Dmitry Petukhov has implemented low-R grinding in python-bitcointx 1.1.2dev (not in a release yet), and this behaviour would align it with Core.

(What's "low-R grinding"? The nonce can be anything in an ECDSA signature, so we would like to shave off a byte if we can by making the EC point "R" be smaller than half the max (DER's exotic behaviour plays in here); though the nonce generation is deterministic, space for extra randomness is allowed in RFC6979, see section 3.6).

#bitcoin

See github.com/Simplexum/python-bi

Background:

ECDSA sigs are (R, s), R is an EC point, s is a scalar.

R has for a long time by most libraries been generated "deterministically" (to avoid f-ups in sourcing randomness), by doing a very fancy version of "hash the message and the private key", that fancy version is called RFC6979. low-R grinding can make it a tiny bit smaller, on average.

If different wallets do/do not grind, that's a potential fingerprint.

Follow

@waxwing Good argument for fixed length serializations...

@pete right, DER, sheesh, and let's not even get into ASN 1 in general , oh the horror ...

@pete fwiw i didn't read the discussions at the time, but i probably would have been a NACK on this in Core, i don't see the point of adding such code for (on average) less than one byte's difference. I'd be curious why my assessment is wrong, there.

@waxwing @pete If applied to all transactions, it'd add roughly a block per day of extra capacity to the network for an entropy reduction of 1 bit per sig. That seems like a good tradeoff to me.

You mention the fingerprinting risk, but at the time it was implemented, Bitcoin Core was also one of the only wallets using anti-fee-sniping, which is an even stronger fingerprint. Now there are a few other wallets doing that (including C-Lightning, which also low-R grinds).

@harding @pete yes, now you mention it, I do remember the reporting. thanks.
Back of the envelope it makes sense, we're talking on the order of 1% (2 bytes, maybe, out of 200, maybe). It sounds bigger when you say "a block a day" :) I think that is a very small win (I even remember vaguely thinking that at the time), but of course it doesn't mean my assessment of the effort vs the effect is correct.
Re: anti-fee sniping, yep agreed, I know Electrum and JM both match that, as well as c-lightning.

@waxwing With serialization, you can always get the benefits of variable-length by having a fixed-size format and compressing the zeros with a compression layer.

Sign in to participate in the conversation
Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!