From: Sjors Provoost <sjors@sprovoost.nl>
Date: Sat, 14 Jul 2018 17:42:58 +0200
References: <CAPg+sBj7f+=OYXuOMdNeJk3NBG67FSQSF8Xv3seFCvwxCWq69A@mail.gmail.com>
To: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>,
	Pieter Wuille <pieter.wuille@gmail.com>
In-Reply-To: <CAPg+sBj7f+=OYXuOMdNeJk3NBG67FSQSF8Xv3seFCvwxCWq69A@mail.gmail.com>
Message-Id: <A899D97B-5D47-4AB0-8A7F-57F91C58ADE1@sprovoost.nl>
Subject: Re: [bitcoin-dev] Schnorr signatures BIP



> On 6 Jul 2018, at 20:08, Pieter Wuille via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
> Hello everyone,
>
> Here is a proposed BIP for 64-byte elliptic curve Schnorr signatures,
> over the same curve as is currently used in ECDSA:
> https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

The power of simplification at work, thanks Pieter!

Questions:

Regarding verification: why does bytes(P) use compressed key serialization rather than the implicit Y coordinate used for signing? I understand space savings don't matter since these values don't end up on the blockchain. Is it just easier to implement or is it faster?

Regarding rationale for choosing (e,s) vs. (R,s), you say that (e,s) "avoids the difficulty of encoding a point R in the signature". But since e = H(sG - eP || m) also involves converting a point to some byte encoding in order to hash it, how much difficulty is actually avoided? Is that, like for the previous question, because you could get away with compressed keys rather than implicit Y coordinates?

Regarding batch verification: "randomly generated independently for each batch of verifications" - by whom? I assume randomly picked by the verifier?

Regarding random number used for signing. The suggested (?) deterministic algorithm to derive secret key ''k'' from the private key ''d'' seems similar to RFC6979. Maybe it's useful to briefly explain the difference, as well as your rationale for not making it mandatory (presumably the same as why RFC6979 isn't mandatory although most (?) wallets use it).

Nits:

* Motivation: "signatures ... These are standardized", but the "standardized" link points to the secp256k1 curve parameters, not to anything signature related afaik
* "message m: an array of 32 bytes", maybe add "typically the sha256 hash of the transaction components committed to by SIGHASH_TYPE"
* I left a few even smaller nits as a PR: https://github.com/sipa/bips/pull/10

Cheers,

Sjors

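
The (e,s) versus (R,s) question above, as an added example that is not part of the original message and not the BIP's reference code: a simplified Schnorr scheme on secp256k1 with both verification forms, using the challenge e = H(ser(R) || m) as written in the message. The compressed encoding in ser(), the hash-based nonce in sign() (not RFC6979) and the SAMPLE_* values are assumptions made for illustration; note that both verifiers have to serialize a point before hashing.

```python
import hashlib

# secp256k1 field prime, group order and generator
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SAMPLE_D, SAMPLE_M = 0xC0FFEE, b"\x2a" * 32   # constructed key and 32-byte message

def add(A, B):                       # affine point addition, None = infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    if A == B:
        lam = 3 * A[0] * A[0] * pow(2 * A[1] % p, -1, p) % p
    else:
        lam = (B[1] - A[1]) * pow((B[0] - A[0]) % p, -1, p) % p
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):                       # double-and-add (not constant time)
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def ser(A):                          # assumed encoding: 33-byte compressed point
    return bytes([2 + (A[1] & 1)]) + A[0].to_bytes(32, "big")

def H(*parts):                       # SHA-256 of the concatenation, reduced mod n
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % n

def sign(d, m):
    k = H(d.to_bytes(32, "big"), m) or 1   # illustrative deterministic nonce
    R = mul(k, G)
    e = H(ser(R), m)
    return R, e, (k + e * d) % n           # a signature is (e, s) or (R, s)

def verify_es(P, m, e, s):
    R = add(mul(s, G), mul(n - e, P))      # recompute R = sG - eP
    return R is not None and H(ser(R), m) == e   # R still has to be encoded

def verify_Rs(P, m, R, s):
    e = H(ser(R), m)                       # R comes from the signature
    return mul(s, G) == add(R, mul(e, P))  # check sG = R + eP
```
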