1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
|
Delivery-date: Wed, 01 Oct 2025 16:20:31 -0700
Received: from mail-oa1-f56.google.com ([209.85.160.56])
by mail.fairlystable.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
(Exim 4.94.2)
(envelope-from <bitcoindev+bncBAABBNPO63DAMGQENDUJWAI@googlegroups.com>)
id 1v467b-0000md-4n
for bitcoindev@gnusha.org; Wed, 01 Oct 2025 16:20:31 -0700
Received: by mail-oa1-f56.google.com with SMTP id 586e51a60fabf-319c4251788sf584888fac.3
for <bitcoindev@gnusha.org>; Wed, 01 Oct 2025 16:20:30 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1759360825; cv=pass;
d=google.com; s=arc-20240605;
b=bjkk8UlSRWbQ0xv9vRBzfE5JVkIcU5U2iTq9ZLt/Js2Pw8S5H0yx6HpAYIcTsdjWV7
/bYNhBtZ2VmT8gFeXXWkQCoiYDqBu/t5KeQzptW/Uf5/qzYtdsgF6HTKfNZbSxesQl9U
EZuBMJFOB78jnQk21Xt/+KwpKC93rCPpq1SpXhCMo+9F8Slv6sWTaNBOl8qvA/Eh2J4F
6WNlNHNzPt56tEwhMVpNutrcecl2AN+7jEFcca8OcSYV+IrvUBkOl3aGDQRFFAhfm5KD
ZeCcjY6nj5CDa8tSigTaVtTMyRD24dxcRcjFo1R95WRpxfbnjzGKwulTZA8x9HkUuE+y
+igg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:in-reply-to:content-disposition
:mime-version:references:message-id:subject:to:from:date:sender
:dkim-signature;
bh=Fg6sJS6/YxCF6Iwyr9Gd00p0vBuh/gMIueZYKYLTzfM=;
fh=plKWz7QWAGc/Rdgb/xgl+ryEQL2YO+tzzcCz2KfKaJw=;
b=diwMyUfPjbLkMMsRWsOxk2lNKFiqhO2tKIRYYFtmRColKWGJryIufCvyZUSBl6jKSr
aoTWnuCun1QQTNmU2CZQ7YimA9VF68fIUZabpw1liWOxjeBR12fw++p43hreoN2ix7Bj
0pdsYZ20BZfjR+eV+zA76zwaarekD4FRHJ0Vhe0TH8lYYnKm+mSgsN1ZgJX+UW5z5KUJ
9u50zn+2cPqJenp5cwu7OK8PxLGgIDtDC+j70/mg4EOx43P/Q1G/XWZwNfuG9YtC63PG
iH94AxLjIZgb+N3TxbBeOF6y7vX/dT0DkzHXX8hXQaDE5TY1c81BUqpi9peEHvJEbr77
gcDA==;
darn=gnusha.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@mail.wpsoftware.net header.s=default header.b=YXXfInh+;
spf=pass (google.com: domain of apoelstra@wpsoftware.net designates 66.183.0.127 as permitted sender) smtp.mailfrom=apoelstra@wpsoftware.net;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wpsoftware.net
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1759360825; x=1759965625; darn=gnusha.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:in-reply-to:content-disposition:mime-version
:references:message-id:subject:to:from:date:sender:from:to:cc
:subject:date:message-id:reply-to;
bh=Fg6sJS6/YxCF6Iwyr9Gd00p0vBuh/gMIueZYKYLTzfM=;
b=hP8nzDLt4HxNnOdkYNBHCVm8XrpQa9BRzFdtSuFgCHHZ/mk1diRvObHR++lP3rwpUc
3dOC3D0JYOY0W5Kn6RLqycftD14aV0dKkeiPCZS+JZHe5IDD2WvHR/z9HE04mKxPAhu6
YMFjYLCnodP/O9/A5I53Hu9DZpSfSTzAWwyOD+7xTuXFMbQ7P+Kea6YxQ3UUZyqGGNGQ
xfZLPdPXZr1taeVMOca3/oVsvnXrQgwoaYonVxtGupG9eiV+xO92qULRIyASLXx8bFI+
Lv8EXFUCsL7yWP8e/8woo6/DFzKZgASTmkrnOWNe3G+xyC8uldA0USB+NUF1VxHBxLVw
pp2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1759360825; x=1759965625;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:x-original-authentication-results
:x-original-sender:in-reply-to:content-disposition:mime-version
:references:message-id:subject:to:from:date:x-beenthere
:x-gm-message-state:sender:from:to:cc:subject:date:message-id
:reply-to;
bh=Fg6sJS6/YxCF6Iwyr9Gd00p0vBuh/gMIueZYKYLTzfM=;
b=ngjiW542NHlnFCWe4j3bRVHeDr8izWd6TmY6NliX4ij7HCNezujkbbL/yTvWKHT0Sg
JgUgv110OnZPfsS4qRW3kmRwQnmyhK5x6eiuJ+0LBHnEV+EXP43Ykb/AgNqYjCgMN2el
L+aNlhSCGdLBtk6oDYKpTW4MO7oUpJeNn1DjT4DeETixMmjk8HPjfHMK0Xj21AO8oy75
O7XTE/a2F9o3ljAPdiamSF4wIdWEceepn7oVdjsXdaEyvs9nBoPX5vUnbSD1DPtLcT8/
2RsfumEIIVu4SgMGmWoIjlGQ9/okcp3uS4gXs23b4QFIaieHvSb2UTFLPnai42m1ZhuZ
xOsA==
Sender: bitcoindev@googlegroups.com
X-Forwarded-Encrypted: i=2; AJvYcCV9DJkbzCkIOeRh1DTyO5OJf6UV5tswn2IUFfJ4qVBvjBTQ3HekcSi8PCEczCrG0Tv2KeCEggQtvTy4@gnusha.org
X-Gm-Message-State: AOJu0YyDO7w9f7ls0qve40DR8Nuea3P7zHoHwgbXGQOTjMXeGDAzwlec
pv6/f67+0IdThOv0q1758xI4AFhVq7GX2FiAhqpmCDaAAGwM0ieLXD4B
X-Google-Smtp-Source: AGHT+IEF4/q12k5pU//g67QtimaTo5WjA5mb9vJohW7jJntUzjVemdElktyRwaM249kuf4wPf+6lyw==
X-Received: by 2002:a05:6870:8108:b0:2ff:8c8e:c222 with SMTP id 586e51a60fabf-39b90fea260mr3719124fac.14.1759360824645;
Wed, 01 Oct 2025 16:20:24 -0700 (PDT)
X-BeenThere: bitcoindev@googlegroups.com; h="ARHlJd43NUKsUUsYUIg9HmTyG9cwWXizra8dehRK7sGM7p/8Hw=="
Received: by 2002:a05:687c:2003:10b0:368:a529:d5d9 with SMTP id
586e51a60fabf-3ac00570387ls151749fac.2.-pod-prod-03-us; Wed, 01 Oct 2025
16:20:21 -0700 (PDT)
X-Received: by 2002:a05:6808:1818:b0:43f:7287:a5cb with SMTP id 5614622812f47-43fa4108c0emr2400652b6e.21.1759360821477;
Wed, 01 Oct 2025 16:20:21 -0700 (PDT)
Received: by 2002:a05:620a:2720:b0:82b:15c1:88e9 with SMTP id af79cd13be357-877c4926138ms85a;
Wed, 1 Oct 2025 16:11:42 -0700 (PDT)
X-Received: by 2002:ac8:588c:0:b0:4d8:ce8f:dff8 with SMTP id d75a77b69052e-4e41c15f337mr75408311cf.7.1759360301485;
Wed, 01 Oct 2025 16:11:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1759360301; cv=none;
d=google.com; s=arc-20240605;
b=Pjxr+LmWIx1n62H4i/6DZqVPUF4COOEV3QtN1H9knOtP/REx2M3l5N3n7fLI3SMbJS
/5DcH5+Qs/A6FHI2IymzjY9I7kjI0RdP/muTseJ91LIHv2snA3diOJU6cb95sfSx4nk/
q9ZjGI1ubkXQe8t8Xx8Ku7qXvu8SlDlfnyMF0vHCHvDFq0pHa1lzpuoTSr20VfP2hDGp
bdolZ20B+J4RxjI/LGCDTFvZ1DthdQb16I6ah8FOinuVkzbiHQkas2qH3HPxEDlBZldH
QzTPweEB6aenyG/21mBI7r6ST35XGzBkeCn1lKkDsff100egSWUzxugBcqAXSz7BeH6Z
MWJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
h=in-reply-to:content-disposition:mime-version:references:message-id
:subject:to:from:dkim-signature:date;
bh=SbbDZtukBpzgVEx43DoZjzwFfKvI96ZB1KKU6vOYSAE=;
fh=DMP0F9ULS1guKiqimntQRCN8ZraraesEgQuVcn7F0Z0=;
b=YzdNdIQCkpWDGf2qK9NgwSW7nzCOb4Ce96mvDlsDdIdOCL55Xxjpm52rrzNzASKfj/
9I+WmXa4CzpJLFtJ/5oieOz0nFpuanMJkR56ZmWCJ8D2xHPKYyAPGYOZwy1qtWpiZ7tA
nZcY3gsoFS1jS5i7KEcUnxvp8b/HXAe+O3RBhW57BDa8izGc/cUX0jPHcfYCWkLpYUlO
ZHzUzPrBivVeY/5JmNWnevuJmDOl0jkuGpb/9GauaLiipAOamsJGQMXm2102ZSITEegT
tXMQ5niLaBS4g71/D0D+vgjTZg79SUzeMcVtiQhHyWFKl/UbbwNM/kF5XbqQjtIcidvm
05Mg==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@mail.wpsoftware.net header.s=default header.b=YXXfInh+;
spf=pass (google.com: domain of apoelstra@wpsoftware.net designates 66.183.0.127 as permitted sender) smtp.mailfrom=apoelstra@wpsoftware.net;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wpsoftware.net
Received: from mail.wpsoftware.net (s66-183-0-127.mail.wpsoftware.net. [66.183.0.127])
by gmr-mx.google.com with ESMTPS id af79cd13be357-87776e59f73si4586385a.6.2025.10.01.16.11.41
for <bitcoindev@googlegroups.com>
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 01 Oct 2025 16:11:41 -0700 (PDT)
Received-SPF: pass (google.com: domain of apoelstra@wpsoftware.net designates 66.183.0.127 as permitted sender) client-ip=66.183.0.127;
Date: Wed, 1 Oct 2025 23:11:37 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] On (in)ability to embed data into Schnorr
Message-ID: <aN21KbXTORgXAVH0@mail.wpsoftware.net>
References: <0f6c92cc-e922-4d9f-9fdf-69384dcc4086n@googlegroups.com>
<CAAS2fgQRz=EJ+Nm2rxrB_SEpqroFbcc+hUhmghJJ1jrJc-WUDA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
protocol="application/pgp-signature"; boundary="W3fq7Rcg/H7ctoXC"
Content-Disposition: inline
In-Reply-To: <CAAS2fgQRz=EJ+Nm2rxrB_SEpqroFbcc+hUhmghJJ1jrJc-WUDA@mail.gmail.com>
X-Original-Sender: apoelstra@wpsoftware.net
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@mail.wpsoftware.net header.s=default header.b=YXXfInh+;
