* [Bitcoin-development] 0.8.5 with libsecp256k1 @ 2013-10-10 3:50 Warren Togami Jr. 2013-10-10 4:10 ` Jeremy Spilman 2013-10-10 8:29 ` [Bitcoin-development] 0.8.5 with libsecp256k1 Mike Hearn 0 siblings, 2 replies; 6+ messages in thread From: Warren Togami Jr. @ 2013-10-10 3:50 UTC (permalink / raw) To: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1001 bytes --] https://github.com/sipa/secp256k1 sipa's secp256k1, optimized ecdsa, significantly faster than openssl Today someone in #bitcoin-dev asked for Bitcoin 0.8.5 with sipa's secp256k1. Litecoin has been shipping test builds with secp256k1 for several months now so it was a simple matter to throw together a branch of Bitcoin 0.8.5 with secp256k1. https://github.com/wtogami/bitcoin/commits/btc-0.8.5-secp256k1 This branch should theoretically work for Linux, win32 gitian and mac builds. These commits are rather ugly because it was thrown together just to make it build with the old 0.8 makefiles without intent for production code merge. cfields is working on autotoolizing it as one of the prerequisites prior to inclusion into bitcoin master where it will be an option disabled by default. http://193.28.235.60/~warren/bitcoin-0.8.5-secp256k1/ Untested win32 gitian build. Build your own Linux or Mac builds if you want to test it. Not recommended for production wallet or mining uses. Warren [-- Attachment #2: Type: text/html, Size: 1385 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Bitcoin-development] 0.8.5 with libsecp256k1 2013-10-10 3:50 [Bitcoin-development] 0.8.5 with libsecp256k1 Warren Togami Jr. @ 2013-10-10 4:10 ` Jeremy Spilman 2013-10-10 14:21 ` [Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1) Adam Back 2013-10-10 8:29 ` [Bitcoin-development] 0.8.5 with libsecp256k1 Mike Hearn 1 sibling, 1 reply; 6+ messages in thread From: Jeremy Spilman @ 2013-10-10 4:10 UTC (permalink / raw) To: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 1390 bytes --] Can this be combined with the ideas on deterministic signing to show matching signatures with OpenSSL's implementation? Not sure if that's worth much, since we would just be testing needles in a very large haystack, but better than nothing? On Wed, 09 Oct 2013 20:50:30 -0700, Warren Togami Jr. <wtogami@gmail•com> wrote: > https://github.com/sipa/secp256k1 > sipa's secp256k1, optimized ecdsa, significantly faster than openssl > > Today someone in #bitcoin-dev asked for Bitcoin 0.8.5 with sipa's > secp256k1. Litecoin has been shipping test builds with secp256k1 for > several months >now so it was a simple matter to throw together a branch > of Bitcoin 0.8.5 with secp256k1. > > https://github.com/wtogami/bitcoin/commits/btc-0.8.5-secp256k1 > This branch should theoretically work for Linux, win32 gitian and mac > builds. These commits are rather ugly because it was thrown together > just to make >it build with the old 0.8 makefiles without intent for > production code merge. cfields is working on autotoolizing it as one of > the prerequisites prior to >inclusion into bitcoin master where it will > be an option disabled by default. > > http://193.28.235.60/~warren/bitcoin-0.8.5-secp256k1/ > Untested win32 gitian build. Build your own Linux or Mac builds if you > want to test it. Not recommended for production wallet or mining uses. > > Warren [-- Attachment #2.1: Type: text/html, Size: 2048 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1) 2013-10-10 4:10 ` Jeremy Spilman @ 2013-10-10 14:21 ` Adam Back 2013-10-10 15:06 ` Adam Back 0 siblings, 1 reply; 6+ messages in thread From: Adam Back @ 2013-10-10 14:21 UTC (permalink / raw) To: Jeremy Spilman; +Cc: Bitcoin Dev Determinstic ECDSA signature aka k=H(d,m) insead of k=random, with signature (r,s) calculated r=[kG].x, s=k^-1(H(m)+rd) with public key Q=dG and verificaton relation [H(m)s^-1G+rs^-1Q].x=?r is cool and should be done. Otherwise RNG issues like EC_DRBG or even leaked partial bits like the RNG bias in the original DSA spec that Bleichenbacher pointed out and then they corrected. On Wed, Oct 09, 2013 at 09:10:09PM -0700, Jeremy Spilman wrote: >Can this be combined with the ideas on deterministic signing to show >matching signatures with OpenSSL's implementation? But k=random and k=H(d,m) create compatible signatures - or were you eaning to cross check the two implementations with fuzz tester on lots of messages? btw about malleability: Mike Hearn <mike@plan99•net> wrote: > I believe the main issue at the moment is the malleability issues? If > so, it would seem possible to use OpenSSL to parse the signature into > components and then libsecp256k1 to verify them. other than the ASN.1 related parsing ambiguity, if any (openSSL asn.1 parsing code is evil and shold not be used), the (r,s) vs (r,-s) ambiguity can be plugged as discussed (eg define -s as invalid). But that is ECDSA specific, and signature malleability and its impact is a generic problem. Its probably a non-requirement of a signature scheme in terms of the analysis effort put in by cryptanalysts that the signature itself be non-malleable, eg there are some encryption schemes which are publicly reblindable, like Elgamal. By plugging the (r,s), (r,-s) specific case as a DSA specific work-around there may be other malleability even in DSA, unless someone has a clear proof that there is not. And we may want to add ECS (schnorr) because it's simpler and allows more flexibility and efficiency (eg native n of n multisig at the storage cost of 1 signature vs n with ECDSA, and k of n threshold signature at the cost of 1 sig (but some threshold secret share setup up front). The relying party doesnt need to know how many multi-sigs there are there is a single public key. So I was thinking a more generic / robust way to fix this would be to change the txid from H(sig,inputs,outputs,script) to H(pubkey,inputs,outputs,script) or something like that in effect so that the malleability of the signature mechanism doesnt affect the security of conditional payments. Adam ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1) 2013-10-10 14:21 ` [Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1) Adam Back @ 2013-10-10 15:06 ` Adam Back 0 siblings, 0 replies; 6+ messages in thread From: Adam Back @ 2013-10-10 15:06 UTC (permalink / raw) To: Jeremy Spilman; +Cc: Bitcoin Dev btw if I got that right, it means you dont even have to fix the asn.1 level ambiguity (though its a good idea to remove openSSL asn.1 parsing code) to have conditional payments using not yet broadcast txid outputs as inputs to work with high assurance. (And even in the event that a new crypto level malleability is discovered in ECDSA it remains secure.) Adam Adam Back wrote: >So I was thinking a more generic / robust way to fix this would be to change >the txid from H(sig,inputs,outputs,script) to H(pubkey,inputs,outputs,script) >or something like that in effect so that the malleability of the signature >mechanism doesnt affect the security of conditional payments. Adam ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Bitcoin-development] 0.8.5 with libsecp256k1 2013-10-10 3:50 [Bitcoin-development] 0.8.5 with libsecp256k1 Warren Togami Jr. 2013-10-10 4:10 ` Jeremy Spilman @ 2013-10-10 8:29 ` Mike Hearn 2013-10-11 11:41 ` Pieter Wuille 1 sibling, 1 reply; 6+ messages in thread From: Mike Hearn @ 2013-10-10 8:29 UTC (permalink / raw) To: Warren Togami Jr.; +Cc: Bitcoin Dev [-- Attachment #1: Type: text/plain, Size: 2093 bytes --] Thanks! I'd love to see this library become usable behind a command line flag or config setting. At some point we're going to want to switch to it. I believe the main issue at the moment is the malleability issues? If so, it would seem possible to use OpenSSL to parse the signature into components and then libsecp256k1 to verify them. On Thu, Oct 10, 2013 at 5:50 AM, Warren Togami Jr. <wtogami@gmail•com>wrote: > https://github.com/sipa/secp256k1 > sipa's secp256k1, optimized ecdsa, significantly faster than openssl > > Today someone in #bitcoin-dev asked for Bitcoin 0.8.5 with sipa's > secp256k1. Litecoin has been shipping test builds with secp256k1 for > several months now so it was a simple matter to throw together a branch of > Bitcoin 0.8.5 with secp256k1. > > https://github.com/wtogami/bitcoin/commits/btc-0.8.5-secp256k1 > This branch should theoretically work for Linux, win32 gitian and mac > builds. These commits are rather ugly because it was thrown together just > to make it build with the old 0.8 makefiles without intent for production > code merge. cfields is working on autotoolizing it as one of the > prerequisites prior to inclusion into bitcoin master where it will be an > option disabled by default. > > http://193.28.235.60/~warren/bitcoin-0.8.5-secp256k1/ > Untested win32 gitian build. Build your own Linux or Mac builds if you > want to test it. Not recommended for production wallet or mining uses. > > Warren > > > ------------------------------------------------------------------------------ > October Webinars: Code for Performance > Free Intel webinars can help you accelerate application performance. > Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most > from > the latest Intel processors and coprocessors. See abstracts and register > > http://pubads.g.doubleclick.net/gampad/clk?id=60134071&iu=/4140/ostg.clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists•sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > [-- Attachment #2: Type: text/html, Size: 3272 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [Bitcoin-development] 0.8.5 with libsecp256k1 2013-10-10 8:29 ` [Bitcoin-development] 0.8.5 with libsecp256k1 Mike Hearn @ 2013-10-11 11:41 ` Pieter Wuille 0 siblings, 0 replies; 6+ messages in thread From: Pieter Wuille @ 2013-10-11 11:41 UTC (permalink / raw) To: Mike Hearn; +Cc: Bitcoin Dev On Thu, Oct 10, 2013 at 10:29 AM, Mike Hearn <mike@plan99•net> wrote: > Thanks! I'd love to see this library become usable behind a command line > flag or config setting. At some point we're going to want to switch to it. > The current idea is to provide a compile-time flag to enable it, which at the same time disables the wallet and mining RPCs. In that state, it should be safe enough to provide test builds. > I believe the main issue at the moment is the malleability issues? If so, it > would seem possible to use OpenSSL to parse the signature into components > and then libsecp256k1 to verify them. I'm pretty sure that libsecp256k1 supports every signature that OpenSSL supports, so that direction is likely covered. The other direction - the fact that libsecp256k1 potentially supports more than OpenSSL - is only a problem if a majority of the hash power would be running on it. However, with canonical encodings enforced by recent relaying nodes, I hope that by then we're able to schedule a softfork and require them inside blocks. Apart from that, there is of course the issue that there may be actual exploitable mistakes in the crypto code. There are unit tests, including ones that create signatures with libsecp256k1 and verify them using OpenSSL and the other way around, but errors are certainly more likely to occur in edge cases that you don't hit with randomized tests. The only way to catch those is review I suppose. I certainly welcome people looking at it - even if just to get comments like "Can you add an explanation for why this works?". -- Pieter ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2013-10-11 11:41 UTC | newest] Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2013-10-10 3:50 [Bitcoin-development] 0.8.5 with libsecp256k1 Warren Togami Jr. 2013-10-10 4:10 ` Jeremy Spilman 2013-10-10 14:21 ` [Bitcoin-development] malleability work-around vs fix (Re: 0.8.5 with libsecp256k1) Adam Back 2013-10-10 15:06 ` Adam Back 2013-10-10 8:29 ` [Bitcoin-development] 0.8.5 with libsecp256k1 Mike Hearn 2013-10-11 11:41 ` Pieter Wuille
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox