Re: [bitcoindev] On (in)ability to embed data into Schnorr

public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed

From: Peter Todd <pete@petertodd•org>
To: waxwing/ AdamISZ <ekaggata@gmail•com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] On (in)ability to embed data into Schnorr
Date: Fri, 3 Oct 2025 13:24:38 +0000	[thread overview]
Message-ID: <aN_OlgvB-Co1BL19@petertodd.org> (raw)
In-Reply-To: <0f6c92cc-e922-4d9f-9fdf-69384dcc4086n@googlegroups.com>

[-- Attachment #1: Type: text/plain, Size: 1531 bytes --]

On Wed, Oct 01, 2025 at 07:24:50AM -0700, waxwing/ AdamISZ wrote:
> Hi all,
> 
> https://github.com/AdamISZ/schnorr-unembeddability/
> 
> Here I'm analyzing whether the following statement is true: "if you can 
> embed data into a (P, R, s) tuple (Schnorr pubkey and signature, BIP340 
> style), without grinding or using a sidechannel to "inform" the reader, you 
> must be leaking your private key".
> 
> See the abstract for a slightly more fleshed out context.
> 
> I'm curious about the case of P, R, s published in utxos to prevent usage 
> of utxos as data. I think this answers in the half-affirmative: you can 
> only embed data by leaking the privkey so that it (can) immediately fall 
> out of the utxo set.
> 
> (To emphasize, this is different to the earlier observations (including by 
> me!) that just say it is *possible* to leak data by leaking the private 
> key; here I'm trying to prove that there is *no other way*).

You can probably use timelock encryption to ensure that the leak of the private
key only happens in the future, after the funds are recovered by the owner in a
subsequent transaction.

-- 
https://petertodd.org 'peter'[:-1]@petertodd.org

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups•com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aN_OlgvB-Co1BL19%40petertodd.org.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

     prev parent reply	other threads:[~2025-10-03 15:51 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-01 14:24 waxwing/ AdamISZ
2025-10-01 22:10 ` Greg Maxwell
2025-10-01 23:11   ` Andrew Poelstra
2025-10-02  0:25     ` waxwing/ AdamISZ
2025-10-02 15:56       ` waxwing/ AdamISZ
2025-10-02 19:49         ` Greg Maxwell
2025-10-03 13:24 ` Peter Todd [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aN_OlgvB-Co1BL19@petertodd.org \
    --to=pete@petertodd$(echo .)org \
    --cc=bitcoindev@googlegroups.com \
    --cc=ekaggata@gmail$(echo .)com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox