--- Log opened Tue Feb 05 00:00:41 2019
01:51 < nsh> (springer DCC is not open access. paper also available here: https://eprint.iacr.org/2018/068.pdf )
04:48 < luke-jr> I wonder if there's a good way to make it so if you don't run a full node, your coins can be stolen trivially
04:49 < luke-jr> maybe keeping a running UTXO-set-history hash that needs to be committed to in the tx somehow, and if it doesn't match, the outputs can be malleated?
08:40 < waxwing> interesting reading: https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/
08:41 < sarang> This explains both the transparent-pool requirement and the absurd transcript story
08:41 < waxwing> heh, was just going to quote:
08:41 < waxwing> "The Zcash Company adopted and maintained a cover story that the transcript was missing due to accidental deletion. "
08:42 < waxwing> but what if that itself is another cover story? :thinks:
08:42 < sarang> I had (have) many problems with the whole "turnstile" process and their handling of it...
08:46 * nsh frowns
08:46 < nsh> it'd be interesting to compare the process to bitcoin's recent inflation vuln and how that was handled
08:47 < nsh> undoubtedly this will occur again
08:47 < sarang> zooko had indicated a desire for another transparent migration at their next release
08:48 < waxwing> why 'undoubtedly'?
08:48 < cjd> probably because statistical blahblahblah no system is safe
08:48 < nsh> well, i suppose there exist last-mistakes-of-a-class but they're rare
08:48 < cjd> right
08:48 < nsh> or sparse in the category of mistakes
08:49 < nsh> it'd be nice to have a phylogenetic tree of zk cryptosystems so it'd be easy/easier to see which inherited the vulnerability
08:50 < nsh> i suppose cite graph gives clues
08:51 < nsh> also it's an interesting cost to this remediation that the MPC protocol transcript is now unavailable [unless you know someone who archived it]
08:51 < nsh> oh no, misread; it's reposted after the fix
08:52 < waxwing> this is why i've been leaning against blinding of amount based on hardness assumptions even though it's a heretical position, including against myself :) it's not the hardness assumption or the QCs that get you, it's the implementation (likely).
08:52 < instagibbs> cost being no one could validate the privacy of the setup, right?
08:52 < waxwing> and even security proofs are unreliable unless they're really really simple. i think.
08:53 < nsh> it seems [very] hard in general to prove that you haven't introduced fresh assumptions while implementing or adapting from previous results
08:54 < nsh> "Ariel Gabizon, a cryptographer employed by the Zcash Company at the time of discovery, uncovered a soundness vulnerability. The key generation procedure of [BCTV14], in step 3, produces various elements that are the result of evaluating polynomials related to the statement being proven. Some of these elements are unused by the prover and were included by mistake; but their presence allows a cheating prover to circumvent a consistency check, and thereby
08:54 < nsh> transform the proof of one statement into a valid-looking proof of a different statement. This breaks the soundness of the proving system."
08:54 < nsh> point to whoever works this out in a SAGE notebook...
08:54 < nsh> or something that can be followed precisely
08:54 < nsh> so it was effectively a trusted setup leak through redundant parameters in transcript
08:55 < sarang> I assume Peter Todd feels a certain amount of deserved smugness after this :D
08:55 < sarang> (regarding the transcript)
08:55 < nsh> aka pretty much a catastrophic failure of the ceremony
08:55 < sarang> ^
08:58 < nsh> so i guess one thing to do is add a proof that a transcript of a protocol doesn't just satisfy the verifier but it also does so minimally, ie without any extraneous data whatsoever
08:58 < nsh> which seems a harder task
08:59 < sarang> Or, you know, avoid MPCs with secret-infused CRS/SRS...
09:02 * nsh smiles
09:04 < sarang> From a non-technical standpoint, I'm now interested in seeing how many company posts/statements/comments dance around the issue of a flaw without outright misleading, prior to disclosure
09:04 < sarang> it'd be a fascinating study in maintaining the ruse
09:20 < nsh> okay wow i wasn't expecting the transcript to be 6.9GB...
09:21 < nsh> i thought maybe large but not that large
09:21 < nsh> if every result in known mathematics was encoded into coq theorems it would be significantly smaller
10:06 < jtimon> nsh: what bitcoin's recent inflation vulnerability?
