Damus
SatsAndSports · 9w
You need a bit more than the header, right? You also need the transaction that contains the OTS op_return and the Merkle path from that Bitcoin transaction up to the root that's in header So that's t...
Vitor Pamplona profile picture
Not really. The proof file inside the ots event already carries the tx and the block merkle path. There are two merkle structures + the transaction itself sitting between the document hash and the block header's merkle root. The elegant trick of OTS is that every byte of that intermediate material is embedded inline in the .ots proof file as APPEND/PREPEND operands. The verifier never goes to the chain for any of it. So, in practice, the verifier only executes the ops from the event, ends up with 32 bytes, and does one comparison — result == header.merkleRoot. Failure of any of the embedded data (wrong sibling, wrong tx byte, wrong path) makes that final comparison fail. There's only one check but, conceptually, you're right that two merkle trees + a tx are being walked; they're just walked using bytes inside the proof.
🤙1
SatsAndSports · 9w
Thanks for the details! I had assumed, incorrectly, that the OTS proof was more minimal