--- Log opened Fri Nov 16 00:00:22 2018
10:13 < dgenr8> given a pubkey, how difficult is it to find a valid signature for a 256-bit message if you don't care what the message is?
10:15 < andytoshi> do you care that it's a hash with a known preimage?
10:16 < andytoshi> with schnorr it's impossible and i think this can be proven .. with ECDSA i also think it's impossible but i wouldn't bet money on that
10:17 < sipa> i think it's easy to prove that's impossible in idealized ECDSA (where you treat extracting the X coordinate of a point as a RO)
10:18 < andytoshi> oh, hm, maybe.. all i know is there is no "message recovery" analogous to "pubkey recovery"
10:19 < sipa> you'd need to find (s, k, m) such that s*k = m + H(k*G)*P, given P
10:19 < sipa> ah, no, not necessarily
10:20 < sipa> you'd need to find (s, R, m) such that s*R = m + H(R)*P
10:21 < dgenr8> andytoshi: no, the idea is that someone may claim it's the hash of an unknown preimage. the question is how much weight does the signature have
10:28 < sipa> andytoshi: i think you can use the forking lemma to extract the private key even if the 2 signatures are for different messages with the same R
10:29 < sipa> (and R has to be chosen first as it's the input to a hash function in idealized ECDSA)
10:29 < andytoshi> yeah that sounds right
10:29 < andytoshi> though like, if m = 0 then you can do it
10:29 < andytoshi> so there's still something about m you have to express in your proof
10:30 < sipa> if m=0 then it's even easier for the extractor
10:30 < sipa> oh, wait
10:30 < andytoshi> then your proof doesn't work, because it's trivial irl to produce such 'forgeries' :)
10:30 < sipa> right
11:07 < dgenr8> https://twitter.com/satoshi/status/1063501015385866240
11:12 < fabianfabian> dgenr8: what are we looking at?
11:12 < dgenr8> this account claims to have signed a hash with the key to coinbase 9
11:14 < dgenr8> do I understand correctly that this is trivial by choosing message=0?
11:14 < nsh> the first thing to check is that it's not a recycled signature or m=0 aye
11:15 < dgenr8> he he he
11:17 < waxwing> it always amuses me to think that, to make a transferable signature, you have to take an identification protocol (here Schnorr's), and make it non-interactive (fiat-shamir), but then if you want to use your signature protocol to prove identity, you have to put back the interactivity you took out :)
11:48 < gmaxwell> andytoshi: it's trivially possible to just go find a pretexting signature and publish it though, like scamtoshi did.
11:49 < drexl_> that's what faketoshi tried to do https://www.reddit.com/r/Bitcoin/comments/4hflr3/craig_wrights_signature_is_worthless/
15:20 < andytoshi> dgenr8: o.O so, gmaxwell showed me the example you posted (which appears to have been taken down) and i think this is actually a novel way to produce a fake ECDSA signature on a "hash" which is some forced 256-bit value
15:20 < arubi> andytoshi, did you see that r == -s in both signatures?
15:21 < andytoshi> arubi: yeah, gmax pointed that out to me. it's important to the forgery
15:21 < arubi> so I still can't figure out how to do that
15:21 < andytoshi> the key observation is that s = -r in these signatures ... so the verification equation sR = mG + rP can be rewritten as s(R + P) = mG
15:21 < arubi> right
15:21 < andytoshi> so ... pick R so that R + P = cG, for some `c` that you know
15:21 < andytoshi> then set m = c*s
15:22 < andytoshi> so, R is forced by c, then r is forced by R, and s is forced by r... so you can't control this quantity
15:23 < arubi> sorry I've been away for too long, I'm trying to follow this :)
15:24 < andytoshi> heh, it's the kinda thing that's super annoying to follow on IRC
15:24 < belcher> thanks for the explanation andytoshi
15:24 < andytoshi> cuz it's a bunch of ascii-fied equations in a horizontal line of english text
15:28 < arubi> got it. thanks andytoshi. that's a really neat trick
15:29 < arubi> waxwing you probably will be interested too ^ :)
15:29 < andytoshi> interestingly, the forger did not have to be so clumsy .. i wonder if s/he wanted to be noticed by using s = -r like that, because it gave a critical hint to how it was done
15:29 < nsh> was it not required to have s = -r?
15:29 < andytoshi> so, there's a simple variant where you make s be some multiple of -r
15:29 < drexl> he uploaded 3 so far and then took them down
15:29 < drexl> all have r = -s
15:29 < andytoshi> and if you don't reveal the multiple they'll look uncorrelated
15:30 < nsh> ah
15:30 < drexl> https://pastebin.com/wR0xybzA
15:30 < belcher> maybe his next tweet will do that if he's in here watching
15:30 * nsh smiles
15:31 < gmaxwell> They took it down instantly when I mentioned it in bitcoin-forks
15:31 < gmaxwell> maybe coincidence.
15:34 < sipa> you can generalize it
15:35 < sipa> choose R = c*G + a*P, and then s = R.x/a, and m = c*R.x/a
15:35 < andytoshi> oh, nice, that's super simple
15:36 < sipa> which is indistinguishable from random valid signatures
15:36 < andytoshi> and you can see why you can't control s, R or m very well
15:38 < sipa> this attack doesn't apply to Schnorr, as m is under a hash
15:41 < andytoshi> you can solve for both `c` and `a` here ... in the twitter thing clearly `a = 1`, but `c` looks like it's just some big random number, it's not especially small or anything interesting
15:41 < andytoshi> or ascii
15:41 < sipa> a=-1 actually
15:42 < andytoshi> eh, right
15:45 < sipa> you can also recover a,s from the signature; a = R.x/s, c = m/s
15:45 < sipa> eh, a and c
15:45 < sipa> right, of course - that's the ECDSA verification equation
15:45 < andytoshi> yeah .. a little disappointing, i was hoping there'd be something that e.g. only the actual key owner could recover
15:46 < andytoshi> but i think i'd tried "ecdsa as encryption" some years ago and never got something that worked
15:46 < sipa> andytoshi: that would be in contradiction with being able to use them for forgeries :p
15:46 < andytoshi> heh, yeah, i guess so
15:52 < uiuc-slack> If i understand correctly, the problem is because m = H(message) in ECDSA and that it could be fixed by making m = H(message || R).
15:55 < sipa> smk7: well, not really - the above lets you 'forge' a signature if the attacker can choose m
15:55 < sipa> but m in the writeup above is H(message)
15:55 < uiuc-slack> Ignore it. I realize the point of this entire thing was signatures are meaningless unless I provide the message.
15:55 < sipa> So the result is not technically an ECDSA signature without knowing the preimage of m
16:00 < gmaxwell> https://0bin.net/paste/7-tnWL-IgsKqGFcS#4Ez46tgnqboi3Te4CFn93TYI7pWlgqJNcCith9EvEnT
16:00 < gmaxwell> is a sage script
16:00 < andytoshi> nice :)
16:01 < wallet42> look at me i'm satoshi now!
16:02 < Lightsword> this related? https://bitcoin.stackexchange.com/questions/80670/whats-wrong-with-the-calculation-python
16:03 < sipa> https://twitter.com/pwuille/status/1063582706288586752
16:06 < sipa> gmaxwell: instead of (R.xy())[0] you can use R[0]
16:06 < andytoshi> really?
16:06 < andytoshi> niice
16:07 < sipa> i didn't even know about .xy() ...
16:07 < andytoshi> sipa: .xy() gives you an actual tuple so you can write "%x %x" % G.xy() ... which is used in the comment describing how to compute the Elements H generator
16:08 < andytoshi> R[0], R[1], R[2] are all well defined and appear to be jacobian (or projective? can't tell when z = 1) coordinates .. but "%x %x %x" % R does not work
16:08 < sipa> R[2] always gives 1 for me
16:08 < sipa> (for whatever operations i do with EC points in sage)
16:14 < uiuc-slack> I guess we also say similar about bypassing the hash step in Schnorr? Set R = sG - mP. I pick (s,m) and get an R value.
16:15 < andytoshi> the thing with schnorr is that you can't really "bypass the hash step"
16:16 < andytoshi> if you don't hash R the whole thing is trivially insecure
16:18 < andytoshi> the difference i guess is that in the ECDSA version you don't get to pick m, it's picked for you
18:16 < gmaxwell> dgenr8: whatever private venue Scamtoshi was sharing those signatures in sounds like an echo chamber that was specifically set up to amplify that sort of fraud. It would probably be mentally healthy for you to avoid such places.
20:34 < dongcarl> Did people see this paper: https://arxiv.org/pdf/1805.08281.pdf
20:39 < Varunram> What's up with that paper dongcarl?
20:40 < dongcarl> Well, seems like a simple paper with a simple solution... But I've come to realize that most papers aren't what they seem, so I'm just wondering people's thoughts and whether it's a good idea or not.
20:42 < gmaxwell> dongcarl: if including orphans prevents difficulty from going down, why would any miner do so, or choose to extend the block of another miner that had?
20:43 < dongcarl> gmaxwell: choose to extend (the block (of another miner) that had included orphans)?
20:44 < gmaxwell> if you commit to some orphans in block N, why wouldn't I just ignore your N when mining? -- including them will make us all earn less. (as I understand their proposal)
20:45 < dongcarl> Right... You're always better off with n' = 0
20:47 < dongcarl> I believe to motivate this, they want to change consensus by "including a rule that, in case of competition between two blocks with the same height, nodes should always broadcast the block with the most proof-of-work i.e., the block which includes the most proofs of existence of uncles"
20:50 < gmaxwell> dongcarl: that has its own other consequences, but why would any miner follow that rule? it doesn't seem incentive compatible to me.
20:51 < gmaxwell> as any decision to do so will lower all miners' income.
20:51 < gmaxwell> if miners ignore that particular preference, it doesn't matter what other nodes do.
20:54 < dongcarl> as in the miners will be incentivized to only make blocks with n' = 0 making the change null and void? If a single miner followed that preference, wouldn't the rest be forced to follow it too? Or I guess they can just fork away to a chain where consensus doesn't include this "uncles" preference?
20:55 -!- michaelfolkson [~textual@host86-131-209-198.range86-131.btcentralplus.com] has joined #bitcoin-wizards
20:55 < gmaxwell> dongcarl: consensus can't really 'include' a preference, a preference is invisible.
20:55 -!- ghost43 [~daer@gateway/tor-sasl/daer] has joined #bitcoin-wizards
20:59 < dongcarl> Oh I see... In this case it only matters what the miners do, as they're the only ones producing blocks, and are incentivized heavily to not mine on anything with n' > 0
21:04 -!- thomasan_ [~thomasand@2605:a601:b021:f00:7c84:b81e:832:a4a] has quit [Ping timeout: 260 seconds]
21:05 -!- michaelfolkson [~textual@host86-131-209-198.range86-131.btcentralplus.com] has quit [Quit: Sleep mode]
21:46 -!- tromp [~tromp@ip-217-103-3-94.ip.prioritytelecom.net] has quit [Remote host closed the connection]
21:46 -!- tromp [~tromp@ip-217-103-3-94.ip.prioritytelecom.net] has joined #bitcoin-wizards
22:03 -!- peornvweporn [6b4dcf73@gateway/web/freenode/ip.107.77.207.115] has joined #bitcoin-wizards
22:03 -!- peornvweporn [6b4dcf73@gateway/web/freenode/ip.107.77.207.115] has left #bitcoin-wizards []
22:04 -!- AaronvanW [~AaronvanW@unaffiliated/aaronvanw] has joined #bitcoin-wizards
22:07 < RubenSomsen> From the sidechains paper: "A futuristic idea for a low-value or experimental sidechain is to invoke a trusted authority, whose only job is to execute a trusted setup for a SNARK scheme. Then blocks could be constructed which prove their changes to the unspent-output set, but do so in zero-knowledge in the actual transactions. [...] These proofs could also replace the DMMSes used to move coins from another chain
22:07 < RubenSomsen> by proving that the sending chain is valid according to some rules previously defined."
22:07 < RubenSomsen> Is the assumption here that the trusted authority still commits block hashes into the bitcoin blockchain? Otherwise it seems you could have multiple valid chains.
22:08 -!- AaronvanW [~AaronvanW@unaffiliated/aaronvanw] has quit [Ping timeout: 240 seconds]
22:09 -!- mikestevens [6b4dcf73@gateway/web/freenode/ip.107.77.207.115] has joined #bitcoin-wizards
22:11 < RubenSomsen> The reason I ask is because of Poelstra's PoS paper: "Is it necessary to use a DMMS to produce a distributed consensus? This is an open question. The author’s guess is “no”. In particular, simple changes to Bitcoin’s protocol, such as rewarding miners with “coupons” to mine far-future blocks with lower difficulty[BCD+14, Section 6.1] seem unlikely to harm consensus while definitely not satisfying the
22:11 < RubenSomsen> given definition of DMMS."
22:11 < RubenSomsen> It seems to me you still require DMMS for block ordering.
22:13 < RubenSomsen> andytoshi: am I misunderstanding the quote?
22:14 -!- rh0nj [~rh0nj@136.243.139.96] has quit [Remote host closed the connection]
22:26 -!- shesek [~shesek@109.253.214.56] has joined #bitcoin-wizards
22:26 -!- shesek [~shesek@109.253.214.56] has quit [Changing host]
22:26 -!- shesek [~shesek@unaffiliated/shesek] has joined #bitcoin-wizards
22:40 -!- shesek [~shesek@unaffiliated/shesek] has quit [Ping timeout: 240 seconds]
22:41 -!- shesek [~shesek@unaffiliated/shesek] has joined #bitcoin-wizards
22:57 -!- shesek [~shesek@unaffiliated/shesek] has quit [Read error: Connection reset by peer]
22:57 -!- Krellan [~Krellan@2601:640:4000:a876:28aa:470d:5184:ca88] has joined #bitcoin-wizards
23:10 -!- satwo [~textual@2600:1700:3691:2a30:d961:4b97:14e8:2b9a] has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
23:11 -!- mikestevens [6b4dcf73@gateway/web/freenode/ip.107.77.207.115] has quit [Quit: Page closed]
23:24 -!- satwo [~textual@2600:1700:3691:2a30:2c18:f42:cbcc:ae93] has joined #bitcoin-wizards
23:24 -!- satwo [~textual@2600:1700:3691:2a30:2c18:f42:cbcc:ae93] has quit [Client Quit]
23:49 -!- Murch [~murch@p579488D7.dip0.t-ipconnect.de] has joined #bitcoin-wizards
23:54 -!- Murch [~murch@p579488D7.dip0.t-ipconnect.de] has quit [Ping timeout: 268 seconds]
--- Log closed Sat Nov 17 00:00:23 2018