Author: Dr Adam Back 2019-01-22 20:22:36
Published on: 2019-01-22T20:22:36+00:00
The Brands n-show credential uses a precommitment like single show where the address becomes A=H(R,Q) with Q as the public key, and n-show becomes A=H(R1,...,Rn,Q). Signing requires providing i,Ri,Q to satisfy a ScriptPubKey that includes the three. The method used would work for Schnorr or DSA, but one must be careful not to use related nonces (k=nonce committed to by R=kG), as they are highly vulnerable to simultaneous equation two samples solvable. There was a 2013 era #bitcoin-wizards discussion on this topic where if you spend twice miners can take your money, as a strong way to "discourage" address reuse. One side effect is requiring ACID log oriented storage on wallets, which could pose a risk model similar to lightning penalty. Wallets with low power devices or in VMs could be snapshotted or rolled back. The fragility to related nonces, and cost of ACID log structured storage levels of reliability in wallets makes it important to store the Ri values in a merkle tree to avoid providing n inputs, but log(n) or some other structuring. Another possibility to derive R values unique for each block height is through standard hierarchical derivation, and revealing the staking pubkey to the sidechain network as actually being `staking_pubkey = P + hash(P || parent_R) * G` to sign for a blockheight h using public key P and the specific R derived from hierarchical derivation from parent_R and the blockheight as index.
Updated on: 2023-06-13T16:42:02.579416+00:00