I spent a good long while thinking about this issue in more detail, even to the point of writing out formal security arguments, and I came to the conclusion that there's no real-world way to prevent at least a 20% leakage of data (i.e. data can be published at 20% of the size of the utxo) in the hypothetical scheme where you require a signature on the pubkey, so (P, (R, s)), in scriptPubkeys. Why 20%? Think of it like this: the nonce being deducible is absolutely unavoidable. You could ban repeated nonces, you could ban ultra-low value nonces, you could ban other specific patterns but there will always be a way to leak it to interested observers - it could be something as neat as "the secret nonce is exactly the previous block's block hash" or something more messy like a function of the time of day, or ... whatever. That will mean that in *any* one signature we can broadcast the private key at least. In a (P, R, s) scheme that means 32 bytes in 160. In reality, grinding could add a few more bytes to that so it's a little higher. In the repeated scheme, you leak 64 bytes out of 320 bytes, which is still 20%. But 20%-ish with the massive caveat that you let others control the key and thus eject the data from the utxo set. It's *academically* super-interesting but I'm not sure any "bad actor" would ever choose this channel, unless perhaps they were forced out of other ones. "Academically interesting" because while outputs don't work like this now, and probably never will, it would not totally solve the problem of "spam data in unpruneable utxos". It would make it less efficient, but at the cost of making Bitcoin as a whole also much less efficient. View quoted note →

Apparently Bitmex research last month wrote an excellent article using the same idea about data in private keys that I mentioned on the mailing list last May:

Delving Bitcoin

Response to Pieter Wuille's StackExchange Answer Re: Nuking the Opreturn Filter

Oh I hadn’t seen that recent article by Bitmex Research, very interesting that they came up with the same idea I had a while back in May on the m...

(I don't think they had seen my post). Jokes aside, it is kinda fascinating to try to formally prove that you can't embed data in Schnorr in P, (R,s) without doing this. I have a vague outline but it's quite unclear.

Not sure if it's of interest to anyone here, but I tried to make a formal reduction from silentpayments unlinkability to DDH here. Haven't had any review yet. It wasn't 100% trivial (also I couldn't find earlier papers that had analyzed this), but it also feels, to me, unlikely that there's any problem here, at the base level. It says nothing about ways you could screw up privacy with usage patterns.

GitHub

GitHub - AdamISZ/silentpayments-unlinkability-note: Short writeup of unlinkability property of Silent Payments (BIP352)

Short writeup of unlinkability property of Silent Payments (BIP352) - AdamISZ/silentpayments-unlinkability-note

#cryptography View quoted note →

Unsurprisingly people are really clueless about Argentina and so if they decided Milei is bad they don't really have to check more than the headline, they already "know" the reasons behind the story ... View quoted note →

Is anyone else having a lot of trouble getting things to load on Amethyst after the recent update?

A response to some of Chris Guida's points I posted on Delving:

Delving Bitcoin

Response to Pieter Wuille's StackExchange Answer Re: Nuking the Opreturn Filter

Reading both yours and @mechanic ‘s points here (though forgive me I have not read all of your post yet!) is helpful to me, thanks. Yes, this ...

Re:

Delving Bitcoin

Provable Cryptography for Bitcoin: An Introduction (Workbook)

I’m excited to share a comprehensive cryptography workbook that we developed for an interactive workshop on Bitcoin cryptography. This workbook c...

that was recently advertised As I spent some time this summer working through this material (with a bunch of other people), I can heartily recommend it, but, it's not for the faint of heart! I think it would be much more useful to explain why the title is what it is - "*provable* cryptography". Without getting technical, let me give you some background that might inspire you to get involved: The concept of "provable security" sounds a bit bland; of course you want to prove things are secure, rather than just hope it! But in the history of cryptography, it .. wasn't always like that. Pre- asymmetric encryption (think from Caesar cipher to Enigma machines, so until 1960ish), cryptography and cryptanalysis were in a constant battle - one side came up with clever ciphers, the other side found clever ways of breaking them. Like an arms race (except ciphers are not weapons! they're armor .. so, an armor race). As far as I know, nobody tried to *prove* the Enigma machine's complex cipher was secure at the time. But in the 70s and 80s, after Diffie and Hellman's groundbreaking work introduced practical cryptography without having to share a secret key (the DH protocols, and RSA around the same time), things started to change for a definite reason: these protocols were based on a deep "fact" (usually not a proven fact, but a belief) about number theory. The classic one is factoring: the "fact" that factoring a very large number takes an exponentially long time. Rapidly, many other similar "very hard problems" were found, the one most familiar to readers will be the "elliptic curve discrete log problem" (find the private key, given only the public key). Cryptosystems were being built with these "hard problems" as foundation. And people started using the concept of "reduction", which is slippery logically but very powerful: I build cryptosystem A. If you can break A (notice: I'm not saying how, I'm just saying if you can break it *in any way*) with some magical machine, you can take that same magical machine and ... find a private key given only a public key. If you think about it, it makes sense to describe that as "reducing the security of A to the elliptic curve discrete log problem". The reason this gained traction through the 80s and 90s is because it circumvents the cryptographer-cryptanalyst war we mentioned at the start (at least, in theory it does!). The cryptographer doesn't have to consider all the different ways the cryptanalyst might break his system. He only has to believe that the math problem (e.g. factoring) is indeed hard, because if it is, and because he has a reduction, he knows that any such clever cryptanalyst is breaking the factoring problem, too. I'll admit I balked a bit at this "backwards" logic when I first encountered it. I thought "hmm well maybe the clever cryptanalyst is going to use his technique against my cryptosystem A, and *actually* break ECDLP by doing it!". (I remember Greg Maxwell's response when I expressed this was "good luck" 🙂 ). But I hope you can see that this is generally missing the point, since the reduction isn't saying anything at all about ECDLP or factoring or whatever. It's just making a bridge from your specific thing, to the general "hardness" of the "big" problem like factoring. A bit like how money is useful because we don't need an unreasonable number of barter prices; everything is compared, numerically, with one central thing. Similarly there is a zoo of crypto protocols that use ECDLP as their "foundation", their security can be (even numerically) related to the security of that underlying thing. As usual I'm now waffling a bit, but the main point I'm trying to get across is: "provable security" is based on these reductions, and in the "modern era" of cryptography, it's the main way you have any chance of navigating the huge complexity of answering the question "is this cryptosystem secure"? If you can reduce it to a known problem, you are done. Of course such reductions are sometimes wrong, and sometimes fail to model certain details that occur in real implementations, so they're not a panacea, but they are the best we have. #cryptography