Date: Fri, 15 Nov 2024 13:54:08 -0800 (PST)
From: Xiaohui Liu <x.liu@scrypt.io>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-Id: <129a9605-7a91-42a7-a9ef-07de6662ca7en@googlegroups.com>
In-Reply-To: <ZjD-dMMGxoGNgzIg@camus>
References: <CAEM=y+XyW8wNOekw13C5jDMzQ-dOJpQrBC+qR8-uDot25tM=XA@mail.gmail.com>
 <CA+x5asTOTai_4yNGEgtKEqAchuWJ0jGDEgMqHFYDwactPnrgyw@mail.gmail.com>
 <ZjD-dMMGxoGNgzIg@camus>
Subject: Re: [bitcoindev] Signing a Bitcoin Transaction with Lamport
 Signatures (no changes needed)
MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_116478_1244980752.1731707648849"

------=_Part_116478_1244980752.1731707648849
Content-Type: multipart/alternative; 
	boundary="----=_Part_116479_1946381969.1731707648849"

------=_Part_116479_1946381969.1731707648849
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

How does covenant work without OP_CAT here, assuming no size limit? Don't
you still need OP_CAT to parse/introspect fields (e.g., input/output) of
the spending transaction?

Regards,
sCrypt

On Tuesday, April 30, 2024 at 7:22:54 AM UTC-7 Andrew Poelstra wrote:

> On Tue, Apr 30, 2024 at 08:32:42AM -0400, Matthew Zipkin wrote:
> > > if an attacker managed to grind a 23-byte r-value at a cost of 2^72
> > > computations, it would provide the attacker some advantage.
> >
> > If we are assuming discrete log is still hard, why do we need Lamport
> > signatures at all? In a post-quantum world, finding k such that r is 21
> > bytes or less is efficient for the attacker.
> >
>
> Aside from Ethan's point that a variant of this technique is still
> secure in the case that discrete log is totally broken (or even
> partially broken...all we need is that _somebody_ is able to find the
> discrete log of the x=1 point and for them to publish this).
>
> Another reason this is useful is that if you have a Lamport signature on
> the stack which is composed of SIZE values, all of which are small
> enough to be manipulated with the numeric script opcodes, then you can
> do covenants in Script.
>
> (Sadly(?), I think none of this works in the context of the 201-opcode
> limit...and absent BitVM challenge-response tricks it's unlikely you can
> do much in the context of the 4MWu block size limit..), but IMO it's a
> pretty big deal that size limits are now the only reason that Bitcoin
> doesn't have covenants.)
>
> --
> Andrew Poelstra
> Director, Blockstream Research
> Email: apoelstra at wpsoftware.net
> Web: https://www.wpsoftware.net/andrew
>
> The sun is always shining in space
> -Justin Lewis-Webster
>
>


------=_Part_116479_1946381969.1731707648849--

------=_Part_116478_1244980752.1731707648849--