Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id BA6F0EA6 for ; Mon, 18 Apr 2016 19:03:19 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from s47.web-hosting.com (s47.web-hosting.com [199.188.200.16]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 33820125 for ; Mon, 18 Apr 2016 19:03:19 +0000 (UTC) Received: from 058176106120.ctinets.com ([58.176.106.120]:60784 helo=2012R2) by server47.web-hosting.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.86_1) (envelope-from ) id 1asES5-000tqY-LS; Mon, 18 Apr 2016 15:03:18 -0400 From: To: "'Tier Nolan'" References: <23e401d16552$996546d0$cc2fd470$@xbt.hk> In-Reply-To: Date: Tue, 19 Apr 2016 03:03:07 +0800 Message-ID: <00aa01d199a4$f3a41c80$daec5580$@xbt.hk> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_00AB_01D199E8.01C8E320" X-Mailer: Microsoft Outlook 16.0 Thread-Index: AQKZ0cNygh4pHRrrw11uUfSX/C1ivAHCjXD4AwHsm+IBSSqdEgG+ZxSPncErGVA= Content-Language: en-hk X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - server47.web-hosting.com X-AntiAbuse: Original Domain - lists.linuxfoundation.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - xbt.hk X-Get-Message-Sender-Via: server47.web-hosting.com: authenticated_id: jl2012@xbt.hk X-Authenticated-Sender: server47.web-hosting.com: jl2012@xbt.hk X-Source: X-Source-Args: X-Source-Dir: X-From-Rewrite: unmodified, already matched X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 18 Apr 2016 19:04:25 +0000 Cc: bitcoin-dev@lists.linuxfoundation.org Subject: Re: [bitcoin-dev] BIP CPRKV: Check private key verify X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2016 19:03:19 -0000 This is a multipart message in MIME format. ------=_NextPart_000_00AB_01D199E8.01C8E320 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I just realize that if we have OP_CAT, OP_CHECKPRIVATEKEYVERIFY (aka = OP_CHECKPRIVPUBPAIR) is not needed (and is probably better for privacy) =20 Bob has the prikey-x for pubkey-x. Alice and Bob will agree to a random = secret nonce, k. They calculate r, in the same way as signing a = transaction. =20 The script is: =20 SIZE ADD <0x30> SWAP CAT <0x02|r-length|r> CAT SWAP CAT = CECHKSIGVERIFY CHECKSIG =20 To redeem, Bob has to provide: =20 <0x02|s-length|s|sighashtype> =20 With k, s and sighash, Alice (and only Alice) can recover the prikey-x = with the well-known k-reuse exploit ( = https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm = ) =20 The script will be much cleaner if we remove the DER encoding in the = next generation of CHECKSIG =20 The benefit is prikey-x remains a secret among Alice and Bob. If they = don=E2=80=99t mind exposing the prikey-x, they could use r =3D x = coordinate of pubkey-x, which means k =3D prikey-x = (https://bitcointalk.org/index.php?topic=3D291092.0) This would reduce = the witness size a little bit as a DUP may be used =20 From: bitcoin-dev-bounces@lists.linuxfoundation.org = [mailto:bitcoin-dev-bounces@lists.linuxfoundation.org] On Behalf Of Tier = Nolan via bitcoin-dev Sent: Monday, 29 February, 2016 19:53 Cc: Bitcoin Dev Subject: Re: [bitcoin-dev] BIP CPRKV: Check private key verify =20 On Mon, Feb 29, 2016 at 10:58 AM, Mats Jerratsch > wrote: This is actually very useful for LN too, see relevant discussion here http://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-November/0118= 27.html =20 Is there much demand for trying to code up a patch to the reference = client? I did a basic one, but it would need tests etc. added. I think that segregated witness is going to be using up any potential = soft-fork slot for the time being anyway. ------=_NextPart_000_00AB_01D199E8.01C8E320 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

I just = realize that if we have OP_CAT, OP_CHECKPRIVATEKEYVERIFY (aka = OP_CHECKPRIVPUBPAIR) is not needed (and is probably better for = privacy)

 

Bob has the = prikey-x for pubkey-x. Alice and Bob will agree to a random secret = nonce, k. They calculate r, in the same way as signing a = transaction.

 

The script = is:

 

SIZE = <r-length + 1> ADD <0x30> SWAP CAT <0x02|r-length|r> = CAT SWAP CAT <pubkey-x> CECHKSIGVERIFY <Bob pubkey hash> = CHECKSIG

 

To redeem, = Bob has to provide:

 

<Bob = sig> <0x02|s-length|s|sighashtype>

 

With k, s = and sighash, Alice (and only Alice) can recover the prikey-x with the = well-known k-reuse exploit

( https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_A= lgorithm )

 

The script = will be much cleaner if we remove the DER encoding in the next = generation of CHECKSIG

 

The benefit = is prikey-x remains a secret among Alice and Bob. If they don=E2=80=99t = mind exposing the prikey-x, they could use r =3D x coordinate of = pubkey-x, which means k =3D prikey-x (https://bitco= intalk.org/index.php?topic=3D291092.0) This would reduce the witness = size a little bit as a DUP may be used

 

From:<= /b> = bitcoin-dev-bounces@lists.linuxfoundation.org = [mailto:bitcoin-dev-bounces@lists.linuxfoundation.org] On Behalf Of = Tier Nolan via bitcoin-dev
Sent: Monday, 29 February, 2016 = 19:53
Cc: Bitcoin Dev = <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: = [bitcoin-dev] BIP CPRKV: Check private key = verify

 

On Mon, Feb 29, 2016 at 10:58 AM, Mats Jerratsch = <matsjj@gmail.com> = wrote:

This is actually very useful for LN too, see = relevant discussion here

http://lists.linuxfoundation.org/pipermail/bitcoin-dev/= 2015-November/011827.html

 

Is there much demand for trying to code = up a patch to the reference client?  I did a basic one, but it = would need tests etc. added.

I think that segregated witness is going to be using = up any potential soft-fork slot for the time being = anyway.

------=_NextPart_000_00AB_01D199E8.01C8E320--