diff options
| author | Pieter Wuille <pieter.wuille@gmail.com> | 2019-12-12 19:53:08 -0800 |
|---|---|---|
| committer | Pieter Wuille <pieter.wuille@gmail.com> | 2020-01-19 14:47:33 -0800 |
| commit | 3c1f46637253e20b2f12dcaecfb88881f792a4cf (patch) | |
| tree | 0f448632c25f43ef3a650091ee6878413e05df8f | |
| parent | 687ec4ba8e378e4d5a049cb3846e55b24bca071d (diff) | |
| download | bips-3c1f46637253e20b2f12dcaecfb88881f792a4cf.tar.xz | |
Completely specified
| -rw-r--r-- | bip-schnorr.mediawiki | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/bip-schnorr.mediawiki b/bip-schnorr.mediawiki index 36652c3..542ed0c 100644 --- a/bip-schnorr.mediawiki +++ b/bip-schnorr.mediawiki @@ -37,6 +37,7 @@ made: * '''Signature encoding''': Instead of using [https://en.wikipedia.org/wiki/X.690#DER_encoding DER]-encoding for signatures (which are variable size, and up to 72 bytes), we can use a simple fixed 64-byte format. * '''Public key encoding''': Instead of using ''compressed'' 33-byte encodings of elliptic curve points which are common in Bitcoin today, public keys in this proposal are encoded as 32 bytes. * '''Batch verification''': The specific formulation of ECDSA signatures that is standardized cannot be verified more efficiently in batch compared to individually, unless additional witness data is added. Changing the signature scheme offers an opportunity to address this. +* '''Completely specified''': To be safe for usage in consensus systems, the verification algorithm must be completely specified at the byte level. This guarantees that nobody can construct a signature that is valid to some verifiers but not all. This is traditionally not a requirement for digital signature schemes, and the lack of exact specification for the DER parsing of ECDSA signatures has caused problems for Bitcoin [https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009697.html in the past], needing [https://github.com/bitcoin/bips/blob/master/bip-0146.mediawiki BIP66] to address it. In this document we aim to meet this property by design. For batch verification, which is inherently non-deterministic as the verifier can choose their batches, this property implies that the outcome of verification may only differ from individual verifications with negligible probability, even to an attacker who intentionally tries to make batch- and non-batch verification differ. By reusing the same curve as Bitcoin uses for ECDSA, we are able to retain existing mechanisms for choosing secret and public keys, and we avoid introducing new assumptions about elliptic curve group security. |