10:09 < nsh> some treatment here: https://hackernoon.com/bitcoin-core-bug-cve-2018-17144-an-analysis-f80d9d373362?gi=77fe6f45bf2c
10:09 < nsh> tl;dr codebase technical debt servicing is hard, even when you are doing your very best
10:10 < jtimon> thanks
10:12 < jtimon> oh, yeah, the consensus rule that was temporarily removed from bitcoin core by mistake, right?
10:14 < nsh> over several pull requests and refactors a consensus check against doublespends was lost in translation
10:14 < nsh> briefly
10:15 < jtimon> yeah, somebody said it was duplicated and it seems most reviewers just believed it
10:15 < sipa> jtimon: there was also a 0.8 thing where master briefly removed the subsidy limit check, but that was discovered before release
10:15 < sipa> this is something else
10:16 < jtimon> hmm, didn't know that one
10:17 < jtimon> this one is just the check that the inputs being spent haven't been spent already within the same block, right? we removed that thinking that was duplicated with analogous checks in the mempool, but they weren't the same checks so we put them back
10:17 < sipa> jtimon: within the same *transaction* even
10:18 * jtimon nods
10:18 < sipa> or rather, two pieces of code whose authors believed the other part was responsible for checking within-block double spending
10:18 < sipa> but both got optimized removing the check, leaving only a cross-tx assertion in place, and nothing for within-tx
10:19 < jtimon> oh, I see, it was only the within a tx part that was missing?
10:19 < sipa> right
11:18 < gmaxwell> The zcash announcement is shocking. It appears to me that zcash basically spent months slandering Petertodd, who noticed the highly questionable disappearance of the mpc transcript, in an effort to cover up a total lack of soundness (unbounded undetectable inflation), and zcash company employees continued to double down on the integrity of their trusted setup even when they knew in fact that
11:18 < gmaxwell> it was insecure.
11:19 < gmaxwell> https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/
11:22 < nsh> missed the drama when it happened but if that's so, i'd say he's owed an apology at least
11:22 < nsh> (and/or should have been brought into disclosure process)
11:23 < gmaxwell> I could understand them not doing that, but they could have remained silent. Rather than vigorously doubling down in defense of a system that they had actual knowledge of an insecurity in.
11:23 < vfP56jSe> Hello, I am reading about Taproot. In the cooperative case, what would the signature look like for P?
11:24 < vfP56jSe> In the mailing list it says "one of them just needs to add H(C||S) to their private key", but if it's only one of them, then it isn't cooperative? Please help me understand.
11:25 < gmaxwell> vfP56jSe: how is that not cooperative?
11:26 < vfP56jSe> gmaxwell: Maybe the better question is: do both sides know C?
11:27 < gmaxwell> vfP56jSe: of course.
11:29 < vfP56jSe> My understanding (which might be completely wrong) is that the signature looks like "a + H(C||S)", and since this is supposed to be cooperative, both parties need to agree to sign, so if Alice knows a, C, and S, in this completely wrong understanding, she would be able to sign for P by herself?
11:29 < gmaxwell> that isn't the signature at all. that is the public key.
11:30 < gmaxwell> The signature is just an ordinary signature, signed using a tweaked key.
11:31 < gmaxwell> I now understand your misunderstanding.
11:31 < gmaxwell> Now Alice and Bob-- assuming they are both online and agree about the
11:31 < gmaxwell> resolution of their contract-- can jointly form a 2 of 2 signature for
11:31 < gmaxwell> P, and spend as if it were a payment to a single party (one of them
11:31 < gmaxwell> just needs to add H(C||S) to their private key).
11:31 < gmaxwell> is the text from the post.
11:32 < gmaxwell> It's not describing the signing algorithm. The signing algorithm is just a standard signing algorithm for 2 of 2 schnorr.
11:32 < gmaxwell> With the only modification being that instead of signing with their private key, one of the signers needs to sign with a tweaked private key.
11:32 * vfP56jSe reading intently
11:33 < gmaxwell> (or, alternatively, treat it as a 3 of 3 schnorr, with the taproot commitment being one of the private keys, it's equivalent)
11:35 < vfP56jSe> The "tweaked key" part isn't part of standard schnorr is it? And the tweaking is what is described by "one of them just needs to add H(C||S) to their private key"?
