--- Log opened Sun Nov 03 00:00:53 2019
01:57 -!- echonaut2 [~echonaut@46.101.192.134] has joined #secp256k1
01:01 -!- afk11 [~afk11@gateway/tor-sasl/afk11] has quit [Ping timeout: 260 seconds]
01:03 -!- afk11 [~afk11@gateway/tor-sasl/afk11] has joined #secp256k1
01:06 -!- echonaut [~echonaut@46.101.192.134] has quit [Ping timeout: 265 seconds]
01:48 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
01:53 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 264 seconds]
03:41 -!- jonatack [~jon@37.172.188.89] has joined #secp256k1
03:56 -!- jonatack [~jon@37.172.188.89] has quit [Ping timeout: 268 seconds]
03:58 -!- jonatack [~jon@213.152.162.109] has joined #secp256k1
06:07 -!- arubi [~ese168@gateway/tor-sasl/ese168] has quit [Ping timeout: 260 seconds]
06:46 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
06:51 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 276 seconds]
09:00 -!- arubi [~ese168@gateway/tor-sasl/ese168] has joined #secp256k1
09:04 -!- jonatack [~jon@213.152.162.109] has quit [Ping timeout: 246 seconds]
10:28 < midnight> I'm a little surprised openacc is making its way into gcc
10:29 < midnight> PGI keeps making these obnoxious little inroads
10:58 -!- reallll [~belcher@unaffiliated/belcher] has joined #secp256k1
11:01 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 265 seconds]
11:06 -!- reallll is now known as belcher
13:39 -!- andytoshi [~apoelstra@wpsoftware.net] has joined #secp256k1
13:39 -!- andytoshi [~apoelstra@wpsoftware.net] has quit [Changing host]
13:39 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has joined #secp256k1
14:25 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
15:12 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has quit [Ping timeout: 240 seconds]
15:21 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Remote host closed the connection]
15:53 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
16:00 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 264 seconds]
16:08 < waxwing> sipa, i saw somewhere or other the statement that there's no other malleability for ECDSA than the sign one. I had it in my head that that wasn't a known fact, was I wrong, is there in fact a proof of that?
16:09 < waxwing> uh 'somewhere or other', let me not be lazy, i mean: https://github.com/sipa/bips/issues/107#issuecomment-544681949
16:10 < waxwing> or are you referring to the Fersch thing
16:11 < sipa> yes, the paper linked above
16:12 < gmaxwell> Doesn't ECDSA also have the same malleability that non-pubkey-committing schnorr has? e.g. if you know some valid signature then you also know a signature for a related key and a different message?
16:12 < gmaxwell> (that's outside the normal definition of malleability, but it totally produces vulnerabilities in plausible systems)
16:16 < waxwing> right, the Fersch paper was interesting, didn't get on top of it, but the outline makes some sense to me, also there's actually a talk by Fersch about it on youtube btw.
16:16 < waxwing> still given how screwy ECDSA is i kinda feel like the bar has to be pretty high :)
16:19 < sipa> gmaxwell: multiply P and m by the same factor, and divide s by it
16:19 < sipa> but given that m has to be a hash of a known value, that isn't technically ecdsa
16:21 < gmaxwell> sipa: compute m2 via hashing, find its relation to m through division? multiply P by it and divide S by it?
16:21 < waxwing> i was just reading the amusing fact that you can create one signature that's valid for two different messages in ECDSA too. ECDSA is really fun for all the family.
16:22 < waxwing> ( https://link.springer.com/content/pdf/10.1007%2F3-540-45708-9_7.pdf )
16:22 < gmaxwell> coming soon to a fake proof of satoshi near you...
16:22 < gmaxwell> waxwing: with EdDSA you can make one signature that's good for all messages! (use '0' as your pubkey/privatekey)
16:23 < gmaxwell> (but warning: different implementations will randomly disagree on the validity of that trick)
16:23 < waxwing> lol. you can't beat DJB on performance.
16:23 < gmaxwell> I'm imagining a joke paper now that argues that EdDSA has the fastest signing because of that ability. :P
16:24 < gmaxwell> "EdDSA provides amortized O(0) signing, performance unmatched by any NIST standard."
16:25 < sipa> gmaxwell: oh, right
16:26 < sipa> sR = mG + rP
16:27 < sipa> so (m2/m*s)*R = m2*G + r*(m2/m*P)
16:30 < waxwing> right, so it ends up being like with non-key-prefixed schnorr, that you can make the same sig work for a new message, on a new but unpredictable key?
16:31 < sipa> right
16:31 < sipa> for schnorr it's worse because the message does not change
16:32 < sipa> also, for schnorr it's an additive key tweak; for ecdsa it's a multiplicative one
16:32 < waxwing> oh but wait, can't you do both in schnorr? i wrote about this in one of my blogs.
16:32 < sipa> sG = R + H(R,m)P
16:32 < waxwing> when i say both, i mean either :)
16:33 < gmaxwell> waxwing: right, but a 'related' key... which could be used to fool some plausible protocols.
16:33 < gmaxwell> like the additive tweak could be used to attack something that thought identities were BIP32 chains, and the multiplicative tweak could be used to attack things that thought identities were armory public derivation chains.
16:34 < waxwing> yeah. it's just like a pandora's box you don't open, either the key exists before the protocol, or it doesn't, in which case you must fix it because it's part of the conversation transcript.
16:34 < sipa> (s+a*H(R,m))*G = R + H(R,m)*(P + aG)
16:34 < sipa> that's the only way i know of for schnorr, but there certainly may be others
16:35 < waxwing> i believe the multiplicative works too for the other way, search "Completely different messages on tweaked keys, with the same signature" in https://joinmarket.me/blog/blog/ring-signatures/
16:36 < waxwing> but i mean, whatever, i could be wrong in some detail, basically it's not secure if the keys aren't "known" and aren't hashed.
16:41 < sipa> oh, of course
16:42 < sipa> the signature remains exactly the same, but you tweak the key to undo the ratio in the message
16:43 < gmaxwell> I think tor HSv3 also multiplies the related public key. I think it might actually be vulnerable in practice if it wasn't using a key-prefixed schnorr.
16:44 < gmaxwell> (er, I should have said 'if it was using ECDSA')
16:46 < gmaxwell> I wish someone kept a catalog of near misses in cryptography... protocols that would be vulnerable except for some incidental choice that plausibly could have gone the other way.
17:29 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
17:34 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 245 seconds]
18:58 -!- nsh [~lol@wikipedia/nsh] has quit [Read error: Connection reset by peer]
19:10 -!- nsh [~lol@wikipedia/nsh] has joined #secp256k1
23:36 -!- jonatack [~jon@lfbn-bay-1-242-229.w83-193.abo.wanadoo.fr] has joined #secp256k1
--- Log closed Mon Nov 04 00:00:55 2019