sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
Chris_Stewart_5 has quit [Ping timeout: 265 seconds]
TheoStorm has quit [Ping timeout: 245 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
BashCo_ has quit [Ping timeout: 260 seconds]
AaronvanW has quit []
Belkaar has quit [Ping timeout: 276 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
cryptojanitor has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 256 seconds]
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
tromp has quit [Ping timeout: 260 seconds]
Belkaar has quit [Read error: Connection reset by peer]
TheoStorm has quit [Ping timeout: 240 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Belkaar has quit [Read error: Connection reset by peer]
TheoStorm has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
TheoStorm has quit [Ping timeout: 260 seconds]
TheoStorm has joined #bitcoin-wizards
thrmo_ has quit [Quit: Waiting for .007]
Belkaar has quit [Read error: Connection reset by peer]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 265 seconds]
jtimon has quit [Ping timeout: 244 seconds]
TheoStorm has quit [Ping timeout: 256 seconds]
TheoStorm has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 256 seconds]
luke-jr has quit [Excess Flood]
luke-jr has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 248 seconds]
TheoStorm has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 256 seconds]
TheoStorm has quit [Ping timeout: 265 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 268 seconds]
TheoStorm has joined #bitcoin-wizards
harrymm has quit [Ping timeout: 256 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 268 seconds]
harrymm has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 240 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 256 seconds]
TheoStorm has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 265 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 248 seconds]
tromp has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
p0nziph0ne has joined #bitcoin-wizards
adrao has quit [Ping timeout: 256 seconds]
SopaXorzTaker has quit [Remote host closed the connection]
adrao has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 265 seconds]
TheoStorm has joined #bitcoin-wizards
d9b4bef9 has quit [Remote host closed the connection]
Krellan has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 240 seconds]
p0nziph0ne has quit [Quit: Leaving]
SopaXorzTaker has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
BashCo has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
jtimon has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
cryptojanitor has quit [Quit: Connection closed for inactivity]
AaronvanW has quit [Ping timeout: 240 seconds]
nuncanada has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
SopaXorzTaker has quit [Quit: Leaving]
d9b4bef9 has joined #bitcoin-wizards
son0p_ has joined #bitcoin-wizards
Krellan has quit [Read error: Connection reset by peer]
Krellan has joined #bitcoin-wizards
opdenkamp has quit [Quit: ZNC 1.6.5+deb1 - http://znc.in]
Aaronvan_ has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
jimmysong has joined #bitcoin-wizards
<jimmysong> Question for the crew here, Schnorr Signatures, using the canonical form is checked with: R = s*G - H(R||z) * P
<jimmysong> If you do that, you can compute P just from the signature using
<jimmysong> specifically, you end up using H(P||R||z), which precludes the possibility of computing P from just the Signature
<jimmysong> Two questions:
<jimmysong> 1. What is the reason that for Segwit Version 0 we didn't do something similar with pubkeys? After all, the pubkey can be derived using just the signature, so why is the pubkey in the witness program?
<jimmysong> Specifically, there are 4 possible pubkey values, we could have just specified which one in the witness program (2 bits) instead of the 33 bytes required for a compressed SEC pubkey
<jimmysong> 2. Why does the Schnorr construction use P in the hashing function?
<jimmysong> I'm sure I'm missing something, I would like to know what the reasoning is
<jimmysong> Obviously, removing the pubkey from the witness program would be a pretty big win from a space savings perspective
Chris_Stewart_5 has quit [Ping timeout: 265 seconds]
<jimmysong> I'm missing the drawbacks or the vulnerabilities of doing something like that
BashCo has quit [Ping timeout: 240 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
<jimmysong> *hattip to one of my students asking this
<kanzure> "pubkey can be derived using just the signature" ecdsa pubkey recovery?
<waxwing> yeah for 1, that's the same question. i remember there was a thread on btctalk years ago about that
<waxwing> i guess verification issues? but i was never clear on that.
<jimmysong> maybe sipa, luke-jr or gmaxwell can comment? Just trying to understand so I can explain this
<waxwing> for 2, if you don't hash the pubkey into the Schnorr sig, it's interesting to observe it's not a zkpok of the private key if the pubkey is not known in advance. a (s, R, m) tuple alone. how that fact plays in, in the bitcoin context, isn't completely clear though.
