Public key recovery for EC leaves in P2MR (BIP-360)

Posted by conduition

Jun 10, 2026/22:35 UTC

The discussion revolves around a potential abstraction of a cryptographic scheme, specifically adapting an idea initially discussed in relation to Bitcoin into a general-purpose signature mechanism that can stand securely on its own. The core of this scheme involves the use of a secret key and auxiliary data. The secret key is represented by a scalar value $0 < p < n$, while the auxiliary data is denoted as $d$. In terms of public verification, the public key is constructed through a hashing process that commits both to the product of the scalar and a generator point ($pG$) along with the auxiliary data ($d$), formulated mathematically as $q = H(pG, d)$.

In the signing process, the method employs a Schnorr signature approach, where the message is prefixed not only by the public key but also by the auxiliary data. The signature generation involves several steps: selecting a random scalar $r$ from a set $\mathbb Z_n$, computing a commitment $R = rG$, and creating a challenge $e = H(R | q | d | m)$. The response to this challenge is computed as $s = r + ep$. This process reflects the Fiat-Shamir transformation typical in Schnorr signatures and other sigma protocols.

For verification, the verifier engages in checking the validity of the signature by comparing the hashed output of specific operations involving the signature, the commitment, and the auxiliary data against the public key. Specifically, the verifier calculates if $q \stackrel{?}{=} H(e^{-1}(sG - R), d)$. This step essentially ensures that the signed message and the commitment correspond correctly under the hashed conditions.

While this scheme integrates general elements of cryptographic security, it treats the auxiliary data $d$ as opaque, meaning it does not fully encapsulate or address all the security nuances associated with more complex data structures like the P2MR control block noted in Bitcoin contexts. Thus, while the abstracted signature scheme holds theoretical security under the described operations, its application might need further adaptations to fully capture the security properties of systems with more intricate auxiliary data requirements.

Link to Raw Post
Bitcoin Logo

TLDR

Join Our Newsletter

We’ll email you summaries of the latest discussions from high signal bitcoin sources, like bitcoin-dev, lightning-dev, and Delving Bitcoin.

Explore all Products

ChatBTC imageBitcoin searchBitcoin TranscriptsSaving SatoshiDecoding BitcoinWarnet
Built with 🧡 by the Bitcoin Dev Project
View our public visitor count

We'd love to hear your feedback on this project.

Give Feedback