From mboxrd@z Thu Jan 1 00:00:00 1970 Delivery-date: Wed, 08 May 2024 17:37:23 -0700 Received: from mail-ua1-f61.google.com ([209.85.222.61]) by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1s4rmk-0001cx-NP for bitcoindev@gnusha.org; Wed, 08 May 2024 17:37:23 -0700 Received: by mail-ua1-f61.google.com with SMTP id a1e0cc1a2514c-7f46ba3d89bsf204691241.3 for ; Wed, 08 May 2024 17:37:22 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1715215036; cv=pass; d=google.com; s=arc-20160816; b=POYVdvkWsoCJoM9V6gvqADQFqwyAgEKLvmCgLmfi5VUjRavmxXOIAC/8pU8mnu9Sch evLUuBBL3IMVvlnLwVHoGFdKCSWJ/JPkDBkdC2A47AGtJHlcPE2zUbthDwlm4+j0FJXd 4gKfF5Xlli3OHN44+1DHG5GVjNvJs8XV7OeYXHeKV4vg0U9FrCzVW4WCXR6jrSUptr07 mciRH/hQOHI32zviF1ceaXrGjOLyRE0HgjhfJ7M7TfiMuOBXjZQcki1XA/GyzNkksUjF ouiUwjmbAuhzggPWwKjQJedaASxrycBM2XdkEcKnbHRAxXuMzDR1FMyEWwGwJSZvH8TJ tD1Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:sender:dkim-signature :dkim-signature; bh=8tZLcAX++VnLdj1PzWxIZj7Lq+XkP3XBu1EjMZq+vzc=; fh=EgZ8u2KYp0oFOY6DH5L8H/orUDgVtWqV70hJtZZQgPc=; b=Usp/QX11gNyM6KT3WAxyS7d0eeLlfnEnC/E2vfpasluszbEUOJMwjYx7RM/A0KgzuS 07pty0xDbeYyJFh4QGr/BAvuAzI8+nsLk+oOANC2py7LvL6k4GnBrlke+LkbzdAbWKeW ZqLBXSAUWjDLcil/UhgEEusD8lbD7II3hTiX1p/tq5/GK8IojUMiY92lrMQempg3VeVw n6j1oKJk+tjPR9JU0gvwbO9Dr8j5Ek4rd9+8MbzMLgtfNCTfsYmuRQiKBJD4S4d6CRgP +wQuXoHW1V8uz7IQUYKw8tiToMb/0AKn6iZA7fIZqBhekC4NBbSGnnLQt247GTYIjdWg ozkw==; darn=gnusha.org ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=RTfajXGZ; spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1715215036; x=1715819836; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:sender:from:to:cc:subject:date:message-id :reply-to; bh=8tZLcAX++VnLdj1PzWxIZj7Lq+XkP3XBu1EjMZq+vzc=; b=pBSrldS1xgmJaDBo0T/pY1/nGR3eWKMiNTxOcqva4WxveJky9Aj8p+OGwT9Mk1VZFJ hidi6t4OEnWuiSljfYbCBDYjRx1tv9xpf2jauLPsAT0u+TrlpKiMMP0P5wmR2/ntYxe0 jHaIUNQh+T6wer22UI8fh5rYnv/w5sTI9efspSMMsWgeMHHFHI2+n4f5haEYjC3fUSlY qCEViuVcQ3bJfsOkiWYKPFz7fBRm+4h2v1Din5alPgVTwnBL8wmdvOnQP2XWWJwqC2uF rnbrXfl6Z+NoYUuEVGXGJQQeCyQJGiX+WODJBWWmut01BmUEDjStTcjj3xkLxuTLy9NP iBSg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1715215036; x=1715819836; darn=gnusha.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8tZLcAX++VnLdj1PzWxIZj7Lq+XkP3XBu1EjMZq+vzc=; b=GaAGW0xeJAtG8udYhXglWm3CLGjRR44eWFvPjGweDNZF7AjKHCV+7wgWzPyhmyA6vL wNRvtdk6iHHjvUCQTucmGPyV1wtT3gp7ZapZVp29Ox+HmXelWrOoRypL7fcY3LPvytJV PEvPdLL3rtE7R5nyvMlyiwa1k9FCPtJ+Ddk5OSS2STWnBiXhnsoO6mTO/UnTaJNWst5i z1wRunGH8QS0cakCv1yi1tQg2ymxh5l1M99U1ypCld9MMhiYGzmTVCO2uXgTEJfcpQgN d8zJnlEdvpyLGoyGK3orq0LhVY7ZMIxh4hJX+EqN5De/du8aQW1o89C1Irc14fBeRPD2 gLPA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715215036; x=1715819836; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:x-original-authentication-results :x-original-sender:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:x-beenthere:x-gm-message-state:sender:from :to:cc:subject:date:message-id:reply-to; bh=8tZLcAX++VnLdj1PzWxIZj7Lq+XkP3XBu1EjMZq+vzc=; b=M04MdaovTCjDElkHOxc0uFppbX9DFyeSq0chdSwL/WQhTK5RCdCSoB1/+bJHixdzx+ wMPrv5WXky38PTV2ZDFjwDT9eWPwP8q+c4I7AAAlpEUh4SGx9sNeEAKg5kb5s7EgLwsf i+YKvBZoUZZ5bHgABJGa/WgxoxdBYl6u8+SB8lF7J1mF24Hvyaf9TknVYebqG5PwzvYN 3QOQhImRPNOwIGynbwdpSAt1pmALvKQkmd2cl4pfkzujBLu3anVzTe78gHXi2PhO1vNu WP0ec63xGQDgbsEuTvEq5PfFkt+7n6RFRFq/FrpxhTAiS4DkgUENJcjnFvpKzP/ogbAg