bitcoin-dev

BIP: DLEQ

Original Post by waxwing/AdamISZ

Posted on: October 25, 2024 14:49 UTC

The email highlights several considerations and suggestions regarding the design of a cryptographic protocol, emphasizing flexibility for future application across various protocols.

The sender expresses a desire to see the Fiat-Shamir challenge incorporate space for a message (m), noting that such an inclusion is useful for making Zero-Knowledge Proofs of Knowledge (ZKPoKs) transferable. This suggestion stems from the observation that the current design focuses on a single generator (G), the default for secp, which may be too restrictive. More complex protocols may require Discrete Logarithm Equality (DLEQ) proofs across different pairs of bases, so those other bases would also need to be included in the Fiat-Shamir challenge to accommodate such scenarios.

Further, the sender acknowledges that the proof encoding chosen in the discussed design aligns with their own earlier work in Joinmarket, specifically the selection of (e, s) over (R1, R2, s). However, they commend the more advanced approach to k-generation presented in the current design. Another significant point raised concerns the generation of Nothing-Up-My-Sleeve (NUMS) generators, highlighting their widespread utility in Bitcoin protocols. The sender suggests that a dedicated Bitcoin Improvement Proposal (BIP) focused solely on NUMS generator generation could be valuable, given that counterparties must be able to reproduce such generators and that they are frequently redefined across applications. The mention of BIP341 in the context of provably unspendable paths underscores the relevance of a standardized approach to NUMS generator production, and the wasted effort caused by its absence in the ecosystem.
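The following added example (not the BIP's reference code or the sender's Joinmarket code) ties together the two points summarized above: a DLEQ proof on secp256k1 whose Fiat-Shamir challenge binds both bases (G, H), a message m and the nonce commitments, encoded as (e, s) so the verifier recomputes R1 and R2; the second base H is derived by a try-and-increment hash-to-curve construction as a stand-in for a NUMS generator. The hash domain tag and the tag string for H are assumptions chosen for this example, not values specified by the BIP.

```python
import hashlib, secrets

# secp256k1 domain parameters (standard constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else: lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def nums_generator(tag):
    # Try-and-increment hash-to-curve (constructed for this example): anyone can
    # reproduce H from the tag, and nobody learns log_G(H).
    x = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    while True:
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # sqrt candidate, valid since P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        x = (x + 1) % P

def challenge(H, A, B, R1, R2, m):
    # e binds BOTH bases, both points, both nonce commitments and the message m,
    # so the proof only verifies for this base pair and this m.
    data = b"".join(q[0].to_bytes(32, "big") + q[1].to_bytes(32, "big")
                    for q in (G, H, A, B, R1, R2)) + m
    return int.from_bytes(hashlib.sha256(b"DLEQ-example" + data).digest(), "big") % N

def prove(x, H, m):  # prove log_G(A) == log_H(B) == x; returns A, B, (e, s)
    A, B = mul(x, G), mul(x, H)
    k = int.from_bytes(secrets.token_bytes(32), "big") % N or 1
    e = challenge(H, A, B, mul(k, G), mul(k, H), m)
    return A, B, (e, (k - e * x) % N)

def verify(A, B, proof, H, m):  # recompute R1 = sG + eA, R2 = sH + eB
    e, s = proof
    R1 = add(mul(s, G), mul(e, A))
    R2 = add(mul(s, H), mul(e, B))
    return e == challenge(H, A, B, R1, R2, m)
```

Because the bases and m are hashed into e, the same (e, s) pair fails verification under a different H or a different message, which is the transferability and base-binding property discussed above.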