Re: [bitcoin-dev] Schnorr signatures BIP

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Sjors Provoost <sjors@sprovoost•nl>
To: Bitcoin Protocol Discussion
	<bitcoin-dev@lists•linuxfoundation.org>,
	Pieter Wuille <pieter.wuille@gmail•com>
Subject: Re: [bitcoin-dev] Schnorr signatures BIP
Date: Sat, 14 Jul 2018 17:42:58 +0200	[thread overview]
Message-ID: <A899D97B-5D47-4AB0-8A7F-57F91C58ADE1@sprovoost.nl> (raw)
In-Reply-To: <CAPg+sBj7f+=OYXuOMdNeJk3NBG67FSQSF8Xv3seFCvwxCWq69A@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2030 bytes --]

> Op 6 jul. 2018, om 20:08 heeft Pieter Wuille via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> het volgende geschreven:
> 
> Hello everyone,
> 
> Here is a proposed BIP for 64-byte elliptic curve Schnorr signatures,
> over the same curve as is currently used in ECDSA:
> https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki

The power of simplification at work, thanks Pieter!

Questions:

Regarding verification: why does bytes(P) use compressed key serialization rather than the implicit Y coordinate used for signing? I understand space savings don't matter since these values don't end up on the blockchain. Is it just easier to implement or is it faster?

Regarding rationale for choosing (e,s) vs. (R,s), you say that (e,s) "avoids the difficulty of encoding a point R in the signature". But since e = H(sG - eP || m) also involves converting a point to some byte encoding in order to hash it, how much difficulty is actually avoided? Is that, like for previous question, because you could get away with compressed keys rather than implicit Y coordinates?

Regarding batch verification: "randomly generated independently for each batch of verifications" - by whom? I assume randomly picked by the verifier?

Regarding random number used for signing. The suggested (?) deterministic algorithm to derive secret key ''k'' from the private key ''d''  seems similar to RFC6979. Maybe it's useful to briefly explain the difference, as well as your rationale for not making it mandatory (presumably the same as why RFC6979 isn't mandatory although most (?) wallets use it).

Nits:

* Motivation: "signatures ... These are standardized", but the "standardized" link points to the secp256k1 curve parameters, not to anything signature related afaik
* "message m: an array of 32 bytes", maybe add "typically the sha256 hash of the transaction components commited to by SIGHASH_TYPE”
* I left a few even smaller nits as a PR: https://github.com/sipa/bips/pull/10

Cheers,

Sjors

[-- Attachment #2: Message signed with OpenPGP --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

next prev parent reply	other threads:[~2018-07-14 15:43 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-07-06 18:08 Pieter Wuille
2018-07-06 21:05 ` Russell O'Connor
2018-07-06 22:00   ` Gregory Maxwell
2018-07-06 22:01     ` Gregory Maxwell
2018-07-08 14:36     ` Russell O'Connor
2018-07-14 15:42 ` Sjors Provoost [this message]
2018-07-14 21:20   ` Pieter Wuille
2018-08-04 12:22     ` Russell O'Connor
2018-08-05 14:33       ` Russell O'Connor
2018-08-06  8:39         ` Anthony Towns
2018-08-06 14:00           ` Russell O'Connor
2018-08-06 21:12 ` Tim Ruffing
2018-08-12 16:37   ` Andrew Poelstra
2018-08-29 12:09     ` Erik Aronesty
2018-09-03  0:05       ` Andrew Poelstra
2018-09-05 12:26         ` Erik Aronesty
2018-09-05 13:05           ` Andrew Poelstra
2018-09-05 13:14             ` Erik Aronesty
2018-09-05 15:35           ` Gregory Maxwell
2018-09-11 16:34             ` Erik Aronesty
2018-09-11 17:00               ` Gregory Maxwell
2018-09-11 17:20                 ` Erik Aronesty
2018-09-11 17:27                   ` Gregory Maxwell
2018-09-11 17:37                     ` Erik Aronesty
2018-09-11 17:51                       ` Gregory Maxwell
2018-09-11 18:30                         ` Erik Aronesty
2018-09-13 18:46                       ` Andrew Poelstra
2018-09-13 20:20                         ` Erik Aronesty
2018-09-14 14:38                           ` Andrew Poelstra
2018-09-20 21:12 ` Russell O'Connor
2018-07-07  2:47 Артём Литвинович

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=A899D97B-5D47-4AB0-8A7F-57F91C58ADE1@sprovoost.nl \
    --to=sjors@sprovoost$(echo .)nl \
    --cc=bitcoin-dev@lists$(echo .)linuxfoundation.org \
    --cc=pieter.wuille@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox