public inbox for bitcoindev@googlegroups.com
* [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Артём Литвинович @ 2018-01-24  3:50 UTC (permalink / raw)
  To: bitcoin-dev

Greetings.

I wanted to ask what was the rationale behind still having both public
key and signature in Segwit witness?

As is known for a while, the public key can be derived from the
signature and a quadrant byte, a trick that is successfully used both
in Bitcoin message signing algorithm and in Ethereum transaction
signatures. The latter in particular suggests that this is a perfectly
functional and secure alternative.
Leaving out the public key would have saved 33 bytes per signature,
which is quite a lot.

So, the question is - was there a good reason to do it the old way
(security, performance, privacy, something else?), or was it something
that hasn't been thought of/considered at the time?



* Re: [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Gregory Maxwell @ 2018-01-24  4:25 UTC (permalink / raw)
  To: Артём Литвинович, Bitcoin Protocol Discussion

On Wed, Jan 24, 2018 at 3:50 AM, Артём Литвинович via bitcoin-dev
<bitcoin-dev@lists•linuxfoundation.org> wrote:
> Greetings.
>
> I wanted to ask what was the rationale behind still having both public
> key and signature in Segwit witness?
>
> As is known for a while, the public key can be derived from the
> signature and a quadrant byte, a trick that is successfully used both
> in Bitcoin message signing algorithm and in Ethereum transaction
> signatures. The latter in particular suggests that this is a perfectly
> functional and secure alternative.
> Leaving out the public key would have saved 33 bytes per signature,
> which is quite a lot.
>
> So, the question is - was there a good reason to do it the old way
> (security, performance, privacy, something else?), or was it something
> that hasn't been thought of/considered at the time?

It is slow to verify, incompatible with batch validation, doesn't save
space if hashing isn't used, and is potentially patent encumbered.



* Re: [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Aymeric Vitte @ 2018-01-24 10:24 UTC (permalink / raw)
  To: Gregory Maxwell, Bitcoin Protocol Discussion, Артём Литвинович

34 bytes in fact

I have already asked this question at least twice on this list, pointing
out the fact that pubkey is there now even for standard p2pkh
transactions and it was not the case some time ago

But I never got any answer regarding what motivated this change
(compared to the previous behavior) and when, so whether I am missing
something obvious, whether nobody wants to answer

Txs without pubkey are now rejected then what is the element in the code
(protocol, version, etc) that "decided" this?


On 24/01/2018 at 05:25, Gregory Maxwell via bitcoin-dev wrote:
> On Wed, Jan 24, 2018 at 3:50 AM, Артём Литвинович via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org> wrote:
>> Greetings.
>>
>> I wanted to ask what was the rationale behind still having both public
>> key and signature in Segwit witness?
>>
>> As is known for a while, the public key can be derived from the
>> signature and a quadrant byte, a trick that is successfully used both
>> in Bitcoin message signing algorithm and in Ethereum transaction
>> signatures. The latter in particular suggests that this is a perfectly
>> functional and secure alternative.
>> Leaving out the public key would have saved 33 bytes per signature,
>> which is quite a lot.
>>
>> So, the question is - was there a good reason to do it the old way
>> (security, performance, privacy, something else?), or was it something
>> that hasn't been thought of/considered at the time?
> It is slow to verify, incompatible with batch validation, doesn't save
> space if hashing isn't used, and is potentially patent encumbered.

-- 
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms




* Re: [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Gregory Maxwell @ 2018-01-24 10:31 UTC (permalink / raw)
  To: Aymeric Vitte
  Cc: Bitcoin Protocol Discussion, Артём Литвинович

On Wed, Jan 24, 2018 at 10:24 AM, Aymeric Vitte <vitteaymeric@gmail•com> wrote:
> out the fact that pubkey is there now even for standard p2pkh
> transactions and it was not the case some time ago
>
> But I never got any answer regarding what motivated this change
> (compared to the previous behavior) and when, so whether I am missing
> something obvious, whether nobody wants to answer

No such behaviour ever existed, you are simply mistaken.



* Re: [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Aymeric Vitte @ 2018-01-24 11:16 UTC (permalink / raw)
  To: Gregory Maxwell
  Cc: Bitcoin Protocol Discussion, Артём Литвинович

Then what about
https://blockchain.info/tx/226a8b08dc46a00e9ecec5567a303a0b354bef3c1674476eb5e4b627b2ace493?format=hex
?

Scriptsig:

473044022057a1234709270325e7215200f982546304cf465971cbd55d54231ead54ef1a7802207a82e93ef2b0f87188abe87bccb67ee9d5c650b1b58948e5b1c80ba1b4c43dc301

No pubkey...


On 24/01/2018 at 11:31, Gregory Maxwell wrote:
> On Wed, Jan 24, 2018 at 10:24 AM, Aymeric Vitte <vitteaymeric@gmail•com> wrote:
>> out the fact that pubkey is there now even for standard p2pkh
>> transactions and it was not the case some time ago
>>
>> But I never got any answer regarding what motivated this change
>> (compared to the previous behavior) and when, so whether I am missing
>> something obvious, whether nobody wants to answer
> No such behaviour ever existed, you are simply mistaken.





* Re: [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Gregory Maxwell @ 2018-01-24 11:35 UTC (permalink / raw)
  To: Aymeric Vitte
  Cc: Bitcoin Protocol Discussion, Артём Литвинович

On Wed, Jan 24, 2018 at 11:16 AM, Aymeric Vitte <vitteaymeric@gmail•com> wrote:
> Then what about
> https://blockchain.info/tx/226a8b08dc46a00e9ecec5567a303a0b354bef3c1674476eb5e4b627b2ace493?format=hex
> ?
>
> Scriptsig:
>
> 473044022057a1234709270325e7215200f982546304cf465971cbd55d54231ead54ef1a7802207a82e93ef2b0f87188abe87bccb67ee9d5c650b1b58948e5b1c80ba1b4c43dc301
>
> No pubkey...

Because the pubkey is in the scriptPubKey of vout 0 of
40872a376e98a1f8b285827c2ad8c5b3eec7d779d752dc3a4adda5d9bb70f3b5 which
it is spending.



* Re: [bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
From: Aymeric Vitte @ 2018-01-24 12:03 UTC (permalink / raw)
  To: Gregory Maxwell
  Cc: Bitcoin Protocol Discussion, Артём Литвинович

Indeed... I would have bet that I had other examples with p2pkh this
time but apparently I imagined it


On 24/01/2018 at 12:35, Gregory Maxwell wrote:
> On Wed, Jan 24, 2018 at 11:16 AM, Aymeric Vitte <vitteaymeric@gmail•com> wrote:
>> Then what about
>> https://blockchain.info/tx/226a8b08dc46a00e9ecec5567a303a0b354bef3c1674476eb5e4b627b2ace493?format=hex
>> ?
>>
>> Scriptsig:
>>
>> 473044022057a1234709270325e7215200f982546304cf465971cbd55d54231ead54ef1a7802207a82e93ef2b0f87188abe87bccb67ee9d5c650b1b58948e5b1c80ba1b4c43dc301
>>
>> No pubkey...
> Because the pubkey is in the scriptPubKey of vout 0 of
> 40872a376e98a1f8b285827c2ad8c5b3eec7d779d752dc3a4adda5d9bb70f3b5 which
> it is spending.



