--- Log opened Sat Oct 10 00:00:42 2020
00:22 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Excess Flood]
00:23 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
01:49 -!- jonatack [~jon@213.152.162.15] has quit [Ping timeout: 240 seconds]
02:29 -!- jonatack [~jon@37.166.6.124] has joined #secp256k1
02:51 -!- midnight [~midnight@unaffiliated/midnightmagic] has quit [Ping timeout: 240 seconds]
02:54 -!- midnight [~midnight@unaffiliated/midnightmagic] has joined #secp256k1
02:54 -!- jonatack [~jon@37.166.6.124] has quit [Ping timeout: 272 seconds]
02:56 -!- jonatack [~jon@213.152.161.170] has joined #secp256k1
03:05 -!- reallll [~belcher@unaffiliated/belcher] has joined #secp256k1
03:08 -!- belcher_ [~belcher@unaffiliated/belcher] has quit [Ping timeout: 265 seconds]
03:32 -!- jonatack [~jon@213.152.161.170] has quit [Quit: jonatack]
04:43 -!- reallll is now known as belcher
05:38 < michaelfolkson> Ok sorry for more bugging :)
05:38 < michaelfolkson> https://bitcoin.stackexchange.com/questions/99418/how-do-i-tweak-the-bip340-test-vectors-to-check-that-signature-verification-fail
05:41 < michaelfolkson> I'm not sure what is going on here. Doesn't every possible private key map to two possible public key coordinates? And you need a tiebreaker to choose between them? Why does this particular private key (4) result in the "wrong" public key according to squaredness tiebreaker?
07:06 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Quit: ZNC - http://znc.sourceforge.net]
07:06 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
07:08 -!- jonatack [~jon@185.206.225.51] has joined #secp256k1
08:00 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Quit: ZNC - http://znc.sourceforge.net]
08:01 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
08:53 < sipa> michaelfolkson: every scalar has exactly one corresponding point
08:54 < sipa> in bip340 we retrict ourselves to public keys with an even Y coordinate, so only half of the public keys are valid... meaning only half of the scalars are valid as well
08:55 < sipa> this is undesirable, so instead, we say that every private key has a public key, and if dG has the wrong Y coordinate, we effectively sign with -d
09:03 < sipa> so with that change, you could say that every scalar is a valid private key, and there are two private keys that map to the same public key
09:18 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Quit: ZNC - http://znc.sourceforge.net]
09:19 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
09:30 < michaelfolkson> Ah cool, makes sense. Thanks sipa
11:38 -!- roconnor [~roconnor@host-45-78-205-7.dyn.295.ca] has quit [Ping timeout: 265 seconds]
12:06 -!- belcher_ [~belcher@unaffiliated/belcher] has joined #secp256k1
12:09 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 260 seconds]
12:16 -!- belcher_ is now known as belcher
12:49 < michaelfolkson> If we switched from squaredness to evenness why check for squaredness in the BIP 340 test vectors? There is no harm done if the check is redundant but surely there are some public keys that would pass the evenness check that fail the squaredness check?
12:53 < sipa> michaelfolkson: that's literally explained in test-vectors.py
12:53 < michaelfolkson> Oops ok, sorry missed it
12:58 < michaelfolkson>     # For historical reasons (pubkey tiebreaker was squareness and not evenness)
12:58 < michaelfolkson>     # we should have at least one test vector where the the point reconstructed
12:58 < michaelfolkson>     # from the public key has a square and one where it has a non-square Y
12:58 < michaelfolkson>     # coordinate. In this one Y is non-square.
12:58 < michaelfolkson> That's the one I think
12:59 < michaelfolkson> I don't understand how that answers my question if that is the right explanation
13:00 < michaelfolkson> There's an assert error message [ assert(not has_square_y(pubkey_point)) ]
13:02 < michaelfolkson> I don't know why we care whether it is squared or not now. Or why we have that assert. If it is a redundant then fine but surely it isn't
13:02 < sipa> it's just there to catch the case where someone would have implemented BIP340 with the old squaredness check instead of even/oddness
13:03 < sipa> that's exactly as redundant as everything else the vectors try to cover
13:04 < michaelfolkson> Oh ok gotcha, thanks
14:37 -!- belcher_ [~belcher@unaffiliated/belcher] has joined #secp256k1
14:39 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 264 seconds]
20:36 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Quit: ZNC - http://znc.sourceforge.net]
20:38 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #secp256k1
21:52 -!- fanquake_ [sid369002@gateway/web/irccloud.com/x-hhjwpoqkkctrgveh] has joined #secp256k1
21:54 -!- fanquake [sid369002@gateway/web/irccloud.com/x-mlmfxisownwkerez] has quit [Ping timeout: 240 seconds]
21:54 -!- fanquake_ is now known as fanquake
--- Log closed Sun Oct 11 00:00:43 2020