
Michael Tidwell: Bitcoin Secrets Revealed - The Taptree of Horror - Atlanta BitDevs - Event 002
Thursday, January 30, 2025
Michael Tidwell reveals the secrets of the TABConf 6 Capture the Bitcoin challenge. In this one scavenger hunt breakdown, he demonstrates the flexibility and power of Bitcoin's taproot upgrade and how it can be used to build far more interesting things than just simple sending and receiving of bitcoin.
Transcript
Stephen DeLorme: [00:00:00] This podcast episode is an event recording. If you're listening to the audio version, you might be missing some context from the speaker's visuals. You can find the video version at atlbitlab.com. That's A T L B I T L A B dot com. There might also be audience questions or other background chatter that's not audible.
Look, event recordings are never perfect, but we're sharing it here because we think you're going to find something valuable in it. Let's talk a little bit about our sponsors first, and then we'll get on to the show. This episode is sponsored by ATL BitLab. ATL BitLab is Atlanta's freedom tech hackerspace.
We have coworking desks, conference rooms, event space, maker tools, and tons of coffee. There is a very active community here in the lab. Every Wednesday night is Bitcoin night here in Atlanta. We also have meetups for cybersecurity, artificial intelligence, [00:01:00] decentralized identity, product design, and more.
We offer day passes and nomad passes for people who need to use the lab only occasionally, as well as memberships for people who plan to use the lab more regularly, such as myself. One of the best things about having a BitLab membership isn't the amenities, it's the people. Surrounding yourself with a community helps you learn faster and helps you build better.
Your creativity becomes amplified when you work in this space, that's what I think at least. If you're interested in becoming a member or supporting the space, please visit us at atlbitlab.com. That's A T L B I T L A B dot com. All right, on to our show.
Michael Tidwell: All right. So my plan was just to pretty much do website, no presentation and just go through and then if anyone had a question, I would just, I think that'd be a cool opportunity just to pause for a second, answer that question, go into it as deep as we want and then, uh, get back to the CTB.
So I'm going to be covering the capture [00:02:00] the Bitcoin challenge. And if you don't know what this is, this is something I like to plan every year for TABConf. And usually it's, you know, we're talking like 10 million sats or less usually in terms of the total prize pool. So a decent chunk of money and it is there to incentivize people to learn things, get out of their comfort zone, learn the newest technologies of Bitcoin.
And, uh, you know, feel good about learning this, but also there being a carrot there dangling for you to capture. Um, all right, so I'm gonna, let me kill this. So, I don't have the coin. Actually, you know what's funny? Uh, I could go to the YouTube video, actually, that I just uploaded and show you what the coin looks like.
So, let me see how easy it is to find this video. I wonder if I just type in CTB. Last year He said if, [00:03:00] is this year's what?
Yeah, you could still use it. Yeah, you can still use it to start the Actually, you know what? Uh, here we go.
Alright, so I made like a little review and prep for this and also to put online. But I'll show you, uh, you know, The coin looks like this. So you can see in the video of me talking about it. You can see there's a hash around the edge of the coin. And when you check into TabConf, You just instinctively need to know to look at the edge.
And the funny part is some people That's the hard part, so even getting started can be the hard part. Um, when you plug this hash into a block explorer, you will then, actually let's go to it, actually, you know, maybe doing this video a [00:04:00] little bit is a cheat code for me. So, around the edge of the coin, right, so this is how the puzzle begins.
Around the edge of the coin is a hash, and you need to instinctively know also that that is a transaction ID that you can plug into a block explorer. And when you plug that into a block explorer, you'll see right here, there's an op return that has a website URL. Does anyone not know what an op return is?
Okay, so an op return is just, you can pretty much add whatever, like, random data you want to a bitcoin transaction. So the idea is, in a fun way of like starting the puzzle. That random piece of data is going to be a website. So then, you look at the coin, it points you to the Bitcoin blockchain, and then you get a website through an op return, and then that will then send you somewhere else.
So it's kind of like a scavenger hunt. You see what I'm saying? Uh, yeah, what's up, Jordan?
Audience Member 2: Mike, is there a limit to how much data I can put in that op return?
Michael Tidwell: Yeah, there is. Can I put a JPEG? [00:05:00] Uh, a very small one, sure. Otherwise you need to, uh I don't know, have some sort of method of combining OP returns, you know.
Audience Member 2: Do you know the limit off the top of your head? I don't know.
Michael Tidwell: Uh, well it used to be, uh, I think it was 80 bytes, then it was 40 bytes, or 80 bytes. Something like, like, consensus is 80 bytes, but then I think relay policy at one point was 40 bytes, and I think maybe they became more liberal and made it 80 bytes again.
Is that fair, or? But at one point, they wouldn't relay a transaction that had an OP return over 40 bytes, but I think that was, like, a temp thing. I mean, yeah, I don't know.
Stephen DeLorme: I think Bitcoin Knots doesn't relay, uh, it's still valid, but
Michael Tidwell: Yeah, I wanna say Bitcoin Core also did that at one point. But don't, don't hold me to that.
Um, anyways, but you can have multiple op returns. Obviously, you know, if one, if one op return just isn't doing it for you, make that JPEG. Jordan, I believe [00:06:00] in you. Um, all right. So if, if everyone's following me in, in this journey, we got our TABConf coin. And again, if you don't know what TABConf is, you might not, this is just the conference that we run here in Atlanta.
Um, it's, uh, you could call it like a hacker conference. All right. So you get this coin when you check in, but no one tells you like, this is like the challenge going, that's also kind of like a cool part about it. You just need to like, look and be curious and plug this into the Bitcoin blockchain, you get a website and now we're moving on and I'm going to ditch this video now and go to the actual website.
That you would actually receive. So it would be tabctv. com slash six. Alright. And this is what you're presented with when you first come. Uh, there's some sponsors that helped fund not only TABConf but the CTB. I have some text here and then I give some [00:07:00] shoutouts to some developers who helped make some of this possible.
But one thing I include here at the bottom is, it's the address that literally holds everything. In my opinion, it's good to give this address early to let people know, Hey, you know, like are the funds still available and let them know that as early as possible, sort of, because you don't want to give someone false hope that there might be a large amount of Bitcoin.
And so this address was given immediately. So you could check that out. So let's go ahead and take this, uh, address and see what we get. I'm going to use mempool.space. So if we plug that in, then we get the, the transaction. If, what's up? Oh, I mean, hey, if you have something funny to say, like, I want to hear it too.
This is like what teachers do, you know, in classrooms, you know what I mean? Alright, so, so this is the transaction, uh, that you would see when you plug this in. And you're like, [00:08:00] uh, at the time, if you were the first one to look at this, uh, all of these would be green, okay? Meaning that they haven't been swiped yet.
The fact that we're here now and they're all red, spoiler alert, the CTB was solved, okay? Uh, so all of these funds were stolen. But at the time, the cool part is you could see what was available and what was taken, right? And we're gonna get more into that and like how you could figure that out. But it's a, it's a cool way to sort of track the progress publicly.
Where I don't need your like email address or to dox you or whatever, because I can see publicly what's going on and how much progress, you know, teams are making, uh, without even knowing who the teams are.
So going back to the website, um, there is a button here. If you see that says enter, if you dare, okay. If you click that, you'll then be presented with this. You could just call it vanity text. I was just getting fun with it. [00:09:00] So, every year, the complaint is, Oh, the CTB is great, but it takes up so much time.
And now I've been adding in a disclaimer, which is, You know, if you do this, you know, be careful. What do I say here? Like, time slips away unnoticed as you are walking down a road. You know, this is also Halloween themed, so I try to make it as spooky as possible, right? It's right around Halloween. Spooky vibes here.
And you notice the branches start to curve in, you know, also getting into like, tap branches and stuff like this. Um, you're feeling that you're about to be consumed by this puzzle, yadda yadda yadda. You know, like, this is your final chance to turn back. And I thought it would be funny to give you two options here.
You can turn around or let the force pull you in. If you turn around, it will take you to the TABConf schedule. So then it's like, alright, you turned around, here's the schedule, go to a talk, go have, you know, fun, actually like enjoy the conference. And then if you instead say, let the force pull you in, it brings you to the next clue.
And again, more [00:10:00] vanity text. Um, and the, and then you get the picture of the Taptree of Horror here. You get to see it for the first time. The thing that when you read this, the thing to, to, to note is, a curious, almost sinister compulsion is urging you to circle the tree and peer behind its trunk. So, I know there's someone here, for instance, that got to this step very early, named Tyler.
So someone, so, so, if you participate in the CTB, or even looked at it, can you raise your hand just so I can know? Okay, so, who made it to this step on Wednesday? Okay. And for everyone else, what was the problem with this?
Right, right. Did you know that? Okay. So, so when you, [00:11:00] did you see the, the, so there at the, at the conference, there was a four foot cutout. There's a four foot foam poster of this. Did you, did you think to look behind the poster?
Audience Member 2: I did. And then later someone pointed out that it was a different one.
Michael Tidwell: So, so.
This was so two part. One, I wanted to make sure people that showed up late to the conference could all start at the same time. So I didn't actually reveal this clue and put it on the behind the poster. And then two, the real reason, I forgot. Hey Rich.
Audience Member 3: And then we're like, all right, start the picture. So then we were like, like, We were like looking at the map, and we're like, oh,
Audience Member 4: there's a contrast.
Yeah,
Michael Tidwell: You got, like, like, okay. Yeah, for the recording, people were very confused here. They were doing image manipulation, reverse polarization, trying to [00:12:00] look at the metadata of the image. Yeah, nothing was there. Sorry about that, guys. That was just me being, uh, forgetful. But also, the real fake excuse is I was trying to just let everyone start at the same time on Thursday morning, which is when Thursday morning.
I put the clue, and I say me, my wife put the clue behind the tree. And the clue was slash grim. Grim, that's all you got behind the poster was just slash grim. You would need to know to go here and append grim. And when you do append grim, you see, oh, the Grim Reaper, so scary, ooh, Halloween themed. And you get more vanity text. He talks to you about Jan, uh, at first you think he's a legendary super coder, master of digital realms, but as the figure steps into the dim moonlight, you realize this isn't Yellen's nightmare, but your own.
The Grim Reaper himself. And he goes by Grim. And he [00:13:00] talks to you about, uh, unfortunate UTXOs, they've lured you here, um, it's, it's been amplified by Uptober, uh, power movement by people named Michael buying, uh, buying Bitcoin through that, and then, and then he pretty much offers you a deal. He says, I'll grant you a chance to free the souls of those who came before you, but beware, if you fail, your soul will also be trapped within the tree's dark script.
Oh, and by the way, I found this odd game called Satoshi Settlers and left a clue on the same block height as the generous donation. So this is like the most like sellout way of getting people to go to Satoshi Settlers, which I just showed you, by the way, man, this is just like a fun little shameless promotion of Satoshi Settlers.
So if you, so if you, if you look at the actual block height, um, [00:14:00]
so if you, if you look at the, um,
Let me, let me go back to the clue. So it says, oh and by the way I found this odd game on, a game called Satoshi Settlers and left a clue on the same block height as the generous donation. And you're just supposed to know that the transaction, um, ID, which was here. So you would, you would be like, hey, when did this transaction ID take place?
That was the block height of interest.
Audience Member 3: Yeah,
Michael Tidwell: I'm not that deep. Yeah, yeah.
Audience Member 2: I wanted to let you know how much I got tripped up on the URL because one has dot HTML and [00:15:00] the other does not.
Michael Tidwell: Yep. And one doesn't have. Yep. You'd have to know. 'Cause sometimes it doesn't. Sometimes it doesn't. Yeah. I just fuck with you. Yeah. Sorry. Sorry. That, that was, that was so the, so the reason I did that was be to fuck with you the real reason.
That was the fake real reason. The real, real reason, that was a mistake. Yeah. And, and then, and then, and then instead of going back and fixing it, I was just like, ah, they'll figure it out. Funny enough, not everyone figured that out. I was like, oh, okay. Well. Oops. Yeah. Lessons learned. Okay, so, you might be wondering what the hell is this Satoshi Settlers thing?
And you would be right to ask that question. I don't even know what would happen. Oh, actually, if you Google it you'd get to it. It's not that bad. Uh, you go here. You enter into this blockchain explorer weird game. You go to a, what was it? Seven to, wait, what was it? [00:16:00] Eight? Uh, oh yo, it was eight, six, six, two, seven, seven.
So you go to 866277. And I don't know if you guys can see this, but uh, this is, this is very small text. The idea is there's some, there's some metadata here within the game. Um, there's Grim here talking about, there's 11 souls trapped. Oh, you're a sat hunter looking to test your skills, you know, uh, let's make a deal, if you get, you get to try to save these souls and get rich, but if you fail the Taptree of Horror will trap your soul, and then all you have to do is say I accept your terms. I know this is kind of hard to read from the audience, but this says slash I accept your terms, and then someone then trolled afterwards and said Tidwell Satoshi up here, um, but that's not part of the actual puzzle, uh, you're looking for the messages by Grim himself.
So Grim's kind of like this persona that is doing shit. So if we go back to [00:17:00] the website, now we want to accept Grim's terms, right? So we're doing, I accept your terms. And this is where, as soon as you utter the words, accept your terms, souls locked away by the unholy tree extracting offers, or UTXOs, if you didn't know what that stood for, for Halloween themed.
For short, come forth, still bounded by the tree, you're barraged by visible UTXO suffered spirits. That have been confirmed into damnation. How many of there are, how many of them are there? Each one seemingly stuck for a different reason. The premise of this was I am a firm believer that people are more likely to obscure and secure their Bitcoin in bizarre, odd ways and secure themselves out of their Bitcoin versus their Bitcoin actually gets still getting stolen.
Obviously your Bitcoin getting stolen is definitely non zero. I'm not trying to say you shouldn't be worried about that, but I think. It's much more likely for you to come up with something really clever that you think is clever. And then 10 years [00:18:00] later, you're like, Oh shit, I remember what I did. That was so clever.
I remember it perfectly, but it's not working. And then you're like, and then everyone's like, dude, what are you talking about? Um, so every single example here is a soul, a persona of someone who's screwed themselves and they need your help. And the way to help them is by taking their Bitcoin and spending their Bitcoin to release their UTXO, their, their suffered UTXO spirit.
Now, the cool part, the cool part about this is how do you do an iterative Bitcoin puzzle? Because scripts, if you don't know, scripts are winner take all. If you get a script, right, of any complicated Bitcoin script and you get the spending condition for it. CTV doesn't exist. None of these fancy things exist.
You can spend all the Bitcoin in that script. Okay. So the question is how in today's age, how do we make any sort of iterative kind of fun, you know, puzzle where it's not just a winner take all kind of thing. And the way I solved [00:19:00] this was each one of these people has a small canary amount, that 300,000 sats, right?
So each one of these souls has 300,000 sats. But their secrets are reused for the entire puzzle, right? So that's the kind of cool part about, you know, what we're doing here. So I'm going to dive into just a little bit into that. So everything on this screen is clickable. All the souls are clickable, Grim's clickable.
If you click Grim, um, he has a Nostr page. Um, you're both impressed of Grim's ability to rattle off his npub and your ability to memorize it as if he's telling you this. Um, he gives you a secret. He also gives you one of the secrets, sovereignty through knowledge, um, that you, that is a pre image for the overall puzzle.
Um, he's pretty much saying like, Hey, I'm tired of standing guard here. I need to move on with my afterlife. Like let's, you know, if you kill the spirit, I'm not going to be upset about it. He's pretty much like, kind of like, [00:20:00] like, Hey, I'm a shitty security guard. Like let's, if you want to, if you want to take care of this tree, I'll even hand you one of the secrets that you need to accomplish it.
And then he also gives you a clue, which is he wants, he says right here, if you touch the trunk of the tree, it will give you a vision that will help you. Right. So let's try that out. Let's, let's take Grim's advice and let's click the trunk of the tree. So now Grim has given us a pre image. Um, real quick, pre image, questions?
I can answer these questions, this is your one chance. Okay, we're gonna keep moving on. Pre image, so you have an image, imagine an image. A pre image is before the image.
In cryptography, in Bitcoin, whatever, the idea is, when you hash something, right, the thing that you hash is the pre image, the resulting hash is the thing, is the image. So, [00:21:00] for instance, if you have a secret. Your secret has already been hashed. The thing that produces your secret is this text right here, Sovereignty Through Knowledge.
That, in this case, is the preimage. Okay, so that is like our secret preimage. When we hash that preimage a few times, that's when we get the thing that people can see on the blockchain. But no one knows how to create that secret without the preimage. Okay? Does that, does that make sense? D d does hashes make sense?
Okay, cool. Any other questions before we move on? All right.
Right, right. But eventually you get it. And then if you look at the descriptor, which we'll get into, you'll be able to be like, Oh, I think it was like five times. And then after the fifth time, you, you can match up the, the hex and the, and the bytes with what's in the descriptor and be like, Oh, okay. This is, this is the pre image.
Like I know exactly because the pre image is going to be n minus one [00:22:00] hashes of the string. So if this, if this string requires 10 hashes or five hashes, the idea is the pre image is five minus one. It's the, it's the very, it's the hash right before the final hash is the pre image for the script. If that makes no sense, don't worry.
I'm sure half of y'all are confused on what I just said. Um, so we'll, we'll keep going. And like I said, Grim said, touch the trunk. So here's the trunk first picture. This is not a pre image. This is just a graphic to help you. Understand what the hell's going on. So this is a taproot tree and I don't think there's good graphics of taproot tree.
So I don't even know if like, I think this is, I've talked to a bunch of cryptographers or not a bunch, like one cryptographer named Andrew Poelstra. And I was like, Hey, and sank, I guess two, I was like, Hey, does this like make sense? I don't want to do something that's actually technically incorrect. I want to do something that is [00:23:00] also
so good and like visible, like good to like look at, but also technically accurate. And they said it's technically accurate. So I feel good about showing you all this. And this is a Taproot tree. Taproot was the latest upgrade in Bitcoin. Latest major upgrade in Bitcoin. Happened 3 years ago. So kind of circling back.
The reason we're pushing this is to push people to learn this technology. To understand what the hell is going on here. And to dive into Taproot. Because it's heavily underutilized, essentially. Okay. There's not many companies using it. There's like a handful max. Okay. So at the top, we have a tweaked pub key.
We have internal and a MAST. Um, you can, uh, uh, uh, tapped, a tap tree will only ever have two nodules coming out of a parent nodule. So a parent to two children, you'll never have more than two. So you can see, this is like the up top most and you have two coming out. Then you have just this one ends here.
Then this one has two, et cetera. So, [00:24:00] the boxes are going to be spending conditions for the tree. The internal key is just like a secret key I have just in case I really screwed things up and I can, I can salvage the Bitcoin here. Okay? The reason for this is, like, that I wanted to not use a dummy internal key was because this is highly, in my opinion, experimental and I really didn't want to lock away all this Bitcoin.
And then be like, Oh, remember that Taptree of Horror? It's still there. 10 years later, it's worth, it's worth like a million dollars, man. I really fucked up. Huh? Like I would hate for that to happen. So, so I have the internal key. I keep that close to the chest just in case everything goes sideways. I can, I can redeem it.
The cool part is you can see which path was used to redeem the overall puzzle. So each one of these squares is a different spending condition. And I'm curious for people who, Jordan, Stu, Tyler, like, who saw this and like understood what this was? I'm curious. Was this helpful at all? [00:25:00] Okay. Alright. You never clicked the trunk?
I know, but I'm just saying, well, you can't get to that without getting here first. There's no way to get to that without getting here first, so. All right. Well, it sounds like no one here got, yeah. Okay. So you would have to intuitively kind of look at this and be like, Oh, a is Alice. B is Bob. C is Charlie.
D is Dave. E is Eve. You know, these are the different names. These are the different pre images. So G is Grim. So this is the pre image for Grim. So now, you know, it's a RIPEMD-160 hash. Uh, this is a time lock. So, you know, this, this spending condition wouldn't be able to be done until Wednesday, October 23rd.
And then, for instance, on Thursday, these two become available all of a sudden. Now, you have more spending conditions for the tap tree. And this is to showcase, you know, like some cool features of Taproot where, [00:26:00] Hey, the longer this tree exists, the longer the script exists, and the people involved with it, you know, understand each other, the more spending conditions become available.
Potentially like imagine you have a Bitcoin and you say, Hey, look, you give it to your kid. And you say, unless we both agree how to spend this Bitcoin, you're not allowed to spend it. But in 20 years, you don't need my signature anymore. You can spend it on your own. And this is essentially a way more fucking complicated, like,
extravagant way of manipulating and/or conditions with different thresholds. Okay. So here we have four of eight thresholds plus either one of these keys plus Judy plus Dave plus this plus this time. So we like all of these are like more combinations coming about. So on Friday we get three more, uh, three more spending paths.
And then on Saturday we get two more. And then this one right here has always been available. This 8th index one. Which is [00:27:00] just every single secret possible. So if you knew every single secret, which was pretty much impossible, you could just spend the bitcoin right away. Um, this was the only one that wasn't time locked.
So,
No. Every single secret except the internal key. Yep. Which I think is a bug because I think for some reason. No, no, actually, no, nevermind. It's not a bug. There's, there's many bugs in this, but that wasn't one of them. That would have been a bad one. Cause if you got the internal key, you just take the funds.
Yeah. So the cool part about Taproot is, let's say you want to spend here, right? Well, you, you could, you could reveal all the way from the top down here, but all this right here would never have to be on chain. So if, especially if you have like some sensitive sort of spending paths that you don't want to reveal to the chain, or you just have a massive amount of spending conditions, we're [00:28:00] talking hundreds, that's a huge on chain footprint, right?
You're spending a lot of money to spend out of this tree. But if it's, if you're using taproot, which is the newest operator, Bitcoin, you only reveal the path through the branches that you need, which can potentially make your publishing, satisfying condition way smaller and therefore take up way less fees, way less block space.
Yeah. What's up? Yep. Yeah. Yeah,
so so if you um, if you're like right if you're spending this one right here You'd have to know this you'd have to know this you'd have to know this you'd have to know this You have to know that yeah Yeah right here
You need to know everything above it that, that, that paths to it, but you, but you don't need to know this.
You don't need to know [00:29:00] one. You just need to know this nodule up here and then two. Yeah. Yeah, we'll get to that right now. So this is a graphical descriptor. This is for me to pretty much say like, Hey, descriptors are pretty intimidating. Let me graphically show you what this looks like. Now, this is the intimidating thing.
So this is what the descriptor looks like. This is what you would actually use. But if you've never seen this before, you're like, what in the fuck is this? The idea is like, it's this. So you're like, this and this are the same thing, but I want to make a graphic for people because I don't think people can visualize this without like actually understanding it.
Can anyone,
Audience Member 5: You can't deduce this from the other string of text. It's impossible, right?
Michael Tidwell: Because [00:30:00] if you get one thing wrong, you'd get a different descriptor. If you get one little, cause there's multiple ways of describing the same thing. Okay. And you could potentially describe this tree and get something that looks like this, that's off by just a little bit. And it wouldn't be a valid descriptor.
