
@ waxwing
2025-05-09 18:11:09
Hi nostr:nprofile1qqsgdp0taan9xwxadyc79nxl8svanu895yr8eyv0ytnss8p9tru047qpz3mhxue69uhhyetvv9ujuerpd46hxtnfduq3samnwvaz7tmwdaehgu3wwdc8ymmkdahhxapwdekqzrthwden5te0dehhxtnvdakqm9jn0c nostr:nprofile1qqsw34nugddy5kfsfc2pg2qwj5h0u9a7gf20egnez6lk870h8e22hfqpvemhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0dec82c33weskgcmxd3hrgat8wsexswtjw4mhxathw56hvaf4v9kng7rpddsnwurhxeknwctc0ymnjct30958qdn4x4cnj6mww46nw0mzwfhkzerrv9ehg0t5wf6k2qq6h6n enjoyed the podcast, good job.
An academic detail that interested me is the idea of attaching a signature to every published pubkey to prevent embedding data. It's interesting that for ECDSA specifically, it is possible to "recover" a pubkey from an essentially "fake" signature. It works like this: the base equation is s = k^-1 (Hash(message) +R_x * p) where p is the private key, R_x is the x-coord of the point R, where R = kG.
In the general case you can "back-out" a random pubkey from a signature you choose; you don't even need a private key! Choose s at random (which could be 32 bytes of text or jpg), then for a given message m, calculate H(m) as normal, then choose k at random as normal, yielding value for R_x as normal. Then, the public key for which (R, s) validates will be P = (R_x)^-1 * (sR - H(m) G), as you can check by simple algebra.
So the pubkey will appear on chain as random, but the attached signature (R, s) will contain the same amount of "published" data. However, not only can this "leak"/"hole" in the idea be trivially avoided, but also it doesn't work in Schnorr. For ECDSA, the "message" will of course be a matter of consensus (**), and if it includes the public key itself, this trick is avoided. In Schnorr we already have the same defence because it is "pubkey-prefixed" Schnorr, forcing the pubkey inside the challenge hash.
It's still amusing to look for other similar "holes" in the idea though... even though such a scheme would never be viable, adding 64++ bytes to each output...
(**) (another detail is that when m is a bitcoin transaction message, it implicitly commits to the pubkey via the prevout you're spending from)
#bitcoin #cryptography