The 445 BTC gridchain case

Posted by: Adam Gibson | in Bitcoin, Joinmarket | 1 month, 2 weeks ago | 3 comments

For those time-constrained or non-technical, it may make sense to read only the Summary section of this article. It goes without saying that the details do matter, and reading the other sections will give you a much better overall picture.

Schnorrless Scriptless Scripts

Posted by: Adam Gibson | in Bitcoin, Cryptography | 3 months, 4 weeks ago | 0 comments


Over the weekend of April 4th-5th 2020 we had a remote "Lightning Hacksprint" organized by the ever-excellent Fulmo; one Challenge was related to "Payment Points" (see here; see lots more info about the hacksprint at that wiki) and was based around a new innovation recently seen in the world of adaptor signatures. Work was led by Nadav Kohen of Suredbits and Jonas Nick of Blockstream; the latter's API for the tech described below can be seen currently as a PR to the secp256k1 project here. The output from Suredbits was a demo, as shown here on their YouTube, of a PTLC (point time locked contract; see their blog for more details on that).

Avoiding Wagnerian tragedies

Posted by: Adam Gibson | in Cryptography | 8 months, 3 weeks ago | 0 comments

This blog post is all about this paper by David Wagner from 2002.

Multiparty S6

Posted by: Adam Gibson | in Bitcoin | 1 year, 3 months ago | 11 comments

The multiparty symmetrical Schnorr signature scriptless script shuffle

This blog is in the category of "a new-ish idea about privacy tech"; like similar previous ones (e.g. CoinJoinXT) it is little more than an idea. In this case I believe it is correct, but (a) I could be wrong and there could be a flaw in the thinking and (b) it's not entirely clear how practically realistic it will be. What I do hope, however, is that the kernel of this idea is useful, perhaps in Layer 2 tech or in something I haven't even thought about.

Ring signatures

Posted by: Adam Gibson | in Cryptography | 1 year, 5 months ago | 1 comment


  • Basic goal of 1-of-\(N\) ring signatures
  • Recap: the \(\Sigma\)-protocol
  • OR of \(\Sigma\)-protocols, CDS 1994
  • Abe-Ohkubo-Suzuki (AOS) 2002 (broken version)
  • Security weaknesses
  • Key prefixing
  • Borromean, Maxwell-Poelstra 2015
  • Linkability and exculpability
  • AND of \(\Sigma\)-protocols, DLEQ
  • Liu-Wei-Wong 2004
  • Security arguments for the LWW LSAG
  • Back 2015; compression, single-use
  • Fujisaki-Suzuki 2007 and Cryptonote 2014
  • Monero MLSAG

Basic goal of 1-of-\(N\) ring signatures

The idea of a ring signature (the term itself is a bit sloppy in context, but let's stick with it for now) is simple enough: