Delivery-date: Wed, 01 Oct 2025 16:20:31 -0700
Received: from mail-oa1-f56.google.com ([209.85.160.56])
	by mail.fairlystable.org with esmtps  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
	(Exim 4.94.2)
	(envelope-from <bitcoindev+bncBAABBNPO63DAMGQENDUJWAI@googlegroups.com>)
	id 1v467b-0000md-4n
	for bitcoindev@gnusha.org; Wed, 01 Oct 2025 16:20:31 -0700
Received: by mail-oa1-f56.google.com with SMTP id 586e51a60fabf-319c4251788sf584888fac.3
        for <bitcoindev@gnusha.org>; Wed, 01 Oct 2025 16:20:30 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1759360825; cv=pass;
        d=google.com; s=arc-20240605;
        b=bjkk8UlSRWbQ0xv9vRBzfE5JVkIcU5U2iTq9ZLt/Js2Pw8S5H0yx6HpAYIcTsdjWV7
         /bYNhBtZ2VmT8gFeXXWkQCoiYDqBu/t5KeQzptW/Uf5/qzYtdsgF6HTKfNZbSxesQl9U
         EZuBMJFOB78jnQk21Xt/+KwpKC93rCPpq1SpXhCMo+9F8Slv6sWTaNBOl8qvA/Eh2J4F
         6WNlNHNzPt56tEwhMVpNutrcecl2AN+7jEFcca8OcSYV+IrvUBkOl3aGDQRFFAhfm5KD
         ZeCcjY6nj5CDa8tSigTaVtTMyRD24dxcRcjFo1R95WRpxfbnjzGKwulTZA8x9HkUuE+y
         +igg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:to:from:date:sender
         :dkim-signature;
        bh=Fg6sJS6/YxCF6Iwyr9Gd00p0vBuh/gMIueZYKYLTzfM=;
        fh=plKWz7QWAGc/Rdgb/xgl+ryEQL2YO+tzzcCz2KfKaJw=;
        b=diwMyUfPjbLkMMsRWsOxk2lNKFiqhO2tKIRYYFtmRColKWGJryIufCvyZUSBl6jKSr
         aoTWnuCun1QQTNmU2CZQ7YimA9VF68fIUZabpw1liWOxjeBR12fw++p43hreoN2ix7Bj
         0pdsYZ20BZfjR+eV+zA76zwaarekD4FRHJ0Vhe0TH8lYYnKm+mSgsN1ZgJX+UW5z5KUJ
         9u50zn+2cPqJenp5cwu7OK8PxLGgIDtDC+j70/mg4EOx43P/Q1G/XWZwNfuG9YtC63PG
         iH94AxLjIZgb+N3TxbBeOF6y7vX/dT0DkzHXX8hXQaDE5TY1c81BUqpi9peEHvJEbr77
         gcDA==;
        darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@mail.wpsoftware.net header.s=default header.b=YXXfInh+;
       spf=pass (google.com: domain of apoelstra@wpsoftware.net designates 66.183.0.127 as permitted sender) smtp.mailfrom=apoelstra@wpsoftware.net;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wpsoftware.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1759360825; x=1759965625; darn=gnusha.org;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:to:from:date:sender:from:to:cc
         :subject:date:message-id:reply-to;
        bh=Fg6sJS6/YxCF6Iwyr9Gd00p0vBuh/gMIueZYKYLTzfM=;
        b=hP8nzDLt4HxNnOdkYNBHCVm8XrpQa9BRzFdtSuFgCHHZ/mk1diRvObHR++lP3rwpUc
         3dOC3D0JYOY0W5Kn6RLqycftD14aV0dKkeiPCZS+JZHe5IDD2WvHR/z9HE04mKxPAhu6
         YMFjYLCnodP/O9/A5I53Hu9DZpSfSTzAWwyOD+7xTuXFMbQ7P+Kea6YxQ3UUZyqGGNGQ
         xfZLPdPXZr1taeVMOca3/oVsvnXrQgwoaYonVxtGupG9eiV+xO92qULRIyASLXx8bFI+
         Lv8EXFUCsL7yWP8e/8woo6/DFzKZgASTmkrnOWNe3G+xyC8uldA0USB+NUF1VxHBxLVw
         pp2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1759360825; x=1759965625;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:x-original-authentication-results
         :x-original-sender:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:to:from:date:x-beenthere
         :x-gm-message-state:sender:from:to:cc:subject:date:message-id
         :reply-to;
        bh=Fg6sJS6/YxCF6Iwyr9Gd00p0vBuh/gMIueZYKYLTzfM=;
        b=ngjiW542NHlnFCWe4j3bRVHeDr8izWd6TmY6NliX4ij7HCNezujkbbL/yTvWKHT0Sg
         JgUgv110OnZPfsS4qRW3kmRwQnmyhK5x6eiuJ+0LBHnEV+EXP43Ykb/AgNqYjCgMN2el
         L+aNlhSCGdLBtk6oDYKpTW4MO7oUpJeNn1DjT4DeETixMmjk8HPjfHMK0Xj21AO8oy75
         O7XTE/a2F9o3ljAPdiamSF4wIdWEceepn7oVdjsXdaEyvs9nBoPX5vUnbSD1DPtLcT8/
         2RsfumEIIVu4SgMGmWoIjlGQ9/okcp3uS4gXs23b4QFIaieHvSb2UTFLPnai42m1ZhuZ
         xOsA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCV9DJkbzCkIOeRh1DTyO5OJf6UV5tswn2IUFfJ4qVBvjBTQ3HekcSi8PCEczCrG0Tv2KeCEggQtvTy4@gnusha.org
X-Gm-Message-State: AOJu0YyDO7w9f7ls0qve40DR8Nuea3P7zHoHwgbXGQOTjMXeGDAzwlec
	pv6/f67+0IdThOv0q1758xI4AFhVq7GX2FiAhqpmCDaAAGwM0ieLXD4B
X-Google-Smtp-Source: AGHT+IEF4/q12k5pU//g67QtimaTo5WjA5mb9vJohW7jJntUzjVemdElktyRwaM249kuf4wPf+6lyw==
X-Received: by 2002:a05:6870:8108:b0:2ff:8c8e:c222 with SMTP id 586e51a60fabf-39b90fea260mr3719124fac.14.1759360824645;
        Wed, 01 Oct 2025 16:20:24 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h="ARHlJd43NUKsUUsYUIg9HmTyG9cwWXizra8dehRK7sGM7p/8Hw=="
Received: by 2002:a05:687c:2003:10b0:368:a529:d5d9 with SMTP id
 586e51a60fabf-3ac00570387ls151749fac.2.-pod-prod-03-us; Wed, 01 Oct 2025
 16:20:21 -0700 (PDT)
X-Received: by 2002:a05:6808:1818:b0:43f:7287:a5cb with SMTP id 5614622812f47-43fa4108c0emr2400652b6e.21.1759360821477;
        Wed, 01 Oct 2025 16:20:21 -0700 (PDT)
Received: by 2002:a05:620a:2720:b0:82b:15c1:88e9 with SMTP id af79cd13be357-877c4926138ms85a;
        Wed, 1 Oct 2025 16:11:42 -0700 (PDT)
X-Received: by 2002:ac8:588c:0:b0:4d8:ce8f:dff8 with SMTP id d75a77b69052e-4e41c15f337mr75408311cf.7.1759360301485;
        Wed, 01 Oct 2025 16:11:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1759360301; cv=none;
        d=google.com; s=arc-20240605;
        b=Pjxr+LmWIx1n62H4i/6DZqVPUF4COOEV3QtN1H9knOtP/REx2M3l5N3n7fLI3SMbJS
         /5DcH5+Qs/A6FHI2IymzjY9I7kjI0RdP/muTseJ91LIHv2snA3diOJU6cb95sfSx4nk/
         q9ZjGI1ubkXQe8t8Xx8Ku7qXvu8SlDlfnyMF0vHCHvDFq0pHa1lzpuoTSr20VfP2hDGp
         bdolZ20B+J4RxjI/LGCDTFvZ1DthdQb16I6ah8FOinuVkzbiHQkas2qH3HPxEDlBZldH
         QzTPweEB6aenyG/21mBI7r6ST35XGzBkeCn1lKkDsff100egSWUzxugBcqAXSz7BeH6Z
         MWJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=in-reply-to:content-disposition:mime-version:references:message-id
         :subject:to:from:dkim-signature:date;
        bh=SbbDZtukBpzgVEx43DoZjzwFfKvI96ZB1KKU6vOYSAE=;
        fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=;
        b=YzdNdIQCkpWDGf2qK9NgwSW7nzCOb4Ce96mvDlsDdIdOCL55Xxjpm52rrzNzASKfj/
         9I+WmXa4CzpJLFtJ/5oieOz0nFpuanMJkR56ZmWCJ8D2xHPKYyAPGYOZwy1qtWpiZ7tA
         nZcY3gsoFS1jS5i7KEcUnxvp8b/HXAe+O3RBhW57BDa8izGc/cUX0jPHcfYCWkLpYUlO
         ZHzUzPrBivVeY/5JmNWnevuJmDOl0jkuGpb/9GauaLiipAOamsJGQMXm2102ZSITEegT
         tXMQ5niLaBS4g71/D0D+vgjTZg79SUzeMcVtiQhHyWFKl/UbbwNM/kF5XbqQjtIcidvm
         05Mg==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@mail.wpsoftware.net header.s=default header.b=YXXfInh+;
       spf=pass (google.com: domain of apoelstra@wpsoftware.net designates 66.183.0.127 as permitted sender) smtp.mailfrom=apoelstra@wpsoftware.net;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wpsoftware.net
Received: from mail.wpsoftware.net (s66-183-0-127.mail.wpsoftware.net. [66.183.0.127])
        by gmr-mx.google.com with ESMTPS id af79cd13be357-87776e59f73si4586385a.6.2025.10.01.16.11.41
        for <bitcoindev@googlegroups.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 01 Oct 2025 16:11:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of apoelstra@wpsoftware.net designates 66.183.0.127 as permitted sender) client-ip=66.183.0.127;
Date: Wed, 1 Oct 2025 23:11:37 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] On (in)ability to embed data into Schnorr
Message-ID: <aN21KbXTORgXAVH0@mail.wpsoftware.net>
References: <0f6c92cc-e922-4d9f-9fdf-69384dcc4086n@googlegroups.com>
 <CAAS2fgQRz=EJ+Nm2rxrB_SEpqroFbcc+hUhmghJJ1jrJc-WUDA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="W3fq7Rcg/H7ctoXC"
Content-Disposition: inline
In-Reply-To: <CAAS2fgQRz=EJ+Nm2rxrB_SEpqroFbcc+hUhmghJJ1jrJc-WUDA@mail.gmail.com>
X-Original-Sender: apoelstra@wpsoftware.net
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@mail.wpsoftware.net header.s=default header.b=YXXfInh+;
       spf=pass (google.com: domain of apoelstra@wpsoftware.net designates
 66.183.0.127 as permitted sender) smtp.mailfrom=apoelstra@wpsoftware.net;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wpsoftware.net
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)