<waxwing> basically because it's a linear thing, you can add up a bunch of sigs and validate them all together, but it's not secure without first randomizing the terms; then you're using the curious fact that doing a lot of elliptic curve scalar mults at once is much quicker than doing them all individually
<waxwing> oh yeah istr gmaxwell telling me once that that's the reason for (R, s) rather than (Hash, s) being the preferred schnorr sig form (for batch validation). maybe there's other reasons, not sure.
<jimmysong> ok, thanks. That explains 2. How about #1?
<kanzure> was my pubkey recovery answer unsatisfying?
<waxwing> kanzure, to be specific: "pubkey recovery is incompatible with schnorr": are you saying it's incompatible with schnorr aggregation?
<kanzure> i'm not actually sure, i haven't investigated the details
Chris_Stewart_5 has quit [Ping timeout: 245 seconds]
<waxwing> right; i think as per jimmysong's Q, it's straightforward if just a single key schnorr, unless i missed something obvious
<kanzure> actually i mean ecdsa pubkey recovery is incompatible, and i shouldn't be bullshitting around, apologies.
<waxwing> yeah this is very tricky stuff. but i think not hashing the pubkey into a schnorr sig construction is dodgy as per my earlier zkpok comment and i suspect, specifically, if you try to use schnorr's linearity (as you do when you aggregate keys or signatures) you end up with naughtiness :) and if you *do* hash the key (H(P||R||m)), then of course recovery is not possible, you need the P before you start :)
coinsmurf has joined #bitcoin-wizards
coinsmurf2 has quit [Ping timeout: 256 seconds]
<jimmysong> i missed something. What do you mean ECDSA pubkey recovery is incompatible? With batch validation?
<kanzure> incompatible with schnorr was the message i received from andytoshi
<jimmysong> ok, will have to ask him next time unless he answers here
<sipa> jimmysong: schnorr with key prefixing (secure against key malleation) is incompatible with pubkey recovery
BashCo has joined #bitcoin-wizards
<sipa> jimmysong: without key prefixing, you can take a signature for a pubkey P and message m, and turn it into a valid signature for a key P+aG and message m, for any a
<sipa> jimmysong: MuSig also requires key prefixing for its security proof
son0p__ is now known as son0p
<sipa> jimmysong: and most importantly, batch validation is inherently incompatible with pubkey recovery (you can only recover at most one pubkey from the batch), and signature aggregation gives far bigger gains
<yoleaux> @nopara73 agree, NB you can use Brands' ecash protocol http://cypherspace.org/credlib/ which is ECDL compatible, also has blinding, can use Bitcoin curve, supports multiple denominations & should be CT compatible (similar to the CT construction) doing public audit seems hard & conflicts with scale (@adam3us, in reply to tw:944333907373318144)
<andytoshi> jimmysong: 1. segwit v0 did not change anything about the signature scheme except to restructure the sighash (but importantly no semantics were changed). this is because segwit had enough scope already.
<andytoshi> 1a. The reason not to use pubkey recovery is that it's incompatible with batch validation
<andytoshi> 2. (also 1b). Committing to P ensures that the signature is not only a strong signature, but also a proof of knowledge of the secret key. this prevents key malleability attacks and greatly simplifies the analysis of integrating with larger cryptosystems
<andytoshi> as waxwing said
<andytoshi> jimmysong: re batch validation with ECDSA, we do not have it, unfortunately the ECDSA signature malleability means that you can't batch validate ECDSA sigs unless you can somehow determine which complete R point corresponds to the r value in the sig
<andytoshi> and our choice of symmetry breaking in BIP66 does _not_ fix the R point, something (afaik) it did not occur to us was possible until over a year after bip66 was deployed
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
Krellan has joined #bitcoin-wizards
mgxm has quit [Ping timeout: 244 seconds]
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
Aesthetic has quit [Ping timeout: 260 seconds]
<gmaxwell> jimmysong: beyond the security implications-- which could be addressed by putting the scriptPubkey or key hash in H(), certicom has a patent on key recovery that could potentially apply to that construction.
<gmaxwell> (and of course batch validation and whatnot)