Closed real-or-random closed 1 year ago
Forced-push to address @jonasnick's comments.
Updated. This also takes the #211 into account now.
@jonasnick @sipa Would be nice to have ACKs on the method before I'll generate test vectors.
You seem to have a bunch of unrelated commits in here?
@sipa Can you update the
bip-taproot
brach tobitcoin/master
@real-or-random Oops, I didn't realize this was opened against my repo.
@real-or-random I've updated my bip-taproot branch, in case you want to update.
rebased
Concept ACK
cc @llfourn
ACK. 33 bytes seems straightforward and easy to explain. It looks like in schnorr_fun
I already did the 64 byte pad. I'll probably just leave that as is and document it.
@jonasnick suggested in https://github.com/jonasnick/bips/pull/24#discussion_r940614556 to have an explicit upper limit of message size, e.g., 2^48 (we could also make it 2^60 or even 2^62):
Pros:
Cons:
My opinion:
I don't think "Pro 4" is helpful in practice: Even if we have an upper bound of 2^48, this does not guarantee that all implementation will accept messages of this size. Many implementations will want reject them, e.g., implementations on 32-bit platforms.
Similarly, I think a limit wouldn't help make verification identical across implementations (again because implementations will have their own upper bounds).
So I tend to think that "Noone will ever sign a message of size 2048 PiB." convinces me. My standpoint is that we're just giving a generic algorithms, any application or protocol using the BIP will need to specify message formats, and this include a maximum message size, which will probably be well below 2^48. If formal methods need a limit, they could still introduce one in their theorems, and then the restricted theorem would still cover any real world protocol.
An upper bound on the message length that's much smaller than 2^61 would allow claiming that BIP-musig can sign any message that BIP-schnorr can or that BIP-half-agg can verify any signature that BIP-schnorr can. With the assumption that "Noone will ever hash an input of size 2048 PiB" (slightly strong than "Noone will ever sign a message of size 2048 PiB") then you can still make this claim (even with formal methods). I'm fine working under this assumption to avoid complexity. If you'd want to make use of an upper bound like 2^48 in a half aggregation spec you'd need to do annoying caclulations to figure out how many signatures you can actually verify and put an upper bound on that as well (the current draft already has an upper bound on it due to potential integer overflows).
Stating the upper bound that stems from SHA256 explicitly (close to 2^61
) doesn't seem particularly useful right now. I think the footnote is fine.
This could also cite https://ed25519.cr.yp.to/eddsa-20150704.pdf for its last paragraph.
Concept ACK apart from nits.
addressed all nits by @sipa
This could also cite ed25519.cr.yp.to/eddsa-20150704.pdf for its last paragraph.
I made the effort to mention their main arguments instead (reliance on collision-resistance, need to keep the message in memory while signing). And then there's no need to cite this, this is common knowledge...
forced-push to address nits by @sipa
Do you want to just PR it to the bips repo now?
Do you want to just PR it to the bips repo now?
No, we have more local changes here: https://github.com/bitcoin/bips/compare/master...sipa:bips:bip-taproot
Opened BIPs repo PR: https://github.com/bitcoin/bips/pull/1446
Solves https://github.com/sipa/bips/issues/207.
I tried to avoid going into collision-resistance vs random-prefix resistance. It's hard to explain, and the situation is not entirely clear, e.g., due to https://eprint.iacr.org/2015/509.pdf which claims a flaw in the paper http://www.neven.org/papers/schnorr.pdf which cite in the BIP (we may want to add a footnote to the BIP...).
TODO:
@sipa Can you update the
bip-taproot
brach tobitcoin/master