content/PurrSettle.md
Lines changed: 3 additions & 3 deletions
@@ -3,7 +3,7 @@ date: 2024-09-02
3
3
title: PurrSettle
4
4
---
5
5
6
-
PurrSettle is a settlement mechanism for Bitcoin zero confirmation transactions. It is a derivative concept of this [paper](https://eprint.iacr.org/2017/394.pdf) which makes use `OP_AND` which is also currently disabled. This mechanism makes use of the disabled `OP_CAT` to ensure a penalty mechanism is in place when a malicious actor tries to double spend their coins. At the heart of this mechanism, is the commitment of a nonce within the script that will be used to create signatures. If a malicious actor tries to double spend their coins, they risk revealing their private key making it easy for onlookers aware of the protocol to sweep all their coins.
6
+
PurrSettle is a settlement mechanism for Bitcoin zero confirmation transactions. It is a derivative concept of this [paper](https://eprint.iacr.org/2017/394.pdf) which makes use `OP_AND` which is currently disabled. This mechanism makes use of the `OP_CAT`opcode which is also disabled but allows for a more cost-effective version to ensure a penalty mechanism is in place when a malicious actor tries to double spend their coins. At the heart of this mechanism, is the commitment of a nonce within the script that will be used to create signatures. If a malicious actor tries to double spend their coins, they risk revealing their private key making it easy for onlookers aware of the protocol to sweep all their coins. An example implementation can be found [here](https://github.com/crema-lab/PurrSettle).
7
7
8
8
## PurrScript: How it works
9
9
The key behind this mechanism is the `OP_CAT` opcode. This opcode takes two inputs and concatenates them together. As described before, this will be used to used to generate the signature while the script is being evaluated. One part of the signature (the nonce) is committed in advance into the script. The other part of signature is provided with the unlocking script (or the witness). If you're aware of the Bitcoin ecosystem, there are two types of signatures available:
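Review bot: the link added at the end of the new paragraph points at `https://github.com/crema-lab/PurrSettle`, while the unchanged text later in this file links `https://github.com/crema-labs/PurrSettle/...`; one of the two organisation names is wrong, so the new URL should be verified before merge. Two wording slips survive the rewrite: "`OP_CAT`opcode" is missing a space, and "makes use `OP_AND`" should read "makes use of `OP_AND`". The new clause "allows for a more cost-effective version" also leaves the comparison implicit; stating what is cheaper relative to the `OP_AND` construction of the cited paper would make the claim checkable. The unchanged context line in the following paragraph repeats "used to used to" and could be fixed in the same commit.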
@@ -44,14 +44,14 @@ $$
44
44
\frac{s_{1} - s_{2}}{e_{1} - e_{2}} = d
45
45
$$
46
46
47
-
These signatures follow the [BIP-0340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#default-signing) for signing. The extracted private key can be used to sweep all of the perpetrator's coins. This includes P2PK, P2WPKH, P2SH-P2WPKH, P2TR (key-path spends) transactions.
47
+
These signatures follow the [BIP-0340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#default-signing)scheme for signing. The extracted private key can be used to sweep all of the perpetrator's coins. This includes P2PK, P2WPKH, P2SH-P2WPKH, P2TR (key-path spends) UTXOs.
48
48
49
49
Note that all information required to extract the private key is available in the transaction. An example that extracts the private keys from these transactions can be found [here](https://github.com/crema-labs/PurrSettle/blob/32ef4cad78283087806b3521c9432e1518f04659/src/lib.rs#L403). Instructions for running that test case can be found in the [readme](https://github.com/crema-labs/PurrSettle/blob/main/src/lib.rs#L403).
50
50
51
51
## Making PurrSettle transactions the norm
52
52
By now, you may have realised that you simply cannot use the same UTXO twice without being penalised. This means that change outputs should be sent to new PurrScripts and not the PurrScript you're spending from since you will reveal your private key in the process. Using PurrSettle requires you to store the nonces. Or, you may create deterministic schemes to create the nonce.
53
53
54
-
One idea is to use [BIP32 HD paths](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki) to create nonces instead of private key. For reference, the old key derivation path was as follows: `m'/xx'/coin_type'/account'/key_chain/index`. The new paths would look like: `m'/xx'/coin_type'/account'/key_or_nonce/key_chain/index` where another node is inserted after the account to indicate whether you're deriving a private key or a nonce. While it is not backwards-compatible with the previous key generation scheme, it allows us to easily keep track of nonces while also inflicting possibly greater penalty on double spending. If the private key (xpriv) is ever revealed during this scheme, and if the xpub of `m/xx'/coin'/account'` is known, then all nonces and all private keys that have been used so far can be [derived and sweeped](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#implications).
54
+
One idea is to use [BIP32 HD paths](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki) to create nonces instead of private key. For reference, the old key derivation path was as follows: `m'/xx'/coin_type'/account'/key_chain/index`. The new path would look like: `m'/xx'/coin_type'/account'/key_or_nonce/key_chain/index` where another node is inserted after the account to indicate whether you're deriving a private key or a nonce. While it is not backwards-compatible with the previous key generation scheme, it allows us to easily keep track of nonces while also inflicting possibly greater penalty on double spending. If the private key (xpriv) is ever revealed during this scheme, and if the xpub of `m/xx'/coin'/account'` is known, then all nonces and all private keys that have been used so far can be [derived and sweeped](https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#implications).
55
55
56
56
## Closing thoughts
57
57
PurrSettle is not without its challenges. The requirement to manage nonces carefully and the risks associated with incorrect usage—such as inadvertently revealing private keys—mean that users must exercise caution when implementing PurrSettle. Additionally, the reliance on a disabled opcode like OP_CAT means that this technique is currently limited to experimental environments like [StarkWare's public signet](https://catnet-mempool.btcwild.life/). While PurrSettle may not yet be ready for mainstream adoption, it opens the door to new possibilities in Bitcoin's scripting capabilities.
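Review bot: the failure case in the second changed paragraph is stated loosely. What a double spend reveals under this scheme is the leaf private key at `.../key_or_nonce/key_chain/index`, not an xpriv; the linked BIP32 implication applies because every path segment below the hardened `account'` level is non-hardened, so a leaked leaf key together with the account-level xpub (public key plus chain code) lets anyone recover the account xpriv and, from it, every key and nonce beneath that account. Rewording "If the private key (xpriv) is ever revealed" along those lines would make the stated penalty precise. Also "sweeped" should be "swept" and "instead of private key" should read "instead of a private key". In the first change of this hunk, "[BIP-0340](...)scheme" is missing a space, and the unchanged "readme" link in the paragraph that follows points at `src/lib.rs#L403` rather than at a README file.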