From pieter.wuille at gmail.com Fri Sep 25 03:38:59 2015
From: pieter.wuille at gmail.com (Pieter Wuille)
Date: Fri, 25 Sep 2015 05:38:59 +0200
Subject: [Lightning-dev] Ionization Protocol: Flood Routing
In-Reply-To: <87a8sbs5t1.fsf@rustcorp.com.au>
References: <8761314tpn.fsf@rustcorp.com.au> <38D4A6A1-474D-49A4-8380-76B65AFBEB70@gmail.com> <87a8sbs5t1.fsf@rustcorp.com.au>
Message-ID:

On Sep 25, 2015 3:09 AM, "Rusty Russell" wrote:
> >> You can squeeze some more bytes out if you want:
> >> 1) Signature should be 64 bytes (never DER encode).
> >> 2) Pubkey can be hashed bitcoin-address style, and recovered from sig.
> >
> > You can recover the pubkey from the hash and the sig? Why are we putting the pubkey in the scriptSig then? ;)
>
> Because crypto is hard :(
>
> TBH I only learned a few months ago that you can do this.
>
> It helps if you have the (two-bit) recovery id, but you can brute force
> it AFAICT. You then check if the pubkey matches the hash you're given.

You can indeed do public key recovery on ECDSA, and you can brute force the recovery id. In all non-pathological cases, the recovery id will be 0 or 1; only one in about 2^128 randomly generated signatures need 2 or 3.

I don't have much context here, but is there a need for this to be ECDSA? If not, the EC-Schnorr scheme in libsecp256k1 produces 64-byte non-malleable signatures that support pubkey recovery without an additional recovery id, and are compatible with the same private/public keys. The scheme is certainly non-standard and experimental at this point, but it's an instance of a well-researched mechanism.

--
Pieter
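The recovery-id brute force discussed in the thread, as an added example that is not code from the thread or from libsecp256k1: a pure-Python secp256k1 with raw ECDSA signing, public key recovery for a given 2-bit recovery id, and a loop that tries all four ids and keeps only the candidate whose hash matches the one carried in place of the pubkey. Assumptions: the nonce k is passed in explicitly (real signing derives it securely, e.g. RFC 6979), and the key hash is SHA-256 of the compressed key rather than Bitcoin's hash160, to keep the block dependency-free; the arithmetic is not constant-time and is for illustration only.

```python
import hashlib

# secp256k1 parameters: field prime, group order, generator point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    if p == q: lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else: lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def mul(k, p):  # double-and-add scalar multiplication (not constant-time)
    r = None
    while k:
        if k & 1: r = add(r, p)
        p, k = add(p, p), k >> 1
    return r

def pubkey_hash(q):  # SHA-256 of the 33-byte compressed key (stand-in for hash160)
    return hashlib.sha256(bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")).digest()

def sign(priv, z, k):  # raw ECDSA over message hash z; k supplied for the demo only
    r = mul(k, G)[0] % N
    s = (z + r * priv) * pow(k, -1, N) % N
    return r, s  # 64 bytes when serialised as r||s, no DER

def recover(z, sig, recid):
    # recid bit 0: parity of R.y; bit 1: whether R.x overflowed the group order
    r, s = sig
    x = r + (recid >> 1) * N
    if x >= P: return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # square root works because P % 4 == 3
    if y * y % P != y_sq: return None  # x is not on the curve
    if (y & 1) != (recid & 1): y = P - y
    return mul(pow(r, -1, N), add(mul(s, (x, y)), mul(N - z % N, G)))  # r^-1(sR - zG)

def recover_by_hash(z, sig, key_hash):
    # Brute-force the 2-bit recovery id; only the candidate matching the hash is accepted
    for recid in range(4):
        q = recover(z, sig, recid)
        if q is not None and pubkey_hash(q) == key_hash:
            return recid, q
    return None
```

The hash comparison is what makes the brute force safe: each recovery id yields some valid-looking point, so without the hash a verifier would have no way to tell the true key from the other candidates.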