Matt Whitlock [ARCHIVE] on Nostr: 📅 Original date posted:2014-04-04 📝 Original message:On Friday, 4 April 2014, ...
📅 Original date posted:2014-04-04
📝 Original message:On Friday, 4 April 2014, at 5:51 pm, Nikita Schmidt wrote:
> On 4 April 2014 01:42, Matt Whitlock <bip at mattwhitlock.name> wrote:
> > The fingerprint field, Hash16(K), is presently specified as a 16-bit field. Rationale: There is no need to consume 4 bytes just to allow shares to be grouped together. And if someone has more than 100 different secrets, they probably have a good system for managing their shares and won't need the hash anyway.
>
> Right, of course. Sorry, I didn't notice there was an update. Two
> bytes are plenty.
>
> I'm worried however about the dependency on SHA-512, which may be
> stretching it for a tiny embedded application. The other uses of
> HashL can be avoided. We are balancing here between consistency with
> the rest of this proposal, where everything is done via HashL, and
> consistency with the general practice of generating fingerprints with
> SHA-256, like in Base58Check.
I'd be fine with changing the key fingerprint algorithm to something else. Do you like CRC16?
> >> Speaking of encoding, is it not wasteful to allocate three different
> >> application/version bytes just for the sake of always starting with
> >> 'SS'? It would be OK if it were accepted as a BIP, but merely as a
> >> de-facto standard it should aim at minimising future chances of
> >> collision.
> >
> > I agree on principle, however I think the more user-acceptable behavior is for all base58-encoded Shamir shares to begin with a common prefix, such as "SS". Users are accustomed to relying on the prefix of the base58 encoding to understand what the object is: "1" for mainnet pubkey hash, "3" for mainnet script hash, "5" for uncompressed private key, "P" for passphrase-protected private key, etc.
>
> Yes, "5" for uncompressed private key and "K" or "L" for compressed
> private key. One A/VB and three prefixes in base58. Am I the only
> one to see this as a counter-example?
>
> However, thinking about this, I can find logic in wanting to stabilise
> text prefixes at a cost of six A/V bytes (as per the latest spec).
> There are only 58 first characters versus 256 AVBs, so we should
> rather be saving the former.
The type of a base58-encoded object is determined not only by the application/version byte but by the payload length as well. For example, a base58-encoded object with an application/version byte of 0x80 but a payload length of 16 bytes would not be mistakable for a Bitcoin private key, even though AVB 0x80 does denote a Bitcoin private key when the payload length is 32 or 33 bytes. So it's not as simple as saying that this proposal costs 6 AVBs. It really costs one AVB for 18-byte payloads, one AVB for 21-byte payloads, one AVB for 34-byte payloads, one AVB fo 37-byte payloads, one AVB for 66-byte payloads, and one AVB for 69-byte payloads.
> >> What about using the same P256 prime as for the elliptic curve? Just
> >> for consistency's sake.
> >
> > The initial draft of this BIP used the cyclic order (n) of the generator point on the secp256k1 elliptic curve as the modulus. The change to the present scheme was actually done for consistency's sake, so all sizes of secret can use a consistently defined modulus.
>
> Fair enough. Although I would have chosen the field order (p) simply
> because that's how all arithmetic already works in bitcoin. One field
> for everybody. It's also very close to 2^256, although still smaller
> than your maximum prime. Now of course with different bit lengths we
> have to pick one consistency over others.
As Gregory Maxwell pointed out, you can't use p when you're dealing with private keys, as that is the order of the finite field over which the elliptic curve is defined, but private keys are not points on that curve; a private key is a scalar number of times to multiply the generator point. That means you have to use the order of the generator point as the modulus when working with private keys.
> >> Also, I'm somewhat inclined towards using the actual x instead of j in
> >> the encoding. I find it more direct and straightforward to encode the
> >> pair (x, y). And x=0 can denote a special case for future extensions.
> >> There is no technical reason behind this, it's just for (subjective)
> >> clarity and consistency.
> >
> > There is a technical reason for encoding j rather than x[j]: it allows for the first 256 shares to be encoded, rather than only the first 255 shares.
>
> Wow, big deal. It's hard to imagine anyone needing exactly 256
> shares, but who knows. And with j = x (starting from 1) we'd get
> user-friendly share numbering and simpler formulas in the spec and
> possibly in the implementation, with no off-by-one stuff. And M
> instead of M-2...
It's common for implementation limits to be powers of two. I don't foresee any off-by-one errors, as the spec is clear on the value of each byte in the encoding.
