Return-Path: <bitcoin-dev@wuille.net>
Received: from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 874E8C002D
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 28 Jul 2022 15:58:15 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp3.osuosl.org (Postfix) with ESMTP id 30BFD60F81
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 28 Jul 2022 15:58:15 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 30BFD60F81
Authentication-Results: smtp3.osuosl.org; dkim=pass (2048-bit key,
 unprotected) header.d=wuille.net header.i=@wuille.net header.a=rsa-sha256
 header.s=protonmail2 header.b=vWHy2mHF
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.1
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, BITCOIN_OBFU_SUBJ=1, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from smtp3.osuosl.org ([127.0.0.1])
 by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id SV8dFcFUXPBR
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 28 Jul 2022 15:58:13 +0000 (UTC)
X-Greylist: delayed 00:30:50 by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 82C2360F83
Received: from mail-0201.mail-europe.com (mail-0201.mail-europe.com
 [51.77.79.158])
 by smtp3.osuosl.org (Postfix) with ESMTPS id 82C2360F83
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Thu, 28 Jul 2022 15:58:13 +0000 (UTC)
Date: Thu, 28 Jul 2022 15:58:03 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wuille.net;
 s=protonmail2; t=1659023886; x=1659283086;
 bh=z3dqGCQBypwpbqmTcroAW38L15ijCz2Wo9KzTO5f3EI=;
 h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To:
 References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To:
 Feedback-ID:Message-ID;
 b=vWHy2mHFG2QsluYhdYXM2lnzUhorI7xpsUAJnPntDtcSw76ZNchAur1DZDqAv+Mpi
 rvu77yhip6C/VrWuLyA+W4/0q5iV1j6TnEa32kD1PrTVB8sqF8E3mCkPopcTZqZK1l
 xPaKZGUDBhSNTEe/FhrzY85ylxYx0PhUE5SN1PU6q+g5ozclMXlygG5Z+JyDB0IyWl
 lzzu87D5sv/U5v6hWXm9SweAb33KnbDtGqaWXjkRtjRNjV4gY3kzZHCIhvfLekAZnp
 oSL1mfT40B8IBbEJO4zfqPhlKTFRkXcjBfXEGMwZTUByxj9QB5BUVrkhVsxyc8Ksj5
 Rue9sAiwQl6mQ==
To: Ali Sherief <ali@notatether.com>
From: Pieter Wuille <bitcoin-dev@wuille.net>
Reply-To: Pieter Wuille <bitcoin-dev@wuille.net>
Message-ID: <3CQzcfbQ1qjdBAAViGbW7aXwJBWv3uov0YNHAHS0xtMCLxodi6veZDTIygYXj_P8JrT15hgupZUBah0HLw3B6GjvegZYv52gHUSBy8tCk-E=@wuille.net>
In-Reply-To: <ltMy8y1N-J_DQ0rQiKcb1fkiBkd9PcLX6B4W_TZ6i7bdmNWQMXJ0h2fet6DFKvllyH0QNzzVnqMpxT3vMgxdwJKOfsUKf8lS5P5sTC4-3j8=@notatether.com>
References: <bG2Fk0bM_4lbwijBwZRiGgCAmktVOFSY5vR5k1D7QSc8imn9NWXxfOLPgMl5p22vfAPDHeuEA_p6TDhU7qGFoVmZok57RzA9rEV1LJzHpsM=@notatether.com>
 <BQZI2zpZwzJcXi_Gxr0f1wg9ZD6U5nb0HTOfIu4i50nM6FqFNqFjfm4DbOIxg94IwZQ4pHAthUNeGUkwHENJwAhap-bIkuKRN8ErZyFeR-o=@wuille.net>
 <ltMy8y1N-J_DQ0rQiKcb1fkiBkd9PcLX6B4W_TZ6i7bdmNWQMXJ0h2fet6DFKvllyH0QNzzVnqMpxT3vMgxdwJKOfsUKf8lS5P5sTC4-3j8=@notatether.com>
Feedback-ID: 19463299:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Mailman-Approved-At: Thu, 28 Jul 2022 19:05:20 +0000
Cc: "bitcoin-dev@lists.linuxfoundation.org"
 <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Zero-knowledge proofs e.g. Schnorr are
	incompatible with address signing without compromise
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 15:58:15 -0000

------- Original Message -------
On Thursday, July 28th, 2022 at 11:51 AM, Ali Sherief <ali@notatether.com> =
wrote:

> The way I understood the BIP, was that a user can do batch recovery or si=
ngle-key recovery. Can you explain how it is possible to recover a public k=
ey from a single-key signature, because a few days earlier on the BIP-notat=
ether-messageverify thread I was told (I think it was achow) that Schnorr d=
oesn't allow for public key recovery.

No, BIP340, in its design decisions, had to choice to either support public=
 key recovery, or support batch validation. We chose to support batch valid=
ation for a variety of reason. BIP340 does not in any way support key recov=
ery.

> > > , just like BIP340).
> >
> > How so? Every taproot compatible wallet has a BIP340 implementation.
>
>
> I guess I made an assumption, since almost all of the wallets I have seen=
 did not have a sign message feature, not even for legacy addresses.

I'm not talking about sign message, I'm talking about BIP340 for the purpos=
e of transaction signing, as it's the signature scheme used in BIP341/BIP34=
2.

My point being: for any prospective message signing feature, if the wallet =
supports taproot signing, they inevitably already have code to produce BIP3=
40 signatures. If they don't support taproot signing, then message signing =
for it is irrelevant.

Cheers,

--
Pieter