|
| 1 | +--- |
| 2 | +title: 'Bitcoin Optech Newsletter #35' |
| 3 | +permalink: /en/newsletters/2019/02/26/ |
| 4 | +name: 2019-02-26-newsletter |
| 5 | +type: newsletter |
| 6 | +layout: newsletter |
| 7 | +lang: en |
| 8 | +--- |
| 9 | +This week's newsletter describes the availability of a libsecp256k1 fork |
| 10 | +implementing BIP-Schnorr compatible signatures, lists popular questions |
| 11 | +and answers for February from the Bitcoin StackExchange, and describes |
| 12 | +notable merges in popular Bitcoin infrastructure projects. |
| 13 | + |
| 14 | +## Action items |
| 15 | + |
| 16 | +None this week. |
| 17 | + |
| 18 | +## News |
| 19 | + |
| 20 | +- **Schnorr-ready fork of libsecp256k1 available:** Blockstream |
| 21 | + cryptographer Andrew Poelstra [announced][schnorr libsecp256k1-zkp] |
| 22 | + that the [libsecp256k1-zkp][] library used in [Elements Project][] |
| 23 | + based sidechains (such as [Liquid][]) now supports [BIP-Schnorr][] |
| 24 | + compatible signatures in a variety of configurations: |
| 25 | + |
| 26 | + - Basic single pubkeys and signatures. These are almost identical |
| 27 | + in use to those with Bitcoin's current ECDSA algorithm, although |
| 28 | + signatures are serialized to use about eight fewer bytes and can |
| 29 | + be efficiently verified in batches. |
| 30 | + |
| 31 | + - [MuSig][] for multiparty signatures. Onchain, these look |
| 32 | + identical to single pubkeys and signatures but the public keys and |
| 33 | + signatures are generated by a set of |
| 34 | + private keys using a multi-step protocol. Whereas |
| 35 | + multisig using current Bitcoin Script requires *n* pubkeys |
| 36 | + and *k* signatures for k-of-n multisig security, MuSig can provide the |
| 37 | + same security using just one public key and one signature---reducing |
| 38 | + block chain space, improving verification efficiency, increasing |
| 39 | + privacy, and allowing much larger sets of signers than supported |
| 40 | + by Bitcoin Script's current byte-size and signature-operation |
| 41 | + limits. But it does have two downsides: the increase in privacy |
| 42 | + also destroys provable accountability---there's no way to know |
| 43 | + which particular authorized signers were part of the subset that |
| 44 | + created a signature---and the multi-step protocol requires |
| 45 | + especially careful management of secret nonces to avoid accidentally |
| 46 | + revealing private keys. Addressing the second issue, Poelstra's post details |
| 47 | + how libsecp256k1-zkp attempts to minimize the risk of |
| 48 | + nonce-related failures and teases the possibility of even better |
| 49 | + solutions in the future. |
| 50 | + |
| 51 | + - Adapter signatures for scriptless scripts. Using a multi-step |
| 52 | + protocol, Alice can prove to Bob that her final signature for |
| 53 | + spending a certain payment will reveal to him a value that will |
| 54 | + satisfy some specified condition. For example, that value could |
| 55 | + be another signature that will allow Bob himself to claim a |
| 56 | + certain other payment, such as an atomic swap or an LN payment |
| 57 | + commitment. To everyone besides Alice and Bob, the signature is |
| 58 | + just another valid signature with no special meaning. This can |
| 59 | + often improve the privacy and efficiency of the onchain parts of |
| 60 | + protocols by removing the need for including special data onchain, |
| 61 | + such as the current use of hashes and hashlocks in atomic swaps |
| 62 | + and LN payment commitments. |
| 63 | + |
| 64 | + The updated library doesn't make the features available on |
| 65 | + sidechains by itself, but it does provide the code upon which both |
| 66 | + signature generation and verification can be performed---allowing |
| 67 | + developers to build the tools necessary to put Schnorr-based systems |
| 68 | + into production. It is hoped that the code will receive additional |
| 69 | + review and be ported into the upstream [libsecp256k1][] library for |
| 70 | + eventual use in Bitcoin Core related to a soft fork proposal. To |
| 71 | + learn more, read the [blog post][schnorr libsecp256k1-zkp] or |
| 72 | + [developer documentation][schnorr docs]. |
| 73 | + |
| 74 | +## Selected Q&A from Bitcoin StackExchange |
| 75 | + |
| 76 | +*[Bitcoin StackExchange][bitcoin.se] is one of the first places Optech |
| 77 | +contributors look for answers to their questions---or when we have a |
| 78 | +few spare moments of time to help curious or confused users. In |
| 79 | +this monthly feature, we highlight some of the top voted questions and |
| 80 | +answers made since our last update.* |
| 81 | + |
| 82 | +{% comment %}<!-- https://bitcoin.stackexchange.com/search?tab=votes&q=created%3a1m..%20is%3aanswer -->{% endcomment %} |
