Date: Fri, 15 Nov 2024 13:54:08 -0800 (PST)
From: Xiaohui Liu <x.liu@scrypt.io>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <129a9605-7a91-42a7-a9ef-07de6662ca7en@googlegroups.com>
Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport Signatures (no changes needed)

Hi,

How does covenant work without OP_CAT here, assuming no size limit? Don't you still need OP_CAT to parse/introspect fields (e.g., input/output) of the spending transaction?

Regards,
sCrypt

On Tuesday, April 30, 2024 at 7:22:54 AM UTC-7 Andrew Poelstra wrote:
> On Tue, Apr 30, 2024 at 08:32:42AM -0400, Matthew Zipkin wrote:
> > > if an attacker managed to grind a 23-byte r-value at a cost of 2^72
> > > computations, it would provide the attacker some advantage.
> >
> > If we are assuming discrete log is still hard, why do we need Lamport
> > signatures at all? In a post-quantum world, finding k such that r is 21
> > bytes or less is efficient for the attacker.
> >
>
> Aside from Ethan's point that a variant of this technique is still
> secure in the case that discrete log is totally broken (or even
> partially broken...all we need is that _somebody_ is able to find the
> discrete log of the x=1 point and for them to publish this).
>
> Another reason this is useful is that if you have a Lamport signature on
> the stack which is composed of SIZE values, all of which are small
> enough to be manipulated with the numeric script opcodes, then you can
> do covenants in Script.
>
> (Sadly(?), I think none of this works in the context of the 201-opcode
> limit...and absent BitVM challenge-response tricks it's unlikely you can
> do much in the context of the 4MWu block size limit..), but IMO it's a
> pretty big deal that size limits are now the only reason that Bitcoin
> doesn't have covenants.)
>
> --
> Andrew Poelstra
> Director, Blockstream Research
> Email: apoelstra at wpsoftware.net
> Web: https://www.wpsoftware.net/andrew
>
> The sun is always shining in space
> -Justin Lewis-Webster
>

--
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/129a9605-7a91-42a7-a9ef-07de6662ca7en%40googlegroups.com.
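The thread turns on Lamport one-time signatures: one hash preimage per bit of the signed digest, revealed according to that bit's value. The Python below is an added example written for this page, not code from the thread, from sCrypt or from Blockstream. It implements a plain hash-based Lamport scheme over SHA-256 (rather than the ECDSA-signature-size encoding the original thread describes) to show two properties behind the discussion: a verifier holding only the public key and the signature can recover every bit of the signed digest, which is what makes the signed data available to further checks, and signing two messages with one key exposes both preimages at every position where the digests differ, which is why the key must be used exactly once. The function names, the seed-derived key generation and the sample messages are this example's own constructions.

```python
"""Lamport one-time signature over a SHA-256 digest (added example, not thread code)."""
import hashlib
import os

HASH_BITS = 256  # one (x_i0, x_i1) preimage pair per bit of the message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(seed: bytes = None):
    """Derive a key pair. priv[i] = (x_i0, x_i1); pub[i] = (H(x_i0), H(x_i1)).

    Seed-based derivation is this example's own convention, chosen so runs are
    reproducible; a real deployment would draw each preimage from a CSPRNG.
    """
    if seed is None:
        seed = os.urandom(32)
    priv = []
    for i in range(HASH_BITS):
        idx = i.to_bytes(2, "big")
        priv.append((H(seed + b"\x00" + idx), H(seed + b"\x01" + idx)))
    pub = [(H(x0), H(x1)) for x0, x1 in priv]
    return priv, pub


def message_bits(msg: bytes):
    """Bits of SHA-256(msg), most significant bit first."""
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def sign(priv, msg: bytes):
    """Reveal, for each digest bit b_i, the preimage x_i{b_i}."""
    return [priv[i][b] for i, b in enumerate(message_bits(msg))]


def verify(pub, msg: bytes, sig) -> bool:
    """Every revealed preimage must hash to the public value selected by the bit."""
    if len(sig) != HASH_BITS:
        return False
    return all(H(sig[i]) == pub[i][b] for i, b in enumerate(message_bits(msg)))


def bits_from_signature(pub, sig):
    """Recover the signed digest bits from (pub, sig) alone, without the message.

    Each revealed preimage hashes to exactly one of the two public hashes at
    its position, so the signature itself encodes the digest. Returns None if
    some element matches neither (invalid signature).
    """
    if len(sig) != HASH_BITS:
        return None
    bits = []
    for i, x in enumerate(sig):
        h = H(x)
        if h == pub[i][0]:
            bits.append(0)
        elif h == pub[i][1]:
            bits.append(1)
        else:
            return None
    return bits


def exposed_positions(pub, sig_a, sig_b):
    """Bit positions at which two signatures under one key reveal both preimages.

    At every such position an observer now holds x_i0 and x_i1, so the key no
    longer binds that bit; this is the reuse failure a one-time scheme forbids.
    """
    bits_a = bits_from_signature(pub, sig_a)
    bits_b = bits_from_signature(pub, sig_b)
    if bits_a is None or bits_b is None:
        return None
    return [i for i in range(HASH_BITS) if bits_a[i] != bits_b[i]]


if __name__ == "__main__":
    priv, pub = keygen(b"example-seed")  # constructed seed, for illustration only
    msg_a, msg_b = b"spend to output A", b"spend to output B"  # constructed messages
    sig_a = sign(priv, msg_a)
    print("valid:", verify(pub, msg_a, sig_a))
    print("digest recoverable from signature:", bits_from_signature(pub, sig_a) == message_bits(msg_a))
    sig_b = sign(priv, msg_b)  # key reuse: never do this with a real key
    print("positions fully exposed after reuse:", len(exposed_positions(pub, sig_a, sig_b)))
```

`bits_from_signature` is the part that bears on Poelstra's remark: once the signature elements sit on the stack, the signed digest is fully determined by them, so anything that can inspect those elements can also constrain the digest. `exposed_positions` is the practitioner's caveat: on average half the bit positions lose their binding after a single reuse.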