11:35 < sarang> gmaxwell: zooko still claims in a tweet that this wasn't a flaw in the setup
11:36 < sarang> And that it could just as easily happen in a trustless proving system
11:37 < gmaxwell> sarang: that's a weird and distracting claim. Yes, any bleeding edge hardly reviewable cryptosystem could have unsoundness vulnerabilities.
11:38 < gmaxwell> It wasn't a violation of the trusted state, it was a flaw in the additional complex procedure that was needed to try to patch over the insecure setup.
11:40 < gmaxwell> it's also weird that their disclosure does not make clear that they do not, and cannot know, if it was exploited. (only that the total funds that have exited from the unshielded addresses are below the maximum, so any inflation-- if there was any-- was instead converted into theft to parties that were slow to get their funds out of the old accumulator.
11:41 < gmaxwell> )
11:51 < nsh> hmm
11:51 < nsh> so there are potentially bagholders
11:52 < nsh> it would take some computation over all honest accumulator participants to prove there was no counterfeiting
11:53 < nsh> (and that doesn't seem tractable)
11:57 < gmaxwell> nsh: or all of the funds being exited from the old accumulator.
12:26 * nsh nods
12:27 < gmaxwell> which is presumably impossible, since ~someone~ had to have lost their keys by now.
12:28 < nsh> do coins in the old accumulator retain [migratable] value indefinitely or is there some sunset period?
12:28 < nsh> s/coins/funds/
12:55 < vfP56jSe> Looking at the Schnorr BIP, in the generic description of Schnorr, does the signer pick R, e, and s?
12:57 < sarang> nsh: for a while zooko indicated wanting a spend sunset for sprout
12:57 < sarang> I hope this is not done
12:57 < andytoshi> vfP56jSe: the signer picks R and s. e is forced
13:00 < vfP56jSe> andytoshi: Because when R is picked, we can get e from "e = H(R || m)" and s from solving "sG = R + eP"?
13:01 < sipa> you pick k
13:01 < sipa> from k you compute R = kG
13:02 < sipa> and you compute s = k + H(R || m)x
13:03 < vfP56jSe> P = xG too?
13:03 < vfP56jSe> (just verifying assumptions)
13:03 < sipa> yes, but long before (that's the creation of pubkey)
13:06 < vfP56jSe> sipa: That's very clear. I'm wondering, in the case where we don't consider k and just consider R, it's mentioned in the BIP that the signer can either reveal e or R, I'm curious why s can't be revealed
13:07 < sipa> s is always revealed
13:07 < vfP56jSe> Sorry to make myself clear
13:07 < sipa> the signature is either (R,s) or (e,s)
13:07 < vfP56jSe> why can't it be (R, e)
13:07 < sipa> you can't validate that
13:10 < andytoshi> `s` can only be computed by the signer
13:12 * vfP56jSe digesting
13:14 < vfP56jSe> s can only be computed by the signer because only the signer has k and x, in which x is the signer's private key and k is picked by the signer
13:14 < sipa> yes
13:16 < vfP56jSe> I'm trying to see why (R, e) _necessarily_ can't be validated, my tentative answer is that since given m they HAVE to satisfy e = H(R || m) by definition, so that equation becomes useless...
13:17 < vfP56jSe> because the satisfy conditions for both (e, s) and (R, s) combine "e = H(R || m)" and "sG = R + eP"
13:18 < sipa> it's a strange question
13:18 < sipa> i understand you're asking this from a perspective of "oh A and B are possible, why isn't C possible too?"
13:18 < sipa> but on itself, it's already quite surprising there are two formulations of schnorr to begin with
13:19 < sipa> typically there isn't some random transformation of this type that you can do on a cryptographic scheme without breaking it
13:21 < vfP56jSe> I see. Yeah I do admit it's more for my own curiosity.
13:21 * vfP56jSe continues reading the BIP
13:43 < petertodd> gmaxwell: they just told me "please shut up, we have a really good reason" I would have
13:44 < sipa> you're missing an "if" there?
