On Sun, Dec 21, 2014 at 10:01:37AM +0000, Adam Back wrote: > On 20 December 2014 at 14:48, Peter Todd wrote: > > We need the following primitives operating on message m, pubkey p, and a > > valid signature sig1 for m, p: > > > > AntiReplaySign(m, p, sig1) -> sig2 > > VerifyAntiReplaySig(m, p, sig2) -> True or False > > > > Additionally once AntiReplaySign() has been used once for a given pubkey > > it is impossible to re-run the primitive on a different message m'. This > > is of course impossible to implement with math alone, but we can > > implement it with a trusted third party. > > Well while you cant prevent it you could render it insecure enabling > miners to take funds. > > That could work via a one-show signature; normal ECDSA being address > a=H(Q), public key Q=dG, R=kG, r=R.x, s=(H(m)+rd)/k, signature (r,s), > verify: a=?H(Q) and sR=?H(m)G+rQ one-show being: a=H(Q,R), verify > being: a=?H(Q,R) and sR=?H(m)G+rQ. Now that is unsafe to double-spend > by design as only that specific R is usable and as we know reusing R > with different messages leaks the private key because: s=(H(m)+rd)/k > and s'=(H(m')+rd)/k implies sk=H(m)+rd and s'k=H(m')+rd so > k=(H(m)-H(m'))/(s'-s), and d=(sk-H(m))/r. There's no need to get into the specifics of crypto math so early; you can just as easily and only slightly less efficiently obtain the same result with a few extensions to the Bitcoin scripting system to verify ECDSA signatures directly. The interesting question is how "risky" this actually is? Sybil attacks are reasonably easy to pull off, and users have little incentive to validate if 99% of the time everything works, so you don't want to create a system where an actual attack will likely go undetected. Talking about the low level details of how double-spend punishment is actually detailed is just premature optimization. As usual in Bitcoin, the hard part is *not* the math. -- 'peter'[:-1]@petertodd.org 000000000000000012f5511833a1304a72a754df8afef26f5712438bcc40826b