📅 Original date posted:2018-03-21
📝 Original message:On Wed, Mar 21, 2018 at 03:53:59AM -0400, ZmnSCPxj wrote:
> Good morning aj,
Good evening Zeeman!
[pulled from the bottom of your mail]
> This way, rather than gathering signatures, we gather public keys for aggregate signature checking.
Sorry, I probably didn't explain it well (or at all): during the script,
you're collecting public keys and messages (ie, BIP 143 style digests)
which then go into the signing/verification algorithm to produce/check
the signature.
You do need to gather signatures from each private key holder when
producing the aggregate signature, but that happens at the wallet/p2p
level, rather than the consensus level.
> I am probably wrong, but could solution 2 be simplified by using the below opcodes for aggregated signatures?
>
> OP_ADD_AGG_PUBKEY - Adds a public key for verification of an aggregated signature.
> OP_CHECK_AGG_SIG[VERIFY] - Check that the gathered public keys matches the aggregated signature.
Checking the gathered public keys match the aggregated signature is
something that only happens for the entire transaction as a whole, so
you don't need an opcode for it in the scripts, since they're per-input.
Otherwise, I think that's pretty similar to what I was already saying;
having:
SIGHASH_ALL|BUCKET_1 pubkey OP_CHECKSIG
would be adding "pubkey" and a message hash calculated via the SIGHASH_ALL
hashing rules to the list of things that the signature for bucket 1 verifies.
FWIW, the Bellare-Neven verification algorithm looks something like:
s*G = R + K (s,R is the signature)
K = sum( H(R, L, i, m) * X_i ) for i corresponding to each pubkey X_i
L = the concatenation of all the pubkeys, X_0..X_n
m = the concatenation of all the message hashes, m_0..m_n
So the way I look at it is each input puts a public key and a message hash
(X_i, m_i) into the bucket via a CHECKSIG operation (or similar), and once
you're done, you look into the bucket and there's just a single signature
(s,R) left to verify. You can't start verifying any of it until you've
looked through all the scripts because you need to know L and m before
you can do anything, and both of those require info from every part of
the aggregation.
[0] [1]
> The effect is that in the OP_CHECKCOVENANT case, pre-softfork nodes will not actually do any checking.
Pre-softfork nodes not doing any checking doesn't work with cross-input
signature aggregation as far as I can see. If it did, all you would have
to do to steal people's funds is mine a non-standard transaction:
inputs:
my-millions:
pay-to-pubkey pubkey1
witness=SIGHASH_ALL|BUCKET_1
your-two-cents:
pay-to-script-hash script=[1 OP_RETURN_TRUE pubkey2 CHECKSIG]
witness=SIGHASH_ALL|BUCKET_1
bucket1: 64-random-bytes
output:
all-the-money: you
Because there's no actual soft-fork at this point every node is an "old"
node, so they all see the OP_RETURN_TRUE and stop validating signatures,
accepting the transaction as valid, and giving you all my money, despite
you being unable to actually produce my signature.
Make sense?
Cheers,
aj
[0] For completeness: constructing the signature for Bellare-Neven
requires two communication phases amongst the signers, and looks
roughly like:
1. each party generates a random variable r_i, and sharing the
corresponding curve point R_i=r_i*G and their sighash choice
(ie, m_i) with the other signers.
2. this allows each party to calculate R=sum(R_i) and m,
and hence H(R,L,i,m), at which point each party calculates a
partial signature using their respective private key, x_i:
s_i = r_i + H(R,L,i,m)*x_i
all these s_i values are then communicated to each signer.
3. these combine to give the final signature (s,R),
with s=sum(s_i), allowing each signer to verify that the signing
protocol completed successfully, and any signer can broadcast
the transaction to the blockchain
[1] muSig differs in the details, but is basically the same.