Published at
2023-06-07 15:17:08Event JSON
{
"id": "d51e222c8443c7a49dc0e880f32779aa451c602cfdd70acaad6dff6ef7079bc6",
"pubkey": "f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91",
"created_at": 1686151028,
"kind": 1,
"tags": [
[
"e",
"ec3db7ea61043d2181c683590cc6472afc1e727a155c1437be680d2ee4f9939c",
"",
"root"
],
[
"e",
"651173785d83e459d78759c046e3ffc419c615df7b26b715af62641d05f50cd8",
"",
"reply"
],
[
"p",
"f00d0858b09287e941ccbc491567cc70bdbc62d714628b167c1b76e7fef04d91"
]
],
"content": "📅 Original date posted:2014-04-04\n📝 Original message:On Friday, 4 April 2014, at 5:51 pm, Nikita Schmidt wrote:\n\u003e On 4 April 2014 01:42, Matt Whitlock \u003cbip at mattwhitlock.name\u003e wrote:\n\u003e \u003e The fingerprint field, Hash16(K), is presently specified as a 16-bit field. Rationale: There is no need to consume 4 bytes just to allow shares to be grouped together. And if someone has more than 100 different secrets, they probably have a good system for managing their shares and won't need the hash anyway.\n\u003e \n\u003e Right, of course. Sorry, I didn't notice there was an update. Two\n\u003e bytes are plenty.\n\u003e \n\u003e I'm worried however about the dependency on SHA-512, which may be\n\u003e stretching it for a tiny embedded application. The other uses of\n\u003e HashL can be avoided. We are balancing here between consistency with\n\u003e the rest of this proposal, where everything is done via HashL, and\n\u003e consistency with the general practice of generating fingerprints with\n\u003e SHA-256, like in Base58Check.\n\nI'd be fine with changing the key fingerprint algorithm to something else. Do you like CRC16?\n\n\u003e \u003e\u003e Speaking of encoding, is it not wasteful to allocate three different\n\u003e \u003e\u003e application/version bytes just for the sake of always starting with\n\u003e \u003e\u003e 'SS'? It would be OK if it were accepted as a BIP, but merely as a\n\u003e \u003e\u003e de-facto standard it should aim at minimising future chances of\n\u003e \u003e\u003e collision.\n\u003e \u003e\n\u003e \u003e I agree on principle, however I think the more user-acceptable behavior is for all base58-encoded Shamir shares to begin with a common prefix, such as \"SS\". Users are accustomed to relying on the prefix of the base58 encoding to understand what the object is: \"1\" for mainnet pubkey hash, \"3\" for mainnet script hash, \"5\" for uncompressed private key, \"P\" for passphrase-protected private key, etc.\n\u003e \n\u003e Yes, \"5\" for uncompressed private key and \"K\" or \"L\" for compressed\n\u003e private key. One A/VB and three prefixes in base58. Am I the only\n\u003e one to see this as a counter-example?\n\u003e \n\u003e However, thinking about this, I can find logic in wanting to stabilise\n\u003e text prefixes at a cost of six A/V bytes (as per the latest spec).\n\u003e There are only 58 first characters versus 256 AVBs, so we should\n\u003e rather be saving the former.\n\nThe type of a base58-encoded object is determined not only by the application/version byte but by the payload length as well. For example, a base58-encoded object with an application/version byte of 0x80 but a payload length of 16 bytes would not be mistakable for a Bitcoin private key, even though AVB 0x80 does denote a Bitcoin private key when the payload length is 32 or 33 bytes. So it's not as simple as saying that this proposal costs 6 AVBs. It really costs one AVB for 18-byte payloads, one AVB for 21-byte payloads, one AVB for 34-byte payloads, one AVB fo 37-byte payloads, one AVB for 66-byte payloads, and one AVB for 69-byte payloads.\n\n\u003e \u003e\u003e What about using the same P256 prime as for the elliptic curve? Just\n\u003e \u003e\u003e for consistency's sake.\n\u003e \u003e\n\u003e \u003e The initial draft of this BIP used the cyclic order (n) of the generator point on the secp256k1 elliptic curve as the modulus. The change to the present scheme was actually done for consistency's sake, so all sizes of secret can use a consistently defined modulus.\n\u003e \n\u003e Fair enough. Although I would have chosen the field order (p) simply\n\u003e because that's how all arithmetic already works in bitcoin. One field\n\u003e for everybody. It's also very close to 2^256, although still smaller\n\u003e than your maximum prime. Now of course with different bit lengths we\n\u003e have to pick one consistency over others.\n\nAs Gregory Maxwell pointed out, you can't use p when you're dealing with private keys, as that is the order of the finite field over which the elliptic curve is defined, but private keys are not points on that curve; a private key is a scalar number of times to multiply the generator point. That means you have to use the order of the generator point as the modulus when working with private keys.\n\n\u003e \u003e\u003e Also, I'm somewhat inclined towards using the actual x instead of j in\n\u003e \u003e\u003e the encoding. I find it more direct and straightforward to encode the\n\u003e \u003e\u003e pair (x, y). And x=0 can denote a special case for future extensions.\n\u003e \u003e\u003e There is no technical reason behind this, it's just for (subjective)\n\u003e \u003e\u003e clarity and consistency.\n\u003e \u003e\n\u003e \u003e There is a technical reason for encoding j rather than x[j]: it allows for the first 256 shares to be encoded, rather than only the first 255 shares.\n\u003e \n\u003e Wow, big deal. It's hard to imagine anyone needing exactly 256\n\u003e shares, but who knows. And with j = x (starting from 1) we'd get\n\u003e user-friendly share numbering and simpler formulas in the spec and\n\u003e possibly in the implementation, with no off-by-one stuff. And M\n\u003e instead of M-2...\n\nIt's common for implementation limits to be powers of two. I don't foresee any off-by-one errors, as the spec is clear on the value of each byte in the encoding.",
"sig": "7bbbbe15201c348a435eee89114ab2bac0fff9e37d3bb8d81a51559b9e33c615174857ef8297b75eaf25a897b42658a23a7fc8395a5b87da97c097be494b57a1"
}