Discussion:
[bitcoin-dev] Why is deriving public key from the signature not used in Segwit?
Артём Литвинович via bitcoin-dev
2018-01-24 03:50:10 UTC
Greetings.

I wanted to ask what was the rationale behind still having both public
key and signature in Segwit witness?

As is known for a while, the public key can be derived from the
signature and a quadrant byte, a trick that is successfully used both
in Bitcoin message signing algorithm and in Ethereum transaction
signatures. The latter in particular suggests that this is a perfectly
functional and secure alternative.
Leaving out the public key would have saved 33 bytes per signature,
which is quite a lot.

So, the question is - was there a good reason to do it the old way
(security, performance, privacy, something else?), or was it something
that hasn't been thought of/considered at the time?
Gregory Maxwell via bitcoin-dev
2018-01-24 04:25:28 UTC
On Wed, Jan 24, 2018 at 3:50 AM, Артём Литвинович via bitcoin-dev
Post by Артём Литвинович via bitcoin-dev
Greetings.
I wanted to ask what was the rationale behind still having both public
key and signature in Segwit witness?
As is known for a while, the public key can be derived from the
signature and a quadrant byte, a trick that is successfully used both
in Bitcoin message signing algorithm and in Ethereum transaction
signatures. The latter in particular suggests that this is a perfectly
functional and secure alternative.
Leaving out the public key would have saved 33 bytes per signature,
which is quite a lot.
So, the question is - was there a good reason to do it the old way
(security, performance, privacy, something else?), or was it something
that hasn't been thought of/considered at the time?
It is slow to verify, incompatible with batch validation, doesn't save
space if hashing isn't used, and is potentially patent encumbered.
Aymeric Vitte via bitcoin-dev
2018-01-24 10:24:55 UTC
34 bytes in fact.

I have asked already the question at least twice on this list, pointing
out the fact that pubkey is there now even for standard p2pkh
transactions and it was not the case some time ago.

But I never got any answer regarding what motivated this change
(compared to the previous behavior) and when, so whether I am missing
something obvious, whether nobody wants to answer.

Txs without pubkey are now rejected, then what is the element in the code
(protocol, version, etc) that "decided" this?
--
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
Gregory Maxwell via bitcoin-dev
2018-01-24 10:31:35 UTC
Post by Aymeric Vitte via bitcoin-dev
out the fact that pubkey is there now even for standard p2pkh
transactions and it was not the case some time ago
But I never got any answer regarding what motivated this change
(compared to the previous behavior) and when, so whether I am missing
something obvious, whether nobody wants to answer
No such behaviour ever existed, you are simply mistaken.
Aymeric Vitte via bitcoin-dev
2018-01-24 11:16:30 UTC
Then what about
https://blockchain.info/tx/226a8b08dc46a00e9ecec5567a303a0b354bef3c1674476eb5e4b627b2ace493?format=hex
?

Scriptsig:

473044022057a1234709270325e7215200f982546304cf465971cbd55d54231ead54ef1a7802207a82e93ef2b0f87188abe87bccb67ee9d5c650b1b58948e5b1c80ba1b4c43dc301

No pubkey...
Gregory Maxwell via bitcoin-dev
2018-01-24 11:35:49 UTC
Post by Aymeric Vitte via bitcoin-dev
Then what about
https://blockchain.info/tx/226a8b08dc46a00e9ecec5567a303a0b354bef3c1674476eb5e4b627b2ace493?format=hex
?
473044022057a1234709270325e7215200f982546304cf465971cbd55d54231ead54ef1a7802207a82e93ef2b0f87188abe87bccb67ee9d5c650b1b58948e5b1c80ba1b4c43dc301
No pubkey...
Because the pubkey is in the scriptPubKey of vout 0 of
40872a376e98a1f8b285827c2ad8c5b3eec7d779d752dc3a4adda5d9bb70f3b5 which
it is spending.
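The point made in this reply can be checked from the scriptSig bytes alone. An added example (not part of the thread and not code from any Bitcoin implementation): a push parser showing that the quoted scriptSig holds one 71-byte item, a DER signature plus sighash byte, and no key. `P2PKH_STYLE_HEX` is constructed for contrast with a dummy 33-byte key; only direct pushes and OP_PUSHDATA1 are handled.

```python
# scriptSig hex exactly as quoted in the thread
SCRIPTSIG_HEX = (
    "473044022057a1234709270325e7215200f982546304cf465971cbd55d54231ead54ef1a78"
    "02207a82e93ef2b0f87188abe87bccb67ee9d5c650b1b58948e5b1c80ba1b4c43dc301"
)
# Constructed for contrast: the same signature followed by a dummy 33-byte key push
P2PKH_STYLE_HEX = SCRIPTSIG_HEX + "21" + "02" + "11" * 32

def pushes(script):
    """Split a push-only script into data items (direct pushes and OP_PUSHDATA1 only)."""
    items, i = [], 0
    while i < len(script):
        op, i = script[i], i + 1
        if op == 0x4C and i < len(script):      # OP_PUSHDATA1: next byte is the length
            op, i = script[i], i + 1
        elif not 1 <= op <= 0x4B:
            raise ValueError(f"not a plain data push: opcode 0x{op:02x}")
        if i + op > len(script):
            raise ValueError("push runs past end of script")
        items.append(script[i:i + op])
        i += op
    return items

def parse_sig(item):
    """Decode <DER ECDSA signature><sighash byte> into (r, s, sighash)."""
    der, sighash = item[:-1], item[-1]
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    ints, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = der[pos + 1]
        ints.append(int.from_bytes(der[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(der):
        raise ValueError("trailing or missing bytes in signature")
    return ints[0], ints[1], sighash

def classify(script_hex):
    """Say where a verifier gets the public key for this input."""
    items = pushes(bytes.fromhex(script_hex))
    parse_sig(items[0])                          # raises if item 0 is not a signature
    if len(items) == 1:
        return "signature only: key is in the spent output's scriptPubKey"
    if len(items) == 2 and len(items[1]) in (33, 65):
        return "signature + public key: spent output commits to the key's hash"
    return "other"
```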
Aymeric Vitte via bitcoin-dev
2018-01-24 12:03:55 UTC
Indeed... I would have bet that I had other examples with p2pkh this
time but apparently I imagined it