From: Garlo Nicon <garlonicon@gmail.com>
Date: Fri, 31 Oct 2025 14:19:03 +0100
Subject: Re: [bitcoindev] On (in)ability to embed data into Schnorr
To: waxwing/ AdamISZ <ekaggata@gmail.com>
Cc: Bitcoin Development Mailing List <bitcoindev@googlegroups.com>
Message-ID: <CAN7kyNhE39gJyV7xCRNpZAu-jkP7bu2DvkhZ7FdLsGxa-QLjQw@mail.gmail.com>
In-Reply-To: <0f6c92cc-e922-4d9f-9fdf-69384dcc4086n@googlegroups.com>
> if you can embed data into a (P, R, s) tuple (Schnorr pubkey and signature, BIP340 style), without grinding or using a sidechannel to "inform" the reader, you must be leaking your private key

You can embed data into a valid signature. For example:

R=k*G
P=d*G
k=first_chunk_of_data
d=second_chunk_of_data

And then the keys are "weak", because people can use a "known plaintext attack" to get them. However, if you want to push random data that is unknown to the reader, then it is known only by the holder of the data.

Which means that the efficiency of this encoding is somewhere around 66%; by grinding SHA-256 hashes, it could probably reach around 70% in practice. Only the s-value needs any grinding; for the k-value and d-value, you need only the data, and nothing else.

So, I guess it is a spectrum: something like 70% efficiency means that you need a "known plaintext attack" to get the data. And then you can use fewer and fewer bits per public key, to make it arbitrarily weaker. Then, instead of relying on a timelock, you can rely on computation difficulty for the reader, for example: "how many bits I need to leak to make it breakable by a lattice attack".

On Wed, 1 Oct 2025 at 21:50, waxwing/ AdamISZ <ekaggata@gmail.com> wrote:
> Hi all,
>
> https://github.com/AdamISZ/schnorr-unembeddability/
>
> Here I'm analyzing whether the following statement is true: "if you can
> embed data into a (P, R, s) tuple (Schnorr pubkey and signature, BIP340
> style), without grinding or using a sidechannel to "inform" the reader, you
> must be leaking your private key".
>
> See the abstract for a slightly more fleshed out context.
>
> I'm curious about the case of P, R, s published in utxos to prevent usage
> of utxos as data. I think this answers in the half-affirmative: you can
> only embed data by leaking the privkey so that it (can) immediately fall
> out of the utxo set.
>
> (To emphasize, this is different to the earlier observations (including by
> me!) that just say it is *possible* to leak data by leaking the private
> key; here I'm trying to prove that there is *no other way*).
>
> However I still am probably in the large majority that thinks it's
> appalling to imagine a sig attached to every pubkey onchain.
>
> Either way, I found it very interesting! Perhaps others will find the
> analysis valuable.
>
> Feedback (especially of the "that's wrong/that's not meaningful" variety)
> appreciated.
>
> Regards,
> AdamISZ/waxwing
>
> --
> You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/0f6c92cc-e922-4d9f-9fdf-69384dcc4086n%40googlegroups.com.

--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAN7kyNhE39gJyV7xCRNpZAu-jkP7bu2DvkhZ7FdLsGxa-QLjQw%40mail.gmail.com.
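Added example (not code from Garlo Nicon, from AdamISZ, or from the linked schnorr-unembeddability repository): a small pure-Python BIP340 signer and verifier over secp256k1 that builds a (P, R, s) tuple exactly as the reply describes, k = first chunk, d = second chunk, confirms that it verifies as an ordinary signature, and then runs the "known plaintext attack" the reply mentions: a reader who knows the chunk used as k solves s = k + e*d for d and now holds the private key, which is the leak that AdamISZ's statement is about. Assumptions: Python 3.8+ (for pow(x, -1, m)); the curve constants and the tagged challenge hash are the real BIP340 ones; the two 32-byte chunks and the message are constructed for this illustration; the nonce is supplied by the caller instead of being derived from key and message as BIP340 specifies, and the arithmetic is variable-time, so this is a teaching model, not a production signer.

```python
import hashlib

# secp256k1 domain parameters, the curve BIP340 is defined over (real constants).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def point_mul(k, P):
    """Double-and-add scalar multiplication (variable-time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def lift_x(x):
    """BIP340 lift_x: the curve point with x-coordinate x and even y, or None."""
    y_sq = (pow(x, 3, p) + 7) % p
    y = pow(y_sq, (p + 1) // 4, p)  # p = 3 mod 4, so this is a square root if one exists
    if x >= p or y * y % p != y_sq:
        return None
    return (x, y if y % 2 == 0 else p - y)


def challenge(rx, px, msg):
    """BIP340 challenge e = tagged_hash("BIP0340/challenge", R.x || P.x || m) mod n."""
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    return int.from_bytes(hashlib.sha256(tag + tag + rx + px + msg).digest(), "big") % n


def sign_with_chosen_scalars(d, k, msg):
    """BIP340 signing with key d and nonce k supplied by the caller (the mail's
    k = first chunk, d = second chunk). Returns (x-only pubkey, 64-byte sig)."""
    P = point_mul(d, G)
    if P[1] % 2:
        d = n - d  # BIP340 rule: use the key whose point has even y
    R = point_mul(k, G)
    if R[1] % 2:
        k = n - k  # same rule for the nonce
    px, rx = P[0].to_bytes(32, "big"), R[0].to_bytes(32, "big")
    s = (k + challenge(rx, px, msg) * d) % n
    return px, rx + s.to_bytes(32, "big")


def verify(px, sig, msg):
    """Standard BIP340 verification; a verifier cannot tell the scalars were data."""
    P = lift_x(int.from_bytes(px, "big"))
    r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if P is None or r >= p or s >= n:
        return False
    e = challenge(sig[:32], px, msg)
    R = point_add(point_mul(s, G), point_mul(n - e, P))
    return R is not None and R[1] % 2 == 0 and R[0] == r


def recover_key_from_known_nonce(px, sig, msg, known_k):
    """The mail's 'known plaintext attack': a reader who knows the k chunk solves
    s = k + e*d for d. Signing may have negated k to make R even, so both k and
    n-k are tried; the candidate reproducing P is the private key (up to sign)."""
    s = int.from_bytes(sig[32:], "big")
    e_inv = pow(challenge(sig[:32], px, msg), -1, n)
    for k in (known_k, n - known_k):
        d = (s - k) * e_inv % n
        if d and point_mul(d, G)[0] == int.from_bytes(px, "big"):
            return d
    return None


# Constructed sample payload (not from the thread): two 32-byte chunks used as scalars.
CHUNK_K = b"constructed-chunk-one-of-32bytes"
CHUNK_D = b"constructed-chunk-two-of-32bytes"
MSG = hashlib.sha256(b"constructed message").digest()  # constructed 32-byte message


def demo():
    """Returns (signature verifies, private key recovered from the known k chunk)."""
    d, k = int.from_bytes(CHUNK_D, "big"), int.from_bytes(CHUNK_K, "big")
    px, sig = sign_with_chosen_scalars(d, k, MSG)
    recovered = recover_key_from_known_nonce(px, sig, MSG, k)
    return verify(px, sig, MSG), recovered in (d, n - d)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The same linear relation runs the other way: a reader who knows d computes k = s - e*d and reads the first chunk, so neither chunk stays private once the other is known. When the reader knows neither, recovering a chunk from P or R alone is a discrete-log problem, which is the "spectrum" between a hidden payload and a leaked key that the reply describes.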