--W3fq7Rcg/H7ctoXC
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline

On Wed, Oct 01, 2025 at 10:10:16PM +0000, Greg Maxwell wrote:
> Intuitively it sounds likely, -- just in that the available values are a
> image on the curve and a value summed with a hash dependent on everything
> else.  I think it would be hard to prove.
> 
> But is it even really worth the analysis when grinding gets you a 12%
> embedding rate in that signature at not that significant cost? (because you
> can independently grind the nonce and signature itself, or nonce and
> pubkey) -- and when beyond the cost of the additional signature (making the
> output 3x its cost) requiring signing when forming the address completely
> kills public derivation, multisig with cold keys. etc?  ... and then any of
> whatever spam concerns people have would likely be exacerbated by the
> spammers using more resources due to the embedding rate?
>

Some time ago, I talked to Ethan Heilman about this in the context of PQ
signatures, and he made the interesting point that you can think of
12% embedding rate as representing an 8x discount for real signatures vs
embedded data. And that maybe that's okay, incentive-wise.

Needing to grind out portions of 32-byte blocks probably also reduces
the risk from people trying to embed virus signatures or other malicious
data.

As for waxwing's original question -- I also intuitively believe that
the only way to embed data in a Schnorr signature is by grinding or
revealing your key ... and I'm not convinced you can do it even by
revealing your key. (R is an EC point that you can't force to be any
particular value except by making a NUMS point, which you then can't use
to sign; and s = k + ex where e is a hash of kG (among other things)
so I don't think you can force that value at all.)

-- 
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aN21KbXTORgXAVH0%40mail.wpsoftware.net.

--W3fq7Rcg/H7ctoXC
Content-Type: application/pgp-signature; name=signature.asc

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEkPnKPD7Je+ki35VexYjWPOQbl8EFAmjdtScACgkQxYjWPOQb
l8EuqQf/a9nqRL84KJ5GvIuDol33hP4duxj5I3HF/I9wzFn20AjZDvStJnbt6PPk
azDXivhnniNodlEXcD5DqCrTVL+YAMfDi0Q7bfm5hrUPEiTNSJCphQ2zCkEhnWc3
NO4ipsPt1ps2sWbD0z2BzOHmwVACpcnevHQ988x95nbfVICzPhLrqsubc9aXfPgB
zWd8qXtezxleZ+lOUZo96aLpTDRd9hcpehOmlZaYMBb3sNDW60STM5ymE60G58U8
06qacCWfFNSyn0XBY/MFOXUWu1qtR7hZ8M52ej6B+n6vVi1w9gSPAhGFl6asen2Z
n8lX331UHt84m+XZdIZ1iUMKZDisLg==
=EEBV
-----END PGP SIGNATURE-----

--W3fq7Rcg/H7ctoXC--