1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
|
Return-Path: <sergio.d.lerner@gmail.com>
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
by lists.linuxfoundation.org (Postfix) with ESMTP id C8C84C0037
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 18 Dec 2023 12:30:29 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
by smtp4.osuosl.org (Postfix) with ESMTP id 9E255417F9
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 18 Dec 2023 12:30:29 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 9E255417F9
Authentication-Results: smtp4.osuosl.org;
dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
header.a=rsa-sha256 header.s=20230601 header.b=kOT8Eaqt
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.838
X-Spam-Level:
X-Spam-Status: No, score=-1.838 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from smtp4.osuosl.org ([127.0.0.1])
by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id AX7fqlnDFs7A
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 18 Dec 2023 12:30:28 +0000 (UTC)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com
[IPv6:2a00:1450:4864:20::330])
by smtp4.osuosl.org (Postfix) with ESMTPS id 4F127417E8
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 18 Dec 2023 12:30:28 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 4F127417E8
Received: by mail-wm1-x330.google.com with SMTP id
5b1f17b1804b1-40c580ba223so35987695e9.3
for <bitcoin-dev@lists.linuxfoundation.org>;
Mon, 18 Dec 2023 04:30:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20230601; t=1702902626; x=1703507426;
darn=lists.linuxfoundation.org;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:from:to:cc:subject:date:message-id:reply-to;
bh=EVVQA4+Lcl94gNFSU3IFxnJb7Nhs/kSneh9izc7iy3E=;
b=kOT8Eaqte3n55XhwTDvytYjhM7M77J3VD889sTvVwlMqDAXg2eBSlpLcq6Fpp86M1r
xLs9Sh3l3ybs1juj2Zx1TgksrqnOxujr+NzlIz5ypSTkB+R3nuX6yMxiSFPxJjo5L5KY
ji6uM5/eQBHvv+yh9D11MHqp9jZfa5Wd/N7g7dl6whzVwaSsmJTL8pTGLc99M/mtMgng
fMn3rfqbdSqP4KWGRWuCuf25pfk6pyzmaGFK+fH/gw/hyVYb0acubRRISRlrQFGLFBq7
Ts1xwRXLviNnnMkyZnLRlkhY9HcZlF3UI+fvKJHeyki/c9HTRMvlKarVc3ecfIoTLhno
losg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1702902626; x=1703507426;
h=to:subject:message-id:date:from:in-reply-to:references:mime-version
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=EVVQA4+Lcl94gNFSU3IFxnJb7Nhs/kSneh9izc7iy3E=;
b=NY5pj1SgrSshNQWD7tyKux56pYsiH+36tf4nnPuerLNJxggtmLta/zaQjmT4LXvgTd
efoNjI4qZ3t5bZVccsvzT42aCZNiBGPBhhBMwp7/vgzviQ+dKMKzYogNFY2HR453qqlD
Zp3i2urKcLbJJZY+zHFuyfKGlDu+lwzOWplvYCImj4h91T0WrtOxiKhGVGjROSWn3cr3
imhevP2m1N2bmgEyMJH/zgjogxRxoNfBk1QfYiuG1chccc2lWuKHrz9oZlQlZ0s/9/GQ
kcWl49TSwiJtRjPGa7PZRaTdmsrySMUtChwGXjvDZVUYH5GIDfsTuzwPSdm55My58iTf
fOaA==
X-Gm-Message-State: AOJu0Yxn2KWZe0e9X8AwhbBF0E7/yHhMk1kz91BjTOaNEBJAOOoFOMnz
cwwBQU8Hpj7297cW6ymW7r8QTf3SLF+l7F5EChTUcwt/Rik=
X-Google-Smtp-Source: AGHT+IE1bkA6kuQX+US5atl7w37pF3lyQhVTQZ0nJx6yAraPT4NrbqSTsBWl5s+xZQNqo+5k8VNinJeGBRGtoYpqC48=
X-Received: by 2002:a05:600c:2802:b0:40b:5e21:dd3c with SMTP id
m2-20020a05600c280200b0040b5e21dd3cmr9746723wmb.106.1702902625739; Mon, 18
Dec 2023 04:30:25 -0800 (PST)
MIME-Version: 1.0
References: <nvbG12_Si7DVx9JbnnAvZbNdWk7hDQA23W1TXMkfYoU2iBA95Z1HzRnXgyiwFhDBmdi_rWL0dPllX1M9N9YZPDV47VgYADNd7CQA9CkAuX0=@pm.me>
In-Reply-To: <nvbG12_Si7DVx9JbnnAvZbNdWk7hDQA23W1TXMkfYoU2iBA95Z1HzRnXgyiwFhDBmdi_rWL0dPllX1M9N9YZPDV47VgYADNd7CQA9CkAuX0=@pm.me>
From: Sergio Demian Lerner <sergio.d.lerner@gmail.com>
Date: Mon, 18 Dec 2023 09:29:48 -0300
Message-ID: <CAKzdR-qaN7sO62F38tm1ppEow=Oh-3A6kwsfRyts8U+LPXvTnQ@mail.gmail.com>
To: yurisvb@pm.me,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Content-Type: multipart/alternative; boundary="0000000000001859b9060cc7ea37"
X-Mailman-Approved-At: Mon, 18 Dec 2023 13:57:40 +0000
Subject: Re: [bitcoin-dev] Lamport scheme (not signature) to economize on L1
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2023 12:30:29 -0000
--0000000000001859b9060cc7ea37
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Yuri,
While not exactly the same, the idea of using Lamport chains was analyzed
circa 2012 in the context of cryptocurrencies.