| 83 | +{% assign bse = "https://bitcoin.stackexchange.com/a/" %} |
| 84 | + |
| 85 | +- [Why does BIP44 have internal and external addresses?]({{bse}}84594) |
| 86 | + External addresses are those you give to other people so that they can |
| 87 | + pay you; internal addresses are those you include in your own |
| 88 | + transactions for receiving change. Pieter Wuille explains that |
| 89 | + [BIP32][], upon which [BIP44][] is based, encourages using separate |
| 90 | + derivation paths for these keys in case you need to prove to an |
| 91 | + auditor how much money you've received but not how much money you've |
| 92 | + spent (or have left). By giving the auditor the extended public key |
| 93 | + (xpub) for just the external addresses, he can track your received |
| 94 | + payments but still not receive any direct information about your |
| 95 | + spending or current balance via the change addresses. |
| 96 | + |
| 97 | +- [Taproot and scriptless scripts both use Schnorr, but how are they |
| 98 | + different?]({{bse}}84086) In separate answers, Gregory Maxwell and |
| 99 | + Andrew Chow each describe the differences between these two proposed |
| 100 | + uses of Schnorr-based signatures. Also includes a description of |
| 101 | + adapter signatures, which can be used to enhance the efficiency and |
| 102 | + privacy of trustless contract protocols. |
| 103 | + |
| 104 | +- [How much of block propagation time is used in verification?]({{bse}}84045) |
| 105 | + Gregory Maxwell explains that it's probably closer to 0% than 1% for |
| 106 | + the normal case, but that it can be much larger for a worst case block |
| 107 | + that was specifically constructed to take a long time to verify. |
| 108 | + |
| 109 | +## Notable code and documentation changes |
| 110 | + |
| 111 | +*Notable changes this week in [Bitcoin Core][bitcoin core repo], |
| 112 | +[LND][lnd repo], [C-Lightning][c-lightning repo], [Eclair][eclair repo], |
| 113 | +[libsecp256k1][libsecp256k1 repo], and [Bitcoin Improvement Proposals |
| 114 | +(BIPs)][bips repo].* |
| 115 | + |
| 116 | +- [Bitcoin Core #15348][] adds a [productivity hints][] document |
| 117 | + describing tools and techniques developers have found to improve their |
| 118 | + efficiency. Although some are specific to Bitcoin Core and C++ |
| 119 | + development, others more generally apply to anyone who develops with |
| 120 | + git or GitHub. |
| 121 | + |
| 122 | +- [C-Lightning #2343][] provides the project's existing documentation in |
| 123 | + a nicer format at [ReadTheDocs.io][cl rtd]. |
| 124 | + |
| 125 | +- [C-Lightning #2353][], [#2360][C-Lightning #2360], and |
| 126 | + [#2365][C-Lightning #2365] updates various RPCs to now accept values |
| 127 | + suffixed with "btc", "sat", or "msat" to indicate the denomination of |
| 128 | + the value. The "btc" value allows up to 11 decimal places and the |
| 129 | + "sat" value up to 3 decimal places but, in both cases, the last three |
| 130 | + of these places must be zeroes for onchain operations where the extra |
| 131 | + precision isn't supported by the Bitcoin protocol. Other RPCs return |
| 132 | + new fields ending in `_msat` that always contain the millisatoshi |
| 133 | + value. Several internal API changes are also made. |
| 134 | + |
| 135 | +- [C-Lightning #2380][] requires transactions have at least one |
| 136 | + confirmation before the wallet will attempt to spend their bitcoins by |
| 137 | + default. This fixes a problem where the wallet would attempt to spend |
| 138 | + its own unconfirmed change outputs but those payments would sometimes |
| 139 | + get stuck because the earlier payments weren't confirming quickly. |
| 140 | + Several RPCs related to payments receive a `minconf` parameter that |
| 141 | + defaults to `1` but can be set to `0` to continue the old behavior or |
| 142 | + set to a higher value if desired. |
| 143 | + |
| 144 | +- [Eclair #821][] improves the heuristics used to help find |
| 145 | + a good route over which to send a payment. |
| 146 | + |
| 147 | +{% include references.md %} |
| 148 | +{% include linkers/issues.md issues="15348,2419,2343,2353,2360,2365,2380,821" %} |
| 149 | +[schnorr libsecp256k1-zkp]: https://blockstream.com/2019/02/18/musig-a-new-multisignature-standard/ |
| 150 | +[libsecp256k1-zkp]: https://github.com/ElementsProject/secp256k1-zkp |
| 151 | +[cl rtd]: https://lightning.readthedocs.io/ |
| 152 | +[elements project]: https://elementsproject.org/ |
| 153 | +[liquid]: https://blockstream.com/liquid/ |
| 154 | +[schnorr docs]: https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md |
| 155 | +[productivity hints]: https://github.com/bitcoin/bitcoin/blob/master/doc/productivity.md |
| 156 | + |
0 commit comments