--- Day changed Thu Aug 06 2015
00:06 -!- gmaxwell [greg@wikimedia/KatWalsh/x-0001] has joined #secp256k1
00:29 -!- btcdrak [uid52049@gateway/web/irccloud.com/x-qczmgnovsmrqlgsr] has joined #secp256k1
00:39 < gmaxwell> andytoshi: this time I can't decrypt what he's trying to accomplish: https://bitcointalk.org/index.php?topic=1145231.0
01:20 <@sipa> i do
01:22 <@sipa> he is taking the field inverses of (4*G).x and (4*G).y, multiplying those with (2*G).x and (2*G).y, and expecting to get (2*G).x and (2*G).y
03:12 -!- jtimon [~quassel@200.Red-79-148-174.dynamicIP.rima-tde.net] has joined #secp256k1
03:43 -!- dc17523be3 [unknown@gateway/vpn/mullvad/x-nfobdmkishhckxev] has quit [Read error: Connection reset by peer]
03:45 -!- dc17523be3 [~unknown@cpe-66-68-54-206.austin.res.rr.com] has joined #secp256k1
03:49 -!- dc17523be3 [~unknown@cpe-66-68-54-206.austin.res.rr.com] has quit [Ping timeout: 246 seconds]
03:51 -!- dc17523be3 [unknown@gateway/vpn/mullvad/x-xvcmtickqrcbyxsv] has joined #secp256k1
07:16 <@andytoshi> oh, oops, he PM'd me to ask about that and i forgot..
13:11 -!- btcdrak [uid52049@gateway/web/irccloud.com/x-qczmgnovsmrqlgsr] has quit [Ping timeout: 245 seconds]
13:13 -!- btcdrak [uid52049@gateway/web/irccloud.com/x-qcxunlihpnrjysyk] has joined #secp256k1
13:57 < gmaxwell> sipa: I think pubkey recovery should be made a module.
14:06 <@sipa> for ecdsa?
14:06 < gmaxwell> for ecdsa
14:34 <@sipa> sounds reasonable
16:23 -!- jtimon [~quassel@200.Red-79-148-174.dynamicIP.rima-tde.net] has quit [Ping timeout: 256 seconds]
19:18 -!- btcdrak [uid52049@gateway/web/irccloud.com/x-qcxunlihpnrjysyk] has quit [Quit: Connection closed for inactivity]
19:56 < gmaxwell> Anyone looked at using bos-coster (or other similar algorithms) for batch verification?
19:57 < gmaxwell> it's kind of like extgcd... the way it works is we want to compute aP1 + bP2 + cP3 ... we put these (scalar, point) tuples in a max-heap, and pop off the two largest items (x, y) and set x = ((x-y), Px), y = (y, (Px+Py)), then push them back into the heap (unless x becomes 0, in which case it falls out). This keeps going until at the end you have a single remaining value, which should be small, and you then use
19:58 < gmaxwell> a conventional variable time scalar multiply for it.
20:00 < gmaxwell> It would couple well with the endomorphism split, which the existing batch does not.
20:20 < gmaxwell> a little toy implementation in sage, with a batch size of 512, if I split first (meaning a batch of 1024 half sized entries) I end up needing an average of 16097 point adds total. I think this compares pretty favorably to what we currently do (which IIRC does ~32 adds per pubkey, plus about 16 or so to build the precomp)
20:26 < gmaxwell> A really gigantic batch of 4096 gets it down to 24 adds per pubkey.
22:50 < gmaxwell> (I was looking for how to compute an efficient addition chain for polysig when I ran into that)
23:08 -!- btcdrak [uid52049@gateway/web/irccloud.com/x-uhiptojcsqmwqksn] has joined #secp256k1