Dmitry Petukhov has implemented low-R grinding in python-bitcointx 1.1.2dev (not in a release yet), and this behaviour would align it with Core.
(What's "low-R grinding"? The nonce can be anything in an ECDSA signature, so we would like to shave off a byte if we can by making the EC point "R" be smaller than half the max (DER's exotic behaviour plays in here); though the nonce generation is deterministic, space for extra randomness is allowed in RFC6979, see section 3.6).
@pete fwiw i didn't read the discussions at the time, but i probably would have been a NACK on this in Core, i don't see the point of adding such code for (on average) less than one byte's difference. I'd be curious why my assessment is wrong, there.
@waxwing @pete If applied to all transactions, it'd add roughly a block per day of extra capacity to the network for an entropy reduction of 1 bit per sig. That seems like a good tradeoff to me.
You mention the fingerprinting risk, but at the time it was implemented, Bitcoin Core was also one of the only wallets using anti-fee-sniping, which is an even stronger fingerprint. Now there are a few other wallets doing that (including C-Lightning, which also low-R grinds).
@waxwing @pete FWIW, here's the times when Optech has reported on this:
- https://bitcoinops.org/en/newsletters/2018/08/14/#bitcoin-core-wallet-to-begin-only-creating-low-r-signatures
- https://bitcoinops.org/en/newsletters/2019/11/06/#c-lightning-3220
@harding @pete yes, now you mention it, I do remember the reporting. thanks.
Back of the envelope it makes sense, we're talking on the order of 1% (2 bytes, maybe, out of 200, maybe). It sounds bigger when you say "a block a day" :) I think that is a very small win (I even remember vaguely thinking that at the time), but of course it doesn't mean my assessment of the effort vs the effect is correct.
Re: anti-fee sniping, yep agreed, I know Electrum and JM both match that, as well as c-lightning.
@waxwing @harding @pete fwiw stats on low-r values:
https://transactionfee.info/charts/bitcoin-script-ecdsa-r-value/
@harding @waxwing @pete
FWIW NBitcoin implemented it at the same time as Bitcoin Core. https://github.com/MetacoSA/NBitcoin/pull/510
@lontivero @waxwing @pete Nice!
@waxwing With serialization, you can always get the benefits of variable-length by having a fixed-size format and compressing the zeros with a compression layer.
@pete right, DER, sheesh, and let's not even get into ASN.1 in general, oh the horror ...