Date: Tue, 08 Jul 2025 07:03:37 +0000
From: "'conduition' via Bitcoin Development Mailing List"
To: Jonas Nick
Cc: bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] OP_CAT Enables Winternitz Signatures
Minor correction: the optimal checksum for w = 16 should actually be 480,
not 512. I forgot the average of [0, 16) is actually 7.5 and not 8.

On Monday, July 7th, 2025 at 6:15 PM, 'conduition' via Bitcoin Development Mailing List wrote:

> Hey Jonas, really cool to hear from you on this :)
>
> > For further reductions in size, it may be worth looking
> > into "Target Sum Winternitz" [0], where the checksum is
> > hardcoded into the verifier instead of being an explicit
> > part of the signature, at the cost of additional signing
> > complexity.
>
> If you take a second look at the script, we're actually
> doing fixed-sum winternitz [0]. For w = 16 as I selected,
> the optimal checksum for efficient signing is 512. You can
> compute the optimal checksum with the expression
> `w*(n / log2(w))/2` where n is the bit-length of the message
> to sign.
>
> Though unlike traditional fixed-sum WOTS, I didn't
> implement the random salt counter appended to the sig, as
> it isn't strictly needed. Remember: we're not WOTS-signing
> a static TX sighash - we're signing an EC signature which
> in turn signs the TX sighash. We can retry the EC signature
> generation step with a new nonce `R` unlimited times until
> we get an `(R, s)` pair whose hash fits the hardcoded
> checksum requirement.
>
> > I think the size difference largely comes from the fact
> > that my implementation [2] is based on W-OTS+ [3] and not
> > on W-OTS. The main difference is that W-OTS relies on
> > some variant of collision-resistance of the hash
> > function, whereas W-OTS+ only relies on the weaker
> > preimage resistance property.
>
> Agreed. AFAICT, the only reason we'd use WOTS+ over stock
> WOTS (w/o randomizers) would be if we wanted to use a less
> collision-resistant hash algo (RMD160) as the primary hash
> function. Someone would need to do the math to see if the
> hash size savings are enough to offset the added script
> size cost.
>
> Maybe you're not the right person to ask, but riddle me
> this: Would OP_HASH160 (aka rmd160(sha256(...))) be a
> possible contender for the hash function here, to shrink
> the witness size further while still retaining some of the
> collision resistance of SHA256?
>
> [0]: https://gist.github.com/conduition/c6fd78e90c21f669fad7e3b5fe113182#file-winternitz-ts-L95-L98
>
> regards,
> conduition
>
> On Monday, July 7th, 2025 at 3:43 AM, Jonas Nick jonasd.nick@gmail.com wrote:
>
> > Hi conduition,
> >
> > Thanks for this work. I think it provides a very useful data point.
> >
> > For further reductions in size, it may be worth looking into "Target Sum
> > Winternitz" [0], where the checksum is hardcoded into the verifier instead
> > of being an explicit part of the signature, at the cost of additional
> > signing complexity. In this scheme, the signer has to hash their message
> > with some randomness, encode into chunks and check if the sum of the chunks
> > matches the checksum. If not, they rehash the message with new randomness
> > until they have found the randomness that results in the correct checksum.
> >
> > There is also some more recent work that promises "20% to 40% improvement in
> > the verification cost of the signature" [1]. However, I have not read the
> > paper and the increase in Bitcoin Script size may eat up theoretical
> > reductions in verification cost.
> >
> > > I believe my construction improves on Jonas', on two counts: [...] My
> > > script results in much smaller witnesses. 8kb vs 24kb.
> >
> > I think the size difference largely comes from the fact that my
> > implementation [2] is based on W-OTS+ [3] and not on W-OTS. The main
> > difference is that W-OTS relies on some variant of collision-resistance of
> > the hash function, whereas W-OTS+ only relies on the weaker preimage
> > resistance property. W-OTS+ is also standardized as part of XMSS [4] in the
> > form of a variant that was proven secure a little later [5].
> >
> > However, using just W-OTS and therefore relying on collision-resistance seems
> > okay because Bitcoin already relies on collision-resistance of SHA256. If that
> > property was broken, the blockchain and the transaction Merkle tree would not
> > provide integrity anymore, resulting in chain splits. Therefore, I suggested [6]
> > to change my implementation to a Winternitz variant that does rely on
> > collision-resistance and whose Blockchain footprint is smaller. So far, no one
> > has implemented that, but it would certainly be very interesting to see if a
> > Great Script Restoration based implementation can significantly improve over
> > your implementation.
> >
> > [0] https://eprint.iacr.org/2025/055.pdf
> > [1] https://eprint.iacr.org/2025/889.pdf
> > [2] https://github.com/jonasnick/GreatRSI
> > [3] https://eprint.iacr.org/2017/965.pdf
> > [4] https://datatracker.ietf.org/doc/html/rfc8391
> > [5] https://tches.iacr.org/index.php/TCHES/article/download/8730/8330/5451
> > [6] https://github.com/jonasnick/GreatRSI/issues/1#issuecomment-2548062773
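The fixed-sum checksum arithmetic from this thread (the quoted `w*(n / log2(w))/2` expression, the 480 correction for w = 16, and the signer's retry loop until the digit sum hits the hardcoded target), as an added example that is not code from conduition's gist or from GreatRSI. It assumes SHA256 as the digest and uses a 4-byte counter prepended to the message as a stand-in for the retried EC nonce `R`.

```python
import hashlib
import math

# Parameters from the thread: Winternitz w = 16 over a 256-bit message.
W = 16
N_BITS = 256


def quoted_formula_sum(w: int = W, n_bits: int = N_BITS) -> int:
    """The expression quoted in the thread, w*(n/log2(w))/2: 512 for w=16."""
    return int(w * (n_bits / math.log2(w)) / 2)


def target_sum(w: int = W, n_bits: int = N_BITS) -> int:
    """Corrected target: the mean digit of [0, w) is (w-1)/2, so 7.5 * 64 = 480."""
    n_digits = n_bits // int(math.log2(w))
    return (w - 1) * n_digits // 2


def digits(msg_hash: bytes, w: int = W) -> list[int]:
    """Split a hash into base-w digits, most significant first (w a power of two)."""
    bits = int(math.log2(w))
    n_digits = len(msg_hash) * 8 // bits
    value = int.from_bytes(msg_hash, "big")
    return [(value >> (bits * (n_digits - 1 - i))) & (w - 1) for i in range(n_digits)]


def find_fixed_sum_salt(message: bytes, target: int, max_tries: int = 1_000_000):
    """Signer-side rejection sampling for fixed-sum WOTS.

    Assumption: the 4-byte counter prepended here stands in for retrying the
    EC signature with a fresh nonce R, as the thread describes.
    Returns (counter, digest) once the digit sum equals `target`, else None.
    """
    for counter in range(max_tries):
        h = hashlib.sha256(counter.to_bytes(4, "big") + message).digest()
        if sum(digits(h)) == target:
            return counter, h
    return None


def verifier_accepts(msg_hash: bytes, target: int) -> bool:
    """The check a verifier hardcodes instead of reading an explicit checksum.
    Advancing any hash chain only raises the digit sum, so a forger misses it."""
    return sum(digits(msg_hash)) == target


if __name__ == "__main__":
    counter, h = find_fixed_sum_salt(b"constructed sample message", target_sum())
    print(counter, h.hex(), verifier_accepts(h, target_sum()))
```

The sum of 64 uniform base-16 digits has a standard deviation of about 37, so roughly one candidate in 90 lands exactly on 480 and the retry loop is cheap in practice.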