Standard Simplicity Script Pubkey

The disassembled DAG of the standard Simplicity program for a single public key looks as follows.

let e0 = Word <32-byte x-only-public-key>     -- : 𝟙 ⊢ 𝟚^256
let e1 = iden                                 -- : 𝟚^256 × 𝟙 ⊢ 𝟚^256 × 𝟙
let e2 = Jet sigAllHash                       -- : 𝟙 ⊢ 𝟚^256
let e3 = disconnect e1 e2                     -- : 𝟙 ⊢ 𝟚^256 × 𝟚^256
let e4 = pair e0 e3                           -- : 𝟙 ⊢ 𝟚^256 × 𝟚^512
let e5 = witness <64-byte BIP-0340-signature> -- : 𝟙 ⊢ 𝟚^512
let e6 = pair e4 e5                           -- : 𝟙 ⊢ (𝟚^256 × 𝟚^512) × 𝟚^512
let e7 = Jet checkSigVerify                   -- : (𝟚^256 × 𝟚^512) × 𝟚^512 ⊢ 𝟙
      in comp e6 e7                           -- : 𝟙 ⊢ 𝟙

For each subexpression above we have a comment showing the inferred type of every subexpression.

Let’s go through this program line by line.

e0

let e0 = Word <32-byte x-only-public-key>     -- : 𝟙 ⊢ 𝟚^256

This expression is a constant function that outputs the user’s 256-bit public key. This will be the first component of the data that will be passed to the checkSigVerify jet in e7.

e1

let e1 = iden                                 -- : 𝟚^256 × 𝟙 ⊢ 𝟚^256 × 𝟙

This expression is passed to disconnect in e3. It receives the Commitment Merkle Root (CMR) of the hash mode expression (see e2), and any other input to the disconnect function. In this example there is no other input, so we just have a unit type here. Normally the purpose of this expression is to determine if the CMR is authorized. However in this case we simply pass the CMR along when it will be included in the message generated by disconnect in e3.

e2

let e2 = Jet sigAllHash                       -- : 𝟙 ⊢ 𝟚^256

This is a jet that computes a transaction hash of all transaction data. It is analogous to Bitcoin Script’s SIGHASH_ALL digest, but differs in its exact implementation.

e3

let e3 = disconnect e1 e2                     -- : 𝟙 ⊢ 𝟚^256 × 𝟚^256

This expression assemble the 512-bit message that will make up the second component of the data that will be passed to the checkSigVerify jet in e7. The disconnect combinator passes the CMR of e2 as an input to e1, which in turn simply passes it back and it ends up as the first component of disconnect’s output. The second component of the output is the output of e2 itself, which is a 256-bit transaction digest.

The important property of disconnect is that its CMR excludes e2. This means that the expression e2 is only decided at redemption time, and the user can replace the digest expression with any other transaction digest jet, or even make up their own digest expression themselves.

What ever expression winds up being used for e2, its CMR necessarily becomes part of the signed message, and this cannot be altered (unless a new signature is generated).

e4

let e4 = pair e0 e3                           -- : 𝟙 ⊢ 𝟚^256 × 𝟚^512

This expression pairs up the output of e0, the user’s public key, with the 512-bit message generated by e3.

e5

let e5 = witness <64-byte BIP-0340-signature> -- : 𝟙 ⊢ 𝟚^512

witness expressions denote constant functions that output Simplicity values. In this example we output a 512-bit BIP-0340 signature value.

The key difference between witness expressions and Word expressions like in e0 is that the CMR of witness excludes the witness’s value. Similar to disconnect, this means that the witness’s value is not decided until redemption time.

Naturally signature values cannot be forged by third parties who do not know the private key corresponding to the fixed public key in e0.

e6

let e6 = pair e4 e5                           -- : 𝟙 ⊢ (𝟚^256 × 𝟚^512) × 𝟚^512

This expression pairs up the output of e4 and e5, creating a tuple with

1. the user’s public key
2. a 512-bit message consisting of the CMR of the chosen hash mode expression, and the output of that hash mode expression.
3. a 512-bit BIP-0340 signature value.

e7

let e7 = Jet checkSigVerify                   -- : (𝟚^256 × 𝟚^512) × 𝟚^512 ⊢ 𝟙

This is jet that verifies a signature on a message with a given public key. The message is additionally tagged with a Simplicity signature application specific tag.

This jet has no output. It either succeeds or aborts. This allows this jet to be compatible with batch verification, allowing an implementation to optimistically succeed and continue, while validating the signature in batch at a later time.

Root

in comp e6 e7                           -- : 𝟙 ⊢ 𝟙

The expression root simply composes e6, which generates the public key, message and signature, with e7 which consumes them and validates the signature.

This expression has type 𝟙 ⊢ 𝟙 which is the type that is required by all Simplicity programs.