On Mon, May 06, 2024 at 06:11:48PM -1000, David A. Harding wrote:
> On 2024-05-06 09:06, Andrew Poelstra wrote:
> > You can implement ECDSA. It will just take a *lot* of opcodes.
>
> I'll accept that as a given, but how do you know that a given ECDSA
> signature actually commits to the transaction that contains it if
> OP_CHECKSIG only operates on fixed-size schnorr signatures?
>

You need to connect your Lamport signature to an ECDSA CHECKSIG (in a
pre-Taproot output).

So what I'm depending on here is that it's possible to "copy the
signature" from a pre-Taproot spend to a post-Taproot spend by using
Lamport signatures and some anti-equivocation scheme.

In pre-Taproot we confirm that the signature matches the pattern of
OP_SIZE outputs. In post-Taproot we reconstruct the signature and
constrain the transaction, checking that it spends *both* the
pre-Taproot and the post-Taproot output.

> Is this what you're describing: if the controlling signature is a lamport
> signature that commits to an ECDSA signature, it's safe to disclose the
> private key for the ECDSA signature; when you don't have to worry about
> private key disclosure, it's safe to construct a schnorr signature that uses
> the same private key, nonce, and message commitment as the ECDSA signature;
> if that schnorr signature makes OP_CHECKSIG return true, then you know the
> message is the current transaction?
>

Nope, in this scheme we are avoiding Schnorr signatures entirely.

> That still leaves me confused. If ECDSA can be implemented within
> tapscript, then I would expect that schnorr could also be implemented within
> tapscript; that gives you an OP_CSFS equivalent. If being able to implement
> ECDSA in tapscript allows introspection, then I would expect implementing
> schnorr in tapscript would allow introspection; that gives you an OP_CAT
> equivalent. If you have OP_CSFS and OP_CAT, you have covenants and there's
> no need for lamport signatures or ECDSA.
>

Implementing ECDSA in Tapscript *only* allows introspection in
conjunction with the ability to force a user to spend a Tapscript output
alongside a pre-Tapscript output containing the same ECDSA signature.

And I am waving my hands and saying that I think you can force this by
using covenant tricks.

> Apologies for my remaining confused in the face of something that's probably
> obvious,
>

Lol. This whole thing is kinda insane.

--
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster