bitcoin-dev

BIP: DLEQ

BIP: DLEQ

Original Postby Andrew Toth

Posted on: October 24, 2024 01:51 UTC

The proposed BIP (Bitcoin Improvement Proposal) introduces a standard method for generating and verifying discrete logarithm equality proofs (DLEQ proofs) over the secp256k1 elliptic curve, which is fundamental to the operation of Bitcoin and many other cryptocurrencies.

This initiative is particularly aimed at enhancing the security and reliability of silent payments in PSBTs (Partially Signed Bitcoin Transactions), but its utility extends beyond this specific application. The inspiration for this proposal comes from existing work on ECDSA adaptor signatures and seeks compatibility with an implementation by BlockstreamResearch.

At the heart of this proposal is the creation of 64-byte zero-knowledge proofs that enable a prover to demonstrate knowledge of a scalar 'a' linking two elliptic curve points 'A' and 'C', such that 'A' equals 'a' multiplied by the generator point 'G', and 'C' equals 'a' multiplied by another point 'B', without disclosing any information about 'a'. This capability is critical in scenarios like ECDH (Elliptic Curve Diffie-Hellman), where proving that the same secret key 'a' is used for generating both public keys ('A' and 'B') and their shared secret ('C') is necessary without revealing the secret key itself.

The motivation behind this standardization effort is to address a specific requirement set forth by BIP352, which mandates that senders compute output scripts using ECDH shared secrets derived from the same secret keys used for signing inputs. Incorrectly generated output scripts, while still potentially valid in terms of consensus, pose a risk of funds being lost when broadcasted. By enabling the generation of DLEQ proofs for these ECDH shared secrets, the proposal aims to allow signing entities to assure others of the correctness of their output scripts without compromising their private keys.

The specification details the algorithms for both generating and verifying DLEQ proofs. The generation process involves taking a secret key 'a', a corresponding public key 'B', and some auxiliary random data 'r' to produce a proof that can be independently verified by others. Verification requires the public key 'A', the second public key 'B', the result of their multiplication 'C', and the proof itself. Successful verification indicates that the proof is valid and that the shared secret has been correctly computed without revealing the secret key.

This BIP represents a significant step forward in the pursuit of more secure and verifiable cryptographic operations within the Bitcoin ecosystem. It encapsulates a formal approach to ensuring that encrypted communication and transactions are both safe and correctly executed, underscoring the ongoing evolution of blockchain technology and its underlying principles.