised networks: === Using a blockchain the relative value of a proof-of-burn is deterministically calculable: * Trust calculations transferring a proof-of-burn into a "default trust" value are possible. Leading to the creation of trust graphs that can operate reliably without human intervention. * Networks using such default trust calculations become inherently resistant to distributed denial of service attacks. All this cannot easily be achieved without leveraging the functionally of a blockchain such as Bitcoin. ==Footnotes== <references /> _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev