MIME-Version: 1.0
References: <CAPg+sBj7f+=OYXuOMdNeJk3NBG67FSQSF8Xv3seFCvwxCWq69A@mail.gmail.com>
	<CAMZUoKks9of0oWdn8J=601cY2PMf+EV4e=PeWpDAXPcGPNFkRw@mail.gmail.com>
	<CAAS2fgTM+8mORcgjGdQxGxMkXjW7NOqByZwD1_VEad80ofVObA@mail.gmail.com>
In-Reply-To: <CAAS2fgTM+8mORcgjGdQxGxMkXjW7NOqByZwD1_VEad80ofVObA@mail.gmail.com>
From: "Russell O'Connor" <roconnor@blockstream.io>
Date: Sun, 8 Jul 2018 10:36:16 -0400
Message-ID: <CAMZUoKnCkUybwMh_X3GksDW-zJ0NtfUsqfxC2sRgxpNiHFpBTQ@mail.gmail.com>
To: Gregory Maxwell <greg@xiph.org>
Content-Type: multipart/alternative; boundary="00000000000084362d05707dd298"
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Schnorr signatures BIP
Precedence: list

--00000000000084362d05707dd298
Content-Type: text/plain; charset="UTF-8"

On Fri, Jul 6, 2018 at 6:00 PM, Gregory Maxwell <greg@xiph.org> wrote:

> On Fri, Jul 6, 2018 at 9:05 PM, Russell O'Connor via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > If the inputs to hash were reordered as hash(bytes(dG) || bytes(x(R)) ||
> m)
> > then there is an opportunity for SHA256 expander to be partially
> prefilled
> > for a fixed public key.  This could provide a little benefit, especially
> > when multiple signatures for a single public key need to be generated
> and/or
> > verified.  If all things are otherwise equal, perhaps this alternate
> order
> > is better.
>
> There is a minor design preference to have message before nonce when
> H() is a MD-style hash function.  Say the attacker knows some weakness
> in H and can find pairs of messages m and m' so that the compression
> function results in the same midstate.  He could then ask you to sign
> m but get a signature that also works for m'.   If the signer
> controlled R value comes first, then this doesn't work.    The pubkey
> being where it is in the current design just follows from the idea
> that it is just logically prepended on the message.  I don't think the
> pubkey is sufficiently attacker controlled that the above argument
> would apply,  so H(P || R.x || m) would be okay.
>
> BUT, the sha256 compression function reads 64 bytes at a time. PRM
> would not let you precompute a whole compression function run, but
> instead would just let you hardwire part of the expander in a pubkey
> dependant way-- an optimization I'm pretty confident virtually no one
> would use.  (Hardwiring to a constant, yes. Hardwiring to a reused
> dynamic value that comes in from the network, no)
>

Right.  I readily admit my proposal has extremely marginal efficiency
benefits. However, I didn't realize there is also an extremely marginal
security benefit to placing the nonce in front of everything.  Although
these things are so marginal that it is perhaps a waste of time to even be
considering them, I think I'd judge the extremely marginal security benefit
to exceed the value of the extremely marginal efficiency gain.  It's
probably best to leave the nonce at the beginning after all.


> If instead the hash function were defined as using 31 zeros then
> P||R||m (or P || 31 zeros bytes || R || m, I'm not sure what would be
> better), an entire midstate could be cached for different pubkeys. m
> is often 32 bytes, sadly- - but the final compression run in that case
> would only be the constant update with the length.... and
> almost-all-zeros + constant length, is an easy optimization. (Bitcoin
> core even has it for computing sha256(sha256())).
>

I did consider this, however the 31 bytes of zeros, plus the SHA256 padding
means we would need to compress *three* blocks in general instead of the
current proposal of just two blocks.  This burden seems to exceed the
benefit of maybe sometimes getting a slightly fast
two-blocks-with-lots-of-zeros when public keys are reused. I wouldn't
recommend it.

There is an alternative of just dropping the SHA-256 length padding.  This
would still be secure in this context because the data is of fixed size.
However, I doubt it is worth breaking the API of every SHA-256 library in
existence to enable that.


> [I'm not really sure if I was clear, so I'll try TLDRing it:  I think
> optimizing sha256 where part of the input is constant is realistic,
> optimizing midstate reuse is realistic, optimizing where part is
> reused is less realistic.  If we insert padding, and put P first, we
> can make it possible to midstate cache P,  and the 'extra' compression
> function run ends up with all constant input, so it could be made
> faster.]
>

--00000000000084362d05707dd298
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"auto"><div dir=3D"ltr"><br><div class=3D"gmail_extra"><br><div =
class=3D"gmail_quote">On Fri, Jul 6, 2018 at 6:00 PM, Gregory Maxwell <span=
 dir=3D"ltr">&lt;<a href=3D"mailto:greg@xiph.org" target=3D"_blank" rel=3D"=
noreferrer">greg@xiph.org</a>&gt;</span> wrote:<br><blockquote class=3D"gma=
il_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-lef=
t:1ex"><span>On Fri, Jul 6, 2018 at 9:05 PM, Russell O&#39;Connor via bitco=
in-dev<br>
&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bla=
nk" rel=3D"noreferrer">bitcoin-dev@lists.linuxfoundation.org</a>&gt; wrote:=
<br>
&gt; If the inputs to hash were reordered as hash(bytes(dG) || bytes(x(R)) =
|| m)<br>
&gt; then there is an opportunity for SHA256 expander to be partially prefi=
lled<br>
&gt; for a fixed public key.=C2=A0 This could provide a little benefit, esp=
ecially<br>
&gt; when multiple signatures for a single public key need to be generated =
and/or<br>
&gt; verified.=C2=A0 If all things are otherwise equal, perhaps this altern=
ate order<br>
&gt; is better.<br>
<br>
</span>There is a minor design preference to have message before nonce when=
<br>
H() is a MD-style hash function.=C2=A0 Say the attacker knows some weakness=
<br>
in H and can find pairs of messages m and m&#39; so that the compression<br=
>
function results in the same midstate.=C2=A0 He could then ask you to sign<=
br>
m but get a signature that also works for m&#39;.=C2=A0 =C2=A0If the signer=
<br>
controlled R value comes first, then this doesn&#39;t work.=C2=A0 =C2=A0 Th=
e pubkey<br>
being where it is in the current design just follows from the idea<br>
that it is just logically prepended on the message.=C2=A0 I don&#39;t think=
 the<br>
pubkey is sufficiently attacker controlled that the above argument<br>
would apply,=C2=A0 so H(P || R.x || m) would be okay.<br>
<br>
BUT, the sha256 compression function reads 64 bytes at a time. PRM<br>
would not let you precompute a whole compression function run, but<br>
instead would just let you hardwire part of the expander in a pubkey<br>
dependant way-- an optimization I&#39;m pretty confident virtually no one<b=
r>
would use.=C2=A0 (Hardwiring to a constant, yes. Hardwiring to a reused<br>
dynamic value that comes in from the network, no)<br></blockquote><div><br>=
</div><div>Right.=C2=A0 I readily admit my proposal has extremely marginal =
efficiency benefits. However, I didn&#39;t realize there is also an extreme=
ly marginal security benefit to placing the nonce in front of everything.=
=C2=A0 Although these things are so marginal that it is perhaps a waste of =
time to even be considering them, I think I&#39;d judge the extremely margi=
nal security benefit to exceed the value of the extremely marginal efficien=
cy gain.=C2=A0 It&#39;s probably best to leave the nonce at the beginning a=
fter all.<br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If instead the hash function were defined as using 31 zeros then<br>
P||R||m (or P || 31 zeros bytes || R || m, I&#39;m not sure what would be<b=
r>
better), an entire midstate could be cached for different pubkeys. m<br>
is often 32 bytes, sadly- - but the final compression run in that case<br>
would only be the constant update with the length.... and<br>
almost-all-zeros + constant length, is an easy optimization. (Bitcoin<br>
core even has it for computing sha256(sha256())).<br></blockquote><div><br>=
</div><div>I did consider this, however the 31 bytes of zeros, plus the SHA=
256 padding means we would need to compress *three* blocks in general inste=
ad of the current proposal of just two blocks.=C2=A0 This burden seems to e=
xceed the benefit of maybe sometimes getting a slightly fast two-blocks-wit=
h-lots-of-zeros when public keys are reused. I wouldn&#39;t recommend it.<b=
r><br>There is an alternative of just dropping the SHA-256 length padding.=
=C2=A0 This would still be secure in this context because the data is of fi=
xed size.=C2=A0 However, I doubt it is worth breaking the API of every SHA-=
256 library in existence to enable that.<br></div><div>=C2=A0</div><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc s=
olid;padding-left:1ex">
[I&#39;m not really sure if I was clear, so I&#39;ll try TLDRing it:=C2=A0 =
I think<br>
optimizing sha256 where part of the input is constant is realistic,<br>
optimizing midstate reuse is realistic, optimizing where part is<br>
reused is less realistic.=C2=A0 If we insert padding, and put P first, we<b=
r>
can make it possible to midstate cache P,=C2=A0 and the &#39;extra&#39; com=
pression<br>
function run ends up with all constant input, so it could be made<br>
faster.]<br>
</blockquote></div><br></div></div></div>

--00000000000084362d05707dd298--