Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted: 2018-01-24
📝 Original message:
On Wed, Jan 24, 2018 at 3:50 AM, Артём Литвинович via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> Greetings.
>
> I wanted to ask what was the rationale behind still having both public
> key and signature in Segwit witness?
>
> As is known for a while, the public key can be derived from the
> signature and a quadrant byte, a trick that is successfully used both
> in Bitcoin message signing algorithm and in Ethereum transaction
> signatures. The latter in particular suggests that this is a perfectly
> functional and secure alternative.
> Leaving out the public key would have saved 33 bytes per signature,
> which is quite a lot.
>
> So, the question is - was there a good reason to do it the old way
> (security, performance, privacy, something else?), or was it something
> that hasn't been thought of/considered at the time?

It is slow to verify, incompatible with batch validation, doesn't save
space if hashing isn't used, and is potentially patent encumbered.
Published at 2023-06-07 18:10:15