So that's why I give you the descriptor for free. So you don't have to guess what the descriptor is. You don't have to recreate the descriptor. Take the descriptor, copy and paste it into whatever code you want. Here it is. Exactly. And then you can test, you know, what Grim's pre image is. You know, you know, all like the pub keys.
Cause if you look at all this, you can, I mean, this is kind of like bad resolution. But, um, here, let me zoom in just like,
Yeah, this contains everything. You can see like, and conditions like nested with friends. You can see like, uh, you can see like an xpub right [00:31:00] here. You know, you can see like xpubs. You can see like, this is the SHA-256, like pre image right here. Like you can see everything in here. You can see like this is a multi multisig threshold, right?
And then it's like, this is four of and then all these pub keys. So this is like a four of eight threshold starting right here. This multisig threshold. So like, yeah, everything's here, but it's just. It's kind of crappy to look at, you know?
No, this, this is, this is, if anyone's ever used, who's used multisig here? Okay. So, one thing, if you're using multisig for the first time, in this day and age, you, you start to learn about descriptors, right? You start to be like, well, how do we actually, like, spend this money? Well, you need to know what was the agreement contract.
What, what, what are we actually, you know, spending our money from, and this is a really complicated big descriptor. You can think of this as like a really crazy multi sig, but this is [00:32:00] like many multi sig spending possibilities. So,
Audience Member 1: Describe the tree, and something spits this out. Be valid.
Michael Tidwell: Well, you can, you can roll this by hand, or you can have a software program make it for you, yeah.
Audience Member 1: Yeah.
Michael Tidwell: Yeah. Uh, I, I have a software program make it for you. So, when I, when I made this, and I'll, I'll show you the code in a bit. But the, I made this with a kind of, uh, it's, it was like miniscript syntax that then, uh, compiles into a descriptor and I'll show the exact code that I used in Rust Bitcoin for it.
Yeah. Uh, yeah, Jordan.
Audience Member 1: But, but the, the part of the tree that you need to express to spend
Michael Tidwell: the output. You still need the whole descriptor. Which is one. I know, but you still need the whole descriptor. You need the entire descriptor if you're going to use any of the spending paths. Which means the more spending paths, the larger the descriptor. [00:33:00]
If you end up having something with like thousands and thousands of descriptors, you could potentially be like, Hey, I gotta like have this like 10 megabyte file that is just like on Google Drive or Dropbox or something that I just need to like keep really safe. Because if I lose this, it's gonna be a bad time.
You know what I mean?
Audience Member 1: The bigger the tree, the harder it is to solve, right?
Michael Tidwell: Uh, no. Well, not necessarily. It might be easier to solve because you have a bunch of easy spending conditions. Yeah, Jordan.
Audience Member 2: So, if you go, can you go back to the graphical view? Did that mean, is each, one more time. Each time you get to a, a branch, is that, in the, in the script, is it a condition?
Michael Tidwell: It's an and, so you see like these ands. So you see all the ands? So the ands are going to be splits.
Audience Member 2: Yeah, [00:34:00]
Michael Tidwell: that's going to be, ands are going to be, true, like, both sides need to be true. Ors are going to be, there's like a couple, there's not many ors, there's like one or right here. And this or right here is pretty much being used for like right here, where you have to have one of these ors, like you have to, this key or this key, right here.
I think that's where that or is being used because I want at least one or condition in the descriptor. So you have to have four of eight of these and at least one of these. So this or this and these two and this pre image and this time lock. Now, this right here, this or condition could have easily been described.
I think you're asking like, you know, how can you can do this? This could have been described as a one of two threshold. I didn't have to say this or this. I could have said this one of two threshold these two items. So there's multiple ways of doing the same thing, right? So this is why having the [00:35:00] descriptor is super useful.
Yeah, pretty much the way, I mean, because when we think of multisig and Bitcoin, we think of threshold signature. So multi_a is just codified, like it's standardized as a threshold signature in Taproot.
Yeah, if you, if you, so, so, the, the golden standard for what's possible in Bitcoin that makes sense is going to be pretty much the miniscript spec. I would, I would look there. So if [00:36:00] you,
Oh, no, that's fine.
Audience Member 3: Uh,
Michael Tidwell: where's the, um, where's like the, here it is. So, You see like this, this website right here, bitcoin.sipa.be slash miniscript. It's going to give you like pretty much all the ways of using miniscript and like all the different things that you can do. Like right here, this is that multi_a, you can also do multi, you can also do thresh.
So multi versus thresh are obviously different things. See, I don't even have a Thresh in here, so I think multi might be, uh, I think Thresh might be deprecated, because everything I have is a multi_a. Anyways, this is, uh, this is all supposed to be valid, um, miniscript. [00:37:00] So, if you're interested in, like, rolling any of this on your own, or if you just want to know, like, what these things mean, I would just look it up on this website.
This is probably, like, the best resource for that. Does that answer your question? I might not be able to answer your question if this doesn't do it. Okay. Okay, cool, cool. Alright.
This descriptor? I mean, it depends how risky you want to get. You can make a giant, crazy, granular QR code. I don't know if there's any limit on QR codes. But then your QR code would be like crazy, either big or like super granular and
Typically, like at some point, QR codes don't make sense because you're, you're encapsulating so much data in them. It's just like, it's like, it's just better to put it in like a URL that then points to the big data, you know, [00:38:00]
I guess you need an application that can then read the animated. Yeah.
Yeah. All right.
All right. So we're back to the tree right now. I think we kind of get the idea. We have 11 souls. Their keys are reused for the overall tap tree. We just talked about the tap tree. We talked about the spending conditions. And now we have this idea where as soon as one of these souls are freed. Alice, Bob, Charlie, etc.
We can see it on the blockchain. So the cool part is, Let's click on Alice.
So this is apathetic Alice. So everyone kind of has like a funny sort of Reason why they've screwed themselves out of Bitcoin. Apathetic Alice is just lazy or she just doesn't care enough to understand X Privs. So apathetic, apathetic Alice [00:39:00] is pretty much saying, Hey, I'm used to seeing 12 words or 24 words.
What the hell is this thing? I made it somehow. I don't even know how, and now I don't understand how to get my Bitcoin. Now the cool part is the address for each soul is at the bottom. So if you go, um, To this, you can see like, Oh, is apathetic Alice. Okay. Her funds were spent. So then you might be incentivized like, Hey, I'm not going to focus on Alice because her funds were already taken.
I'm going to go for like one of these that haven't been taken yet. So, like I said, real time, some of these circles were green, some were red. And I could observe when, which souls were taken, which was pretty cool. And, and this would make you be like. Hey, I know a secret. I'm the one who got it. I'm the one who got, you know, Frank.
You're the one who got Alice like, let's, let's do a soul swap or let's do a secret swap. And, you know, cause both teams would then get closer or whatever. So, you know, these are kind of like [00:40:00] ideas that exist. You also have ideas where if two teams find the same soul at the same time, they start RBFing each other.
You could see that happening on chain. Um, so some fun things like that. Actually, I don't think happened. I don't think it did. I, I gave you a lot of opportunities, even started a day late. Y'all disappoint me. I wanted to see some hostile RBFing and we didn't get to see miner, uh, donations. Oh well. Um, yeah.
So that's, that's how those observability would work. Let's dive back into uh, Alice. So, xpriv with the derivation path. I mean, this is a mini descriptor. You could make this a descriptor. This is like as small as it can pretty much get. You would plug this into a wallet that understands xprivs, or descriptors, and you would pretty much just have the funds immediately, uh, specifying this.
Um, [00:41:00] I don't know if there's any questions here, otherwise I'm gonna go to Bob.
Okay.
This was the first one found. And it was found Thursday morning. And the reason for Thursday morning again, cause I'm forgetful, like Frank. I'm like forgetful Frank, you know. So Bob was the next one to be found.
The graphic? This?
Oh, so if you got Alice, you know, like you would have one of the ten requirements here, so you'd have A. And then you'd be able to reuse her secret, the same secret that was used to swipe her Bitcoin, in this condition. Because I reused the secrets into the tree as well. Like, like the same pub keys were used.
Audience Member 4: (Inaudible)
Michael Tidwell: UTXO. The 300k sats. Remember? [00:42:00] Like right here. This was, this was Alice's Well, technically it was using Taproot. But, the Taproot, like, if you're just doing really simple stuff with Taproot, it's no different than just like, you know, receiving and sending Bitcoin, it's not really interesting.
Yeah, yeah, all the secrets from all the personas are reused for different spending conditions within the overall prize, which the overall prize is more than 300k sat bitcoins. It's like, I think it was 4 million sats. Yeah.
Yeah, so this is a, this is an xpriv, which means it's like a private version of the XPub. You've heard of XPubs? So this is an xpriv, which is just the counterpart to an XPub. Well, it's like, you know, like
Audience Member 1: it's effectively the same. That so
Michael Tidwell: pretty much whenever you have a 12 word seed, [00:43:00] right? Your software is just creating this xpriv.
And the reason the reason for making sure people understand this is because 12 word seeds don't have descriptors. They don't have derivation paths and and this controversial take coming. You ready? Uh, there's a chance that normalizing 12 and 24 word seeds the way we've done is a very dangerous premise towards long term security of our funds.
Uh, it could be a situation where in the future, um, we find out like, hey, how come this 12 word or 24 word seed isn't working with this software? And it's because Bitcoin Core never supported seed phrases, right? Bitcoin has no idea what a seed phrase is. They never wrote. Like, they're like anti seed phrase, right?
I wouldn't say anti seed phrase, but they don't mess with this BIP39 stuff, right? Everything is BIP32. [00:44:00]
This is, this is, this is like a, this is a private key? That a lot of people call like HD or extended private, but you can create many keys from this. Yeah, like a hardware wallet, you would get like this. But the idea is that 12 word seed, 24 word seed becomes this.
Audience Member 1: Can you reverse that? I'm just curious.
Back to a seed? Yeah. Yeah,
Michael Tidwell: you should be able to. I don't, I Sure. I Sure. Uh Not necessary. Not necessary. Hey, hey, does anyone know if you can reverse an xpriv back to 39? I don't think you can. Okay, yeah, yeah, it's a one way, it's a one way train. You go from 39 to 32. You don't go from 32 to 39.
Audience Member 1: Yeah, a hundred years maybe.
(Inaudible)
Michael Tidwell: don't actually know too much about what the best descriptor [00:45:00] wallets are. I'm thinking Sparrow is probably a descriptor wallet, uh, Bitcoin Core wallet is obviously a descriptor wallet. Uh, yeah, what's up?
Audience Member 2: Is there a default, uh, derivation path, or is it maybe just a convention because, uh, If you didn't have it on there, you could just kind of assume what would, like, what would the most common, you know, because you said it's dangerous to not have it.
Audience Member 1: So 86 is the
Audience Member 2: (inaudible)
Michael Tidwell: so, these are like your typical derivation paths. So, like, if you just plug this into, like, any legitimate wallet, hypothetically, they would just scan every single one of these paths and not even ask you. So, they would just be like, hey, give me your 12 word seed. And it would just, and then it would check 44.
It would check 49, it would check 84, it would check 86. But here's the problem. What if you're doing something that requires you to use account 3? Or, or this isn't hardened, it's unhardened because you're doing something interesting. Or, you, you see what I'm trying to say? Like, it's a, [00:46:00] it's a weird premise to be like, if you do anything non standard that that wallet thinks is non standard, and non standard is subjective, then your funds just don't show up.
Now, because Wait a minute that 12 word seed. I thought that's all I need. I put in the steel and you know, whatever Ten years later and nothing works because everything has changed software wise or something that things no longer supported. This is why I think Like it's good for us to understand how Bitcoin works To really understand these descriptors because this is actually how Bitcoin works.
Yeah
Audience Member 1: Like with a Segwit wallet, and then you open up
Samurai Pool transaction. Then it splits your wallet into, like, paths.
Yeah, you just
Michael Tidwell: create a bunch, yeah.
Audience Member 1: The pre pool, where your funds go before it's mixed, and you get the post pool, where it's at the mix, and then you get stuff that's remainder, which goes into something called that bank, and then you get these different [00:47:00] derivation paths. If you don't understand that, and you try to, like, recover what was in that section, you can, it's super confusing.
Michael Tidwell: I wrote real quick. We're coming up on time. It's almost 7 30. What time do we need to end?
Okay. 30 minutes left. Are we just going to stop at eight, right? Or eight, uh, seven 50. Okay.
Stephen DeLorme: Yeah.
Michael Tidwell: I just, I just wasn't sure. Yeah. I just wasn't sure if we're in at seven 30 cause then I was going to stop questions, but if we're going to end at eight, I'll still take questions. Yeah, that's fine.
Audience Member 5: So does that have
Michael Tidwell: any meaning for A, to solve, um, a merge?
Is that extra? Do you [00:48:00] mean Got it. And create signatures to satisfy all of Alice's encumbrances, wherever Alice is in the tree, you would then be able to use this to then sign a message in order to satisfy that thing. Okay. Yeah.
That is the million dollar question, and I was really worried that no one would figure this out. So I put the index number of which key you should use for Alice. So this is one, two, and then down here it's like 3, 8, 4. And I didn't just purposely put in order to let you know like, Hey, this is the eighth index, this is the fourth, this is the fifth.
So you literally go to, um, let's go back to Alice. You see how it says like star right here. So for instance, the first in the zero [00:49:00] index, if you want to use Alice's secret for the zero index, you'd make this a zero. If you care about using her, if she's in the 8th index, this would be an 8. And then, you would then derive the, the, the key pairs, you know, the signature.
Right, for the specific, yeah, it was pretty fucking complicated, yeah. Yeah, you would have to know that that index told you which this wildcard star would be.
Audience Member 6: Yeah.
Michael Tidwell: Yeah, that's that. So this is like a lot of times when you see a derivation paths, the last one will be a star. I'm just keeping convention here.
Audience Member 3: Yeah. Yeah.
Audience Member 6: [00:50:00] (inaudible)
Michael Tidwell: It'll pretty much just iterate through this. And then, and then pretty much if it ever. Yeah. Exactly.
Audience Member 3: Yeah.
Michael Tidwell: Yeah. And then, and then you can also change this number. And then reiterate through one through a billion again, and then change this to a three, one through a billion.
Audience Member 1: Yeah, be careful too. 'cause there's times when, especially in change address, where usually that last, the set of change addresses, they don't always use every consecutive one. So if you're scanning forward, like where the asterisk is, you hit something uneven. You actually probably want to keep scanning a little bit to see if you see anything else that is, it's used. And if you don't see anything for a while, you can say, uh, probably that was
Michael Tidwell: the last one. Hopefully you never have to do that manually.
Yeah. Hopefully [00:51:00] the wallet just does it for
Audience Chatter: you. Addresses that you kind of keep going just in case. It's often called an attack. But if you're looking at the wallet, you're going to say, what's the
Michael Tidwell: Well, the first one takes the longest. Yeah. Because you've got to break the ice.
All right, we're gonna go to Bob first. Hold maybe any other questions. We'll start answering them maybe as we keep going. But, uh, we got 11 of these trapped souls. We have to save them. You can't just focus on Alice. All right, we got 10 more to go through. So next one up is boating accident Bob, and boating accident
Bob is trying to convince you he really did have a boating accident and his seed phrase got damaged and rough weather, giant wave, abandoned ship, seed wet, and then, uh, float. So, what we're trying to do here is understand as if, [00:52:00] like, somehow he had a boating accident and only this part of his seed was damaged, whatever, funny, haha.
Um, and we have one, two, three, four, five, six, seven, eight, eh. Nine, so like nine and a half words, kind of. And the idea is, out of nine and a half words, can we just come up with the twelve word seed, right? Now you might be wondering, like, how is this possible? Well, one, there's not that many words left to figure out.
And then two, we're given this address. So what we can, and the derivation path, obviously. That would be very mean if I made a random derivation path. But the idea is, you can just keep Um, uh, using this derivation path in random words from the BIP39 list. Does anyone, please just let me know, does anyone not know what BIP39 is?
Cause I'd rather just answer that. I feel like that's important to know. Okay. BIP39 everyone has, does everyone know like the 12 words, 24 words, stuff like that. [00:53:00] That's coming from a list of words called BIP39, okay? Which is non standard part of Bitcoin Core, but pretty much has become a community standard amongst Bitcoiners, right?
As we see, we're going to see a lot of BIP39 seed phrases, those 12 words. I don't ever use 24 words just because this is a puzzle. I don't want to make someone type in 24 words versus 12. There's no significant difference here, uh, for, for the puzzle's sake. So what you could do is you could write a script, brute force guess all 2,000 words, you know, You could just keep guessing all the the words that are missing.
Hypothetically, you're you're only missing Uh, like two and a half words out of this, you know, this next word starts with S E. So the first thing you do is you'd say, okay, this next word has to begin with S E, which only gives me like eight possible words for this. And then I have two other words here. The idea is you just keep crunching, crunching through until you get this [00:54:00] address.
And once you get this address, you can stop and be like, Oh, I know this is the key because this is the only way to produce this address with this derivation path. Make sense? Okay. Is there software to brute force that? I don't think so. You probably have to write it yourself. And it's, I think that's the fun part.
You know? I think it was brute force. Yeah. It was supposed to be brute force. There's no real other way to do this. So the idea is, how do you brute force something where you have a seed phrase, but you know you messed up one or two words or something. The idea is you can still solve this yourself if you have what you're looking for.
Now conversely, if you didn't have what you're looking for, every single attempt, you'd have to look at the blockchain and see if that, if there's any Bitcoin on that address, which would be a huge time sink versus just verifying a string of text. Okay. All right. So this was the second one found. Um, we can, we can look, uh, [00:55:00] this is boating accident, Bob, his, I'm pretty sure it's the second one.
So the idea is you can just see like timestamps. I have a list. Anyways, I'm scared to bring up my notes cause it might be something everyone shield your eyes. Wait, hold on. Let me just get to,
uh, don't have it. I deleted it. Damn it. Okay. Um, if, if you want to know the exact time things happen, I would just say, look at the, look at the thing, but I'll, I'll try to keep you on the straight and narrow on when these things were found. Some of them were found out order, they, they weren't just all linearly found.
So
up. All right, so we'll move on to Charlie now. So [00:56:00] this is clever Charlie, and I'm using the word clever Charlie, because it's like, oh, you're so clever, but now you've lost your Bitcoin. You know, clever Charlie, uh, wanted to be called crypto Charlie, but as my British friend said, the other souls told me. It would have been cringe for him to call.
So he called himself clever Charlie instead. You're welcome. Now, if you see here, XOR is highlighted and you're given two seed phrases based on that alone, I think I exclusively did something with these two phrases or something. I feel like an idiot. Please just help me. So this is a funny one, this seed phrase.
And this seed phrase are both valid seed phrases. When you XOR them, you get another valid seed phrase. Which is kind of cool. XOR them. [00:57:00] And XOR them means you take the bytes, or you take two sets of bits, and you, every time you see a, a, a, what is it? A 0, 1, it becomes a 1. A 0, 0 becomes a 0. A 1, 1 becomes a 0.
My God, I'm not good at XOR. That's like the simplest thing. But, the idea here is, you XOR them, you get a third seed phrase, boom. You got the money. The problem, you XOR these two, you get a seed phrase, wasn't the money. So I messed up. And what I accidentally did Is I put the vanity seed phrase right here at the bottom by accident.
So this was actually the money seed phrase right here and I just gave it to you for free. So this was And, and, and the funny part is like I made the vanity seed phrase like more like, like cheeky. And it says you can barely avoid horror when you make a seed Word, story, mystery. Like, like, I made this, your twelve word seed, but then like, I just gave it to you by accident.
[00:58:00] And then the third seed phrase was also like, kinda cheeky, but like, not like, the one that you're supposed to get. And then this one, obviously, was a seed phrase just to make both of the other seed phrases like, funny. But then like, I give you the actual one here by accident, and I thought this was the not actual one, and I messed up.
So, this was actually the easiest, but because I gave you really bad clues, this became third to be found. Also on Thursday.
I don't know! That's the crazy part. It worked for here, but I didn't know that would just work. That's a good question. There's probably like a mathematical thing where it's like, yes. But I have no idea. And the fact that it did work is kind of crazy to me. Yeah.
Audience Member 5: [00:59:00] (inaudible)
Michael Tidwell: but the, the, that's not how this works.
The last word has to be a checksum. So the, the, the fact that this works is probably some mathematical way where when you flip all the bits, the checksum also, I don't know, fuck.
Audience Member 6: Um,
Michael Tidwell: yeah, checksums, valid checksums are usually you get like, you know, uh, you, you start to narrow down like making these vanity seed phrases. I had to manipulate potentially a couple words to get a phrase that would make sense, obviously. Um, okay, we're going to keep going. So next one up, uh, that was found, uh, I think it was Eve.
We'll just go in order derivation. Dave, you thought Charlie was being clever. [01:00:00] Oh boy. I use some crazy derivation path to secure my funds. So essentially derivation, Dave used a crazy derivation path, which means no software would be able to find this Bitcoin unless you knew the exact derivation path.
This is his xpriv. But if you notice what's missing is that 86 slash zero tick, you know, stuff we need to figure that out. And Tyler, any comments on this?
What was the problem with this one?
So, at, uh, at the, at the conference, you had messages, physical, uh, sheets of paper with, uh, different clues to let you know the different, uh, account octets of, you know, the derivation path here. So you'd see, like, somewhere, you'd see, like, uh, uh, I think it was like 69 tick, [01:01:00] 420 tick, slash 9 nines tick. Slash eight, zero, zero, eight, one, three, five.
Yeah. And then that was the derivation path. So you'd have to find those sheets at the conference and then plug that in. And then you got the money. Next up is encrypted Eve. And encrypted Eve was, I am surprised anyone figured this out cause I messed this one up, but people are so clever. They still figured it out.
Encrypted Eve. Uh, just pretty much says, Hey, here's my PGP key. Um, I'm desperate. I gave you my private key. I posted something on Nostr. You know, help me. The idea is you go to Nostr, you find Eve. Uh, I, I have, you know, the tab conf Nostr. It's like, uh, if you Nostr is, it's like Twitter, but way worse, but also way cooler.
And, and, yeah. [01:02:00] So the idea here. Take the key or you, you, you find a message on Nostr that's, that's encrypted. You use this key to decrypt it. The problem, I didn't give you the damn passphrase. So this PGP.
Audience Member 3: (inaudible)
Michael Tidwell: tab conf, but I didn't tell anyone, but here's the thing. No other way in any of these puzzles, would you ever have to guess something that, that you wouldn't be able to find out somehow?
There was never a thing in this entire puzzle where you just have to guess something. Except for here. That's why, that's why this was so confusing. This is why it wasn't found quick. This was one of the later ones to be found. Is there a hint that you have to use passphrase? No! That's why I'm so surprised that someone figured it out.
That's why I'm so surprised someone figured out like, oh, you also need tabcomp as the passphrase here. I'm like, holy crap. [01:03:00] Like Yeah. I mean, I mean, you didn't try just putting in a random like passphrase when you're trying to decrypt something. Yeah, like, All right. Now we're at forgetful. Frank, uh, similar to derivation.
Dave forgetful. Frank had funny, fun, uh, rule set up at the conference. And those rules were essentially the 12 word seed. Pretty simple. Alright. We'll, um, move on here. And we're off to Heather. This is Heather. So Heather just likes hashing stuff. So
Audience Member 5: the sticky notes around the frank conference were
Michael Tidwell: the
Audience Member 5: 12
Michael Tidwell: words?
Yeah. Yeah, exactly. Those frank notes were, those had money in them hills. Money in [01:04:00] them sheets of paper. All right, so hashing Heather. This is someone who just literally took her 12 word seeds and just hashed every single word. And she just loves hashing stuff. And she can hash stuff in her head, but she just can't remember what any of the pre images are.
So, what you would do Is you just go to the 20, uh, the BIP39 list. Remember that list of 2048 words and you would hash every single one of them. And then you just do, you just match them up to this, right? So you just write a script, hash, command F, control F, you know, find. And you just find, find what the words are.
And that's hashing Heather. Um, the phrase here was funny. I forget what it was. It was something like you, this will, this may take you a long time. You will cry hard because. Reasons or something. I forget like what the, the phrase was something funny like that. Um, and then we'll move on to Ian and this one. [01:05:00]
This one's so hard I can't even do it. Or I, I can probably figure it out eventually, but I don't even know how to do it really. I just know it's possible. So I had a friend of mine ensure that this was possible before I did it for the conference. And I almost didn't do this one, but this one was amazing because insecure Ian has, if you notice this derivation path, there's no ticks, there's no H, there's no hardening.
This is an unhardened derivation path. And the reasons for that could be multi multifaceted based on like how you want to run servers and how you want to reveal secrets when you do like invoicing for customer, whatever it might be. But he has a fully unhardened derivation path. And then I reveal one secret of, of a child of this derivation path.
Okay, I don't, this isn't xpub, this is not [01:06:00] xpriv, this is the first xpub we're seeing. Okay, xpub. Is it the first child? Yeah, but it doesn't matter. So, I give you the chi, one of the childs, so this is the same. These two things are the same. One is in WIF format, one's in hex format. Otherwise, they're, it's just encoding.
These are both the secret. Which don't hold any Bitcoin. Your goal is to take this secret and this XPub and compromise or figure out the XPriv here. And this is a vulnerability that I actually don't know how to pull off. And you could arguably say this isn't a vulnerability, this is just how the cryptography works, right?
But this is just a limitation that you should know about. And a lot of people, when they use BIP32, even though this is in the spec, they actually don't know about this. If you ever lose a secret Even if, even if you only have given out your X pub, if you have an unhardened path, don't use that ever again.
Like roll your keys, you know, send your Bitcoin off to a hardened path kind of thing. [01:07:00] Um, this was found. I was very impressed with the team. I think it was Stu's team that figured this one out, right? Knocked us, figure this one. Yeah. Knocked us, figured this one out. I think that's amazing. I don't even know how to do this.
I just know it's possible. I even asked on stack overflow, how do you do this? And no one responded to me. I don't think it's like, maybe it's like frowned upon to be like, Hey, how do you take Bitcoin? If you have an unhardened path in this, I'm like, we should know like how this works. I'm like more like that.
This right here. So I just, I just took one of the key pairs and then, and then, and then I WIF'd it, a wallet import format. And then this is just the, the secret as hex. So one is, uh, one is the wallet import format, which like. Most wallets understand and then just in case like you, you want it in different format.
I gave it to you in both
They're synonymous they're they're this is just this is an [01:08:00] encoding of this so technically the hex I Think it was either index zero or one here Yeah, and then the opposite one so index zero had the funds on it Index one was this. You had to take index one, compromise the XPUB, so then you get index zero.
And then actually use that one to, you know, take the, the 300k SATs. Yeah. Good? Yep. Alright. Yeah, this was by far the hardest. I don't think this was the last one to be found, though. I think this was like second to last. Lexicon, anyways, Liam was last, but Alright, so Judy is up. Judy was fun. This was also a meatspace in person thing.
Everyone at the conference got a wristband and on that wristband, if you scanned your phone to it, it would take you to the schedule. But if you used any sort of like analyzer tool or like a NFC tool, you would see that it had more than just the website on it. It also [01:09:00] had a word and guess what? That word was indexed with a number.
And the idea is we, we divided the wristbands up 12 different ways. We put. 12 words on, you know, everyone, every single attendee got one word. And then it would be up to you to work with people at the conference to get the whole phrase. So, um, also there's a black wristband that we gave out to village leaders, myself, and a few others.
Like, you know, staff and, you know, volunteers. Those people, um, had a passphrase, so that was like the 13th clue. So you had 12 words and a passphrase. And that's how it worked.
Audience Member 6: (inaudible)
Michael Tidwell: so you had a brute force one of the words, yeah. Yeah.
Wait, are you hacking me? What is what's going on?
You did. Yeah, because one was called passphrase this and one was called [01:10:00] one, you know, boat to about. Yeah, yeah, yeah, the index was there. Otherwise it'd be impossible. You'd never know how to. I mean, that would be like insane if you had 12 words and didn't know the order. I think that'd be, I think that'd be too much.
That would be too much. That would be too, it'd be like, hey, I'm waiting for my computer to get done with like a 40 hour task. Like, I don't want to do that to someone. Yeah. So,
Audience Member 3: so, the manufacturer that made this bracelet, what did they think
Michael Tidwell: about? They don't know what we did. We did all this ourselves.
Audience Member 3: Oh, you programmed it yourself.
Michael Tidwell: Yeah, yeah, yeah.
Audience Member 5: Yeah, when Stu asked me who came up with like, oh, I don't
Audience Chatter: know.
Michael Tidwell: So this is, uh, this is Keyless Kelly. I was working on some interesting taproot encumbrances when I heard voices. Slowly I was led down a path and coaxed into thinking the taproot tree wanted to share its knowledge with me, [01:11:00] but instead it took my hash and used it as part of its own wicked scheme.
I'll do you a favor. Here is my seed phrase used in conjunction with a hash. Free me first, then reuse the hash and help destroy the tree once and for all. So this is her seed phrase. So now I give you the seed phrase. And then I give you a pre image. Now, for pre images in Miniscript, you need it to be 32 bytes.
So every time I say a seed phrase or a pre image, it's actually a pre pre image that you need to then make a pre image. And that's why I called her pre image the ultimate pre pre image.
Alright, cool. So, so then you would take, you would take this, the ultimate pre pre image, you would hash it, you get 32 bytes, that is her pre image. And this is a tiny, remember how I showed you that big descriptor earlier? This is a tiny descriptor and this is to warm you up. So you could get used to tap trees before you take on the big boy.
So this is like, Hey, you're [01:12:00] using a pre image. This is a descriptor. You know, you got to, um, you know, you got to figure out how this stuff works. And you can, you can take it in like a small chunk. Now the problem is this. Pre image was never needed because one of the teams found out I did a mistake. I made a mistake and I reused one of the secrets that was her internal key.
And they reused that to then just take the funds. So the point of this failed, which was, Hey, you need to learn how to use pre images as part of your encumbrance scripts. They never figured that out. So then it actually kind of messed up their ability to learn how to use this for the overall tree of the team that ended up winning.
Um, the team that ended up winning actually figured out, found out that pre images are not supported in Bitcoin Core and they're trying to use Bitcoin Core to sign, so that was also something that we found out, uh, via this puzzle.
Uh, Bitcoin Core, at least [01:13:00] at the time when TABConf was going on, I don't know if they made a change because of the puzzle or something, but, uh, they did not support pre image, like, like, as part of, like, the signing method for sending funds. So you could only like sign signatures with like private keys. But I couldn't just have like a string of text act as like an additional secret for my Bitcoin.
And apparently, according to HL, that was an oversight or something. Like this was, like they didn't actually think anyone's ever tried this before or something.
No, this is like a completely separate thing. Not having to do with seed phrases, not having to do with private keys. This is like, I just want to take some string of text. And then use that as part of like, my secret to then send my Bitcoin later. Yeah. That's, that's whenever I'm talking about pre images, I'm talking about that.
I'm talking about like just the string of text that are used as secrets. [01:14:00]
Audience Member 3: (inaudible)
Michael Tidwell: That's an invalid question. They didn't support as part of just signing for it when you, uh, uh, when you import into the wallet, they would still validate it. They would still think it was valid. It was still thinking standard. They would still like it. They just wouldn't allow you to then send it from the Bitcoin Core wallet.
Yeah. So I'm gonna move on. And, let's see, did we cover Judy? We just covered Keyless Kelly. Last but not least is Liam, Lexicon Liam, and this is a little bit of an older school kind of cypherpunk-y puzzle, which is not really having to do much with Bitcoin, but just substitution principles. Uh, the idea is this is a 12 word seed, but you get like uno, one, zero, one, zero, one, uno, one, zero, one, zero, one.
You get this kind of like weird, like, string slash number stuff. [01:15:00] So, so what you, what you would do is you would look for one of the words that only had one word in it. So like this one only has uno. And then you'd be like, what does this need to then become like a enough bits for like one of the seed words?
And then you would say like, okay, well, uno, uh, this, you know, this is missing four bits. So maybe uno is one, one, one, one. That would be like the idea, and then you'd be able to then know uno equals one one one one. So then you could plug it into any of these, and then you'd know what zero was, because then you'd find the missing bits there.
The idea is, like, you'd use substitution, like, you know, like, algebra? Like, you'd use, like, yeah. So, so you would, you would
So imagine, like, uno is, like, x, and zero is y. And then you would just need to figure out what these two values equal. But I gave you a hint where I said where uno is pretty much four ones and zero ended up being two zeros. And then you would just [01:16:00] convert those bits into the seed words.
I'm saying you'd go to one of the ones that only has one variable and you'd try and you would try to elude that. What is this missing? You actually don't need a script for this one. Yeah, you could do this without a script. But yeah, this, this, this is just, this is just substituting, um, looking at this enough to understand the placement can be even in the middle, whatever.
And understanding like, okay, what could this possibly, I mean someone figured it out, so I know.
Yeah, this was, this was supposed to be hard. I'm not saying it was easy. Because it's not using any Bitcoin related kind of ideas of cipher. Like this is all just like substitution cipher stuff. Like this is literally a substitution cipher. Well, so, [01:17:00] what would you call it?
Audience Member 5: Oh,
Michael Tidwell: I don't know. I would just consider this to be a substitution cipher because you just substitute uno for four ones and zero for two zeros.
And then you wouldn't ever need to figure out both of these variables at the same time because you have some that are isolated. So that's why. Yeah. So, Yeah.
Audience Member 5: How do you know that's the last, the last two words that both have (inaudible)
Michael Tidwell: them? They have eleven.
Audience Member 5: Seed words all have eleven, eleven bits. Right. But how do you know it's four
Michael Tidwell: ones? Okay. So then 11 minus seven, and then what are you missing? You're missing four bits. [01:18:00] Oh, cause it's uno.
Audience Chatter: I mean,
Michael Tidwell: and then, and then also, and then also I give a, I gave a hint that all the, all the seed words. Let's start with the letter W. So, so then, so then the seed phrase was like this really epic seed phrase. Yeah, the, so like, so then like, uh, so then like the seed phrase was like, I, like, wonder what wolf want.
Wool and wolves. Sheep, wolves clothing or something. It said like something about like a wolf in winter. Wanting. Wool, wondering why, want, this, or, want, want. Yeah, so like, it was like a, it was like a seed phrase with all W's in it. That sort of made sense. Kind of sounded like a caveman was saying it. I see your logic, man.
Yeah. Hey, dude, my puzzles aren't easy, but someone figured it out. So my excuse is, it was just hard enough. Alright? Um, Is this the last one we solved? Yeah, so these are all the seed, so this is it. [01:19:00] And then, um, we'll, we'll, we'll need to wrap up here shortly. And then we can take questions maybe later. Um, but I'll just show you real quick.
So I did get a PR merged into Rust Bitcoin, Rust Miniscript. So I was really excited about that. Um, Poelstra, uh, took in my example. I got the Taptree of Horror as a, the only, like, end to end holistic, pretty much, uh, tree with a readme. I also put this, cleaned it up a bit. And, uh, I know, I know we need to end here, but I'll just show you real quick some code and then we'll end.
So, here you can see I have like Alice, Bob, Charlie, and you notice I'm not using any BIP39, no seed words here. Um, they don't want any seed words in the Rust Bitcoin stuff, so I just converted everything to xprivs, xpubs, stuff like that. Um, so, you could, you could substitute this with seed phrases, whatever.
And [01:20:00] then, I, um, have, uh, I get all the secret keys from here as a descriptor. And then, uh, I then produce key pairs for each, uh, persona. So Alice, Bob, Charlie, Dave, etc.
I then define my, my pre images and I define my time locks as UTC timestamps and then I give them really easy names like, you know, October 23rd morning, October 24th evening, and the reason for that is because I then can I make this smaller? No, I then have a policy. And I think you're asking me, like, how did I actually define the descriptor?
Well, I defined it here. And if you see, like, the first one is an or statement. So I'm pretty much saying, like, it could be either the internal key or all the rest of it. So that's kind of like how it starts. And you can see I, I punch in [01:21:00] variables, like this one would be like the second index and this is like Alice to Bob to Charlie to, and then, you know, like it has to be like at this time lock after this time. This is all using Miniscript syntax, and then I make this policy a string, and then I pretty much take away all the spacing and line breaks and tabs and all that, and then I compile it into a descriptor.
So this is how I compile the taproot descriptor. And I don't, I, and I don't, I say none because I actually want to use the internal key. I don't want to use a bogus internal key. And, and then I give an example of how to actually spend out of it. Um, so then I, I specified my time locks. I give a dummy address.
I give a dummy like UTXO that would have potentially sent to this. And then I do all my PSBT signing as Alice, Bob, Charlie, Dave, Eve, Frank, Henry, or Heather, et cetera. And then I include my two pre images here for Kelly and Grim. Uh, and I'm [01:22:00] satisfying, uh, one of the conditions here, which would be this condition.
Um, I think it's, yeah, I think it's 10, 10 is not up here. I think, I think it's actually zero because yeah, it's zero. So this is the, this is, this is the one I'm, I'm satisfying right here. Um. Yeah, and that is like the code. This is all public, so you can take a look at it. The reason for making this example holistic, like end to end, with how to create the policy, how to spend out of it, is because I want more companies to use this.
So, I think like AnchorWatch has already like looked at this, so maybe, hopefully, they'll start using Taproot. Um, I want like, like, the only like boogeyman is like, oh, quantum computers. So, we're obviously going to be talking about that next year at TABConf, because then I'm going to feel really dumb.
Quantum computers end up standing, uh, you know, stealing all the taproot coins, but then maybe it's like, Oh, we have bigger problems. So, [01:23:00] um, yeah, that's, I want to wrap it up here. We're, we're after eight, so I'll, I'll end here. Thank you so much for having me and thank you.
Stephen DeLorme: Hey, thanks for listening. I hope you enjoyed this episode. If you want to learn more about anything that we discussed, you can look for links in the show notes that podcast player. Or you can go to atlbitlab.com slash podcast. On a final note, if you found this information useful and you want to help support us, you can always send us a tip in Bitcoin.
Your support really helps it so that we can keep bringing you content like this. All right. Catch you later.