Intuitively it sounds likely, -- just in that the available values are a image on the curve and a value summed with a hash dependent on everything else. I think it would be hard to prove.
But is it even really worth the analysis when grinding gets you a 12% embedding rate in that signature at not that significant cost? (because you can independently grind the nonce and signature itself, or nonce and pubkey) -- and when beyond the cost of the additional signature (making the output 3x its cost) requiring signing when forming the address completely kills public derivation, multisig with cold keys. etc? ... and then any of whatever spam concerns people have would likely be exacerbated by the spammers using more resources due to the embedding rate? Also re private key leaking an utxo set, well not so if it's part of an explicit multisig. E.g. 2 of 2 with leaked key and a secure one. On Wed, Oct 1, 2025 at 7:50 PM waxwing/ AdamISZ <[email protected]> wrote: > Hi all, > > https://github.com/AdamISZ/schnorr-unembeddability/ > > Here I'm analyzing whether the following statement is true: "if you can > embed data into a (P, R, s) tuple (Schnorr pubkey and signature, BIP340 > style), without grinding or using a sidechannel to "inform" the reader, you > must be leaking your private key". > > See the abstract for a slightly more fleshed out context. > > I'm curious about the case of P, R, s published in utxos to prevent usage > of utxos as data. I think this answers in the half-affirmative: you can > only embed data by leaking the privkey so that it (can) immediately fall > out of the utxo set. > > (To emphasize, this is different to the earlier observations (including by > me!) that just say it is *possible* to leak data by leaking the private > key; here I'm trying to prove that there is *no other way*). > > However I still am probably in the large majority that thinks it's > appalling to imagine a sig attached to every pubkey onchain. > > Either way, I found it very interesting! Perhaps others will find the > analysis valuable. > > Feedback (especially of the "that's wrong/that's not meaningful" variety) > appreciated. > > Regards, > AdamISZ/waxwing > > -- > You received this message because you are subscribed to the Google Groups > "Bitcoin Development Mailing List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/d/msgid/bitcoindev/0f6c92cc-e922-4d9f-9fdf-69384dcc4086n%40googlegroups.com > <https://groups.google.com/d/msgid/bitcoindev/0f6c92cc-e922-4d9f-9fdf-69384dcc4086n%40googlegroups.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/CAAS2fgQRz%3DEJ%2BNm2rxrB_SEpqroFbcc%2BhUhmghJJ1jrJc-WUDA%40mail.gmail.com.
