Bitcoin Forum
Author Topic: BLS signatures (better than Schnorr)  (Read 745 times)
cellard (OP)
June 25, 2018, 06:55:11 PM
Merited by ABCbits (1), anunymint (1)
#1

Recently I've learned about BLS  (Boneh-Lynn-Shacham) signatures and it sounds all great. Fixes the problems Schnorr brought to the table.

My questions are: Is this to be deployed with a hard-fork or soft-fork?

If it's a soft-fork, when can we expect it to happen? Since it would be a new address format if I'm not mistaken, would it be controversial like SegWit was? Also could we bypass Schnorr and just go BLS?
Carlton Banks
June 25, 2018, 09:18:40 PM
#2

Quote from: cellard
Recently I've learned about BLS (Boneh-Lynn-Shacham) signatures and it sounds all great. Fixes the problems Schnorr brought to the table.

I thought patent restrictions were the only issue with Schnorr sigs. What are these issues, and how are BLS sigs different that they are better?

Quote from: cellard
My questions are: Is this to be deployed with a hard-fork or soft-fork?

If it's a soft-fork, when can we expect it to happen? Since it would be a new address format if I'm not mistaken, would it be controversial like SegWit was?

Supposedly a soft fork can be done to allow Schnorr sigs. What's controversial about address formats? Or the Segwit address format? Never heard that said before.

cellard (OP)
June 25, 2018, 11:06:20 PM
#3

Quote from: Carlton Banks
I thought patent restrictions were the only issue with Schnorr sigs. What are these issues, and how are BLS sigs different that they are better?

Quote
ECDSA signatures are ok. They do their job and do it well, but nothing more. We can’t combine signatures or keys and every signature has to be verified independently. With multisig transactions it becomes especially annoying. We have to check all the signatures and the corresponding public keys one by one, waste a lot of space in a block and pay large fees.

Schnorr signatures are awesome — if we do it right we can combine all signatures and public keys in the transaction to a single key and a signature and nobody will find out that they correspond to multiple keys. Also block validation can be faster — we can validate all signatures at once. There are a few issues though:

    Multisig scheme requires two communication rounds. This can be very annoying with cold storage.
    With signature aggregation we have to rely on random number generator — we can’t choose random point R deterministically like we do in ECDSA
    m-of-n multisig scheme is tricky — we need to make a merkle tree of public keys that can get pretty large for large m and n.
    We can't combine all signatures in the block to a single signature.

See full article here:

https://medium.com/@snigirev.stepan/bls-signatures-better-than-schnorr-5a7fe30ea716

Apparently this could be deployed via soft-fork.

Quote from: Carlton Banks
Supposedly a soft fork can be done to allow Schnorr sigs. What's controversial about address formats? Or the Segwit address format? Never heard that said before.

Yes, Schnorr can be deployed via soft-fork. The immediate problem of a different address format is of course adoption of said address format: it is a mess at first, and takes time for users and merchants to set it up.

The controversy with SegWit is due to the anyonecanspend/mining cartel attack vector. Read posts by user anunymint. Anything that adds new angles to attack Bitcoin is always going to be controversial.
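The points in the quoted article (ECDSA signatures verified one by one, Schnorr keys and signatures combined into a single key and signature, and the multisig needing two communication rounds) can be seen concretely in a few lines of code. The following is an added example for this thread, not code from the posts or from the Medium article. It uses Schnorr's original setting, a prime-order subgroup of Z_p^*, with toy 64-bit parameters constructed inside the block so it runs offline with only the standard library; the key-aggregation coefficients a_i = H(L || X_i) are the rule from the MuSig paper, assumed here as the aggregation method. Bitcoin would use secp256k1 with full-size parameters, and BLS aggregation, which needs a pairing-friendly curve, is not shown.

```python
"""Toy Schnorr signatures with key and signature aggregation (added example,
not from the thread or the Medium article). Constructed 64-bit group; far too
small for real use, present only so the example runs instantly offline."""
import hashlib
import secrets


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(start=(1 << 63) + 1):
    """Deterministic search for q prime with p = 2q + 1 prime; g = 4 has order q."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4  # 4 = 2^2 is a quadratic residue, so its order is q


GROUP = make_group()


def challenge(q, tag, *parts):
    """Hash a domain tag plus length-prefixed ints/bytes to a scalar mod q."""
    h = hashlib.sha256(tag.encode())
    for part in parts:
        data = part.to_bytes(16, "big") if isinstance(part, int) else part
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % q


def keygen(G=GROUP):
    p, q, g = G
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def sign(x, msg, G=GROUP):
    """Single-signer Schnorr: (R, s) with R = g^k and s = k + e*x mod q."""
    p, q, g = G
    k = secrets.randbelow(q - 1) + 1  # fresh random nonce; never reused
    R = pow(g, k, p)
    e = challenge(q, "sig", R, pow(g, x, p), msg)
    return R, (k + e * x) % q


def verify(X, msg, sig, G=GROUP):
    """g^s == R * X^e; the same check serves a single key and an aggregate key."""
    p, q, g = G
    R, s = sig
    e = challenge(q, "sig", R, X, msg)
    return pow(g, s, p) == R * pow(X, e, p) % p


def aggregate_keys(pubkeys, G=GROUP):
    """X_agg = prod X_i^{a_i}, a_i = H(L || X_i) (MuSig-style coefficients,
    assumed here; they stop a signer picking a key that cancels the others)."""
    p, q, g = G
    L = sorted(pubkeys)
    coeffs = [challenge(q, "agg", *L, X) for X in pubkeys]
    X_agg = 1
    for X, a in zip(pubkeys, coeffs):
        X_agg = X_agg * pow(X, a, p) % p
    return X_agg, coeffs


def musig_sign(privkeys, msg, G=GROUP):
    """n signers produce one (R, s) for the aggregate key in two rounds."""
    p, q, g = G
    pubkeys = [pow(g, x, p) for x in privkeys]
    X_agg, coeffs = aggregate_keys(pubkeys, G)
    # Round 1: each signer draws a nonce and shares only R_i = g^k_i.
    nonces = [secrets.randbelow(q - 1) + 1 for _ in privkeys]
    R_list = [pow(g, k, p) for k in nonces]
    # Round 2: the challenge depends on every R_i, so nobody can finish before
    # all R_i are exchanged; this is the "two communication rounds" cost.
    R_agg = 1
    for R in R_list:
        R_agg = R_agg * R % p
    e = challenge(q, "sig", R_agg, X_agg, msg)
    s = sum(k + e * a * x for k, a, x in zip(nonces, coeffs, privkeys)) % q
    return X_agg, (R_agg, s)


if __name__ == "__main__":
    keys = [keygen()[0] for _ in range(3)]
    X_agg, sig = musig_sign(keys, b"3-of-3 spend")
    print("aggregate verifies as one key:", verify(X_agg, b"3-of-3 spend", sig))
```

The verifier never learns how many keys stood behind `X_agg`; it runs the same `verify` as for a single key, which is the "nobody will find out that they correspond to multiple keys" property. Round 1 and round 2 in `musig_sign` are the two communication rounds the article complains about for cold storage, and the nonces are drawn at random precisely because a deterministic nonce cannot safely depend on the other signers' R_i.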
Carlton Banks
June 25, 2018, 11:27:48 PM
#4

Quote
There are a few issues though:

    Multisig scheme requires two communication rounds. This can be very annoying with cold storage.
    With signature aggregation we have to rely on random number generator — we can’t choose random point R deterministically like we do in ECDSA
    m-of-n multisig scheme is tricky — we need to make a merkle tree of public keys that can get pretty large for large m and n.
    We can't combine all signatures in the block to a single signature.

So Schnorr sigs are a compromise in those areas. Not familiar enough with the BLS scheme to compare them though (I think MAST improves the 3rd issue on that list when using Schnorr sigs, but doesn't nullify it)


Quote from: cellard
The immediate problem of a different address format is of course adoption of said address format: it is a mess at first, and takes time for users and merchants to set it up.

Are you sure that all changes involving signatures lead to a change in the address format?


Quote from: cellard
The controversy with SegWit is due to the anyonecanspend/mining cartel attack vector. Read posts by user anunymint. Anything that adds new angles to attack Bitcoin is always going to be controversial.

This is not a credible attack. Or at least no more credible than any other unilateral hard fork is. If a majority of hashpower imposes new rules on Bitcoin to steal Segwit addresses, why stop there?

cellard (OP)
June 25, 2018, 11:38:53 PM
Merited by Welsh (1), anunymint (1)
#5


Quote from: Carlton Banks
Are you sure that all changes involving signatures lead to a change in the address format?

I'm not sure whether Schnorr or BLS would require a new address format to benefit from the positives or not; I was asking about that.

Quote from: Carlton Banks
This is not a credible attack. Or at least no more credible than any other unilateral hard fork is. If a majority of hashpower imposes new rules on Bitcoin to steal Segwit addresses, why stop there?

It may not be credible to you, but it is credible to other people, hence why it was controversial. It doesn't even need to be practical in its execution: if the theory says it's possible, it will be controversial.

Miners could gather in a cartel and anonymously steal funds without any consequences for their reputation. They could send these coins back to legacy addresses and wait for confirmations to secure them eventually, so they increase their Bitcoin stacks without actually killing Bitcoin. They are miners and have tons of gear; it's in their incentive not to do so, so that's why they stop there. Of course some may argue whether Bitcoin would survive a post-SegWit attack scenario; that is not clear to me, but it just takes enough people thinking "this may be the opportunity of a lifetime" to start going up again. Anyone that invests after such a thing happening is probably going to be someone that knows what's going on, because I predict massive amounts of FUD about Bitcoin being dead, broken, unsafe etc. (which was never the case assuming the hashrate is still strong by then).
Carlton Banks
June 26, 2018, 12:02:29 AM
Merited by Welsh (1), ABCbits (1)
#6

Quote from: cellard
Miners could gather in a cartel and anonymously steal funds without any consequences for their reputation. They could send these coins back to legacy addresses and wait for confirmations to secure them eventually, so they increase their Bitcoin stacks without actually killing Bitcoin. They are miners and have tons of gear; it's in their incentive not to do so, so that's why they stop there. Of course some may argue whether Bitcoin would survive a post-SegWit attack scenario; that is not clear to me, but it just takes enough people thinking "this may be the opportunity of a lifetime" to start going up again. Anyone that invests after such a thing happening is probably going to be someone that knows what's going on, because I predict massive amounts of FUD about Bitcoin being dead, broken, unsafe etc. (which was never the case assuming the hashrate is still strong by then).

That makes very little sense at all, especially not the part where the new fork continues to have market value.

The miners need "tons of gear" because they need to change Bitcoin's rules to perform the attack. That means they can change any rules they like, not just reverting Segwit. Any 51% attack is always game over, so this attack isn't somehow something new.

LeGaulois
June 26, 2018, 09:07:59 AM
#7

If I am right, the Schnorr signature protocol doesn't change address formats, correct me if I am wrong

Carlton Banks
June 26, 2018, 01:23:32 PM
Merited by Foxpup (4), mindrust (2)
#8

Quote
The recovery of SegWit donations doesn’t require a 50+% attack. That you continue to repeat that nonsense exemplifies either your dishonesty or incompetence or both.

When the Satoshi miners start spending the anyonecanspend SegWit donations to themselves in blocks that they win, the Core protocol will fork off and not accept those blocks.

There will be two chains. So the Satoshi chain doesn’t need 50+% of the Core chain’s hashrate. The Satoshi protocol chain only needs enough hashrate to get the snowball rolling and then miners will be jumping for joy to go anonymously join in the bonanza.

If your proposed fork can't even get a majority hashrate, then everyone currently using Bitcoin will experience it as just the latest minority fork. That's no different to any other Bitcoin hardfork, with the attractive property that the miners following it will be exclusively composed of thieves.

No-one will realistically trust those miners to not steal coins again in another hard fork. Hence your "Satoshi" fork will actually be ThiefCoin, that zero users or businesses will follow. Price crashes, not even worth trying to sell the ThiefCoin airdrop.

You have a genius' 165 IQ, yet this is the best scare story you can summon up? Whatever test you took, ask for your money back IMO


Carlton Banks
June 26, 2018, 02:06:50 PM
Merited by Foxpup (2)
#9

Quote
You keep forgetting that SegWit is forever a donation in Bitcoin’s protocol.

So a hard fork is not needed if the protocol already permits to steal from Segwit addresses (which it doesn't). Get your argument together, you're floundering quite badly. Also, get a reputable IQ test.

DooMAD
June 26, 2018, 02:54:23 PM
Merited by anunymint (1)
#10

*ignoring anonymong's thread derailment and continuing with the actual topic*

Some are saying that BLS signatures would take longer to verify (and I think they've now edited the medium post to reflect this), so that would mean they're not necessarily an improvement over Schnorr in some areas.  It might save space, but if it's slower, that might cause other issues.  There are probably trade-offs whichever route we take.  

Carlton Banks
June 26, 2018, 04:00:04 PM
Merited by Foxpup (4), Xynerise (2), Welsh (1), hatshepsut93 (1), ABCbits (1)
#11

Anonymint

If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

cellard (OP)
June 26, 2018, 04:23:57 PM
#12

Quote from: Carlton Banks
The recovery of SegWit donations doesn’t require a 50+% attack. That you continue to repeat that nonsense exemplifies either your dishonesty or incompetence or both.

When the Satoshi miners start spending the anyonecanspend SegWit donations to themselves in blocks that they win, the Core protocol will fork off and not accept those blocks.

There will be two chains. So the Satoshi chain doesn’t need 50+% of the Core chain’s hashrate. The Satoshi protocol chain only needs enough hashrate to get the snowball rolling and then miners will be jumping for joy to go anonymously join in the bonanza.

If your proposed fork can't even get a majority hashrate, then everyone currently using Bitcoin will experience it as just the latest minority fork. That's no different to any other Bitcoin hardfork, with the attractive property that the miners following it will be exclusively composed of thieves.

No-one will realistically trust those miners to not steal coins again in another hard fork. Hence your "Satoshi" fork will actually be ThiefCoin, that zero users or businesses will follow. Price crashes, not even worth trying to sell the ThiefCoin airdrop.

You have a genius' 165 IQ, yet this is the best scare story you can summon up? Whatever test you took, ask for your money back IMO



You can never know if the hashrate supporting the SegWit-friendly fork is going to be honest in the future; you can't even know if they were part of the theft. Attempting to cartel up on legacy addresses doesn't take the same resources as moving SegWit addresses. If/after SegWit gets exposed, I fail to understand why anyone would ever trust a SegWit-supporting fork.

Quote from: Carlton Banks
Anonymint

If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

Wrong, I have always questioned if Bitcoin could survive a post-SegWit attack scenario and still do. Miners would need to consider if it's worth it, because if it ends up killing Bitcoin they would be left with massive amounts of useless gear they cannot use again to milk transactions, since trust in crypto as a whole would be lost. I don't believe this will happen 100% guaranteed, but you can't claim it will not happen 100% guaranteed (and if you do, it's a mistake); therefore it's only sane to move your funds to 1addresses. I don't lose anything by doing so.
Carlton Banks
June 26, 2018, 04:50:23 PM
Last edit: June 26, 2018, 07:22:22 PM by Carlton Banks
#13

Quote from: Carlton Banks
If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

Quote from: cellard
Wrong, I have always questioned if Bitcoin could survive a post-SegWit attack scenario and still do. Miners would need to consider if it's worth it, because if it ends up killing Bitcoin they would be left with massive amounts of useless gear they cannot use again to milk transactions, since trust in crypto as a whole would be lost. I don't believe this will happen 100% guaranteed, but you can't claim it will not happen 100% guaranteed (and if you do, it's a mistake); therefore it's only sane to move your funds to 1addresses. I don't lose anything by doing so.


Replies are for meaningful conversations, you have to say at least something about what the person you're replying to said.


You've got no reason to believe Segwit addresses are a special case somehow, if a hard fork is to steal BTC, then everything is up for grabs. Provide reasoning.

Why do you continue to evade this point? Is it because your whole argument relies on evading reality? *




* Notice how this (at least broadly) addresses your non-reply

Carlton Banks
June 26, 2018, 09:41:57 PM
Last edit: June 26, 2018, 09:54:24 PM by Carlton Banks
Merited by Foxpup (2), Xynerise (2)
#14

Quote
ANYONECANSPEND is put there so that any idiot scammers who want to soft fork provide the miners the means to force the soft fork to forkoff in a hard fork by taking P2SH transactions as donations. It is provided so that miners and the economic majority (i.e. the whales) decide when to cause a soft fork to hardfuckoff. It is also put there to give the useless idiots a belief that they have some political control over Bitcoin to serve as a spanking lesson about how Satoshi Bitcoin destroys and disintermediates politics (even disintermediating the sovereignty of nation-states with jurisdictional arbitrage).

Right, so Satoshi specifically introduced ANYONECANPAY so that miners would steal funds from any scripts using softforked protocol rules ? That's actually what your argument is?

And you've changed your argument, you're now claiming all P2SH funds are vulnerable? Have you changed your argument because of its inconsistency with the ways that ANYONECANPAY has been used before the Segwit soft fork to introduce new script types? What if you're ignorant about other script types that have been soft-forked using ANYONECANPAY backwards compatibility? Why wouldn't you be, after this concession? Do you know?

 
What about people who use P2SH as a way of using compressed keys? What next, are compressed keys anti-Satoshi too, whether P2SH wrapped or not? Have you thought any of this through? Will you change your argument again?


Quote
I am not worried at all. The future looks like $billionaire around the corner for me. Now if y’all don‘t mind, I will STFU because I can’t get my work done while arguing on BCT.

Please do, we're all really, really interested in the latest developments in your years of work on your coin. Or, any information at all would suffice, seeing as you've never produced even some beta testing code after 5 years of (a lot of) talk

Pine.cone
June 26, 2018, 10:00:38 PM
Merited by anunymint (1)
#15

Quote from: Carlton Banks
Anonymint

If you know Satoshi's protocol, you would know that ANYONECANPAY has existed since the very early days, and was always intended as a feature to upgrade script types such that old nodes didn't experience the new scripts as a hard fork, no doubt ANYONECANSPEND was used for the introduction of multisig addresses too (yet you're leaving those out of your TheftCoin idea for no reason at all). So you can keep pretending that the developers have deliberately created a vulnerable new spend type all you like, you're not fooling anyone (except apparently cellard, and your alter ego friend from trilemma.com).

Quote
You are mistaken yet again, OP_CHECKMULTISIG does not require P2SH:

https://bitcoin.org/en/glossary/multisig

Quote
ANYONECANSPEND is put there so that any idiot scammers who want to soft fork provide the miners the means to force the soft fork to forkoff in a hard fork by taking P2SH transactions as donations. It is provided so that miners and the economic majority (i.e. the whales) decide when to cause a soft fork to hardfuckoff. It is also put there to give the useless idiots a belief that they have some political control over Bitcoin to serve as a spanking lesson about how Satoshi Bitcoin destroys and disintermediates politics (even disintermediating the sovereignty of nation-states with jurisdictional arbitrage).

Quote
Gavin proposed OP_CHECKMULTISIG and P2SH. Let’s remember that Gavin and John Nash were both at Princeton at the same time. Hmm.

What we can see is that Satoshi put in some invariants (1MB block size, limited number of sigs in a multi-sig) that would tempt others to want to attempt to upgrade his protocol. Those upgrades (no matter how they would have been proposed in a BIP) would only be a soft fork if old clients treat them as “cannot decode”. If there’s UTXO that is “cannot decode” then miners can create a spend script which has no sig for the payer from that “cannot decode” UTXO to a new UTXO which is a standard output understood by the Satoshi protocol. So that is why I say although Gavin proposed P2SH, Satoshi actually designed ANYONECANSPEND into his original protocol via the invariants and what he knew humans would try to do to his protocol.


There is no doubt in mind that Bitcoin will prosper when Core is kicked off.

Bitcoin is not driven by these useless minnows who think Bitcoin was created to be a popular transaction scalability system.

Besides when someone releases a proof-of-stake system without the nothing-at-stake flaw, then the on-chain transaction scalability problem is going to disappear overnight.

That will drive huge widespread demand for cryptocurrency in general and Bitcoin will continue to be the unit-of-account for power money. Thus my work will actually help grow Bitcoin.

I am not worried at all. The future looks like $billionaire around the corner for me. Now if y’all don‘t mind, I will STFU because I can’t get my work done while arguing on BCT.

Hi, Newbie here

I posit that the "event" that results in Core being kicked off Bitcoin won't necessarily be greed motivated but will be a direct result of "Re-introducing imperial barnacles".

Can someone point me to more information about "Safe" addresses. Are those legacy addresses? Or just 1addresses? How best to create, use?


http://trilema.com/2017/integration-is-bad-for-bitcoin/
Quote
I. Re-introducing imperial barnacles into the Bitcoin protocol is of no service to the Republic and something the Empire is entirely dependent on. There is absolutely no conceivable reason you might have to open a ssl connection to whoever you're paying. If you're willing to do that, which is to say : if you're willing to include the Great Inca in your payment structure, just fucking send a wire. It will be "cheaper"[ii] and "safer" than dicking around with Bitcoin, which evidently is not for you.

II. Giving miners[iii] pretexts to break the protocol is not in anyone's interest (miners themselves included). Excluding a validly signed transaction for any reason is breakage of Bitcoin, and should not be tolerated for the directly obvious consideration : the reasons will change down the road.

So no, integration is not good for Bitcoin, irrespective of whether you mean "integration of NSA into your payment flow", or "integration of merchants and customers", or "integration of payers and miners" or any other kind. Bitcoin is valuable and powerful for being fragmentary, not for being unitary. There already exists such a thing as the unitary payment stack, and not only everyone hates paypal but moreover we're here in the first place because we wanted an alternative. Which we now have. What's the grand idea, "take these torrents and make them moar like netflix" ? That's not much of an idea, is it now!

Needless to say, the reference Bitcoin implementation as maintained by the Bitcoin foundation (not to be confused with various scammers' phishing attempts[iv]) will never implement or support such nonsense. I suppose, given Bitpay's absolutely minuscule size we don't even need to revisit 2015-era points about who's got the money and therefore who makes the rules.[v]

Never forget :

Bitcoin is valuable today because for the past five+ years I've been intransigently sinking each and every attempt of all the scum and barnacles sticking to its mighty hull to make it "more acceptable to governments" which is to say useless and stupid.

It was true in 2015 like it was true in 2013 like it is true in 2017 and like it will stay true in 2019.

http://trilema.com/2018/the-republic-without-mp/
Quote
-Snip
They'll want to have a Republic without MP, a WoT without the WoT, a Pizarro without the Pizarro, a this without the that. Absolutely typical pantsuitism,

-Snip

Bitcoin is feudal, you understand. Do you understand ?

Do you ?

The time while the lords are still even looking for more knights is drawing to a close, like all windows of opportunity ever
Carlton Banks
June 27, 2018, 06:19:04 PM
Last edit: June 27, 2018, 06:31:47 PM by Carlton Banks
Merited by ABCbits (1)
#16

Bitcoin version 0.1 cannot decode P2PKH (the type of address you claim is safe from the "booty" attack)

Explain why your theory means that miners won't steal every Bitcoin going back to the introduction of P2PKH scripts



(BIP 65 is a typo, I meant BIP66, strict canonical DER signatures :) )

goddog
June 27, 2018, 06:43:56 PM
Last edit: June 27, 2018, 06:57:04 PM by goddog
Merited by anunymint (1)
#17


Quote
Here's the major irony: this means P2PKH is out too, huh? Bitcoin addresses starting 1 are not safe either, miners will take it all as donations, Anonymint has spoken!!! Bitcoin 0.1 cannot decode P2PKH, it's back to P2PK for everyone! Hey that's kind of interesting, as only Satoshi era mining rewards are still held in P2PK outputs! Satoshi set everyone up, only his money from 2009 is safe, everyone else is going against his sacred immutability!

That's really the essence of your argument; anything that Bitcoin 0.1 cannot cope with is going to get eaten by a massive miner-led hardfork that takes us all the way back to January 3rd 2009. Have fun with that

TRB follows the Bitcoin 0.5.3 protocol (not Bitcoin 0.1 as you say), with some bug fixes. They call it Bitcoin 0.5.4. The fight began when P2SH was introduced (3addresses). MP did not like it and forked. I hope the main reason SegWit was introduced as a soft fork is because of MP and TRB. Most users use an updated version of the Core client and are able to update their node, so the only real reason I can think of is MP.

I was thinking like you, but reading Anonymint's arguments I began to reflect. I found MP and his followers are very powerful and influential, so his argument started to make some sense to me.

SegWit was a honeypot, as previous <cannotdecode> transactions were not really commonly used and large amounts of bitcoins were stored in the 1address format. Now with SegWit a lot of bitcoins will be stored on P2WSH and P2WPKH addresses, so the booty will grow too.

Bitcoin 0.5.4's rule, like Bitcoin 0.16's rule, is that the chain with the most accumulated PoW is valid. Witness data is not inside the blockchain, so its persistence cannot be guaranteed.

I see exchanges selling futures contracts, the ETH/ETC war, a lot of developers starting to act as politicians and forking the Bitcoin blockchain as the new fashionable way to airdrop shitcoins.

I don't know if a chain that steals all coins in cannotdecode outputs will have some value, but I hope it will happen for sure; the only question is: when?


EDIT: please stop spamming this topic in every thread. That's not fair. Start a new thread if you want to talk about a segwit theft
Carlton Banks
June 27, 2018, 07:36:31 PM
Last edit: July 13, 2018, 11:41:41 AM by mprep
#18

Quote from: goddog
TRB follows the Bitcoin 0.5.3 protocol (not Bitcoin 0.1 as you say), with some bug fixes. They call it Bitcoin 0.5.4.

Completely arbitrary according to the "cannot decode" basis of this proposed attack


If cannot decode "breaks Satoshi immutability" (such is the claim), then P2PKH (Bitcoin addresses beginning with 1) is also in violation, and hence unsafe to store money as it's subject to hard fork confiscation. There is no reason why miners shouldn't extend this attack to take all the Bitcoins from P2PKH addresses according to the "logic" of this hard forking attack


Any claims that this "Satoshi's Pure Bitcoin" has a following is a complete joke, there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely. I wonder why this Mircea Popescu troll account Anonymint is pushing this FUD now, it's not like we're in a bear market waiting to capitulate or anything :)

DooMAD
June 27, 2018, 07:55:33 PM
Last edit: June 27, 2018, 09:26:42 PM by DooMAD
#19

Quote from: cellard
Recently I've learned about BLS (Boneh-Lynn-Shacham) signatures and it sounds all great. Fixes the problems Schnorr brought to the table.

My questions are: Is this to be deployed with a hard-fork or soft-fork?

If it's a soft-fork, when can we expect it to happen? Since it would be a new address format if I'm not mistaken, would it be controversial like SegWit was? Also could we bypass Schnorr and just go BLS?

At this stage, I'd recommend posting a brand new, self-moderated, topic to discuss this elsewhere.  Then you can nuke anything off-topic.  I don't think we're going to salvage this one.


Quote from: Carlton Banks
there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely.

I wouldn't be so sure about that part.  I distinctly recall some of MP's fervent disciples openly encouraging client spoofing as a means to derail support for XT.  It's unlikely they're displaying their actual software version.  It's not difficult to change.  And it makes sense if you're an extremist who wants to stay under the radar.  I'd agree there probably aren't many "0.5.4." nodes running, but I suspect it's more than zero.

Last of the V8s
June 27, 2018, 08:43:17 PM
#20

Quote from: Carlton Banks
there are no 0.5 nodes at all on the Bitcoin network, that's zero precisely.

Quote from: DooMAD
I wouldn't be so sure about that part.  I distinctly recall some of MP's fervent disciples openly encouraging client spoofing as a means to derail support for XT.  It's unlikely they're displaying their actual software version.  It's not difficult to change.  And it makes sense if you're an extremist who wants to stay under the radar.  I'd agree there probably aren't many "0.5.4." nodes running, but I suspect it's more than zero.

It's ten TRB nodes for now: https://coin.dance/nodes (note you may need to follow this too http://btcbase.org/log-search?q=emergent+consensus lol)
