Date: Tue, 7 May 2024 14:34:02 +0000
From: Andrew Poelstra
To: "David A. Harding"
Cc: Matthew Zipkin, Ethan Heilman, Bitcoin Development Mailing List
Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport Signatures (no changes needed)
References: <47711dc4ffe9d661e8321b05b6adab4e@dtrt.org> <93b8ed39b0aa3955eb9cb99f9fc5aae9@dtrt.org>
In-Reply-To: <93b8ed39b0aa3955eb9cb99f9fc5aae9@dtrt.org>

On Mon, May 06, 2024 at 06:11:48PM -1000, David A. Harding wrote:
> On 2024-05-06 09:06, Andrew Poelstra wrote:
> > You can implement ECDSA. It will just take a *lot* of opcodes.
>
> I'll accept that as a given, but how do you know that a given ECDSA
> signature actually commits to the transaction that contains it if
> OP_CHECKSIG only operates on fixed-size schnorr signatures?
>

You need to connect your Lamport signature to an ECDSA CHECKSIG (in a
pre-Taproot output). So what I'm depending on here is that it's possible
to "copy the signature" from a pre-Taproot spend to a post-Taproot spend
by using Lamport signatures and some anti-equivocation scheme.

In pre-Taproot we confirm that the signature matches the pattern of
OP_SIZE outputs. In post-Taproot we reconstruct the signature and
constrain the transaction, checking that it spends *both* the
pre-Taproot and the post-Taproot output.

> Is this what you're describing: if the controlling signature is a lamport
> signature that commits to an ECDSA signature, it's safe to disclose the
> private key for the ECDSA signature; when you don't have to worry about
> private key disclosure, it's safe to construct a schnorr signature that uses
> the same private key, nonce, and message commitment as the ECDSA signature;
> if that schnorr signature makes OP_CHECKSIG return true, then you know the
> message is the current transaction?
>

Nope, in this scheme we are avoiding Schnorr signatures entirely.

> That still leaves me confused. If ECDSA can be implemented within
> tapscript, then I would expect that schnorr could also be implemented within
> tapscript; that gives you an OP_CSFS equivalent. If being able to implement
> ECDSA in tapscript allows introspection, then I would expect implementing
> schnorr in tapscript would allow introspection; that gives you an OP_CAT
> equivalent. If you have OP_CSFS and OP_CAT, you have covenants and there's
> no need for lamport signatures or ECDSA.
>

Implementing ECDSA in Tapscript *only* allows introspection in
conjunction with the ability to force a user to spend a Tapscript output
alongside a pre-Tapscript output containing the same ECDSA signature.
And I am waving my hands and saying that I think you can force this by
using covenant tricks.

> Apologies for my remaining confused in the face of something that's probably
> obvious,
>

Lol. This whole thing is kinda insane.

-- 
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/Zjo72iTDYjwwsXW3%40camus.
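The "pattern of OP_SIZE outputs" Poelstra refers to works because a legacy CHECKSIG signature is DER-encoded, and DER integers are minimal big-endian with a leading 0x00 only when the top bit is set, so the byte length of the encoded signature depends on the magnitudes of r and s. The following is an added illustration written for this page, not code from the thread or from any of its participants; the scalar values are constructed (they are not real signatures), and the function names are hypothetical.

```python
"""How the length OP_SIZE sees depends on the ECDSA scalars r and s.

A legacy Bitcoin ECDSA signature is a DER SEQUENCE of two INTEGERs
followed by a one-byte sighash flag.  Because DER INTEGERs are minimal
big-endian (with a 0x00 pad byte only when bit 7 of the first byte is
set), smaller scalars produce shorter signatures, which OP_SIZE exposes.
"""


def der_int(x: int) -> bytes:
    """DER INTEGER (tag, length, minimal big-endian body) for x >= 0."""
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # top bit set: pad so the value stays positive
        body = b"\x00" + body
    return b"\x02" + bytes([len(body)]) + body


def der_encode_sig(r: int, s: int, sighash: int = 0x01) -> bytes:
    """Legacy CHECKSIG signature: SEQUENCE { r, s } followed by sighash byte."""
    seq = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(seq)]) + seq + bytes([sighash])


def der_decode_sig(sig: bytes) -> tuple[int, int, int]:
    """Parse back (r, s, sighash); raises on malformed input."""
    if sig[0] != 0x30 or sig[1] != len(sig) - 3 or sig[2] != 0x02:
        raise ValueError("not a DER-encoded signature")
    r_len = sig[3]
    r = int.from_bytes(sig[4:4 + r_len], "big")
    s_off = 4 + r_len
    if sig[s_off] != 0x02:
        raise ValueError("missing s INTEGER")
    s_len = sig[s_off + 1]
    s = int.from_bytes(sig[s_off + 2:s_off + 2 + s_len], "big")
    return r, s, sig[-1]


def op_size(sig: bytes) -> int:
    """The value OP_SIZE pushes for this signature: its byte length."""
    return len(sig)


# Constructed scalars chosen to hit each DER length case (hypothetical values).
R_HIGH = 1 << 255            # 32 bytes with top bit set -> 33-byte INTEGER
S_FULL = (1 << 255) - 1      # 32 bytes, top bit clear  -> 32-byte INTEGER
S_SHORT = (1 << 247) - 1     # fits in 31 bytes         -> 31-byte INTEGER

if __name__ == "__main__":
    for r, s in [(R_HIGH, S_FULL), (R_HIGH, S_SHORT), (S_FULL, S_SHORT)]:
        print(op_size(der_encode_sig(r, s)))  # 72, 71, 70
```

The decode round-trip shows that the only thing changing between the 72-, 71- and 70-byte encodings is the byte length of r and s, which is exactly what a script can branch on with OP_SIZE and nothing else.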