Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: What is the current status of Schnorr signatures, MAST, Taproot and Graftroot (Read 226 times)

achow101
staff
Activity: 3458
Merit: 6793
Just writing some code
What is the current status of Schnorr signatures, MAST, Taproot and Graftroot
August 17, 2019, 11:09:42 PM
#6
Quote from: pooya87 on August 17, 2019, 10:24:32 PM
is something different with Schnorr regarding signature verification using public key?
i don't have any code to test ECSDSA but i could check ECDSA and in there you can't use -P for verification or it fails.
in other words if we use 32 byte public keys then we have no way of knowing which Y is the correct answer, as a result we would have 2 public key points (P and -P) one of which fails the verification.
so how did the discussion solve this?
Given a public/private key pair, by negating the private key, you can obtain another public key that has the same X coordinate but a Y coordinate that is of opposite oddness. For example, if key k has a pubkey P where the Y coordinate is odd, then the key -k has a public key with the same X but the Y is even.

Knowing that, the solution is to dictate that all 32 byte public keys must use the even Y value. For signing, if the pubkey has an odd Y value, then the signer just negates the private key. For verifiers, when computing the Y value, they choose the even one.
pooya87
legendary
Activity: 3472
Merit: 10611
Re: What is the current status of Schnorr signatures, MAST, Taproot and Graftroot
August 17, 2019, 10:24:32 PM
#5
Quote from: achow101 on August 17, 2019, 11:53:16 AM
Recently there has been discussion on the mailing list on using just 32 byte public keys rather than using the standard 33 byte public keys.

is something different with Schnorr regarding signature verification using public key?
i don't have any code to test ECSDSA but i could check ECDSA and in there you can't use -P for verification or it fails.
in other words if we use 32 byte public keys then we have no way of knowing which Y is the correct answer, as a result we would have 2 public key points (P and -P) one of which fails the verification.
so how did the discussion solve this?
achow101
staff
Activity: 3458
Merit: 6793
Just writing some code
Re: What is the current status of Schnorr signatures, MAST, Taproot and Graftroot
August 17, 2019, 11:53:16 AM
#4
The taproot and schnorr proposed BIPs are still being worked on. Recently there has been discussion on the mailing list on using just 32 byte public keys rather than using the standard 33 byte public keys.

There are implementations of taproot and schnorr in one of sipa's branches but he has not yet opened a PR to merge them into Core. The proposed BIPs also do not have a BIP number yet as they are still in flux.

Graftroot does not yet have a proposed BIP.
Andriian
newbie
Activity: 22
Merit: 151
Re: What is the current status of Schnorr signatures, MAST, Taproot and Graftroot
August 17, 2019, 04:07:10 AM
#3
Quote from: ABCbits on August 17, 2019, 03:29:34 AM
Since all of those improvement offer reduced transaction size and privacy to some degree (except for Graphtroot which i never heard), there are few obvious opportunities :

That was my misspelling. Graftroot is correct one. Here is Gregory Maxwell's proposal for it https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-February/015700.html

P.S. Have fixed subject in the initial message as well
ABCbits
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Re: What is the current status of Schnorr signatures, MAST, Taproot and Graftroot
August 17, 2019, 03:29:34 AM
#2
Quote from: Andriian on August 17, 2019, 02:39:27 AM
Hi. It seems that there were no discussions specific to the subject for the last year. So would like to collect a summary regarding the following

There are few threads discuss those improvement you mentioned, such as :
MuSig: Schnorr Multisig and signature aggregation
Taproot proposal
[Schnorr] Should batched verification result in reduced weight per sig?

Quote from: Andriian on August 17, 2019, 02:39:27 AM
  • Current status of corresponding BIPs and its development
  • Any kind of technical or economical obstacles for including into Bitcoin Core release
I don't join Bitcoin dev mailing or Bitcoin IRC channel, so i can't answer this one.

Quote from: Andriian on August 17, 2019, 02:39:27 AM
  • New opportunities for business and users if that is released
Since all of those improvement offer reduced transaction size and privacy to some degree (except for Graphtroot which i never heard), there are few obvious opportunities :
1. Spend less Bitcoin for transaction fees
2. Prevent release whole script when spend UTXO (on MAST & Taproot)
3. Allow more transaction fit into a block due to reduced transaction size
4. Prevent de-anonymization by analyzing transaction (on Schnorr & Taproot)
5. Improve privacy for those who use mixers and CoinJoin

P.S. it's only high level overview
Andriian
newbie
Activity: 22
Merit: 151
Re: What is the current status of Schnorr signatures, MAST, Taproot and Graftroot
August 17, 2019, 02:39:27 AM
#1
Hi. It seems that there were no discussions specific to the subject for the last year. So would like to collect a summary regarding the following
  • Current status of corresponding BIPs and its development
  • Any kind of technical or economical obstacles for including into Bitcoin Core release
    • New opportunities for business and users if that is released
    Thank you.
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: