Pieter Wuille [ARCHIVE] on Nostr: 📅 Original date posted:2015-09-25 📝 Original message: On Sep 25, 2015 3:09 AM, ...
📅 Original date posted:2015-09-25
📝 Original message:
On Sep 25, 2015 3:09 AM, "Rusty Russell" wrote:
> >> You can squeeze some more bytes out if you want:
> >> 1) Signature should be 64 bytes (never DER encode).
> >> 2) Pubkey can be hashed bitcoin-address style, and recovered from sig.
> >
> > You can recover the pubkey from the hash and the sig? Why are we
> > putting the pubkey in the scriptSig then? ;)
>
> Because crypto is hard :(
>
> TBH I only learned a few months ago that you can do this.
>
> It helps if you have the (two-bit) recovery id, but you can brute force
> it AFAICT. You then check if the pubkey matches the hash you're given.
You can indeed do public key recovery on ECDSA, and you can brute force the
recovery id. In all non-pathological cases, the recovery id will be 0 or 1;
only one in about 2^128 randomly generated signatures need 2 or 3.
I don't have much context here, but is there a need for this to be ECDSA?
If not, the EC-Schnorr scheme in libsecp256k1 produces 64-byte
non-malleable signatures that support pubkey recovery without an additional
recovery id, and are compatible with the same private/public keys. The
scheme is certainly non-standard and experimental at this point, but it's
an instance of a well researched mechanism.
--
Pieter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20150925/02de7137/attachment.html>
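The recovery described in the message above, as an added worked example (not code from the thread or from libsecp256k1): a minimal secp256k1 ECDSA signer, a recovery routine that rebuilds R from r and the recovery id, and a brute-force loop over all four recovery ids that accepts only the candidate key whose hash matches. The private key, nonce and message are constructed demo values; SHA-256 of the compressed key stands in for Bitcoin's hash160 so the script runs on Python builds without ripemd160. Scalar multiplication is plain double-and-add and not constant-time, which is fine for a teaching script but not for production.

```python
# Added example (not from the thread): ECDSA public-key recovery on secp256k1
# with a brute-forced recovery id, checked against a hash of the public key.
import hashlib

# secp256k1 domain parameters (real constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    r = None
    while k:
        if k & 1:
            r = point_add(r, p)
        p = point_add(p, p)
        k >>= 1
    return r


def compressed(q):
    return bytes([2 + (q[1] & 1)]) + q[0].to_bytes(32, "big")


def pubkey_hash(q):
    # Stand-in for hash160 (SHA-256 then RIPEMD-160): plain SHA-256 is used so
    # the example runs on Python builds whose hashlib lacks ripemd160.
    return hashlib.sha256(compressed(q)).digest()


def sign(d, z, k):
    """Return (r, s, recid) with low-s normalisation, as Bitcoin enforces."""
    R = point_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    # recid bit 0: parity of R.y; bit 1: R.x overflowed N (the "2 or 3" case,
    # about 2^-128 of random signatures). Negating s negates R, flipping parity.
    recid = ((R[0] >= N) << 1) | (R[1] & 1)
    if s > N // 2:
        s = N - s
        recid ^= 1
    return r, s, recid


def verify(q, z, r, s):
    w = pow(s, -1, N)
    X = point_add(point_mul(z * w % N, G), point_mul(r * w % N, q))
    return X is not None and X[0] % N == r


def recover(z, r, s, recid):
    """Q = r^-1 (s*R - z*G), with R rebuilt from r and the recovery id."""
    x = r + (N if recid & 2 else 0)
    if x >= P:
        return None
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # sqrt; valid since P % 4 == 3
    if (y * y - x ** 3 - 7) % P:
        return None  # no point with this x on the curve
    if (y & 1) != (recid & 1):
        y = P - y
    sR = point_mul(s, (x, y))
    zG = point_mul((-z) % N, G)
    return point_mul(pow(r, -1, N), point_add(sR, zG))


def recover_by_hash(z, r, s, target_hash):
    """Brute-force the recovery id (0..3); accept only the key whose hash matches."""
    for recid in range(4):
        q = recover(z, r, s, recid)
        if q is not None and pubkey_hash(q) == target_hash:
            return recid, q
    return None


# Constructed demo inputs: fixed private key and nonce (never reuse a nonce in
# real code; Bitcoin derives nonces deterministically per RFC 6979).
PRIV = int.from_bytes(hashlib.sha256(b"constructed demo private key").digest(), "big") % N
NONCE = int.from_bytes(hashlib.sha256(b"constructed demo nonce").digest(), "big") % N
MSG_HASH = int.from_bytes(hashlib.sha256(b"constructed message").digest(), "big")
PUB = point_mul(PRIV, G)


def demo():
    r, s, recid = sign(PRIV, MSG_HASH, NONCE)
    found = recover_by_hash(MSG_HASH, r, s, pubkey_hash(PUB))
    return found is not None and found[0] == recid and found[1] == PUB


if __name__ == "__main__":
    print("recovered key matches hash:", demo())
```

The brute force costs at most four recovery attempts, and in practice two, since ids 2 and 3 only occur when R.x exceeds the group order. The hash comparison is what makes omitting the recovery id safe: a wrong id yields a different curve point whose hash will not match, so the verifier never accepts a key the signer did not commit to.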