Anthony Towns [ARCHIVE] /
npub17r…x9l2h
2023-06-07 18:11:19
in reply to nevent1q…jtlv
Author Public Key
npub17rld56k4365lfphyd8u8kwuejey5xcazdxptserx03wc4jc9g24stx9l2hPublished at
2023-06-07 18:11:19Event JSON
{
"id": "51ee38b3135025e89f66596b84646df5796696b61274d87d9b9a1d9d1bb47b9a",
"pubkey": "f0feda6ad58ea9f486e469f87b3b9996494363a26982b864667c5d8acb0542ab",
"created_at": 1686161479,
"kind": 1,
"tags": [
[
"e",
"c642cb03cf53d09173f83ef94f54b92b8b7adc0fc71062ee502c68afe8983be5",
"",
"root"
],
[
"e",
"2a6fd3168477f720fc48adb6ea324917f7afb4d3a824568a7b35ccb4f1151b6c",
"",
"reply"
],
[
"p",
"ee55eb03423bd4db01d5c92ad434d52c602d9da1de37ed37cc5bf7d2a13a4cab"
]
],
"content": "📅 Original date posted:2018-03-21\n📝 Original message:On Wed, Mar 21, 2018 at 03:53:59AM -0400, ZmnSCPxj wrote:\n\u003e Good morning aj,\n\nGood evening Zeeman!\n\n[pulled from the bottom of your mail]\n\u003e This way, rather than gathering signatures, we gather public keys for aggregate signature checking. \n\nSorry, I probably didn't explain it well (or at all): during the script,\nyou're collecting public keys and messages (ie, BIP 143 style digests)\nwhich then go into the signing/verification algorithm to produce/check\nthe signature.\n\nYou do need to gather signatures from each private key holder when\nproducing the aggregate signature, but that happens at the wallet/p2p\nlevel, rather than the consensus level.\n\n\u003e I am probably wrong, but could solution 2 be simplified by using the below opcodes for aggregated signatures?\n\u003e \n\u003e OP_ADD_AGG_PUBKEY - Adds a public key for verification of an aggregated signature.\n\u003e OP_CHECK_AGG_SIG[VERIFY] - Check that the gathered public keys matches the aggregated signature.\n\nChecking the gathered public keys match the aggregated signature is\nsomething that only happens for the entire transaction as a whole, so\nyou don't need an opcode for it in the scripts, since they're per-input.\n\nOtherwise, I think that's pretty similar to what I was already saying;\nhaving:\n\n SIGHASH_ALL|BUCKET_1 pubkey OP_CHECKSIG\n\nwould be adding \"pubkey\" and a message hash calculated via the SIGHASH_ALL\nhashing rules to the list of things that the signature for bucket 1 verifies.\n\nFWIW, the Bellare-Neven verification algorithm looks something like:\n\n s*G = R + K (s,R is the signature)\n K = sum( H(R, L, i, m) * X_i ) for i corresponding to each pubkey X_i\n L = the concatenation of all the pubkeys, X_0..X_n\n m = the concatenation of all the message hashes, m_0..m_n\n\nSo the way I look at it is each input puts a public key and a message hash\n(X_i, m_i) into the bucket via a CHECKSIG operation (or similar), and once\nyou're done, you look into the bucket and there's just a single signature\n(s,R) left to verify. You can't start verifying any of it until you've\nlooked through all the scripts because you need to know L and m before\nyou can do anything, and both of those require info from every part of\nthe aggregation.\n\n[0] [1]\n\n\u003e The effect is that in the OP_CHECKCOVENANT case, pre-softfork nodes will not actually do any checking.\n\nPre-softfork nodes not doing any checking doesn't work with cross-input\nsignature aggregation as far as I can see. If it did, all you would have\nto do to steal people's funds is mine a non-standard transaction:\n\n inputs:\n my-millions:\n pay-to-pubkey pubkey1\n witness=SIGHASH_ALL|BUCKET_1\n your-two-cents:\n pay-to-script-hash script=[1 OP_RETURN_TRUE pubkey2 CHECKSIG]\n witness=SIGHASH_ALL|BUCKET_1\n\n bucket1: 64-random-bytes\n output:\n all-the-money: you\n\nBecause there's no actual soft-fork at this point every node is an \"old\"\nnode, so they all see the OP_RETURN_TRUE and stop validating signatures,\naccepting the transaction as valid, and giving you all my money, despite\nyou being unable to actually produce my signature.\n\nMake sense?\n\nCheers,\naj\n\n[0] For completeness: constructing the signature for Bellare-Neven\n requires two communication phases amongst the signers, and looks\n roughly like:\n\n 1. each party generates a random variable r_i, and sharing the\n corresponding curve point R_i=r_i*G and their sighash choice\n (ie, m_i) with the other signers.\n\n 2. this allows each party to calculate R=sum(R_i) and m,\n and hence H(R,L,i,m), at which point each party calculates a\n partial signature using their respective private key, x_i:\n\n s_i = r_i + H(R,L,i,m)*x_i\n\n all these s_i values are then communicated to each signer.\n\n 3. these combine to give the final signature (s,R),\n with s=sum(s_i), allowing each signer to verify that the signing\n protocol completed successfully, and any signer can broadcast\n the transaction to the blockchain\n\n[1] muSig differs in the details, but is basically the same.",
"sig": "feea0c62d8d636396e062ffd3a37d39373788b37ee02a5c8145a74eba4911a22adbb51c8dda90558bf279e45e895b0191c18e9bb9d924a008ca5afac110177a0"
}