--- Log opened Thu Apr 11 00:00:41 2019
00:00 < NicolasDorier> Say you have a transaction where you own all inputs with values (2,4,6) and one output (10) back to you. The attacker can say to the hw you only own input n1, then the wallet would say "cool, I am making money, I agree to sign!". Then the attacker does the same for n2 and n3. The HW would sign all of them.
00:01 < NicolasDorier> now the attacker broadcasts a transaction, but the owner of the wallet actually just lost 2 BTC
00:03 < NicolasDorier> To prevent this, one solution is to encode the sequence of indices that the attacker asks the HW to sign inside the keypath of the output address, and have the HW enforce it.
00:03 < NicolasDorier> Say the attacker asks the HW to sign inputs n1 and n2, the HW would check the output is "1/2". If the attacker then asks to send n3, the HW would check the output is "3".
00:03 < NicolasDorier> Now the attacker would not be able to combine those two signatures into one transaction
00:04 < NicolasDorier> But then we can't easily recover the wallet without remembering all the keypaths of outputs we used (no way to rescan everything)
00:47 < waxwing> NicolasDorier, i believe instagibbs had thoughts along these lines on the mailing list about a year or two ago, but i will struggle to find it. if he's here perhaps he can comment.
01:01 < NicolasDorier> ooooh it was instagibbs . Damn, I remembered having this conversation but could not remember with whom it was.
03:57 < instagibbs> yes, recent related/updated discussion: https://github.com/trezor/trezor-core/issues/465
03:58 < instagibbs> (email is linked there by nothingmuch)
04:01 < instagibbs> original proposal in e-mail was broken, I think https://github.com/trezor/trezor-core/issues/465#issuecomment-480939709 is the best we can do without exposing keypaths as you say
04:16 < waxwing> ah thanks for the link to that thread. very interesting discussion.
06:49 < waxwing> instagibbs, wrt https://github.com/trezor/trezor-core/issues/465#issuecomment-480939709 and the following comment by Pavol Rusnak, I don't understand how *either* suggestion could count as a proof of non-ownership. suppose the HW wallet generates such sigs on each input it signs, what's to stop an attacker replacing it with garbage?
06:50 < waxwing> i mean it's pretty clear i haven't understood your mechanism, but i can't figure it out
06:51 < waxwing> oh. it has to be a signature, so it can be verified against the key tied to the utxo. huh, that's interesting.
06:53 < waxwing> yeah i think that works. it's kinda surprising. since the message has a fixed format there are no shenanigans to fake it.
08:07 < waxwing> instagibbs, can you let me know whether i've described it correctly here? https://0bin.net/paste/cyf1phgvbCYaJsOr#uDpknGe6zIlCsuCtDx5qQQWFLtKrBNRSHH361vlqw8Q
09:34 < instagibbs> waxwing, yeah reads correct.
09:36 < instagibbs> yeah imo the problem itself is really hard to reason about compared to how trivial I think it should be
09:39 < instagibbs> during generation of the signature, you need to make sure you control U (host gives derivation path up front), and the amount needs to be verified by the full previous txns, of course
10:02 < achow101> instagibbs: wouldn't you essentially have to have a script interpreter to know that the proof for a particular input is valid?
10:02 < achow101> otherwise you wouldn't know that the pubkey for the proof for an input actually belongs to that input
10:04 < waxwing> that sounds like a rather good point .. i guess a hardware wallet could restrict this feature to a specific script type? or something?
10:09 < achow101> it also breaks down with weird scripts and/or multisig I think. but those erode your privacy anyways
10:14 < andytoshi> miniscript lets you do this with a lot of generality and without a general script interpreter
10:15 < andytoshi> sipa: does writing a C miniscript library designed for hw wallets sound fun to you? ;)
10:16 < gmaxwell> andytoshi: ... that works in 64kb ram + stack.
10:16 < achow101> andytoshi: miniscript doesn't cover p2pkh or p2wpkh though
10:18 < andytoshi> ah, yeah, i mean "miniscript embedded in output descriptors"
10:18 < sipa> what is the issue?
10:18 < achow101> sipa: proving that an input for a coinjoin belongs to a hardware wallet
10:19 < sipa> proving to whom?
10:19 < achow101> proving to the hardware device
10:19 < sipa> to another hardware device?
10:19 < andytoshi> (full descriptor+miniscript support is probably overkill here .. but it would give us a clean/general way to extract public keys from a script)
10:19 < achow101> instagibbs suggests this: https://0bin.net/paste/cyf1phgvbCYaJsOr#uDpknGe6zIlCsuCtDx5qQQWFLtKrBNRSHH361vlqw8Q (writeup by waxwing)
10:19 < sipa> oh, i see
10:20 < gmaxwell> instagibbs: another way to let the hw wallet work, I think, would be to have some input/output correspondence map committed to by something signed in the txn, and revealed to the hardware wallet.
