--- Day changed Sat Apr 16 2016
09:41 -!- jtimon [~quassel@18.29.134.37.dynamic.jazztel.es] has joined #secp256k1
10:34 < andytoshi> sipa: in your schnorrstage2 branch you create a couple functions secp256k1_multischnorr_compute_tweak, secp256k1_multischnorr_compute_tweaked_privkey, secp256k1_multischnorr_compute_tweaked_pubkey which compute H(P)*P from P ... can you move those functions to their own commit so that i can cherry-pick them for another project?
10:36 < andytoshi> in general computing and signing with A := Q + H(P)*P, is a proof that you know the DL of P *and* the DL of Q. so if you're the owner of Q you can use this to prove control of arbitrary addresses
10:38 < sipa> andytoshi: eh, i plan to rewrite them, as the sum(H(X)*X) approach isn't generally secure
10:39 < andytoshi> oh, i see ... i haven't tried too hard, but for what i'm doing i'm fairly sure the problem you're referring to doesn't apply
10:39 < sipa> i agree
10:39 < andytoshi> oh, yeah, it doesn't apply because i've only got a single point H(P)*P, there's no collection to take any subsets of
10:39 < sipa> indeed
10:42 < andytoshi> OK, thanks, when i decide where i want these functions i'll just use `git rebase -i` to pull them out of the existing branch, then we'll have correct authorship trail and you won't have to do any more on this dead branch..
10:58 < andytoshi> oh, for those reading my above comment, it's a proof that you know the DL of P and Q for *fixed* Q, arbitrary P. as in, Q needs to be chosen before A. (then the hash forces P to be chosen before A)
22:35 -!- jtimon [~quassel@18.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 260 seconds]