[bitcoin-dev] Why is deriving public key from the signature not used in Segwit?

Gregory Maxwell greg at xiph.org
Wed Jan 24 04:25:28 UTC 2018


On Wed, Jan 24, 2018 at 3:50 AM, Артём Литвинович via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> Greetings.
>
> I wanted to ask what was the rationale behind still having both public
> key and signature in Segwit witness?
>
> As is known for a while, the public key can be derived from the
> signature and a quadrant byte, a trick that is successfully used both
> in Bitcoin message signing algorithm and in Ethereum transaction
> signatures. The latter in particular suggests that this is a perfectly
> functional and secure alternative.
> Leaving out the public key would have saved 33 bytes per signature,
> which is quite a lot.
>
> So, the question is - was there a good reason to do it the old way
> (security, performance, privacy, something else?), or was it something
> that hasn't been thought of/considered at the time?

It is slow to verify, incompatible with batch validation, doesn't save
space if hashing isn't used, and is potentially patent encumbered.