10:20 < andytoshi> the goal is to assure the hw device of which outputs it owns, and which outputs it doesn't own (though it doesn't care who owns it beyond "me/not me")
10:20 < achow101> sipa: the issue is that a malicious coinjoin creator can lie to a hardware wallet that some inputs do not belong to the device even though they actually do
10:20 < achow101> the goal is to prove that inputs do or do not belong to the device
10:30 < gmaxwell> I think it's better to prove that any input being signed for is paid back to the device, in a way that prevents double dipping.
10:30 < gmaxwell> so for example if every output was a p2c privately committing to its input.
13:02 < instagibbs> achow101, non-single-key addresses are left as an exercise, especially considering this mode would require multiple hosts plugged in for a multisig or something...
13:04 < achow101> instagibbs: well it could be something that goes from a multisig to a single key after some time has passed. that's still a single signer and your scheme would still work, it's just a bit harder to verify that the pubkey attached to the proof is correct
13:05 < instagibbs> eh sure, exercise to reader
13:06 < instagibbs> gmaxwell, ah yeah that's related to something I was pontificating on, you could also commit to arbitrary signing policies
13:07 < instagibbs> like "I'll elide the change output if the prevouts all come from the same paired xpub set"
13:08 < instagibbs> (ledger for example makes no assumption, only assumes for single-key destinations it has the derivation path for)
13:14 < waxwing> it might be worth elucidating more carefully the exact security model/threat model we're trying to address here, since it seems we're talking about a significantly different usage model of a hardware wallet.
13:15 < waxwing> usually after all it pays stuff out. then in some coinjoin scenario it might be required not to pay out (lose money), or it might be required to only pay out "a thing" (like in that thread they talked about a wasabi fee and a bitcoin tx fee, which can be another can of worms)
13:16 < waxwing> one could even imagine using such a thing to do coinswaps (sign N different transactions all-or-nothing based on an assessment of total balance change) ... i guess with LN you can't say something similar, but i'm really not sure.
13:16 < waxwing> for coinswaps also read coinjoinxt ideas (sets of connected txs instead of disconnected)
13:22 < gmaxwell> Goal: hardware wallet should be willing to sign transactions that don't make any coins inaccessible to it, but merely shuffle them around. But cannot sign things (without auth) that take coins away.
13:22 < gmaxwell> waxwing: swaps are a little harder because you can lose funds just by timing out.
13:23 < waxwing> yeah cancel all that stuff. that's a bit of a mess.
13:24 < waxwing> i think 'don't take coins away' is a bit too simple though, it seems that "don't pay more than X" is the goal (at least as some people are thinking about it), whether network fees or coinjoin fees.
13:24 < gmaxwell> right, perhaps a dumber and more general way to address it is if the HWW just had a velocity limit.
13:24 < gmaxwell> that could be run without human interaction.
13:24 < gmaxwell> and just keep your join traffic below that.
13:25 < gmaxwell> or even more snazzy, let deposits credit against that limit
13:25 < instagibbs> you also have to do some reasoning about wallet utxo sizes
13:31 < waxwing> instagibbs, "sizes" here being btc amounts or bytes?
13:32 < waxwing> so it seems like the thinking is, we ask for automated signing, we assume the host can be 100% compromised, so may be doing its best to siphon funds, and in the simplest case we have the HW wallet insist on not paying anything, or relax it with a fee setting (which ofc would not be automated, so 2FA or some such). sorry for blethering, i just want to be sure i know what the goal is.
19:20 < achow101> is it possible to create a proof which proves that a blob of data is an encrypted private key which corresponds to a given public key?
19:25 < gmaxwell> achow101: your question is underspecified, I don't see how it excludes the tautology that the pubkey is a self-corresponding encryption of 1 with its private key.
19:38 < achow101> gmaxwell: apparently some scammers have taken to adding a ckey record to wallet files where the "encrypted key" is just garbage and not the private key that corresponds to the public key in that record
19:38 < achow101> I was thinking whether it was possible to construct some proof to append to the ckey record that proves the encrypted private key is actually the private key
19:39 < achow101> but it's a pointless thing to do because scammers will just use old wallet versions which don't support this change
19:40 < gmaxwell> scammers? you mean saviors of mankind.
19:41 < gmaxwell> people who buy stolen wallets to crack are the bad guys...
19:42 < achow101> I presume the scam is along the lines of "here's an encrypted wallet with money and we will sell you the password"
19:43 < gmaxwell> it would be easy to design the wallet in such a way that you couldn't make fake encrypted wallets... but you couldn't prevent there from being a real encrypted wallet where the password will never be guessable.
19:43 < gmaxwell> achow101: well your requested proof wouldn't prevent that scam.
19:44 < achow101> right, i've turned this into a thought experiment :)
20:16 < luke-jr> could you "encrypt" the private key by saving only a signature made with K=passphrase?
20:16 < luke-jr> then you could verify the signature to prove it is the correct private key
20:18 < luke-jr> achow101: gmaxwell: ^
20:24 < achow101> luke-jr: that's an interesting idea
21:51 < gmaxwell> I still don't see what you're trying to prove.
22:53 < luke-jr> gmaxwell: he wants to prove that some passphrase in fact does exist which would reveal a private key; arguably this is not useful to prove, so it's become a thought exercise
--- Log closed Fri Apr 12 00:00:42 2019