Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 69FDF40B for ; Mon, 6 Aug 2018 08:39:34 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from azure.erisian.com.au (cerulean.erisian.com.au [139.162.42.226]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E99CB1A0 for ; Mon, 6 Aug 2018 08:39:33 +0000 (UTC) Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au) by azure.erisian.com.au with esmtpsa (Exim 4.84_2 #1 (Debian)) id 1fmb34-00015u-4S; Mon, 06 Aug 2018 18:39:31 +1000 Received: by sapphire.erisian.com.au (sSMTP sendmail emulation); Mon, 06 Aug 2018 18:39:25 +1000 Date: Mon, 6 Aug 2018 18:39:25 +1000 From: Anthony Towns To: Russell O'Connor , Bitcoin Protocol Discussion Message-ID: <20180806083925.kg5px476bzhec44b@erisian.com.au> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) X-Spam-Score: -1.9 X-Spam-Score-int: -18 X-Spam-Bar: - X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,UNPARSEABLE_RELAY autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Schnorr signatures BIP X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Aug 2018 08:39:34 -0000 On Sun, Aug 05, 2018 at 10:33:52AM -0400, Russell O'Connor via bitcoin-dev wrote: > In light of this, I revise my proposed change to make the verification > equation > > R + sG + eP = 0. Isn't the verification equation "R + s(-G) + eP = 0" equally good, then, since -G is a constant? (ie, at worst it's a matter of optimising the verifier for -G as well as G) If not, what's the actual performance impact of having to negate "s" as part of batch verifying ~10000 signatures? It seems like it should be trivially small to me? (scalar_negate benchmarks at 0.00359us, while ecdsa_verify benchmarks at 66us, which I believe then reduces by a factor of ~3 for batches of 10k schnorr sigs?) FWIW, I'm a fan of the formulation "s = r + H(R,P,m)p" mostly because it seems like the simplest possible way of describing the setup, and I'm all for optimising for people being able to understand what's going on. Cheers, aj