diff options
| author | Anthony Towns <aj@erisian.com.au> | 2018-08-06 18:39:25 +1000 |
|---|---|---|
| committer | bitcoindev <bitcoindev@gnusha.org> | 2018-08-06 08:39:34 +0000 |
| commit | 739c5d1ad138a447a7ec22491474bafa89480703 (patch) | |
| tree | 6670dcc5c60a0f4baa75bc4b89c2d82d4179a6c5 | |
| parent | fa49fcb336e02de464b22e0da7f65adc8e1e672d (diff) | |
| download | pi-bitcoindev-739c5d1ad138a447a7ec22491474bafa89480703.tar.gz pi-bitcoindev-739c5d1ad138a447a7ec22491474bafa89480703.zip | |
Re: [bitcoin-dev] Schnorr signatures BIP
| -rw-r--r-- | e2/8c2cde4edf9dd2c1cafdb261dd668cca30a458 | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/e2/8c2cde4edf9dd2c1cafdb261dd668cca30a458 b/e2/8c2cde4edf9dd2c1cafdb261dd668cca30a458 new file mode 100644 index 000000000..e58d6611e --- /dev/null +++ b/e2/8c2cde4edf9dd2c1cafdb261dd668cca30a458 @@ -0,0 +1,76 @@ +Return-Path: <aj@erisian.com.au> +Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org + [172.17.192.35]) + by mail.linuxfoundation.org (Postfix) with ESMTPS id 69FDF40B + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 6 Aug 2018 08:39:34 +0000 (UTC) +X-Greylist: from auto-whitelisted by SQLgrey-1.7.6 +Received: from azure.erisian.com.au (cerulean.erisian.com.au [139.162.42.226]) + by smtp1.linuxfoundation.org (Postfix) with ESMTPS id E99CB1A0 + for <bitcoin-dev@lists.linuxfoundation.org>; + Mon, 6 Aug 2018 08:39:33 +0000 (UTC) +Received: from aj@azure.erisian.com.au (helo=sapphire.erisian.com.au) + by azure.erisian.com.au with esmtpsa (Exim 4.84_2 #1 (Debian)) + id 1fmb34-00015u-4S; Mon, 06 Aug 2018 18:39:31 +1000 +Received: by sapphire.erisian.com.au (sSMTP sendmail emulation); + Mon, 06 Aug 2018 18:39:25 +1000 +Date: Mon, 6 Aug 2018 18:39:25 +1000 +From: Anthony Towns <aj@erisian.com.au> +To: Russell O'Connor <roconnor@blockstream.io>, + Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org> +Message-ID: <20180806083925.kg5px476bzhec44b@erisian.com.au> +References: <CAPg+sBj7f+=OYXuOMdNeJk3NBG67FSQSF8Xv3seFCvwxCWq69A@mail.gmail.com> + <A899D97B-5D47-4AB0-8A7F-57F91C58ADE1@sprovoost.nl> + <CAPg+sBg1WuG1MihC3zBHJpxVqC2Sys7Y52iWs6JXEMmnL_tE_w@mail.gmail.com> + <CAMZUoKm4Qs2yAc+WKgN1J2D8MDgbzNnK69kF+hbY2GDyRqdVdg@mail.gmail.com> + <CAMZUoKm_ij4Ffzx5Wpipa5RAFA=5F06jhiTCMJhp3vAj1q+2jA@mail.gmail.com> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +In-Reply-To: <CAMZUoKm_ij4Ffzx5Wpipa5RAFA=5F06jhiTCMJhp3vAj1q+2jA@mail.gmail.com> +User-Agent: NeoMutt/20170113 (1.7.2) +X-Spam-Score: -1.9 +X-Spam-Score-int: -18 +X-Spam-Bar: - +X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,UNPARSEABLE_RELAY + autolearn=ham version=3.3.1 +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on + smtp1.linux-foundation.org +Subject: Re: [bitcoin-dev] Schnorr signatures BIP +X-BeenThere: bitcoin-dev@lists.linuxfoundation.org +X-Mailman-Version: 2.1.12 +Precedence: list +List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org> +List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe> +List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/> +List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org> +List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help> +List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, + <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe> +X-List-Received-Date: Mon, 06 Aug 2018 08:39:34 -0000 + +On Sun, Aug 05, 2018 at 10:33:52AM -0400, Russell O'Connor via bitcoin-dev wrote: +> In light of this, I revise my proposed change to make the verification +> equation +> +> R + sG + eP = 0. + +Isn't the verification equation "R + s(-G) + eP = 0" equally good, then, +since -G is a constant? (ie, at worst it's a matter of optimising the +verifier for -G as well as G) + +If not, what's the actual performance impact of having to negate "s" +as part of batch verifying ~10000 signatures? It seems like it should +be trivially small to me? (scalar_negate benchmarks at 0.00359us, while +ecdsa_verify benchmarks at 66us, which I believe then reduces by a factor +of ~3 for batches of 10k schnorr sigs?) + +FWIW, I'm a fan of the formulation "s = r + H(R,P,m)p" mostly because +it seems like the simplest possible way of describing the setup, and I'm +all for optimising for people being able to understand what's going on. + +Cheers, +aj + + |