spf=pass (google.com: domain of apoelstra@wpsoftware.net designates
66.183.0.127 as permitted sender) smtp.mailfrom=apoelstra@wpsoftware.net;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=wpsoftware.net
Precedence: list
Mailing-list: list bitcoindev@googlegroups.com; contact bitcoindev+owners@googlegroups.com
List-ID: <bitcoindev.googlegroups.com>
X-Google-Group-Id: 786775582512
List-Post: <https://groups.google.com/group/bitcoindev/post>, <mailto:bitcoindev@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:bitcoindev+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/bitcoindev
List-Subscribe: <https://groups.google.com/group/bitcoindev/subscribe>, <mailto:bitcoindev+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+786775582512+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/bitcoindev/subscribe>
X-Spam-Score: -0.8 (/)
--W3fq7Rcg/H7ctoXC
Content-Type: text/plain; charset="UTF-8"
Content-Disposition: inline
On Wed, Oct 01, 2025 at 10:10:16PM +0000, Greg Maxwell wrote:
> Intuitively it sounds likely, -- just in that the available values are a
> image on the curve and a value summed with a hash dependent on everything
> else. I think it would be hard to prove.
>
> But is it even really worth the analysis when grinding gets you a 12%
> embedding rate in that signature at not that significant cost? (because you
> can independently grind the nonce and signature itself, or nonce and
> pubkey) -- and when beyond the cost of the additional signature (making the
> output 3x its cost) requiring signing when forming the address completely
> kills public derivation, multisig with cold keys. etc? ... and then any of
> whatever spam concerns people have would likely be exacerbated by the
> spammers using more resources due to the embedding rate?
>
Some time ago, I talked to Ethan Heilman about this in the context of PQ
signatures, and he made the interesting point that you can think of
12% embedding rate as representing an 8x discount for real signatures vs
embedded data. And that maybe that's okay, incentive-wise.
Needing to grind out portions of 32-byte blocks probably also reduces
the risk from people trying to embed virus signatures or other malicious
data.
As for waxwing's original question -- I also intuitively believe that
the only way to embed data in a Schnorr signature is by grinding or
revealing your key ... and I'm not convinced you can do it even by
revealing your key. (R is an EC point that you can't force to be any
particular value except by making a NUMS point, which you then can't use
to sign; and s = k + ex where e is a hash of kG (among other things)
so I don't think you can force that value at all.)
--
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web: https://www.wpsoftware.net/andrew
The sun is always shining in space
-Justin Lewis-Webster
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aN21KbXTORgXAVH0%40mail.wpsoftware.net.
--W3fq7Rcg/H7ctoXC
Content-Type: application/pgp-signature; name=signature.asc
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEkPnKPD7Je+ki35VexYjWPOQbl8EFAmjdtScACgkQxYjWPOQb
l8EuqQf/a9nqRL84KJ5GvIuDol33hP4duxj5I3HF/I9wzFn20AjZDvStJnbt6PPk
azDXivhnniNodlEXcD5DqCrTVL+YAMfDi0Q7bfm5hrUPEiTNSJCphQ2zCkEhnWc3
NO4ipsPt1ps2sWbD0z2BzOHmwVACpcnevHQ988x95nbfVICzPhLrqsubc9aXfPgB
zWd8qXtezxleZ+lOUZo96aLpTDRd9hcpehOmlZaYMBb3sNDW60STM5ymE60G58U8
06qacCWfFNSyn0XBY/MFOXUWu1qtR7hZ8M52ej6B+n6vVi1w9gSPAhGFl6asen2Z
n8lX331UHt84m+XZdIZ1iUMKZDisLg==
=EEBV
-----END PGP SIGNATURE-----
--W3fq7Rcg/H7ctoXC--
|
