--- Day changed Fri Sep 07 2018
01:12 -!- waxwing [~waxwing@193.29.57.116] has joined #secp256k1
01:12 -!- waxwing [~waxwing@193.29.57.116] has quit [Changing host]
01:12 -!- waxwing [~waxwing@unaffiliated/waxwing] has joined #secp256k1
03:24 -!- belcher_ [~belcher@unaffiliated/belcher] has joined #secp256k1
03:46 -!- belcher_ [~belcher@unaffiliated/belcher] has quit [Ping timeout: 272 seconds]
04:18 -!- belcher_ [~belcher@unaffiliated/belcher] has joined #secp256k1
08:30 < gmaxwell> andytoshi: oy, Aronesty replied to me but looks like he fell offlist
08:48 < andytoshi> gmaxwell: he admitted on-list that his scheme involved interaction, so i'm satisfied
08:50 < gmaxwell> yes, in his reply he's saying it's interactive. He's still rejecting the possibility of a rogue key attack.
08:50 < gmaxwell> https://0bin.net/paste/WAdKiBGG5rNmeph8#2kSu80t6CWEC8hOGp5YIWqFlPeAJ0eNSzN1Y1XslcAn
08:51 < gmaxwell> maybe I need to write a wagner solver and come up with a set of keys that I know the discrete log of the sum of, that includes the genesis block pubkey or something.
08:57 < nsh> hmm
09:01 < sipa> gmaxwell: i don't know; wagner is just an example here
09:02 < sipa> he's relying on the assumption that something can't be broken because he doesn't see how it could be
09:02 < sipa> that's not how you reason about security
09:04 < gmaxwell> his first messages on the subject made me think that, but this latest one makes a concrete security claim, but lacks any proof. "attack the hash function to produce a predictable R based on a known message or attack the DLP directly to influence x or k"
09:05 < gmaxwell> and, in fact, wagner attack could be seen as an attack on a generalized DLP. He just keeps ignoring it because he doesn't understand it.
09:06 < andytoshi> agree with sipa ... actually breaking his system may send the wrong message
09:06 < andytoshi> well, cynically i think it would send no message at all ;)
09:06 < gmaxwell> I think that's likely.
09:07 < gmaxwell> I have seen cases where someone posts a cryptosystem, and I break it, and they actually switch sides.
09:07 < gmaxwell> But more often they just patch around the break and say it's sure to be secure now since it's fixed.
09:07 < andytoshi> yeah, true, there's a good chance he'll do that
09:07 < gmaxwell> but I think he can't actually do that here?
09:07 < andytoshi> right..or else he'll just add a second hash somewhere so wagner is impractical
09:07 < andytoshi> and say "done"
09:08 < andytoshi> well like, if he hashed pairs of keys or something
09:08 < gmaxwell> well actually no, he already handwaved saying rogue keys aren't possible because of the interpolation lagrange constants, so if I didn't construct it exactly like he was thinking he'd probably dismiss the result.
09:09 < andytoshi> heh, it's probably nearly trivial to work around the lagrange constants ... but i personally wouldn't take the time to figure out how :P
09:10 < gmaxwell> yes, it's trivial.
09:10 < gmaxwell> he handwaved (but failed to specify precisely) that each point's interpolation location is the hash of the point.
09:11 < gmaxwell> If his scheme were changed to be the hash of all the points, it would effectively be musig.
09:26 < nsh> heh
11:09 < midnightmagic> also, if you break it and they patch it and claim it's fixed, now they have your name as an attacker who "can no longer break it" and you've just vetted their system.
11:10 < nsh> the road to hubris is paved with kind critiques
11:11 < midnightmagic> and at the end is ethereum and vitalik saying "thanks for the cash suckas"
11:12 < nsh> :)
15:20 -!- belcher_ [~belcher@unaffiliated/belcher] has quit [Quit: Leaving]