11* By [ Antoine Poinsot] [ darosior ] , [ Revault] [ ] developer*
22
3- Bitcoin [ vaults] [ topic vaults ] are contracts that can reveal to a
4- user that one or more of their signing keys has been obtained by an
5- attacker, and which may allow the user to prevent the attacker from
6- spending some or all of the user's funds. Numerous such protocols have been
7- proposed (single or multi-party, with or without [ covenants] [ topic covenants ] ) so we'll focus on what they have in
8- common. Contrary to [ batched payments] [ topic payment batching ] that execute multiple payments with a single onchain transaction,
3+ Bitcoin [ vaults] [ topic vaults ] are a type of contract that require two sequential
4+ transactions for a user to spend money from their wallet. Numerous such
5+ protocols have been proposed (single or multi-party, with or
6+ without [ covenants] [ topic covenants ] ) so we'll focus on what they have in
7+ common.
8+
9+ Contrary to [ batched payments] [ topic payment batching ] that execute multiple payments with a single onchain transaction,
910vaults use multiple transactions to execute a single payment. The first transaction, the * unvault* , pays
1011to either:
1112
@@ -21,10 +22,13 @@ Rather the opposite. The *spend* transaction must use the taproot script
2122sending path, since it is encumbered by the relative timelock[ ^ 0 ] while the
2223* cancel* transaction could in theory use the key spending path.
2324
24- Already requiring a lot of interactivity in practice, multi-party vaults can benefit from [ Musig2] [ topic musig ]
25- and future key aggregation proposals made possible by [ BIP340] [ ] . However, these schemes come with new
25+ Since multi-party vaults already require a lot of interactivity in practice,
26+ they could theoretically benefit from interactive [ multisignature] [ topic
27+ multisignature] and [ threshold signature] [ topic threshold signature ] schemes made
28+ possible by [ BIP340] [ ] , such as [ Musig2] [ topic musig ] . However, these schemes
29+ come with new
2630safety challenges. Since vault protocols are intended to be used for cold
27- storage, the design choices are more conservative and would probably be the
31+ storage, the design choices are more conservative and vaults would probably be the
2832last to use these new technologies.
2933
3034By switching to taproot, vaults would also benefit from a slight privacy and efficiency improvement
@@ -37,8 +41,13 @@ For instance, the *unvault* output script in a multi-party setup with 6 "cold" k
3741- ` <X> CSV DROP <active key 3> CHECKSIG <active key 1> CHECKSIGADD 2 EQUAL `
3842- ` <cold key 1> CHECKSIG <cold key 2> CHECKSIGADD <cold key 3> CHECKSIGADD <cold key 4> CHECKSIGADD <cold key 5> CHECKSIGADD <cold key 6> CHECKSIGADD 6 EQUAL `
3943
40- This is about 76.5 vbytes for the cheapest (happy) spending path and about 176.0 vbytes for the costliest (dispute) one.
41- Compared to the roughly 134.75 vbytes (happy) and 189.5 vbytes (dispute) by using the following P2WSH:
44+ <!-- TODO: recalculate spending costs
45+ This is about xxxx vbytes for the cheapest (happy) spending path and about xxxx vbytes for the costliest (dispute) one.
46+ Compared to the roughly xxxx vbytes (happy) and xxxx vbytes (dispute) by using the following P2WSH: -->
47+
48+ In taproot, only the leaf being used to spend the output needs to be revealed,
49+ so the transaction weight is considerably smaller than for the equivalent P2WSH
50+ script:
4251
4352``` text
4453IF
0 commit comments