Return-Path: <earonesty@gmail.com> Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 96E3AC7A for <bitcoin-dev@lists.linuxfoundation.org>; Wed, 29 Aug 2018 12:09:52 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 7BD18619 for <bitcoin-dev@lists.linuxfoundation.org>; Wed, 29 Aug 2018 12:09:51 +0000 (UTC) Received: by mail-wr1-f47.google.com with SMTP id 20-v6so4573924wrb.12 for <bitcoin-dev@lists.linuxfoundation.org>; Wed, 29 Aug 2018 05:09:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=q32-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IeMq/9YE0JSFz2BYPCUhDj0POoEkLhtVz6oVkMuO0gY=; b=lOALbO5g+Sy0hGGSQ/shI9Xm7+9l6VLK59oRUjs3FodSrS+NdnGM1tiswKx5vkMYAS T3bqUg+7p17KYLK9+N9vW5YRkyI9eJIrCKivzg84FGAaspUh18UDEVzEE4HZJGJvTj7F mppGgA4B5ZvU+Dzh6jCavQXg2g/J+VeFPUr7hwe+z8EYullOSAcJmnPyYbS4T45SmOIl tjD27jJQAa/9HSzjsOeFfUmiIrUQpxeAVtvSwmhtfjDj421F05Xgjc8p+Of/WHQsW08n WkxKhPnAQhLrf4Uip/+LnRAIWC3Dfk1siVCO2prGPkLclanwxuB9QzMZEr45i/HTECXc q/7A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IeMq/9YE0JSFz2BYPCUhDj0POoEkLhtVz6oVkMuO0gY=; b=bLPPv82Trf3NL3hLDFp77gXZIiH0i/Wks9aRPWQln4yo+cYeNAYAqkv+5jRbCQ4Lvl IP6YjdazsuotczmKL95UAEITlH9PHDTejcLEzu0GyW0JxvYvqGT8SQhp4b8G9Nr28hip oO/aZwWY28f1TpT4ALJy7uGfTlblB9TQfomxTOv5fig4HLtZr/7U0wTbHv6dR+Ixf1TZ kaTT5Kaaje3pxUWr7EdOSuOJs4X0Xyci/ea54omLVqwPN2T8g/3IgzvnhF/Y3H44Xbfr LR2Oue1IrQt+p5C9bhgUZcshYZxXvtPuZewXkPZlOLR+tz2wd04ENwDVvM803nNV5eLn VlMg== X-Gm-Message-State: APzg51C4VYBDZIEDSt0AmKwOfyXKxuAJJ5JyiPleo6WFbCENrc72dhX2 m5kokuMGBZcg8WjOwWq2D60SPx/jOPhuBFlCJcHjylKf2A== X-Google-Smtp-Source: ANB0VdY6zC4uoeL2XEz50H10YTt0AncxJ1gyQ0AJjPcOxVE6wRpCzSvnZLm2pnu7E+lLsX9+/gvjs5RNOmlllaEencI= X-Received: by 2002:adf:f687:: with SMTP id v7-v6mr4155789wrp.201.1535544589905; Wed, 29 Aug 2018 05:09:49 -0700 (PDT) MIME-Version: 1.0 References: <CAPg+sBj7f+=OYXuOMdNeJk3NBG67FSQSF8Xv3seFCvwxCWq69A@mail.gmail.com> <2e620d305c86f65cbff44b5fba548dc85c118f84.camel@timruffing.de> <20180812163734.GV499@boulet.lan> In-Reply-To: <20180812163734.GV499@boulet.lan> From: Erik Aronesty <erik@q32.com> Date: Wed, 29 Aug 2018 08:09:36 -0400 Message-ID: <CAJowKg+h11YkwOo-gyWCw+87Oh-9K34LOnJ1730hhpoVR2m5sA@mail.gmail.com> To: apoelstra@wpsoftware.net, Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> Content-Type: multipart/alternative; boundary="000000000000d17720057491d5bf" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Wed, 29 Aug 2018 12:30:06 +0000 Subject: Re: [bitcoin-dev] Schnorr signatures BIP X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> X-List-Received-Date: Wed, 29 Aug 2018 12:09:52 -0000 --000000000000d17720057491d5bf Content-Type: text/plain; charset="UTF-8" Note: This spec cannot be used directly with a shamir scheme to produce single-round threshold multisigs, because shares of point R would need to be broadcast to share participants in order to produce valid single signatures. (R, s) schemes can still be used "online", if share participants publish the R(share).... but, not sure if it matter much, this choice eliminates offline multiparty signing in exchange for batch validation. On Sun, Aug 12, 2018 at 12:47 PM Andrew Poelstra via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > > I think it's just an oversight. We should specify that we use the standard > encoding from section 2.3 of http://www.secg.org/sec1-v2.pdf except that > we allow only compressed public keys. > > Andrew > > > On Mon, Aug 06, 2018 at 11:12:48PM +0200, Tim Ruffing via bitcoin-dev > wrote: > > Is it intentional that the encoding of public (and private) keys is > > unspecified? I'd consider at least the encoding of the public key to be > > part of the signature scheme, so ideally it should be specified already > > in this BIP. On the other hand, there may be good arguments against it, > > but I'm not aware of any. > > > > This issue leads to a discrepancy between the specification and the > > test vectors because the data fields of test vectors "are given as byte > > arrays", including public and secret key. As a consequence, even the > > Python reference implementation in the BIP draft doesn't work on test > > vectors (in a strict sense). > > > > Best, > > Tim > > > > > > On Fri, 2018-07-06 at 11:08 -0700, Pieter Wuille via bitcoin-dev wrote: > > > Hello everyone, > > > > > > Here is a proposed BIP for 64-byte elliptic curve Schnorr signatures, > > > over the same curve as is currently used in ECDSA: > > > https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki > > > > > > It is simply a draft specification of the signature scheme itself. It > > > does not concern consensus rules, aggregation, or any other > > > integration into Bitcoin - those things are left for other proposals, > > > which can refer to this scheme if desirable. Standardizing the > > > signature scheme is a first step towards that, and as it may be > > > useful > > > in other contexts to have a common Schnorr scheme available, it is > > > its > > > own informational BIP. > > > > > > If accepted, we'll work on more production-ready reference > > > implementations and tests. > > > > > > This is joint work with several people listed in the document. > > > > > > Cheers, > > > > > > > _______________________________________________ > > bitcoin-dev mailing list > > bitcoin-dev@lists.linuxfoundation.org > > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > > > > -- > Andrew Poelstra > Mathematics Department, Blockstream > Email: apoelstra at wpsoftware.net > Web: https://www.wpsoftware.net/andrew > > "A goose alone, I suppose, can know the loneliness of geese > who can never find their peace, > whether north or south or west or east" > --Joanna Newsom > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000d17720057491d5bf Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable <div dir=3D"ltr"><div>Note: <br></div><div><br></div><div>This spec cannot = be used directly with a shamir scheme to produce single-round threshold mul= tisigs, because shares of point R would need to be broadcast to share parti= cipants in order to produce valid single signatures.=C2=A0=C2=A0 <br></div>= <div><br></div><div>(R, s) schemes can still be used "online", if= share participants publish the R(share).... but, not sure if it matter muc= h, this choice eliminates offline multiparty signing in exchange for batch = validation.<br></div><div><br></div><div><br></div><div><br></div><div><br>= </div><div><br></div><div><br></div><div><br></div></div><br><div class=3D"= gmail_quote"><div dir=3D"ltr">On Sun, Aug 12, 2018 at 12:47 PM Andrew Poels= tra via bitcoin-dev <<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation= .org">bitcoin-dev@lists.linuxfoundation.org</a>> wrote:<br></div><blockq= uote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc = solid;padding-left:1ex"><br> I think it's just an oversight. We should specify that we use the stand= ard<br> encoding from section 2.3 of <a href=3D"http://www.secg.org/sec1-v2.pdf" re= l=3D"noreferrer" target=3D"_blank">http://www.secg.org/sec1-v2.pdf</a> exce= pt that<br> we allow only compressed public keys.<br> <br> Andrew<br> <br> <br> On Mon, Aug 06, 2018 at 11:12:48PM +0200, Tim Ruffing via bitcoin-dev wrote= :<br> > Is it intentional that the encoding of public (and private) keys is<br= > > unspecified? I'd consider at least the encoding of the public key = to be<br> > part of the signature scheme, so ideally it should be specified alread= y<br> > in this BIP. On the other hand, there may be good arguments against it= ,<br> > but I'm not aware of any.<br> > <br> > This issue leads to a discrepancy between the specification and the<br= > > test vectors because the data fields of test vectors "are given a= s byte<br> > arrays", including public and secret key. As a consequence, even = the<br> > Python reference implementation in the BIP draft doesn't work on t= est<br> > vectors (in a strict sense).<br> > <br> > Best,<br> > Tim<br> > <br> > <br> > On Fri, 2018-07-06 at 11:08 -0700, Pieter Wuille via bitcoin-dev wrote= :<br> > > Hello everyone,<br> > > <br> > > Here is a proposed BIP for 64-byte elliptic curve Schnorr signatu= res,<br> > > over the same curve as is currently used in ECDSA:<br> > > <a href=3D"https://github.com/sipa/bips/blob/bip-schnorr/bip-schn= orr.mediawiki" rel=3D"noreferrer" target=3D"_blank">https://github.com/sipa= /bips/blob/bip-schnorr/bip-schnorr.mediawiki</a><br> > > <br> > > It is simply a draft specification of the signature scheme itself= . It<br> > > does not concern consensus rules, aggregation, or any other<br> > > integration into Bitcoin - those things are left for other propos= als,<br> > > which can refer to this scheme if desirable. Standardizing the<br= > > > signature scheme is a first step towards that, and as it may be<b= r> > > useful<br> > > in other contexts to have a common Schnorr scheme available, it i= s<br> > > its<br> > > own informational BIP.<br> > > <br> > > If accepted, we'll work on more production-ready reference<br= > > > implementations and tests.<br> > > <br> > > This is joint work with several people listed in the document.<br= > > > <br> > > Cheers,<br> > > <br> > <br> > _______________________________________________<br> > bitcoin-dev mailing list<br> > <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_bl= ank">bitcoin-dev@lists.linuxfoundation.org</a><br> > <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-= dev" rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev</a><br> > <br> > <br> <br> -- <br> Andrew Poelstra<br> Mathematics Department, Blockstream<br> Email: apoelstra at <a href=3D"http://wpsoftware.net" rel=3D"noreferrer" ta= rget=3D"_blank">wpsoftware.net</a><br> Web:=C2=A0 =C2=A0<a href=3D"https://www.wpsoftware.net/andrew" rel=3D"noref= errer" target=3D"_blank">https://www.wpsoftware.net/andrew</a><br> <br> "A goose alone, I suppose, can know the loneliness of geese<br> =C2=A0who can never find their peace,<br> =C2=A0whether north or south or west or east"<br> =C2=A0 =C2=A0 =C2=A0 =C2=A0--Joanna Newsom<br> <br> _______________________________________________<br> bitcoin-dev mailing list<br> <a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">= bitcoin-dev@lists.linuxfoundation.org</a><br> <a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" = rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev</a><br> </blockquote></div> --000000000000d17720057491d5bf--