In theory could a pubkeyhash script be solved without the public key in the scriptSig?

0

When signing a pubkeyhash UTXO, it is required to provide both a signature and a public key. The public key is duplicated and one copy is provided to op_checksigverify to ensure the signature is valid, and the other copy is hashed to ensure it matches the pubkeyhash.

In theory, is it possible to build an opcode like op_checksigverify_pushkey that takes only the signature of the transaction and extracts the public key from the signature? With this it would be possible to specify only the signature, with no need to provide the public key. The public key of course could be arbitrary, but it would fail when hashed and compared against the vout pubkeyhash.

Earlz

Posted 2018-12-05T04:53:08.557

Reputation: 980

Answers

2

It's possible, but:

  1. It's much slower
  2. Pubkey recovery for this kind of application is arguably patented

For a "signature only" scriptpubkey, we already have p2pk. Hopefully in the future, segwit programs will have bare pubkeys in the scriptpubkey, allowing for similar (and more advanced) constructions.

arubi

Posted 2018-12-05T04:53:08.557

Reputation: 1 460

0

Correction: There is a way to extract the public key from the signature + message.

In order to verify a signature using ECDSA, you must provide both the signature and the public key, or you have no key to verify against. It is not possible to extract the public key from the signature.

The reason for this requires an understanding of how the ECDSA algorithm works, so I'd suggest the link above for a mathematical explanation.

JBaczuk

Posted 2018-12-05T04:53:08.557

Reputation: 6 172

> It is not possible to extract the public key from the signature.

It is possible to extract a pubkey from a signature + message pair – arubi 2018-12-05T05:01:35.290

I am unaware of that, can you provide more info? Why doesn't Bitcoin do this? – JBaczuk 2018-12-05T05:04:14.930

My understanding is an ECDSA signature actually contains the public key, there is just no opcode in Bitcoin Script for extracting it. For instance, it is possible in Ethereum using ecrecover to fetch a public key that signs a message. It is then on you to verify that the public key that signed the message matches who you expected. – Earlz 2018-12-05T05:04:57.077

A signature doesn't contain the pubkey, but for any signature and message pair it is possible to recover at least two pubkeys which will "verify" the message.

If the message contains the hash of the pubkey, then it's possible to "backtrack" validation for the message this way. – arubi 2018-12-05T05:09:38.090

Yes, this is possible; it is called ECDSA pubkey recovery. @Earlz It isn't the case that the signature 'contains' the public key. Rather, given a message and a signature, it is possible to compute the public key(s) for which that msg/sig pair would be valid. That computation is slower than verifying the signature outright though. – Pieter Wuille 2018-12-05T05:09:44.543

Signature verification is one of the main computational bottlenecks with newly syncing nodes, so it would slow that process down. Cool, learned something new today :) – JBaczuk 2018-12-05T05:11:47.523

It's only slightly slower (around 5%), but the reason it isn't really considered for improvements to Bitcoin is because it is inherently incompatible with batch validation or signature aggregation (which give much bigger savings). – Pieter Wuille 2018-12-05T05:25:52.763

Interesting! Sounds like your answer @Earlz – JBaczuk 2018-12-05T05:31:45.450