public inbox for bitcoindev@googlegroups.com
 help / color / mirror / Atom feed
From: Anthony Towns <aj@erisian.com.au>
To: ZmnSCPxj <ZmnSCPxj@protonmail.com>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] Soft-forks and schnorr signature aggregation
Date: Wed, 21 Mar 2018 21:21:19 +1000	[thread overview]
Message-ID: <20180321112119.GA6588@erisian.com.au> (raw)
In-Reply-To: <d_OOMciZ--WI6X8V1PWVCcPGyEFo7AWcNcXls8uUK8itK8pkoUJLRsekBYUdXTRYg_pOinoBQliMFKfzWW48kd3isE6DbkIVoI5frIxOBFo=@protonmail.com>

On Wed, Mar 21, 2018 at 03:53:59AM -0400, ZmnSCPxj wrote:
> Good morning aj,

Good evening Zeeman!

[pulled from the bottom of your mail]
> This way, rather than gathering signatures, we gather public keys for aggregate signature checking.  

Sorry, I probably didn't explain it well (or at all): during the script,
you're collecting public keys and messages (ie, BIP 143 style digests)
which then go into the signing/verification algorithm to produce/check
the signature.

You do need to gather signatures from each private key holder when
producing the aggregate signature, but that happens at the wallet/p2p
level, rather than the consensus level.

> I am probably wrong, but could solution 2 be simplified by using the below opcodes for aggregated signatures?
> 
> OP_ADD_AGG_PUBKEY - Adds a public key for verification of an aggregated signature.
> OP_CHECK_AGG_SIG[VERIFY] - Check that the gathered public keys matches the aggregated signature.

Checking the gathered public keys match the aggregated signature is
something that only happens for the entire transaction as a whole, so
you don't need an opcode for it in the scripts, since they're per-input.

Otherwise, I think that's pretty similar to what I was already saying;
having:

   SIGHASH_ALL|BUCKET_1 pubkey OP_CHECKSIG

would be adding "pubkey" and a message hash calculated via the SIGHASH_ALL
hashing rules to the list of things that the signature for bucket 1 verifies.

FWIW, the Bellare-Neven verification algorithm looks something like:

   s*G = R + K   (s,R is the signature)
   K = sum( H(R, L, i, m) * X_i )   for i corresponding to each pubkey X_i
   L = the concatenation of all the pubkeys, X_0..X_n
   m = the concatenation of all the message hashes, m_0..m_n

So the way I look at it is each input puts a public key and a message hash
(X_i, m_i) into the bucket via a CHECKSIG operation (or similar), and once
you're done, you look into the bucket and there's just a single signature
(s,R) left to verify. You can't start verifying any of it until you've
looked through all the scripts because you need to know L and m before
you can do anything, and both of those require info from every part of
the aggregation.

[0] [1]

> The effect is that in the OP_CHECKCOVENANT case, pre-softfork nodes will not actually do any checking.

Pre-softfork nodes not doing any checking doesn't work with cross-input
signature aggregation as far as I can see. If it did, all you would have
to do to steal people's funds is mine a non-standard transaction:

  inputs:
   my-millions:
     pay-to-pubkey pubkey1
     witness=SIGHASH_ALL|BUCKET_1
   your-two-cents:
     pay-to-script-hash script=[1 OP_RETURN_TRUE pubkey2 CHECKSIG]
     witness=SIGHASH_ALL|BUCKET_1

   bucket1: 64-random-bytes
  output:
   all-the-money: you

Because there's no actual soft-fork at this point every node is an "old"
node, so they all see the OP_RETURN_TRUE and stop validating signatures,
accepting the transaction as valid, and giving you all my money, despite
you being unable to actually produce my signature.

Make sense?

Cheers,
aj

[0] For completeness: constructing the signature for Bellare-Neven
    requires two communication phases amongst the signers, and looks
    roughly like:

     1. each party generates a random variable r_i, and sharing the
        corresponding curve point R_i=r_i*G and their sighash choice
        (ie, m_i) with the other signers.

     2. this allows each party to calculate R=sum(R_i) and m,
        and hence H(R,L,i,m), at which point each party calculates a
        partial signature using their respective private key, x_i:

          s_i = r_i + H(R,L,i,m)*x_i

        all these s_i values are then communicated to each signer.

     3. these combine to give the final signature (s,R),
        with s=sum(s_i), allowing each signer to verify that the signing
        protocol completed successfully, and any signer can broadcast
        the transaction to the blockchain

[1] muSig differs in the details, but is basically the same.



  reply	other threads:[~2018-03-21 11:21 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-03-21  4:06 [bitcoin-dev] Soft-forks and schnorr signature aggregation Anthony Towns
2018-03-21  7:53 ` ZmnSCPxj
2018-03-21 11:21   ` Anthony Towns [this message]
2018-03-21 23:28     ` ZmnSCPxj
2018-03-21 12:45 ` Andrew Poelstra
2018-03-22  0:47 Bram Cohen
2018-03-27  6:34 ` Anthony Towns
2018-03-28  3:19   ` Bram Cohen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180321112119.GA6588@erisian.com.au \
    --to=aj@erisian.com.au \
    --cc=ZmnSCPxj@protonmail.com \
    --cc=bitcoin-dev@lists.linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox