Squareness vs oddness tie-breaker for public keys about bips HOT 8 CLOSED

I don't know if we care about this ~5us speedup at signing time (because when you do care, perhaps you want signing with precomputed public key data, which avoids this cost in both cases), but there seems to be basically no gain apart from consistency with R (which is arguably very different, as handling of R is generally limited in scope to the signing code, while public keys are obviously exposed to applications (and things like the taproot tweak break the perfect blackboxy ness of them).

I think the question is not so much whether we care. We care about the details, and here it seems to me that switching to oddness is faster and it's basically for free because there is no point in consistency.

• As you point out, handling R is fully internally anyway.
• I would care about consistency if it was to avoid implementing two algorithms. But in this case, the oddnest test is a one-line algorithm.
• I think then consistency with existing keys is actually the nicer consistency because -- as you point out -- public keys (and their tie-breaker to some extent) are user-facing and sticking to the thing that people and that is mathematically simpler is probably better for implementers.

from bips.

@roconnor-blockstream pointed on IRC that the even-tiebreaker also adds a normalization step to the verifier.

from bips.

careful with too much public key consistency. That's how you people blowing their security by using the same key/nonce with ecdsa and schnorr, or burning their coins by writing uncompressed pubkeys into the output. :P

I don't think this one matters too much one way or another. It's nice if the flagged public key can just be an ordinary 'compressed' public key.

Looks like 'oddness' (yuck) for the pubkey would just plain be faster because jacobi is slower than a multiply, unlike for r and we get the square and inverse for free as a product of the x projection to affine. Even if you assume that the pubkey is going to be precomputed in signing (as it should be), that precomputation would still be faster.

@sipa and half a negate.

from bips.

So, I think we should change BIP340 to use implicit-even as tiebreaker. To avoid inconsistently breaking potential code people may have written already, we should probably also change the challenge hash tag. How about "Schnorr/secp256k1" or so?

from bips.

This also means changing BIP341 to change the flag in the control block to be the odd/even bit of Q, rather than its squaredness.

Implementation-wise, I wonder if this means we can't just drop a bunch of the x-only code, and just use the existing pubkey tweaking functions in the consensus verifier.

from bips.

I share the slight preference for implicit-even as tiebreaker because it simplifies the scheme (by avoiding the jacobi symbol), despite the additional verification branch. Also, implementation-wise this makes the full/auxiliary pubkey type identical to the existing one and there's no need for a tiebreaker flag.

As for compatibility between auxiliary/flagged and compressed pubkeys, it seems like compressed pubkeys are already compatible with xonly pubkeys. An adversary can easily convert between the two. At least I'm not able to come up with a non-adverserial scenario or practical attack where this matters.

from bips.

I think the only reason squareness was chosen over evenness was because we'd already specced has_square_y(P) and P = lift_x(x) conversion functions for dealing with R. Switching to evenness sounds like a good tradeoff if it makes implementation/use a bit easier.

from bips.

Fixed by #192.

from bips.