On Wed, Jan 24, 2018 at 3:50 AM, Артём Литвинович via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> Greetings.
>
> I wanted to ask what was the rationale behind still having both public
> key and signature in Segwit witness?
>
> As is known for a while, the public key can be derived from the
> signature and a quadrant byte, a trick that is successfully used both
> in Bitcoin message signing algorithm and in Ethereum transaction
> signatures. The latter in particular suggests that this is a perfectly
> functional and secure alternative.
> Leaving out the public key would have saved 33 bytes per signature,
> which is quite a lot.
>
> So, the question is - was there a good reason to do it the old way
> (security, performance, privacy, something else?), or was it something
> that hasn't been thought of/considered at the time?

It is slow to verify, incompatible with batch validation, doesn't save space if hashing isn't used, and is potentially patent encumbered.