Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 928B487A for ; Fri, 22 Sep 2017 21:55:21 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f47.google.com (mail-oi0-f47.google.com [209.85.218.47]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C334E41D for ; Fri, 22 Sep 2017 21:55:20 +0000 (UTC) Received: by mail-oi0-f47.google.com with SMTP id 199so360102oii.11 for ; Fri, 22 Sep 2017 14:55:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6SnXPYPB/b503Fj4NQNjYMKMnyZ58fvrPZ8Tot8Y6jI=; b=E1nljPdwIN0CTRjbSnhWcjYdEpV4qfsQ0lDm9AzplgdXai9VeAMheRQjJHAROy9Mgk i13jokoKAbxPoaSe1wUfPwh44qTDjtV6GN2rJDmCo1NKY5olJ/Mz2wY9krNrNVKggdR/ i5ouN8Jdj9w65EnVSEUv+UNTaKSQOjG9tLBcXWNxe8raPSBfdOdj5MDpNe7rAwXcy923 fp+R01yS+xIZ/GMVOye+Nu96QG5Ec77x0xKfK6mTQ3ElG9e6e4/xbT9hR9oXQI+RO6Z7 Ga0NTKsIMThdwtQiBc2eIaIkbIncEI7PFHB0VvUGieUqshzcmtnYq2P4EfwHgL5SLx7m oSQg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6SnXPYPB/b503Fj4NQNjYMKMnyZ58fvrPZ8Tot8Y6jI=; b=Nrwt5XT7BurrOuNnxeaEQc+FsYQg2aiJq0kvC+zb+SEDG9JrtDvQA4/sGA/6vMUkoO AQ3iomgMUyrWL5eNmRQqXgf/zaNwDn8AtjNjCjzz68OZQ29s2l1jhp+OpKtY346mouEe 3ZyqW574ztey21dhu9S+01WKi8haVR3VhtgF3KHpZv/9tt8irREoB0rJgE5OsAUCabtA W861nKbk8+ZDBNM8f5BnASoQYVTaIElqF3EEbFK0fSk7N4D9f4qFM2x5lNX4bUzDmwaS LpnWIEhb0Akr+F6/8f1+CVoZ61IyCvt9XDlEJNX2HOTJU+EnBIT2vqf4oiotsUH51g97 ckZQ== X-Gm-Message-State: AHPjjUi/X6hJg2WkakXbMZn+9z4BBNQZhlcFwyc0ZkKfPhSK50HRAg8s x725Id+9X1jGGWG7wBUjasSNGp8Ex3elRVZb3RQ= X-Google-Smtp-Source: AOwi7QD33naa3V6vJuwqI2kPHiSRD79cDUd9k5iOlCcsD5lTp8ifh7Bu1X6Y6W0Oo6Jsn27QzyHJHRnL8jpxFQY0inA= X-Received: by 10.202.232.140 with SMTP id f134mr692983oih.204.1506117320025; Fri, 22 Sep 2017 14:55:20 -0700 (PDT) MIME-Version: 1.0 Received: by 10.157.85.72 with HTTP; Fri, 22 Sep 2017 14:54:39 -0700 (PDT) In-Reply-To: <9FD4AF03-28A5-4B8A-9C12-CBCB1BC2E22C@friedenbach.org> References: <5B6756D0-6BEF-4A01-BDB8-52C646916E29@friedenbach.org> <201709190309.08669.luke@dashjr.org> <3385CE20-C1BA-40DD-8FC3-8F53F3350717@friedenbach.org> <9FD4AF03-28A5-4B8A-9C12-CBCB1BC2E22C@friedenbach.org> From: Sergio Demian Lerner Date: Fri, 22 Sep 2017 18:54:39 -0300 Message-ID: To: Mark Friedenbach Content-Type: multipart/alternative; boundary="001a114085f4d9f50e0559ce43d3" X-Spam-Status: No, score=0.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE, RCVD_IN_SORBS_SPAM autolearn=disabled version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Fri, 22 Sep 2017 22:07:02 +0000 Cc: Bitcoin Protocol Discussion Subject: Re: [bitcoin-dev] cleanstack alt stack & softfork improvements (Was: Merkle branch verification & tail-call semantics for generalized MAST) X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Sep 2017 21:55:21 -0000 --001a114085f4d9f50e0559ce43d3 Content-Type: text/plain; charset="UTF-8" If the variable size increase is only a few bytes, then three possibilities arise: - one should allow signatures to be zero padded (to reach the maximum size) and abandon strict DER encoding - one should allow spare witness stack elements (to pad the size to match the maximum size) and remove the cleanstack rule. But this is tricky because empty stack elements must be counted as 1 byte. - signers must loop the generation of signatures until the signature generated is of its maximum size. On Fri, Sep 22, 2017 at 6:39 PM, Mark Friedenbach wrote: > You generally know the witness size to within a few bytes right before > signing. Why would you not? You know the size of ECDSA signatures. You can > be told the size of a hash preimage by the other party. It takes some > contriving to come up with a scheme where one party has variable-length > signatures of their chosing > > > On Sep 22, 2017, at 2:32 PM, Sergio Demian Lerner < > sergio.d.lerner@gmail.com> wrote: > > > > But generally before one signs a transaction one does not know the > signature size (which may be variable). One can only estimate the maximum > size. > > --001a114085f4d9f50e0559ce43d3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
If the variable size increase is only a few bytes, then th= ree possibilities arise:

- one should allow signatures t= o be zero padded (to reach the maximum size) and abandon strict DER encodin= g

- one should allow spare witness stack elements = (to pad the size to match the maximum size) and remove the cleanstack rule.= But this is tricky because empty stack elements must be counted as 1 byte.=

- signers must loop the generation of signatures until = the signature generated is of its maximum size.




On Fri, Sep 22, 2017 at 6:39 PM, Mark Friedenbach <ma= rk@friedenbach.org> wrote:
= You generally know the witness size to within a few bytes right before sign= ing. Why would you not? You know the size of ECDSA signatures. You can be t= old the size of a hash preimage by the other party. It takes some contrivin= g to come up with a scheme where one party has variable-length signatures o= f their chosing

> On Sep 22, 2017, at 2:32 PM, Sergio Demian Lerner <sergio.d.lerner@gmail.com> wrote:
>
> But generally before one signs a transaction one does not know the sig= nature size (which may be variable). One can only estimate the maximum size= .


--001a114085f4d9f50e0559ce43d3--