I proposed a new signature scheme called MAVE [1], and then a
cryptocurrency scheme called MAVEPAY [2] to reduce the size of signatures
to a minimum of 3 hash verifications per signature, assuming a blockchain
or time-stamping service.
Later there was a similar proposal by A. Miller called FawkesCoin [3]
(using "Guy Fawkes Protocol" [4] or fawkes signatures, for short).
regards
[1] https://bitslog.files.wordpress.com/2012/04/mave1.pdf
[2] https://bitslog.files.wordpress.com/2012/04/mavepay1.pdf
[3] https://link.springer.com/chapter/10.1007/978-3-319-12400-1_36
[4] R. J. Anderson, F. Bergadano, B. Crispo, J.-H. Lee, C. Manifavas, and
R. M. Needham. A new family of authentication protocols. Operating Systems
Review, 32(4):9=E2=80=9320, 1998.
On Mon, Dec 18, 2023 at 6:19=E2=80=AFAM Yuri S VB via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:
> Dear colleagues,
>
> After having mentioned it in a Twitter Space
> <https://twitter.com/i/spaces/1vOxwjWWOqdJB> a few moments ago, I felt
> the need to share the idea with you even just as a draft. Utilizing Lampo=
rt
> Scheme <https://en.wikipedia.org/wiki/S/KEY> (not signature
> <https://en.wikipedia.org/wiki/Lamport_signature>) for better
> byte-efficiency in L1:
>
>
> 1. Have signing keys consist of the current ECC key AND a Lamport
> chain;
> 2. For signing of a transaction, broadcast a tuple consisting of
> 1. the plain transaction,
> 2. hash of the previous Lamport chain concatenated to the
> transaction
> 3. commitment signed by ECC freezing its UTXO and promising that in
> a few blocks time the pre image of hash will be published.
> 3. a and b (but not c) are buried in coinbase session of a block B1 by
> miner M1;
> 4. If upon maturity, such pre-image is not broadcasted, signed
> commitment is buried in the next block and executed. As a consequence,
> frozen UTXO pays B1 for a and b being buried at M1's coinbase *and* mi=
ner
> M2 for burying it [the commitment] in a block B2 subsequent to maturit=
y;
> 5. If pre-image is broadcasted before maturity, it is buried in
> another block B2', pays for itself, pays M1 for burying a adn b at B1 =
and
> pays whatever else was determined in the plain transaction of item 2.a=
.
>
>
> The whole point is that, in the typical use case in which pre-image of
> hash is, in fact, successfully broadcasted before maturity, commitment, t=
he
> only ECC signature in this protocol is discarded, and only two Lamport
> hashes end up being buried at L1.
>
> To push economy even further, we could implement a memory-hard hash like
> Argon2 to do the same entropy-processing trade-off already utilized for
> passwords, so we could have hashes of, say 12 bytes, making it 24 in tota=
l,
> down from 136 from ECC.
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
--0000000000001859b9060cc7ea37
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi Yuri,<br>While not exactly the same, the idea of using =
Lamport chains was analyzed circa 2012 in the context of cryptocurrencies.=
=C2=A0<div>I proposed a new=C2=A0signature scheme called MAVE [1], and then=
a cryptocurrency scheme called MAVEPAY [2] to reduce the size of signature=
s to a minimum of 3 hash verifications per signature, assuming a blockchain=
or time-stamping service.</div><div><br></div><div>Later there was a simil=
ar proposal by A. Miller called FawkesCoin [3] (using "Guy Fawkes Prot=
ocol" [4] or fawkes signatures, for short).<br><br></div><div>regards<=
/div><div><br></div><div>[1] <a href=3D"https://bitslog.files.wordpress.com=
/2012/04/mave1.pdf">https://bitslog.files.wordpress.com/2012/04/mave1.pdf</=
a></div><div>[2]=C2=A0<a href=3D"https://bitslog.files.wordpress.com/2012/0=
4/mavepay1.pdf">https://bitslog.files.wordpress.com/2012/04/mavepay1.pdf</a=
></div><div>[3]=C2=A0<a href=3D"https://link.springer.com/chapter/10.1007/9=
78-3-319-12400-1_36">https://link.springer.com/chapter/10.1007/978-3-319-12=
400-1_36</a><br>[4] R. J. Anderson, F. Bergadano, B. Crispo, J.-H. Lee, C. =
Manifavas, and R. M. Needham. A new family of authentication protocols. Ope=
rating Systems Review, 32(4):9=E2=80=9320, 1998.<br></div><div><br></div></=
div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On=
Mon, Dec 18, 2023 at 6:19=E2=80=AFAM Yuri S VB via bitcoin-dev <<a href=
=3D"mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfo=
undation.org</a>> wrote:<br></div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin=
g-left:1ex"><div style=3D"font-family:Arial,sans-serif;font-size:14px"></di=
v><div style=3D"line-height:1.5;background-color:rgb(255,255,255)">Dear col=
leagues,<br><br>After having mentioned it in<span>=C2=A0</span><a title=3D"=
a Twitter Space" href=3D"https://twitter.com/i/spaces/1vOxwjWWOqdJB" rel=3D=
"noreferrer nofollow noopener" style=3D"text-decoration:underline" target=
=3D"_blank">a Twitter Space</a><span>=C2=A0</span>a few moments ago, I felt=
the need to share the idea with you even just as a draft. Utilizing<span>=
=C2=A0</span><a title=3D"Lamport Scheme" href=3D"https://en.wikipedia.org/w=
iki/S/KEY" rel=3D"noreferrer nofollow noopener" style=3D"text-decoration:un=
derline" target=3D"_blank">Lamport Scheme</a>=C2=A0(not<span>=C2=A0</span><=
a title=3D"signature" href=3D"https://en.wikipedia.org/wiki/Lamport_signatu=
re" rel=3D"noreferrer nofollow noopener" style=3D"text-decoration:underline=
" target=3D"_blank">signature</a>) for better byte-efficiency in L1:<br><br=
></div><div style=3D"line-height:1.5;background-color:rgb(255,255,255)"><ol=
style=3D"margin:0px;padding:0px 0px 0px 2.85714em;font-size:1em"><li style=
=3D"list-style-type:"1. ""><span>Have signing keys consist of the=
current ECC key AND a Lamport chain;<br></span></li><li style=3D"list-styl=
e-type:"2. ""><span>For signing of a transaction, broadcast a tup=
le consisting of=C2=A0</span></li><ol style=3D"margin:0px;padding:0px 0px 0=
px 2.85714em;list-style-type:lower-alpha"><li><span>the plain transaction,=
=C2=A0</span></li><li><span>hash of the previous Lamport chain concatenated=
to the transaction</span></li><li>commitment signed by ECC freezing its UT=
XO and promising that in a few blocks time the pre image of hash will be pu=
blished.</li></ol><li style=3D"list-style-type:"3. "">a and b (bu=
t not c) are buried in coinbase session of a block B1 by miner M1;</li><li =
style=3D"list-style-type:"4. "">If upon maturity, such pre-image =
is not broadcasted, signed commitment is buried in the next block and execu=
ted. As a consequence, frozen UTXO pays B1 for a and b being buried at M1&#=
39;s coinbase<span>=C2=A0</span><b>and</b><span>=C2=A0</span>miner M2 for b=
urying it [the commitment] in a block B2 subsequent to maturity;</li><li st=
yle=3D"list-style-type:"5. "">If pre-image is broadcasted before =
maturity, it is buried in another block B2', pays for itself, pays M1 f=
or burying a adn b at B1 and pays whatever else was determined in the plain=
transaction of item 2.a.<br></li></ol><div><br>The whole point is that, in=
the typical use case in which pre-image of hash is, in fact, successfully =
broadcasted before maturity, commitment, the only ECC signature in this pro=
tocol is discarded, and only two Lamport hashes end up being buried at L1.<=
br><br>To push economy even further, we could implement a memory-hard hash =
like Argon2 to do the same entropy-processing trade-off already utilized fo=
r passwords, so we could have hashes of, say 12 bytes, making it 24 in tota=
l, down from 136 from ECC.</div></div><div style=3D"font-family:Arial,sans-=
serif;font-size:14px"><div>
</div>
</div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
--0000000000001859b9060cc7ea37--
|
