--- Log opened Wed Jan 15 00:00:08 2020
00:16 < gmaxwell> nsh: if the generator isn't treated as part of the identity, yes.
00:16 < gmaxwell> either the generator shouldn't be changeable or the 'identity' should include it.
00:33 -!- real_or_random [~real_or_r@173.249.7.254] has quit [Ping timeout: 265 seconds]
00:39 -!- real_or_random [~real_or_r@2a02:c207:3002:7468::1] has joined #secp256k1
00:58 < nsh> right, thanks
01:07 -!- gmaxwell [gmaxwell@wikimedia/KatWalsh/x-0001] has left #secp256k1 []
01:13 -!- jonatack [~jon@213.152.162.15] has joined #secp256k1
02:08 < elichai2> is cmovl constant time?
02:10 < real_or_random> yep, the cmov family should be fine in general
02:11 < elichai2> thanks. was just testing the asm of #709
02:12 < elichai2> gmaxwell: doesn't the "choice of generator" only affect security *after* you have known public keys in the curve? (ie if I want to fake a sign by PK. I can set G=PK/2 and use 2 as the private key)
02:57 -!- jonatack [~jon@213.152.162.15] has quit [Ping timeout: 260 seconds]
03:08 -!- belcher [~belcher@unaffiliated/belcher] has joined #secp256k1
03:57 < sipa> elichai2: you can set generator=pubkey in this attack and sign with privkey 1
03:58 < elichai2> right :) but you need *to first select a public key to attack* ie for a new curve that doesn't have known public key on it the generator shouldn't matter too much
03:58 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined #secp256k1
04:03 < sipa> elichai2: the certificate chooses the key parameters
04:04 < elichai2> yes, that's why it's exploitable, I was commenting on Greg's msg on why the choice of generator is important. which I think for new curves it shouldn't be important but choosing your own generator on an *existing* curve is a real problem
04:04 < sipa> right
05:35 < real_or_random> it's great for performance to have pk = generator
05:36 < real_or_random> but the speedup is larger for the attacker :p
05:38 < sipa> ha
09:19 < elichai2> sipa: still trying to figure it out but there's a bug in your python schnorr impl (taproot branch)
09:19 < elichai2> https://repl.it/repls/ThisThornyEvents
09:20 < elichai2> this is a copy of your code and at the end there's the sample
09:20 < elichai2> tested against libsecp and it's producing the exact same sig, but verification passes on libsecp but here it fails
09:26 < elichai2> the exact same inputs for libsecp: https://pastebin.com/raw/ZkDpxy3k
09:46 -!- gleb [sid306870@gateway/web/irccloud.com/x-ygxmnjkyvaqipiud] has quit []
09:46 -!- gleb [sid306870@gateway/web/irccloud.com/x-ttggrkubveamjixs] has joined #secp256k1
09:49 < elichai2> I hope I'm not missing anything obvious here but I really can't figure out what's the problem. it seems like all the inputs are correct up to `SECP256k1.mul` but the resulting `R` is wrong somehow :O
09:51 < sipa> elichai2: hmm, i haven't heard about this yet
09:55 < sipa> elichai2: the python code says the jacobi test fails
09:56 < elichai2> right. if you convert the R point to affine and print it both in sign and in verify you get 2 different points
09:59 < sipa> i don't understand this
09:59 < elichai2> you don't understand what's the problem or why is it happening?
10:01 < sipa> i don't understand how this can happen
10:01 < sipa> the jacobi symbol implementation is correct
10:01 < sipa> (i verified it by comparing with modsqrt)
10:01 < elichai2> did you check that the R point being checked is correct?
10:09 < elichai2> found it sipa
10:09 < elichai2> https://github.com/sipa/bitcoin/blob/taproot/test/functional/test_framework/key.py#L369
10:10 < elichai2> does this line look weird to you? :D
10:10 < elichai2> it should be `e = SECP256K1_ORDER - e`
10:10 < elichai2> lol
10:12 < elichai2> I was going crazy
10:13 < sipa> ?
10:13 < elichai2> sipa: the line has `e = SECP256K1_ORDER - 1` *order minus 1*
10:13 < sipa> oh
10:14 < sipa> ha
10:14 < elichai2> so if the pubkey is positive you replace e with just `-1` and obviously get a different R (sG-kG instead of sG-ekG)
10:17 < sipa> why do my tests not fail?
10:17 < elichai2> I'm so glad we found it and I can now go home and continue my evening in peace lol
10:17 < elichai2> sipa: good question. maybe somehow all the pubkeys aren't positive?
