Topic: Did satoshi not know that public key is recoverable from ECDSA signature? (Read 1928 times)

hero member
Activity: 784
Merit: 1001
There are a number of other "nuts and bolts" decisions (oversights?) which make me think Satoshi's background was not cryptography.  He probably had exposure to and experience working with cryptography but wasn't a cryptographer.

-snip-

This isn't to say Satoshi wasn't a genius, the magic in Bitcoin isn't the cryptographic primitives used.  It is in the way he elegantly used existing systems (digital signatures & hashing algorithms) to create a timestamp and consensus finding system that is very simple and yet very difficult to attack.

This is a very interesting remark and I wonder if it explains why he disappeared. The ability to pick up preexisting tools and ideas in a field not your own and see how to use them to create something entirely new and important like bitcoin (coupled with the intelligence and determination to carry your vision all the way through to proof-of-concept) is a very special kind of genius. For someone like that, once you have achieved proof of concept, your work is done. Someone like this probably has other Big Ideas that are completely unrelated to bitcoin. It could very well be the case that he is of greater service to humanity working on proof of concept of yet another Big Idea than he is continuing to work on bitcoin.

If so .... I wonder whether he plans to use his bitcoins to help him develop his next project ....  Shocked



member
Activity: 65
Merit: 10
I believe it wasn't known to him or he didn't understand it enough to trust it.  PubKey recovery was certainly known prior to 2009.  There are a number of other "nuts and bolts" decisions (oversights?) which make me think Satoshi's background was not cryptography.  He probably had exposure to and experience working with cryptography but wasn't a cryptographer.

In addition to PubKey recovery here are just a few other "quirks":
* Transaction Malleability (Bitcoin Specific). It is cumbersome to fix today but with a different txn structure it would be impossible.
* Signature Malleability (ECDSA).  ECDSA can have multiple signatures for the same digest the solution is to either not make the signature part of the txn hash or limit Bitcoin to a single form.
* DER encoding serves no purpose.  Even if OpenSSL was used the DER bits could be stripped.
* Lack of Compressed Keys.  Optimally the only valid key would be a compressed key and thus not only is key size reduced but there is only one format to consider.
* Unusual choice of double hashing.  Normally done to prevent length extension attacks which don't exist in Bitcoin.

This isn't to say Satoshi wasn't a genius, the magic in Bitcoin isn't the cryptographic primitives used.  It is in the way he elegantly used existing systems (digital signatures & hashing algorithms) to create a timestamp and consensus finding system that is very simple and yet very difficult to attack.

Totally agree
full member
Activity: 210
Merit: 100
I was reminded of https://bitcointalksearch.org/topic/ecdsa-signatures-allow-recovery-of-the-public-key-6430 where sipa points to a paper describing how to extract the public key from the signature and the signed digest.

Satoshi eliminated every redundant byte in transactions and blocks, think of the compressed encoding of difficulty or the 32 bit date.

Why did he miss this significant opportunity of transaction size reduction?
Was it not known by 2009 or was it not known to him or is there more in this decision ?

There is this rule:

If you don't want something stolen from the Internet, don't post it there to begin with. With that in mind, when transferring stuff over da Interwebs, you want the least amount of data transferred back and forth, so that if it is compromised, it's not that big a deal. But the data itself cannot be that significant, or if it is, it needs to be masked in a way that it's hard to decrypt. However, I don't think you'd want to decrease the size of transactions (bytes), assuming that's what OP is talking about. The more convolution, the harder it is to crack. You don't encrypt something in 64-bits, then go back to 16-bits.
staff
Activity: 4284
Merit: 8808
Honestly the wire protocol is very poorly done.
I suspect you don't have much experience with protocols.  Variable length encodings are obnoxious to deal with and are a frequent source of security vulnerabilities, especially for cases where future parsing is conditional on the data being read.  Bitcoin already arguably overuses variable length encodings (and has had some sources of problems arising from them); using a constant length version identifier is a sound decision and consistent with many other protocols.

There are potential patent complications related to public key recovery, it also requires a more CPU expensive verification. I would vigorously oppose using it in the protocol even today. One can define a compression format for long sequences of blocks that uses pubkey recovery to reduce the size without ever having them be the committed data and thus forcing other people to deal with them.

DeathAndTaxes' points are fine, though keep in mind there is a cost to peeling back the black box of cryptographic primitives too much. With the distorting benefit of hindsight many people miss how well Bitcoin was designed overall (go look at the orgy of failure hardfork frenzy that many altcoins that were complete rewrites have been); time spent discovering that DER could be safely stripped (or the like) would likely have meant less time refining the rest. 8 bytes of overhead or so isn't the end of the world, esp for something that can be mooted by new soft-fork-added checksig operators.
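The post above argues that variable length encodings are a frequent source of vulnerabilities when later parsing depends on the value just read. The following is an added example, not code from this thread or from Bitcoin Core: a decoder for Bitcoin's CompactSize "varint" that rejects truncated input, non-canonical (over-long) encodings and oversized values before the decoded length is used to slice a buffer. The MAX_SIZE limit of 0x02000000 and the canonical-encoding rule mirror what Bitcoin Core's ReadCompactSize enforces; the sample byte strings are constructed for the example, not captured network data.

```python
"""Bitcoin CompactSize ("varint") parsing with the checks a robust decoder needs.
Added example: not from the thread or from Bitcoin Core. The MAX_SIZE bound and
the rejection of non-canonical encodings follow Bitcoin Core's ReadCompactSize."""

MAX_SIZE = 0x02000000  # Bitcoin Core's upper bound for any serialized size


class DecodeError(ValueError):
    pass


def read_compact_size(buf: bytes, pos: int = 0):
    """Decode one CompactSize at buf[pos:]; return (value, new_pos).
    Rejects truncated input, non-canonical (over-long) encodings and values
    above MAX_SIZE, so a caller is never handed a length it cannot trust."""
    if pos >= len(buf):
        raise DecodeError("truncated: no prefix byte")
    prefix = buf[pos]
    pos += 1
    if prefix < 0xFD:
        return prefix, pos
    # prefix -> (number of little-endian length bytes, smallest value that
    # legitimately needs this width; anything smaller is an over-long encoding)
    width, floor = {0xFD: (2, 0xFD), 0xFE: (4, 0x10000), 0xFF: (8, 0x100000000)}[prefix]
    if pos + width > len(buf):
        raise DecodeError("truncated: length bytes missing")
    value = int.from_bytes(buf[pos:pos + width], "little")
    if value < floor:
        raise DecodeError("non-canonical CompactSize encoding")
    if value > MAX_SIZE:
        raise DecodeError("size exceeds MAX_SIZE")
    return value, pos + width


def read_vector(buf: bytes, pos: int = 0):
    """Length-prefixed byte vector. The crucial check is the bounds test
    against the remaining buffer *before* the length is used for anything
    (allocation, slicing, deciding how many further fields to parse)."""
    n, pos = read_compact_size(buf, pos)
    if n > len(buf) - pos:
        raise DecodeError(f"vector claims {n} bytes, only {len(buf) - pos} remain")
    return buf[pos:pos + n], pos + n


def encode_compact_size(n: int) -> bytes:
    """Canonical encoder, used to build the constructed samples below."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF:
        return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def classify(sample: bytes) -> str:
    """Return 'ok' or the DecodeError reason for one sample."""
    try:
        read_vector(sample)
        return "ok"
    except DecodeError as e:
        return str(e)


# Constructed samples for the example (not real network data)
SAMPLES = {
    "good": encode_compact_size(3) + b"abc",
    "over_long": b"\xfd\x03\x00" + b"abc",            # 3 encoded in 2 bytes
    "huge_claim": b"\xfe\xff\xff\xff\x7f",            # 0x7fffffff > MAX_SIZE
    "short_payload": encode_compact_size(10) + b"abc",  # claims 10, 3 present
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:14s} {sample.hex():20s} -> {classify(sample)}")
```

The "huge_claim" and "short_payload" cases are the ones the post is warning about: a decoder that trusts the length field and allocates or slices on it before checking the remaining input is exactly where "parsing conditional on the data being read" goes wrong.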
donator
Activity: 668
Merit: 500
Satoshi eliminated every redundant byte in transactions and blocks, think of the compressed encoding of difficulty or the 32 bit date.
I don't know why you think that.  Why isn't the version field 1 byte?  Or at least a varint?

Honestly the wire protocol is very poorly done.
donator
Activity: 1218
Merit: 1079
Gerald Davis
I believe it wasn't known to him or he didn't understand it enough to trust it.  PubKey recovery was certainly known prior to 2009.  There are a number of other "nuts and bolts" decisions (oversights?) which make me believe Satoshi's background was not cryptography.  He probably had exposure to and experience working with cryptography but wasn't a cryptographer.

In addition to PubKey recovery here are just a few other "quirks":
* Transaction Malleability (Bitcoin Specific). It is cumbersome to fix today but with a different txn structure it would be impossible.
* Signature Malleability (ECDSA).  ECDSA can have multiple signatures for the same digest the solution is to either not make the signature part of the txn hash or limit Bitcoin to a single form.
* DER encoding serves no purpose.  Even if OpenSSL was used the DER bits could be stripped.
* Lack of Compressed Keys.  Optimally the only valid key would be a compressed key and thus not only is key size reduced but there is only one format to consider.
* Unusual choice of double hashing.  Normally done to prevent length extension attacks which don't exist in Bitcoin.

This isn't to say Satoshi wasn't a genius, the magic in Bitcoin isn't the cryptographic primitives used.  It is in the way he elegantly used existing systems (digital signatures & hashing algorithms) to create a timestamp and consensus finding system that is very simple and yet very difficult to attack.
hero member
Activity: 836
Merit: 1030
bits of proof
I was reminded of https://bitcointalksearch.org/topic/ecdsa-signatures-allow-recovery-of-the-public-key-6430 where sipa points to a paper describing how to extract the public key from the signature and the signed digest.

Satoshi eliminated every redundant byte in transactions and blocks, think of the compressed encoding of difficulty or the 32 bit date.

Why did he miss this significant opportunity of transaction size reduction?
Was it not known by 2009 or was it not known to him or is there more in this decision ?
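The original post asks about recovering the public key from an ECDSA signature and the signed digest, and Gerald Davis's list above raises signature malleability (s versus n-s) and compressed keys. The following is an added example, not code from this thread, from sipa's linked paper or from Bitcoin: a pure-Python secp256k1 implementation that signs a double-SHA-256 digest, recovers the public key from (r, s) plus a two-bit recovery id, and shows that the malleated signature (r, n-s) verifies too and recovers the same key once the recovery id's parity bit is flipped. The nonce derivation is a simplification assumed for determinism (it is not RFC 6979), the arithmetic is not constant-time, and the private key and message are constructed for the example; none of this is suitable for real keys.

```python
"""secp256k1 ECDSA sign, verify, public key recovery and low-s normalisation
in pure Python. Added example, not from the thread or from Bitcoin.
Educational only: not constant-time, nonce derivation is not RFC 6979."""
import hashlib

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def point_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def hash256(msg: bytes) -> int:
    """Bitcoin-style double SHA-256 of the message, as an integer."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(msg).digest()).digest(), "big")


def sign(priv: int, msg: bytes):
    """Return (r, s, recid). The nonce k is derived from priv and msg so the
    example is deterministic; this is an assumed simplification, not RFC 6979."""
    z = hash256(msg)
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + msg).digest(), "big") % N
    R = point_mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    # recid bit 0: parity of R.y; bit 1: R.x was reduced mod N (rare)
    recid = (R[1] & 1) | (2 if R[0] >= N else 0)
    return r, s, recid


def verify(pub, msg: bytes, r: int, s: int) -> bool:
    """Textbook ECDSA verification; accepts both s and N-s (malleability)."""
    if not (0 < r < N and 0 < s < N):
        return False
    z = hash256(msg)
    w = pow(s, -1, N)
    pt = point_add(point_mul(z * w % N, G), point_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def recover(msg: bytes, r: int, s: int, recid: int):
    """Recover Q from (r, s, recid): rebuild R from x = r (+N if bit 1)
    and the y parity in bit 0, then Q = r^-1 * (s*R - z*G)."""
    x = r + (N if recid & 2 else 0)
    if x >= P:
        return None
    y_sq = (pow(x, 3, P) + 7) % P
    y = pow(y_sq, (P + 1) // 4, P)  # P = 3 mod 4, so this yields a square root
    if y * y % P != y_sq:
        return None                 # x is not on the curve
    if (y & 1) != (recid & 1):
        y = P - y
    R = (x, y)
    z = hash256(msg)
    sR_minus_zG = point_add(point_mul(s, R), point_mul((N - z) % N, G))
    return point_mul(pow(r, -1, N), sR_minus_zG)


def low_s(r, s, recid):
    """Canonicalise to the low-s form. (r, N-s) is an equally valid signature,
    which is the ECDSA malleability the thread describes; negating s negates
    R, so the recovery id's parity bit flips with it."""
    if s > N // 2:
        return r, N - s, recid ^ 1
    return r, s, recid


def encode_pubkey(pub, compressed=True) -> bytes:
    """SEC1 encoding: 33 bytes compressed (02/03 || x) or 65 bytes (04 || x || y)."""
    x, y = pub
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


# Constructed example key and message (not a real key)
PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
PUB = point_mul(PRIV, G)
MSG = b"pubkey recovery example"

if __name__ == "__main__":
    r, s, recid = sign(PRIV, MSG)
    print("recovered == pub:", recover(MSG, r, s, recid) == PUB)
    r2, s2, recid2 = r, N - s, recid ^ 1
    print("malleated verifies:", verify(PUB, MSG, r2, s2))
    print("malleated recovers same key:", recover(MSG, r2, s2, recid2) == PUB)
    print(len(encode_pubkey(PUB)), "vs", len(encode_pubkey(PUB, compressed=False)), "bytes")
```

The point of the recid bits is that a signature alone identifies only a small set of candidate keys (two for ordinary r, four in the rare case where R.x exceeded N); with the two extra bits the key is unique, which is why a scheme that relies on recovery still has to commit to those bits somewhere, and why a verifier that accepts both s and N-s must also accept the flipped parity bit.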