Confidential Script: Emulate soft forks using stateless TEEs

The "confidential-script-lib" library emerged from a presentation at the BTC++ hackathon in Austin, introducing an architecture that allows for the confidential execution of complex scripts not yet supported by the Bitcoin protocol. This initiative, recognized for its ambition, aims to enable developers to test features like OP_CAT, OP_CTV, OP_CCV, and Simplicity on the mainnet in a permissionless and minimally trust-reliant manner. This could serve as a middle ground in debates around soft forks by showcasing which upgrades have genuine demand.

A Trusted Execution Environment (TEE) such as AWS's Nitro Enclave plays a crucial role in this architecture, providing a secure space where code execution can be isolated from external threats. This environment ensures the protection of sensitive information against both side-channel and physical attacks while offering reliable attestations about the executed code and its outcomes. The use of TEE, coupled with AWS's Key Management System (KMS), offers a robust framework for securing significant funds, although it requires users to place trust in AWS as the system's operator.

At its core, the library employs a two-step emulation and signing process. Initially, it constructs a transaction using an input that spends a real previous outpoint but with an emulated script-path spend from a P2TR script_pubkey. This is validated through a Verifier compatible with rust-bitcoinkernel, allowing for the emulation of unadopted Bitcoin protocol features. If the transaction passes validation, the library signs it using a derived child private key from the parent private key and the merkle root of the emulated script path. This method separates script execution from on-chain settlement, enhancing privacy and enabling new functionalities with minimal reliance on trust.

A key feature of this approach includes a failsafe mechanism via a backup script path, ensuring that users can recover their funds should the primary TEE-based execution path become unavailable. This library also extends support for experimenting with proposed soft fork upgrades, offering a platform for testing new opcodes and scripting languages by adhering to the rust-bitcoinkernel API.

For maximum security within this innovative framework, the recommended setup involves running the library inside a Nitro Enclave, tightly integrated with AWS KMS. This setup ensures that the master private key is securely provisioned and that any AWS account can deploy an identical enclave, making the process nearly permissionless. Such a configuration emphasizes the importance of irrevocable KMS policies for key creation, preventing deletion and ensuring access is strictly reserved for specific, verified enclaves.

In summary, the "confidential-script-lib" library introduces a groundbreaking approach to executing advanced Bitcoin scripts confidentially and securely. By leveraging TEEs like AWS Nitro Enclave and integrating with KMS, it provides a robust platform for developers to explore and implement features not yet available on the Bitcoin mainnet, all while maintaining high security standards and minimal trust assumptions.