Hi Ethan,<br /><br />&gt; I'm not sure I understand what you are saying here. I agree that once<br />&gt; Alice broadcasts a transaction spending such an output, she can not<br />&gt; double spend that output without losing security. You'd want to define<br />&gt; the unforgeability property to be EU-CMA with only a single signature.<br />&gt; Why would Alice simply just not rebroadcast her original transaction?<br />&gt; If she wants the capability to bump the fees without changing the sig<br />&gt; hash, she can use the SIGHASH flag anyone can pay or CPFP.<br /><br />If my understanding of your scheme is correct, the Lamport public key<br />(e.g x00 == Hash(y00) is committed in the redeem script of a said UTXO.<br />scriptpubkey.<br /><br />I think this opens the following denial-of-service attack by adversaries<br />with hashrate capabilities:<br />- Alice Lamport-emulated signs and broadcast her transaction X<br />- Coalition of Miners (e.g 30% of network) refuse to include Alice's transaction X<br />- Alice can:<br />        - a) wait for the 70% honest network to mine her transaction<br />        - b) increase her feerate to bump incentives to mine transaction X<br />- If Alice picks up option b)<br />        - Alice Lamport-emulated signs and broadcast her transaction X by using ACP flag / CPFP<br />        - This assumes the consumption of a "fresh" fee-bumping UTXO<br />        - This fee-bumping UTXO can be locked under a Lamport emulated-pubkey<br /><br />I think this scheme with a one-time usage property is more exposed to denial-of-service<br />attacks (or wallet UTXO deanonymization) than ECDSA / Schnorr scheme.<br /><br />I believe you might even have a worst-case scenario of this DoS where a coalition<br />of mining attackers force you to one-time sig all your Lamport pubkeys committed<br />in UTXOs (original UTXO + fee-bumping UTXOs), in a way that the orignal UTXO cannot<br />be moved because its feerate is perpetually under mempool min fee, or the marginal<br />ancestor feerate unit of miners block templates.<br /><br />I don't know if this vector of attack is correct, however one can note it could arise<br />in alternative spontaneous scenarios, such as second-layers scarce liquidity allocation<br />(e.g dual-funding), where many UTXOs concurrent spends might compete to confirm first.<br /><br />&gt; What do you mean by this? k=0? I do agree that this scheme is making<br />&gt; some very odd assumptions about ecdsa signatures and they may not<br />&gt; hold. Certainly no one should expect this scheme to be secure without<br />&gt; a proof of security or at the least some sort of justification for why<br />&gt; anyone expects these assumptions to hold.<br /><br />I think the ECDSA signature verification algorithm forbids the usage<br />of the point at infinity for the curve point resulting from the modular<br />arithmetic on your r-value and s-value, not k=0 where k is the nonce.<br /><br />I don't know if you could play with the transaction hash to produce<br />a curve point which is equals to the point at infinity, especially in<br />context where the transaction hash is including inputs from multiple<br />non-trusted counterparties (e.g if you're using SIGHASH flags).<br /><br />&gt; It's worse than that! Storage and lookup would not require anything so<br />&gt; fancy as rainbow tables. Once you have precomputed a 20 byte r-value<br />&gt; you can use it everywhere. Grinding such an r-value would cost 2^96<br />&gt; queries for 50% success rate, but would let you trivially break any of<br />&gt; these signatures which used a 21 byte r-value with a pen and some<br />&gt; paper. Still, if you could do 2^96 ecdsa queries, it would be<br />&gt; computationally expensive as mining 1,125,899,906,842,620 bitcoin<br />&gt; blocks. You'd probably be better off mining those blocks than grinding<br />&gt; the r-value.<br /><br />Well, we're not comparing "apple-to-apple" here as on one side you have<br />modular arithmetic operations, on the other side bitwise rotations. I'm<br />thinking you might have an advantage in your ecdsa queries as a finite field<br />is, as the name say so, "finite" so you could theoretically pre-compute all<br />entries in your storage. On the other hand, with block mining (even assuming<br />a functional implementation of Grover's algorithm) you have lookup and<br />propagation latency under 10 min in average. Sounds you can parellize both<br />problems resolution (re-use hash round states or point addition), so it might<br />be just a classicla time-space trade-off here.<br /><br />&gt; I think a more interesting open question of this post is if we have already hash-chain-based covenant<br />&gt; "today" in Bitcoin. If by fixing the integer `z` of the s-value of ECDSA signature in redeem script, and<br />&gt; computing backward the chain of chids redeem scripts to avoid hash-chain dependencies. <br /><br />Correcting myself on my initial email, the design bottleneck here is obviously<br />that spent outpoints are committed in a child signature digest in a no-APO world.<br />This is still an interesting question if you can remove spent outpoints commitment<br />by leveraging OP_SIZE or fixing other ECDSA signature components.<br /><br />Best,<br />Antoine<br /><br /><div class="gmail_quote"><div dir="auto" class="gmail_attr">Le lundi 6 mai 2024 à 20:25:33 UTC+1, Andrew Poelstra a écrit :<br/></div><blockquote class="gmail_quote" style="margin: 0 0 0 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">On Mon, May 06, 2024 at 08:56:21AM -1000, David A. Harding wrote:
<br>&gt; On 2024-05-06 06:48, Andrew Poelstra wrote:
<br>&gt; &gt; [...] post-Taproot script can verify a
<br>&gt; &gt; trace of any program execution, as long as the individual elements it is
<br>&gt; &gt; operating on fit into 4-byte CScriptNums. You can therefore implement
<br>&gt; &gt; SHA2, ECDSA, etc., and reconstruct the pattern of SIZE elements by
<br>&gt; &gt; feeding in transaction data. Which of course can then be arbitrarily
<br>&gt; &gt; constrained.
<br>&gt; 
<br>&gt; Thanks for your answer!  I think I understand.  However, we don&#39;t have ECDSA
<br>&gt; in tapscript; all signatures in tapscript are 64 bytes plus an optional
<br>&gt; sighash byte, so there&#39;s no natural variation in signature size.
<br>&gt;
<br>
<br>You can implement ECDSA. It will just take a *lot* of opcodes.
<br>
<br>-- 
<br>Andrew Poelstra
<br>Director, Blockstream Research
<br>Email: apoelstra at <a href="http://wpsoftware.net" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=fr&amp;q=http://wpsoftware.net&amp;source=gmail&amp;ust=1715129481530000&amp;usg=AOvVaw2zSaowE8QPY_5pe0-Ar_OD">wpsoftware.net</a>
<br>Web:   <a href="https://www.wpsoftware.net/andrew" target="_blank" rel="nofollow" data-saferedirecturl="https://www.google.com/url?hl=fr&amp;q=https://www.wpsoftware.net/andrew&amp;source=gmail&amp;ust=1715129481530000&amp;usg=AOvVaw1UjRgzo3NpzxwX6z6t0dzD">https://www.wpsoftware.net/andrew</a>
<br>
<br>The sun is always shining in space
<br>    -Justin Lewis-Webster
<br>
<br></blockquote></div>

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion on the web visit <a href="https://groups.google.com/d/msgid/bitcoindev/bd37a9f1-7fb9-4111-a069-31c3665073d2n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/bd37a9f1-7fb9-4111-a069-31c3665073d2n%40googlegroups.com</a>.<br />