dqUw== Sender: bitcoindev@googlegroups.com X-Forwarded-Encrypted: i=2; AJvYcCWW+wbe4zq2DGlm5tDvM5jtsD8Ias6H4jJkku6i3CVzKwmImVZ7OPL4X7vG7xuX/Vnmb9RbGOtygPqG9ttwH9Jv8Yge+vM= X-Gm-Message-State: AOJu0YwU1jm3Ilw+Hf061LkPSTaA3ybrHWO5DS0eAPPBX2MLheaknE7n G2D286p7n87P1NLt4YST29n1TyQYmdC001wjw63smQRVg88pRbF0 X-Google-Smtp-Source: AGHT+IE4W7gJbnlqITuR9PplJ1q6bULGfscFDFaa/PlRjD9c2PJTnuCtQE7rze7JKUgRTdQC0IR+JA== X-Received: by 2002:a67:e8c7:0:b0:47e:bd11:7e5e with SMTP id ada2fe7eead31-47f3c29eb5bmr4148203137.7.1715215036122; Wed, 08 May 2024 17:37:16 -0700 (PDT) X-BeenThere: bitcoindev@googlegroups.com Received: by 2002:a05:6214:234e:b0:6a0:a8e7:f46a with SMTP id 6a1803df08f44-6a15d44a36als4180286d6.1.-pod-prod-03-us; Wed, 08 May 2024 17:37:14 -0700 (PDT) X-Received: by 2002:a05:6214:20ea:b0:6a0:c6bc:196e with SMTP id 6a1803df08f44-6a1514c006amr1107826d6.2.1715215034745; Wed, 08 May 2024 17:37:14 -0700 (PDT) Received: by 2002:a05:620a:4101:b0:790:efaf:f1f8 with SMTP id af79cd13be357-792a74187c3ms85a; Tue, 7 May 2024 09:06:32 -0700 (PDT) X-Received: by 2002:a05:6512:482:b0:51c:eeee:8679 with SMTP id v2-20020a056512048200b0051ceeee8679mr10991072lfq.56.1715097990231; Tue, 07 May 2024 09:06:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1715097990; cv=none; d=google.com; s=arc-20160816; b=JxqGJuKLC1aGClT2AKYcs1kbqkCkYLusuZYJRQ/MAw9/7GsAQvdKQniJKL/JF/Wb8g XYTAlVoX4GrrrLZHnIr2cwv06n60XPMsgMtocZGdzsM6xNUJVGdxuKqOu9ExV41nFq1F DnNwFgSjPrfpdqNFHeS7pjqXVURVQhTlaZ4ltyp6dmCvCJ5ATbleYjm7rZ6BQ3SB7pGv SkkPGri+nbBdEsbhW7NpXc7i2kChNpNwzQEKIlk6rdWTj5bVP8BodwpLNHXdcR4GQMfm KFu4os3ewodLVlDJ5IhtM7CT7WON3P8dGGMjz99Sqrzd+AWaLiz1l/VoLoZK6OdjhwHe jN6Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=oLZCulNtOczeH8X2DshDcC2HJTjBXRd/SGumL8r4ODY=; fh=sapDHqhE46zLmMBeB1lkoe0zq8J9+V3Afx71/j8kvug=; b=PmX3dzorS+BfSs8OsKQVK4sPT9BR3fOHhVEVlfKA6I7q76VSJtZb1UXAt16rVmAmw8 3iJAGZegwP8ng7tjjvVl8vQMBF7pP+SdeTMBu9AD955C0RCCe+Ho0TEGVBYj5JaUhRbw NyT6RlJwVuMoxUJwgDXm0D9sw6gYgimDVOSfnR5HUZROzO5t5vIlrJW3PrR/h+oAEP7X DbKPFD0j42WutZ8e9aDZOLO+sPl3lP2WuzUbSiC9mGvvJAg+/EfglrOdoWV4FAxC9LAk bEeJczr5S0OVWXIQI1yXHgFDgpuU+bQ3oAh2bSzrviKHDI2BRPq4RJ7JoLEIpZ4lTtD9 nHGA==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=RTfajXGZ; spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com. [2a00:1450:4864:20::12d]) by gmr-mx.google.com with ESMTPS id h14-20020a0565123c8e00b0051d2708dd8bsi362802lfv.9.2024.05.07.09.06.30 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 May 2024 09:06:30 -0700 (PDT) Received-SPF: pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) client-ip=2a00:1450:4864:20::12d; Received: by mail-lf1-x12d.google.com with SMTP id 2adb3069b0e04-51fea3031c3so4261346e87.0 for ; Tue, 07 May 2024 09:06:30 -0700 (PDT) X-Received: by 2002:a05:6512:4dd:b0:520:36ea:9375 with SMTP id w29-20020a05651204dd00b0052036ea9375mr6211797lfq.43.1715097989462; Tue, 07 May 2024 09:06:29 -0700 (PDT) MIME-Version: 1.0 References: <47711dc4ffe9d661e8321b05b6adab4e@dtrt.org> In-Reply-To: From: Ethan Heilman Date: Tue, 7 May 2024 12:05:52 -0400 Message-ID: Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport Signatures (no changes needed) To: Antoine Riard Cc: Bitcoin Development Mailing List Content-Type: text/plain; charset="UTF-8" X-Original-Sender: eth3rs@gmail.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=RTfajXGZ; spf=pass (google.com: domain of eth3rs@gmail.com designates 2a00:1450:4864:20::12d as permitted sender) smtp.mailfrom=eth3rs@gmail.com; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Precedence: list Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com List-ID: X-Google-Group-Id: 786775582512 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Score: -0.5 (/) Hi Antoine, Responding in line: > - Alice can: > - a) wait for the 70% honest network to mine her transaction > - b) increase her feerate to bump incentives to mine transaction X > - If Alice picks up option b) > - Alice Lamport-emulated signs and broadcast her transaction X by using ACP flag / CPFP > - This assumes the consumption of a "fresh" fee-bumping UTXO > - This fee-bumping UTXO can be locked under a Lamport emulated-pubkey > > I think this scheme with a one-time usage property is more exposed to denial-of-service > attacks (or wallet UTXO deanonymization) than ECDSA / Schnorr scheme. It sounded like originally you were saying she can't bump her fee without double signing, but as you point out ANYONECANPAY or CPFP let's you do fee bumping without double signing. This doesn't seem different from say a pre-signed bitcoin transaction that you can't change transaction hash of. > I think the ECDSA signature verification algorithm forbids the usage > of the point at infinity for the curve point resulting from the modular > arithmetic on your r-value and s-value, not k=0 where k is the nonce. > > I don't know if you could play with the transaction hash to produce > a curve point which is equals to the point at infinity, especially in > context where the transaction hash is including inputs from multiple > non-trusted counterparties (e.g if you're using SIGHASH flags). I don't see the attack. If the point at infinity is forbidden, how is this exploited? Wouldn't the attacker's signature just be rejected by the network? > Well, we're not comparing "apple-to-apple" here as on one side you have > modular arithmetic operations, on the other side bitwise rotations. I'm > thinking you might have an advantage in your ecdsa queries as a finite field > is, as the name say so, "finite" so you could theoretically pre-compute all > entries in your storage. On the other hand, with block mining (even assuming > a functional implementation of Grover's algorithm) you have lookup and > propagation latency under 10 min in average. Sounds you can parellize both > problems resolution (re-use hash round states or point addition), so it might > be just a classicla time-space trade-off here. If someone discovers a smaller r than used in the signatures, they would break the existing signatures I agree. Grover's might break P2SH in general so Bitcoin might be in real trouble at that point. > Correcting myself on my initial email, the design bottleneck here is obviously > that spent outpoints are committed in a child signature digest in a no-APO world. > This is still an interesting question if you can remove spent outpoints commitment > by leveraging OP_SIZE or fixing other ECDSA signature components. No APO? Thanks, Ethan -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/CAEM%3Dy%2BX-bhUuDxyYQ-MJGA49BgvnHW9-7L3zvBLPyJux%3DkqYbA%40mail.gmail.com.