Liquid: A Bitcoin Sidechain:
Transfers from Liquid back to Bitcoin, termed peg-outs, are conceptually much simpler. They
are simply Liquid outputs which destroy L-BTC using the OP_RETURN Script opcode, and which
include the following data:• The blockhash of the Bitcoin genesis block, to indicate that these L-BTC are intended to go to the Bitcoin chain.
• A scriptPubKey indicating the destination that the coins should have on the Bitcoin chain.
• A PAK proof, described in more detail in Section 2.3, which proves that this peg-out was 160 initiated by an authorized Liquid participant.
Instead, we use a simpler mechanism in which every peg-out has a so-called peg-out authorization key proof (PAK proof). This is a zero-knowledge proof which demonstrates that the peg-out destination is controlled by a known Liquid participant, without revealing which participant. In cryptographic terms, a PAK proof is a ring signature over a set of keys of the form
Ponline + H(A − Poffline) · (A − Poffline),
one for each participant. Here H is a hash function, A is the public key corresponding to the peg-out destination address, A − Poffline represents (typically) a BIP32 tweak used to derive the address from a master key Poffline, and Ponline is an additional key.
What is the size of OP_RETURN outputs used in L-BTC peg-outs?
Let’s estimate .. it has to have at least 66 bytes as the hash is 32 bytes and P2TR is ~34 bytes. What is the size of the PAK proof?