10:19 < sipa> nope
10:19 < sipa> my tests literally never call verify_schnorr
10:19 < sipa> they only use the signing code in python
10:20 < elichai2> hehe I was going to grep for it now
10:29 -!- fjahr [sid374480@gateway/web/irccloud.com/x-xxqryhzcklprwjpv] has quit [Read error: Connection reset by peer]
10:30 -!- CodeShark__ [sid126576@gateway/web/irccloud.com/x-nlyydfzifileatrj] has quit [Ping timeout: 246 seconds]
10:30 -!- wallet42 [sid154231@gateway/web/irccloud.com/x-jtxugexkwtmwjqjm] has quit [Ping timeout: 250 seconds]
10:30 -!- gmaxwell [gmaxwell@wikimedia/KatWalsh/x-0001] has joined #secp256k1
10:30 -!- gmaxwell [gmaxwell@wikimedia/KatWalsh/x-0001] has left #secp256k1 []
10:31 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-fhihlxwdowbujcbx] has quit [Ping timeout: 250 seconds]
10:33 -!- fjahr [sid374480@gateway/web/irccloud.com/x-mkriuzmixspqdtqj] has joined #secp256k1
10:33 -!- wallet42 [sid154231@gateway/web/irccloud.com/x-wpeejzujfdfzrykk] has joined #secp256k1
10:33 -!- digi_james [sid281632@gateway/web/irccloud.com/x-hcjqmmywqumzjqio] has quit [Read error: Connection reset by peer]
10:34 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-cmfmvnkrwyqzfqpe] has joined #secp256k1
10:35 -!- digi_james [sid281632@gateway/web/irccloud.com/x-etbhgsojdikkrkqs] has joined #secp256k1
10:38 -!- CodeShark__ [sid126576@gateway/web/irccloud.com/x-whduealtbzmnkwik] has joined #secp256k1
10:43 -!- fjahr [sid374480@gateway/web/irccloud.com/x-mkriuzmixspqdtqj] has quit [Ping timeout: 272 seconds]
11:02 < sipa> elichai2: thanks, fixed in my branch now
11:02 < sipa> and added a test for the schnorr verify code itself
11:13 -!- elichai23 [d5895f14@213.137.95.20] has joined #secp256k1
11:13 -!- elichai23 [d5895f14@213.137.95.20] has quit [Changing host]
11:13 -!- elichai23 [d5895f14@unaffiliated/elichai2] has joined #secp256k1
11:13 < elichai23> the IRC bouncer i'm using is dead
11:17 < elichai23> sipa do you want to fix this in the rebase or should I open a PR? (I guess you prefer not PRing into your branch heh)
11:17 < elichai23> oops I see you already fixed it. Thanks :)
11:41 -!- elichai23 [d5895f14@unaffiliated/elichai2] has quit [Ping timeout: 260 seconds]
12:02 < sipa> yup
12:18 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has quit [Quit: jonatack]
12:22 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined #secp256k1
16:18 -!- CodeShark__ [sid126576@gateway/web/irccloud.com/x-whduealtbzmnkwik] has quit [Read error: Connection reset by peer]
16:20 -!- CodeShark__ [sid126576@gateway/web/irccloud.com/x-dxibyjzsxxqqujht] has joined #secp256k1
16:42 -!- CodeShark__ [sid126576@gateway/web/irccloud.com/x-dxibyjzsxxqqujht] has quit [Read error: Connection reset by peer]
16:42 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-cmfmvnkrwyqzfqpe] has quit [Ping timeout: 260 seconds]
16:44 -!- digi_james [sid281632@gateway/web/irccloud.com/x-etbhgsojdikkrkqs] has quit [Ping timeout: 272 seconds]
16:46 -!- gleb [sid306870@gateway/web/irccloud.com/x-ttggrkubveamjixs] has quit [Ping timeout: 245 seconds]
16:53 -!- RubenSomsen [sid301948@gateway/web/irccloud.com/x-ljnsyxugfwixcbdn] has quit [Ping timeout: 246 seconds]
16:53 -!- wallet42 [sid154231@gateway/web/irccloud.com/x-wpeejzujfdfzrykk] has quit [Ping timeout: 245 seconds]
17:09 -!- RubenSomsen [sid301948@gateway/web/irccloud.com/x-dlowkpemhdlkzhfb] has joined #secp256k1
17:09 -!- RubenSomsen [sid301948@gateway/web/irccloud.com/x-dlowkpemhdlkzhfb] has quit [Excess Flood]
17:24 -!- zmanian_ [sid113594@gateway/web/irccloud.com/x-wrpewajemeemlhgf] has quit [Ping timeout: 260 seconds]
17:26 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-mpwqnwutrypgdtsz] has joined #secp256k1
17:26 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-mpwqnwutrypgdtsz] has quit [Excess Flood]
17:34 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Ping timeout: 240 seconds]
17:39 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
17:50 -!- BlueMatt [~BlueMatt@unaffiliated/bluematt] has quit [Ping timeout: 265 seconds]
17:55 -!- BlueMatt [~BlueMatt@unaffiliated/bluematt] has joined #secp256k1
18:09 -!- belcher [~belcher@unaffiliated/belcher] has quit [Quit: Leaving]
19:08 -!- BlueMatt [~BlueMatt@unaffiliated/bluematt] has quit [Ping timeout: 246 seconds]
19:09 -!- BlueMatt [~BlueMatt@unaffiliated/bluematt] has joined #secp256k1
22:18 -!- gleb [sid306870@gateway/web/irccloud.com/x-hukqpvbpfjfsdlix] has joined #secp256k1
22:42 -!- gleb [sid306870@gateway/web/irccloud.com/x-hukqpvbpfjfsdlix] has quit [Ping timeout: 260 seconds]
22:44 -!- gleb [sid306870@gateway/web/irccloud.com/x-tapoouknqpxtsqlo] has joined #secp256k1
22:49 -!- CodeShark__ [sid126576@gateway/web/irccloud.com/x-itgiqtyaunszslas] has joined #secp256k1
22:53 -!- RubenSomsen [sid301948@gateway/web/irccloud.com/x-ychgpeigdrmerrwf] has joined #secp256k1
22:53 -!- digi_james [sid281632@gateway/web/irccloud.com/x-ujprzhctynzlzsgm] has joined #secp256k1
22:53 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-comdeojcshxsgfje] has joined #secp256k1
22:56 -!- wallet42 [sid154231@gateway/web/irccloud.com/x-wujafbfeuezoucze] has joined #secp256k1
23:07 -!- zmanian_ [sid113594@gateway/web/irccloud.com/x-epftvlcofnwkeeop] has joined #secp256k1
23:11 -!- fjahr [sid374480@gateway/web/irccloud.com/x-ycxxkxjyiukxhegd] has joined #secp256k1
--- Log closed Thu Jan 16 00:00:07 2020