13:44 < petertodd> gmaxwell: for the record, they never gave me any indication there was an issue... other than well after it was fixed being really weird about the missing transcript - zooko really didn't want the communication about it being made public. but that was after everything was fixed AFAICT so I don't see why
13:44 < petertodd> sipa: sorry, if they just told me "please shut up, we have a really good reason" I would have
13:46 < sarang> petertodd: FWIW calling them out at the time was the right thing to do IMO
13:47 < sarang> The more I read about the timeline on this whole situation, the more upset I'm becoming
13:47 < petertodd> sarang: thanks, though frankly I'm worried at whether or not I lost work over that - whisper networks suck
13:49 < sarang> I noticed the Zcash Foundation is calling for an examination of Sprout address deprecation without defining what that means
13:50 < vfP56jSe> For "Implicit Y coordinate," I understand why out of the 2 possible Y coordinates, one and only one is the quadratic residue, but I cannot find how "quadratic residue of the Y coordinate can be computed directly for points represented in Jacobian coordinates"
13:50 < petertodd> sarang: it'd be because the old-style scheme is still allowed, albeit with a new proof system, so best to deprecate it asap
13:50 < sarang> Is this supposed to imply eventual unspendability? Because zooko advocated for that, and it seemed bonkers to me
13:51 < sarang> (of course, now I know that he was aware of the flaw when he said this)
13:51 < sipa> vfP56jSe: the (affine) y coordinate is a quadratic residue if either both or neither of the Y and Z jacobian coordinates are quadratic residues (but not if only one of them is)
13:52 < sipa> because y = Y/Z^3; if you multiply with Z^4 (which is definitely a quadratic residue, so it doesn't affect the residuosity of the result), you get YZ
13:52 < sipa> so the residuosity of y equals that of YZ
13:55 * vfP56jSe in awe
14:12 < vfP56jSe> So when we encode `R` for the signature, we only encode its x-coordinate (affine). But during verification we never reconstruct the y-coordinate from this affine x-coordinate, but rather, after we calculate R = sG - H(r || P || m)P, we check that the x-coordinate of R is r and that the y-coordinate of R is a quadratic residue?
14:13 < vfP56jSe> When R is calculated from R = sG - H(r || P || m)P, is it in affine form or jacobian?
14:14 < sipa> whatever you want
14:18 < vfP56jSe> it seems that after calculating R = sG - H(r || P || m)P, we want 1. The affine x-coordinate of R, to check that it is the same as r 2. The jacobian y,z-coordinate of R, to check the residuosity of YZ ? Is that correct?
14:20 < sipa> you can compare an affine coordinate pair with a jacobian one (to see if they refer to the same point) without converting from jacobian to affine
14:31 < vfP56jSe> So, because, given a jacobian coordinate, it is cheap to
14:31 < vfP56jSe> 1. Check if it refers to the same point as an affine pair, 2. Check the residuosity of its affine equivalent's y-coordinate
14:31 < vfP56jSe> BUT not cheap to
14:31 < vfP56jSe> 1. Check if its affine equivalent's y coordinate is in the lower half, 2. Check if its affine equivalent's y coordinate is even
14:31 < vfP56jSe> this method is more efficient, correct?
14:32 < gmaxwell> checking if the y is 'even' requires converting it to affine.
14:32 < gmaxwell> which is expensive.
14:34 < vfP56jSe> gmaxwell: I see! Do you have nits with my understanding above?
14:37 < gmaxwell> your understanding is correct. Converting to affine is expensive because it requires a modular inversion. But you can do an exact comparison by converting the affine value to jacobian with the same denominator, by multiplying.
14:37 < gmaxwell> You can't, however, do an even/oddness test that way.
14:38 < gmaxwell> Also really, QRness is really a much more natural tie breaker for point compression. Even/oddness is pretty non-algebraic but just happens to work because the field is prime.
14:38 < sipa> s/prime/odd/
14:39 < gmaxwell> prime implies odd. :P except for 2... :P
14:39 < gmaxwell> more natural in the sense that the _reason_ that there are even two possibilities is because the sqrt has two possibilities.
14:39 < sipa> yes, but it'd also work for a field of size large-prime-squared e.g.
14:41 < gmaxwell> For characteristic-2 curves, there are also multiple possibilities, but you cannot use even/oddness for selecting points, instead you use the trace of the value, which is most similar to testing QRness in other characteristics.
19:01 < vfP56jSe> sipa gmaxwell Thank you both for your patient explanations, sorry had to go afk but the above makes things much more clear.
19:56 < midnightmagic> :-o
20:01 < sipa> vfP56jSe: yw
--- Log closed Wed Feb 06 00:00:42 2019