Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id C6FD8720 for ; Mon, 6 Aug 2018 21:12:54 +0000 (UTC) X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 Received: from mx1.mailbox.org (mx1.mailbox.org [80.241.60.212]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0688F1A0 for ; Mon, 6 Aug 2018 21:12:53 +0000 (UTC) Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.mailbox.org (Postfix) with ESMTPS id AC7764889D for ; Mon, 6 Aug 2018 23:12:51 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172]) (amavisd-new, port 10030) with ESMTP id BBAN5vRctlKF for ; Mon, 6 Aug 2018 23:12:50 +0200 (CEST) Message-ID: <2e620d305c86f65cbff44b5fba548dc85c118f84.camel@timruffing.de> From: Tim Ruffing To: bitcoin-dev@lists.linuxfoundation.org Date: Mon, 06 Aug 2018 23:12:48 +0200 In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Mon, 06 Aug 2018 21:16:25 +0000 Subject: Re: [bitcoin-dev] Schnorr signatures BIP X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Aug 2018 21:12:54 -0000 Is it intentional that the encoding of public (and private) keys is unspecified? I'd consider at least the encoding of the public key to be part of the signature scheme, so ideally it should be specified already in this BIP. On the other hand, there may be good arguments against it, but I'm not aware of any. This issue leads to a discrepancy between the specification and the test vectors because the data fields of test vectors "are given as byte arrays", including public and secret key. As a consequence, even the Python reference implementation in the BIP draft doesn't work on test vectors (in a strict sense). Best, Tim On Fri, 2018-07-06 at 11:08 -0700, Pieter Wuille via bitcoin-dev wrote: > Hello everyone, > > Here is a proposed BIP for 64-byte elliptic curve Schnorr signatures, > over the same curve as is currently used in ECDSA: > https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki > > It is simply a draft specification of the signature scheme itself. It > does not concern consensus rules, aggregation, or any other > integration into Bitcoin - those things are left for other proposals, > which can refer to this scheme if desirable. Standardizing the > signature scheme is a first step towards that, and as it may be > useful > in other contexts to have a common Schnorr scheme available, it is > its > own informational BIP. > > If accepted, we'll work on more production-ready reference > implementations and tests. > > This is joint work with several people listed in the document. > > Cheers, >