> Yes, that's an intentional design choice in BIP340, see note 5: > https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#cite_ref-5-0. > The choice is either batch verifiability or public key recovery.
The way I understood the BIP, was that a user can do batch recovery or single-key recovery. Can you explain how it is possible to recover a public key from a single-key signature, because a few days earlier on the BIP-notatether-messageverify thread I was told (I think it was achow) that Schnorr doesn't allow for public key recovery. At any case, I was already planning on just concatenating the public key after the signature (the other option I was thinking of, appending it after the Taproot address, is quite unruly in my opinion). > I think it would be much better if people would cooperate to get BIP322 to > move forward than to keep inventing other formats. It's the obvious solution > in my opinion: not restricted to single-key policies, compatible with every > script type, and trivially extensible to future schemes. This is why I especially tried to avoid making a new format - My BIP is strictly an Informational one. That strategy worked pretty well up to now, but now I find myself forced to make a small concession in the design to support the verification of Taproot address. But I'm glad it's quite trivial as appending a single variable. So at least this BIP won't be an obstacle to any such effort. [Besides, since I'm also planning on detecting BIP137 in the verification methods, I can assume the Signature field contains arbitrary data.] > > , just like BIP340). > > > How so? Every taproot compatible wallet has a BIP340 implementation. I guess I made an assumption, since almost all of the wallets I have seen did not have a sign message feature, not even for legacy addresses. - Ali ------- Original Message ------- On Thursday, July 28th, 2022 at 3:27 PM, Pieter Wuille <bitcoin-...@wuille.net> wrote: > ------- Original Message ------- > On Thursday, July 28th, 2022 at 3:27 AM, Ali Sherief via bitcoin-dev > bitcoin-dev@lists.linuxfoundation.org wrote: > > > Essentially, zero-knowledge proofs such as Schnorr are not compatible with > > address message signing - the public key cannot be retrieved from the > > address or the signature, so the address does not actually prove the > > authenticity of a Schnorr signature. That's why the public key is required > > as an input in the first place. > > > Yes, that's an intentional design choice in BIP340, see note 5: > https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki#cite_ref-5-0. > The choice is either batch verifiability or public key recovery. > > I regret ever using public key recovery when introducing the old legacy > message signing scheme. It should just have used script signatures like > BIP322 proposes. > > > In order to make it compatible with the address signing mechanism, the > > zero-knowledge part would have to be sacrificed in my BIP, or else a > > completely separate message signing format just for Taproot would be > > required > > > You can avoid relying on public key recovery, and include the public key + > BIP340 signature in the encoded signature. > > > (which, in my view, is redundant - there is already the draft BIP322 which > > can verify anything and everything, but nobody is implementing that > > > I think it would be much better if people would cooperate to get BIP322 to > move forward than to keep inventing other formats. It's the obvious solution > in my opinion: not restricted to single-key policies, compatible with every > script type, and trivially extensible to future schemes. > > > , just like BIP340). > > > How so? Every taproot compatible wallet has a BIP340 implementation. > > Cheers, > > -- > Pieter _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
