--- Log opened Sat Feb 09 00:00:45 2019
10:10 < comedy> 🤨
22:11 < mappum_> would a variant of Schnorr work if you reused the nonce but multiplied it by some deterministic, publicly derivable scalar for each signature?
22:13 < sipa> no, that will instantly leak your private key
22:17 < mappum_> this might be impossible, but i'm trying to find a scheme where R can be publicly derived based on the message. seems easy to do interactively, e.g. the signer picks a random nonce k and reveals kG for each signature they will make, but is it possible to do with only picking one k at key generation time?
22:23 < mappum_> sipa: btw for my first message, i mean the scalar is different for each signature
22:24 < gmaxwell> No, doing that instantly reveals the key.
22:24 < gmaxwell> Yes, that's clear, and it instantly reveals the keys.
22:24 < sipa> mappum_: it doesn't matter that the nonce is different
22:24 < gmaxwell> if there is any known relationship between the nonces, you leak the key.
22:26 < sipa> the nonce needs to be completely unpredictable to the attacker
22:27 < gmaxwell> take your signatures, and write them out --- k_n G = s_n G + e_n xG and if your system of equations doesn't have more unknown variables than distinct equations, it's solvable and you can find the key(s).
22:27 < sipa> even a slight bias favoring some nonces over others may be enough to leak your keys
22:27 < gmaxwell> Even partial knowledge of the Ks, like knowing that they're all 160 bit numbers, is enough to break the security.
22:31 < mappum_> interesting, thanks. so there's no way to deterministically derive k' from k, while allowing people to publicly derive k'G from kG?
22:34 < gmaxwell> There are plenty of ways but they're inherently insecure. Only linear operations allow you to modify both k and kG. And if the k in two distinct signatures are related via any known linear relation, then you can write one in terms of the other, and solve the linear system.
22:34 < sipa> no, there are ways to do it deterministically, but it certainly won't result in an observable relation between the public nonces
22:36 < gmaxwell> You can do "Generate N values in advance, and then use them to generate up to N secure nonces later.".. but that also isn't terribly useful.
22:37 < mappum_> @gmaxwell i was afraid that would be the best way to do it
22:37 < mappum_> it might still be ok for my application
22:41 < mappum_> someone on the bitcoin-dev mailing list got my hopes up, saying "One possibility is to derive `R` using standard hierarchical derivation." but I couldn't figure it out
22:45 < sipa> nope, that definitely doesn't work
22:46 < mappum_> this paper from May 2017 (https://eprint.iacr.org/2017/394) mentions a scheme where public keys include a precommitment to R in the output to prevent double-spends, since double-spends would then reveal the private key. this can be used to increase confidence in unconfirmed txs
22:46 < mappum_> is there some reason this hasn't been discussed more by the core devs?
22:47 < gmaxwell> it's an old idea called a single show signature, you can see conversations about them back in 2013 in here.
22:48 < gmaxwell> They're exceptionally fragile (like .. revise your fees? oops lost your coins), and don't actually prevent theft-- since they just cause coin loss.
22:51 < gmaxwell> also, specific to that paper, they're using opcodes that don't exist in bitcoin. (OP_AND)
22:52 < mappum_> right, i would have thought it would end up as its own opcode where the public key was concatenated with R, and the signature was just s
22:52 < gmaxwell> seems pointless.
22:55 < gmaxwell> (I mean there is no reason to add special functionality which is otherwise covered by boring usage of OP_CAT, just to cover a single specialized use case which has ambiguous utility)
22:57 < mappum_> makes sense. well i'm trying to do bitcoin proof-of-stake where block signers (similar to the Liquid strong federation) can have outputs stolen from them if they sign multiple blocks at the same height since their private key can be derived, but the best I have right now is the one-precommitted-R-per-block design
22:58 < mappum_> then i was going to see if i could combine a scheme for that with MuSig, but now i see i'm out of my element here
22:58 < gmaxwell> Why does that even incentivize them to behave? they can just steal their own outputs first?
22:59 < mappum_> not necessarily, their chances of stealing it are based on their bitcoin hashpower
23:00 < gmaxwell> Aside from that sort of thing, what you probably want is a CHECKSIGFROMSTACK (like in liquid) and then you could actually check for two distinct signatures and don't need any wonky R fragility thing.
23:00 < mappum_> the outputs are stolen on the mainchain
23:01 < mappum_> interesting, guess i didn't see liquid mention that opcode, what's your confidence interval on that being enforced by a majority of the bitcoin hashrate in the next 2 years?
23:02 < mappum_> basically i'm trying to see what i can do with whatever will realistically get deployed for schnorr opcodes
23:02 < gmaxwell> more likely than any specific machinery for a single show signature, at least.
23:04 < gmaxwell> The fact that no one seemed to really care about trying anything out using that opcode in elements (other than roconnor's kinda crazy vault construction) doesn't really bode that well for its actual utility.
23:06 < gmaxwell> in any case, there are probably other ways to do what you want that don't require any additions to bitcoin, but are just more complex outside of it.
23:07 < mappum_> well if you have any hints on how then i'm all ears
23:08 < gmaxwell> oh I see you were already thinking of using a single show signature to sign your blocks, then just allowing that to leak a key used in bitcoin. So you were already not assuming any changes.
23:12 < gmaxwell> mappum_: you can, for example, staple to your blocks a zero knowledge proof that the k used in the block signature (with pubkey xG) is H(x||height).
23:12 < gmaxwell> then no need to communicate the nonces in advance.
23:12 < gmaxwell> but a duplicate signature at the same height will leak the key.
23:18 < mappum_> sounds like something i can't implement myself, but i guess now i'll try to read the bulletproofs whitepaper and see if i can get my brain closer to that
23:20 < mappum_> until then i'll have a static set of validators/block signers
--- Log closed Sun Feb 10 00:00:45 2019
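Editor's appended example, placed after the log and not part of the conversation or of any participant's code: a worked demonstration of the point sipa and gmaxwell make between 22:13 and 22:34 (a nonce reused under a known per-signature scalar leaks the key, as does a plain duplicate nonce at the same height). It is a toy pure-Python Schnorr over secp256k1 with no side-channel protection; the challenge hash layout (SHA-256 over R, P and the message) and the sign convention s = k + e*x are this example's own assumptions, not BIP 340 and not the s-convention gmaxwell wrote at 22:27 (his k G = s G + e xG corresponds to s = k - e*x; the recovery algebra is the same up to a sign). The "publicly derivable scalar" is modelled as a hash of the block height.

```python
"""Added example (not from the log): known linear relations between Schnorr
nonces leak the private key.  Toy secp256k1 implementation, demo only."""
import hashlib
import secrets

# secp256k1 public parameters
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time)."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


def _enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def challenge(R, Pk, msg):
    # assumption for this example: e = SHA256(R || P || m) mod N
    return int.from_bytes(hashlib.sha256(_enc(R) + _enc(Pk) + msg).digest(), "big") % N


def sign(x, k, msg):
    """Schnorr sign with a caller-supplied nonce k, so it can be misused."""
    Pk, R = mul(x), mul(k)
    e = challenge(R, Pk, msg)
    return R, (k + e * x) % N          # s = k + e*x  (this example's convention)


def verify(Pk, msg, sig):
    R, s = sig
    return mul(s) == _add(R, mul(challenge(R, Pk, msg), Pk))   # sG == R + eP


def recover_key(Pk, msg1, sig1, msg2, sig2, c):
    """Attacker knows only that k2 = c*k1 (mod N) for a public scalar c.
    s1 = k1 + e1*x and s2 = c*k1 + e2*x, so s2 - c*s1 = (e2 - c*e1)*x."""
    (R1, s1), (R2, s2) = sig1, sig2
    e1, e2 = challenge(R1, Pk, msg1), challenge(R2, Pk, msg2)
    return (s2 - c * s1) * pow(e2 - c * e1, -1, N) % N


def _keypair():
    x = secrets.randbelow(N - 1) + 1
    return x, mul(x)


def demo_related_nonces():
    """One secret k at keygen, nonce_i = H(height_i) * k: the 22:11 proposal."""
    x, Pk = _keypair()
    k = secrets.randbelow(N - 1) + 1
    c1 = int.from_bytes(hashlib.sha256(b"height:1").digest(), "big") % N
    c2 = int.from_bytes(hashlib.sha256(b"height:2").digest(), "big") % N
    sig1 = sign(x, c1 * k % N, b"block at height 1")     # constructed messages
    sig2 = sign(x, c2 * k % N, b"block at height 2")
    assert verify(Pk, b"block at height 1", sig1) and verify(Pk, b"block at height 2", sig2)
    c = c2 * pow(c1, -1, N) % N          # public ratio between the two nonces
    return recover_key(Pk, b"block at height 1", sig1, b"block at height 2", sig2, c) == x


def demo_double_sign():
    """Same nonce for two blocks at one height (c = 1): the single-show case."""
    x, Pk = _keypair()
    k = secrets.randbelow(N - 1) + 1
    sig_a = sign(x, k, b"block A at height 7")
    sig_b = sign(x, k, b"block B at height 7")
    return recover_key(Pk, b"block A at height 7", sig_a, b"block B at height 7", sig_b, 1) == x


if __name__ == "__main__":
    print("related nonces leak key:", demo_related_nonces())
    print("duplicate nonce leaks key:", demo_double_sign())
```

The recovery needs nothing but the two public signatures, the two challenges and the public relation c; the secret k never appears in the attacker's arithmetic, which is exactly why "deterministic but publicly derivable" nonces cannot be safe. gmaxwell's 23:12 suggestion keeps the nonce secret (k = H(x||height), proven correct in zero knowledge) and only the duplicate-at-same-height case, demo_double_sign above, is meant to leak.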