From: Peter Todd <pete@petertodd.org>
To: Anthony Towns <aj@erisian.com.au>
Cc: Murch <murch@murch.one>, bitcoindev@googlegroups.com
Subject: Re: [bitcoindev] One Time Signatures ≠ One Message Signed
Date: Mon, 8 Jun 2026 10:04:56 +0000 [thread overview]
Message-ID: <aiaTyHPHzrj3iZ_8@petertodd.org> (raw)
In-Reply-To: <aiKAytZNfih0ABff@erisian.com.au>
[-- Attachment #1: Type: text/plain, Size: 1725 bytes --]
On Fri, Jun 05, 2026 at 05:54:50PM +1000, Anthony Towns wrote:
> On Thu, Jun 04, 2026 at 11:01:25AM +0000, Peter Todd wrote:
> > Note that you can design a message signing scheme where you can use a pubkey to
> > sign a merkle tree of messages. In the case of a transaction, multiple
> > conflicting versions of the transaction with different fee rates.
>
> There's a balance to be had between what's considered part of the message
> signing scheme versus what's part of the scripting language.
>
> The scheme above could also be thought of as signing a single message
> "spend this utxo is valid if this script's conditions are meant",
> where the script is "or(fee <= 0.5, and(nSequence >= 100, fee <= 1.0),
> and(nSequence >= 1000, fee <= 30.0))"
No, that's a very different scheme. Also, I believe it is vulnerable to miners
simply picking the best possible fee rate for them; nSequence isn't big enough
to avoid being guessed.
Indeed, I neglected to point out something important in the above: you probably
want to include secret nonces (or similar) in each individual branch of the
signature tree, to ensure that different versions of it can't be brute forced.
Thus to reveal a new option for miners, you make public a previously secret
nonce. 128-bits would be sufficiently large to prevent brute-forcing.
--
https://petertodd.org 'peter'[:-1]@petertodd.org
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/aiaTyHPHzrj3iZ_8%40petertodd.org.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
prev parent reply other threads:[~2026-06-08 10:45 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-20 17:41 [bitcoindev] One Time Signatures as an Advantage? Jason Resch
2026-05-21 9:54 ` 'Mikhail Kudinov' via Bitcoin Development Mailing List
2026-05-21 13:33 ` Jason Resch
2026-05-28 17:25 ` Murch
2026-06-04 11:01 ` [bitcoindev] One Time Signatures ≠ One Message Signed Peter Todd
2026-06-05 7:54 ` Anthony Towns
2026-06-08 10:04 ` Peter Todd [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aiaTyHPHzrj3iZ_8@petertodd.org \
--to=pete@petertodd.org \
--cc=aj@erisian.com.au \
--cc=bitcoindev@googlegroups.com \
--cc=murch@murch.one \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox