From: Sjors Provoost
Date: Sat, 14 Jul 2018 17:42:58 +0200
To: Bitcoin Protocol Discussion, Pieter Wuille
Subject: Re: [bitcoin-dev] Schnorr signatures BIP

> On 6 Jul 2018, at 20:08, Pieter Wuille via bitcoin-dev wrote:
>
> Hello everyone,
>
> Here is a proposed BIP for 64-byte elliptic curve Schnorr signatures,
> over the same curve as is currently used in ECDSA:
> https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

The power of simplification at work, thanks Pieter!

Questions:

Regarding verification: why does bytes(P) use compressed key serialization rather than the implicit Y coordinate used for signing? I understand space savings don't matter since these values don't end up on the blockchain. Is it just easier to implement or is it faster?

Regarding rationale for choosing (e,s) vs. (R,s), you say that (e,s) "avoids the difficulty of encoding a point R in the signature". But since e = H(sG - eP || m) also involves converting a point to some byte encoding in order to hash it, how much difficulty is actually avoided? Is that, like for previous question, because you could get away with compressed keys rather than implicit Y coordinates?

Regarding batch verification: "randomly generated independently for each batch of verifications" - by whom? I assume randomly picked by the verifier?

Regarding random number used for signing. The suggested (?) deterministic algorithm to derive secret key ''k'' from the private key ''d'' seems similar to RFC6979. Maybe it's useful to briefly explain the difference, as well as your rationale for not making it mandatory (presumably the same as why RFC6979 isn't mandatory although most (?) wallets use it).

Nits:

* Motivation: "signatures ... These are standardized", but the "standardized" link points to the secp256k1 curve parameters, not to anything signature related afaik
* "message m: an array of 32 bytes", maybe add "typically the sha256 hash of the transaction components committed to by SIGHASH_TYPE"
* I left a few even smaller nits as a PR: https://github.com/sipa/bips/pull/10

Cheers,

Sjors
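The (R,s) versus (e,s) question in the message above, as an added example that is not part of the original message or of the BIP: both verification forms on secp256k1, each of which has to turn the point R into bytes before hashing. Assumptions: the challenge is e = H(R || m) as the formula is written in the message, SHA-256 is the hash, points use the 33-byte compressed encoding, the nonce is a constructed k = H(d || m) mod n, and all function names are hypothetical.

```python
import hashlib

# secp256k1 parameters (the curve the quoted proposal shares with ECDSA).
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % FP == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], FP - 2, FP)
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], FP - 2, FP)
    x = (lam * lam - a[0] - b[0]) % FP
    return x, (lam * (a[0] - x) - a[1]) % FP

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def ser(pt):  # assumed encoding: parity prefix (0x02/0x03) followed by 32-byte x
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def challenge(R, m):  # e = H(R || m): the point is serialized before hashing
    return int.from_bytes(hashlib.sha256(ser(R) + m).digest(), "big") % N

def sign(d, m):
    # Constructed deterministic nonce for this example, not RFC6979.
    k = int.from_bytes(hashlib.sha256(d.to_bytes(32, "big") + m).digest(), "big") % N
    R = mul(k, G)
    e = challenge(R, m)
    return R, e, (k + e * d) % N  # caller publishes either (R, s) or (e, s)

def verify_Rs(P, m, R, s):  # R comes from the signature, is hashed, then sG == R + eP
    return mul(s, G) == add(R, mul(challenge(R, m), P))

def verify_es(P, m, e, s):  # R = sG - eP is recomputed, serialized, and re-hashed
    R = add(mul(s, G), mul(N - e, P))
    return R is not None and challenge(R, m) == e
```

Both verifiers call `ser(R)`; the difference is only whether R is decoded from the signature or recomputed from (e,s) and the public key.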