Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id DAF584864 for ; Tue, 22 Jan 2019 16:33:38 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 20966102 for ; Tue, 22 Jan 2019 16:33:38 +0000 (UTC) Received: by mail-wr1-f41.google.com with SMTP id r10so28057165wrs.10 for ; Tue, 22 Jan 2019 08:33:37 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U41BAvxqPVR5t3pwgiQV58WFWjY11zxUql49+AWaNEQ=; b=NhY9P2z7mcfs3ImESoG/qYDC4ekeagvMs2oftLf57bfqvtsfvctx6T3gFFxVt25nZb dRhkZTbMMPtbzmhbTEmn0dEWpCuhsin5llhqFeoV+l3C0/9ifBDpG0PydCtHgAQ71/Zp Foui552naZuK42J/B75+0yqgmYn1krWC124HiDk3FxEWk1zk0iTX9EYeBuiL1Rj1zJ95 kqBtiFvGc3lNehh4oq3S4V8ext1X3jkinF6drjbQH/sPbXMNDwIyCt3SZLVrVIF9QDiz eKGpFa0E7PaWdc+aM5HRubNoJHV7w/Vl+n/gJulJZkAe4j5xNuh/EduJ91a/AjQVatsI ozIQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U41BAvxqPVR5t3pwgiQV58WFWjY11zxUql49+AWaNEQ=; b=JVknh/xX7myrorE6VdSaBByVCcXtVmN1qg/ZcSgkG7BMNAFczhdzVOBXQctDmUcfvu HT03THiBOAGFn2kOu4A1YTjA5cU+6vyIxx02CqqxQ/0UHO3WsjHrxHuIc29TVzDeUWJ8 cgxpRUtQUf7iRkqzrC9WrZWVru4zM985GMbSiiDzv0TUVP32N8ghBc2ePPlDB6w1dBxy NlZp8Zlh8Aly40ISpekzdUHbs7G4Dj9H+nGcf/B9yx363ViYHrCHRrwtHVWTmQ/PgKVR sU21ArOLFydykHvvmJw22C+z2UsZmez2eojA1Zu8Qw46gLwybCX4axkGqHw6guyJ5KLy KnyA== X-Gm-Message-State: AJcUukeNOQi3qDpatLyYUl2CJs58aRAS6giSLnoaoZTtIKgmPHOh6nbS 3+ipYi3H0u4WIMKv4T9ppEUpikwCgxJ4bnn/Zpb0dQ== X-Google-Smtp-Source: ALg8bN5Cek7Bq1/zSsSyXZQGzRbwBWByFnP6Sd4ekVtHXT+UXOtwFA0L5sLIZYeX1IUW6X3rG2mgke/t9pgMUtgscUQ= X-Received: by 2002:a5d:6647:: with SMTP id f7mr33481200wrw.225.1548174816209; Tue, 22 Jan 2019 08:33:36 -0800 (PST) MIME-Version: 1.0 References: In-Reply-To: From: Dustin Dettmer Date: Tue, 22 Jan 2019 08:33:23 -0800 Message-ID: To: Bitcoin Protocol Discussion , ZmnSCPxj Content-Type: multipart/alternative; boundary="000000000000f875fb05800e8961" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Tue, 22 Jan 2019 19:53:57 +0000 Subject: Re: [bitcoin-dev] Proof-of-Stake Bitcoin Sidechains X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Jan 2019 16:33:39 -0000 --000000000000f875fb05800e8961 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Wouldn=E2=80=99t a revealed private key for time locked funds create a race= to spend? I imagine miners who are paying attention would have the advantage but it would still just be a race. Would be nice to have the funds destroyed or sent somewhere specific. Like if somehow the revealed key was actually itself a presigned transaction. Or perhaps a 32 byte piece of a tx needed to complete it. On Tue, Jan 22, 2019 at 6:14 AM ZmnSCPxj via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > Good Morning Matt, > > > ### ZmnSCPxj, > > > > I'm intrigued by this mechanism of using fixed R values to prevent > multiple signatures, but how do we derive the R values in a way where the= y > are > unique for each blockheight but still can be used to create signatures or > verify? > > One possibility is to derive `R` using standard hierarchical derivation. > Then require that the staking pubkey be revealed to the sidechain network > as actually being `staking_pubkey =3D P + hash(P || parent_R) * G` (possi= bly > with some trivial protection against Taproot). > To sign for a blockheight `h`, you must use your public key `P` and the > specific `R` we get from hierarchical derivation from `parent_R` and the > blockheight as index. > > > > Regards, > ZmnSCPxj > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --000000000000f875fb05800e8961 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Wouldn=E2=80=99t a revealed private key for time loc= ked funds create a race to spend? I imagine miners who are paying attention= would have the advantage but it would still just be a race.

Would be nice to have the funds = destroyed or sent somewhere specific. Like if somehow the revealed key was = actually itself a presigned transaction. Or perhaps a 32 byte piece of a tx= needed to complete it.

On Tue, Jan 22, 2019 at 6:14 AM ZmnSCPxj via bitcoin-dev <bitcoin-dev@lists.linux= foundation.org> wrote:
Good = Morning Matt,

> ### ZmnSCPxj,
>
> I'm intrigued by this mechanism of using fixed R values to prevent= multiple signatures, but how do we derive the R values in a way where they= are
unique for each blockheight but still can be used to create signatures or v= erify?

One possibility is to derive `R` using standard hierarchical derivation. Then require that the staking pubkey be revealed to the sidechain network a= s actually being `staking_pubkey =3D P + hash(P || parent_R) * G` (possibly= with some trivial protection against Taproot).
To sign for a blockheight `h`, you must use your public key `P` and the spe= cific `R` we get from hierarchical derivation from `parent_R` and the block= height as index.



Regards,
ZmnSCPxj
_______________________________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mail= man/listinfo/bitcoin-dev
--000000000000f875fb05800e8961--