--- Log opened Wed Jul 14 00:00:06 2021
00:26 -!- reallll is now known as belcher
00:55 -!- smitop [~smitop@user/smitop] has quit [Ping timeout: 268 seconds]
01:01 -!- aechu [~major@gateway/tor-sasl/major] has joined #bitcoin-wizards
01:10 -!- smitop [~smitop@user/smitop] has joined #bitcoin-wizards
01:14 -!- harrigan [~harrigan@ptr-93-89-242-235.ip.airwire.ie] has quit [Read error: Connection reset by peer]
01:16 -!- harrigan [~harrigan@ptr-93-89-242-235.ip.airwire.ie] has joined #bitcoin-wizards
01:25 -!- smitop [~smitop@user/smitop] has quit [Ping timeout: 255 seconds]
01:29 -!- aechu [~major@gateway/tor-sasl/major] has quit [Remote host closed the connection]
01:30 -!- aechu [~major@gateway/tor-sasl/major] has joined #bitcoin-wizards
01:39 -!- smitop [~smitop@user/smitop] has joined #bitcoin-wizards
02:01 -!- smitop [~smitop@user/smitop] has quit [Ping timeout: 245 seconds]
02:02 -!- smitop [~smitop@user/smitop] has joined #bitcoin-wizards
02:04 -!- kexkey [~kexkey@static-198-54-132-119.cust.tzulo.com] has quit [Ping timeout: 252 seconds]
02:04 -!- kexkey [~kexkey@static-198-54-132-151.cust.tzulo.com] has joined #bitcoin-wizards
02:40 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 272 seconds]
02:43 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
02:54 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has quit [Quit: = ""]
03:15 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 265 seconds]
04:16 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
04:48 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 265 seconds]
05:47 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
05:58 -!- jnewbery_ is now known as jnewbery
06:13 -!- gene [~gene@2a0a:3840:1337:127:0:b9c1:7fec:1337] has quit [Quit: drained and gutted]
06:20 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 245 seconds]
07:17 -!- ariard__ is now known as ariard
07:20 -!- rockhouse [~rockhouse@user/rockhouse] has quit [Remote host closed the connection]
07:36 -!- AaronvanW [~AaronvanW@190.57.73.116] has joined #bitcoin-wizards
07:55 -!- CrashTestDummy3 [~CrashTest@ool-ad02813b.dyn.optonline.net] has joined #bitcoin-wizards
07:56 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
07:59 -!- CrashTestDummy2 [~CrashTest@ool-ad02813b.dyn.optonline.net] has quit [Ping timeout: 268 seconds]
08:15 -!- rockhouse [~rockhouse@user/rockhouse] has joined #bitcoin-wizards
08:16 -!- rockhouse [~rockhouse@user/rockhouse] has quit [Remote host closed the connection]
08:16 -!- rockhouse [~rockhouse@user/rockhouse] has joined #bitcoin-wizards
08:20 -!- CrashTestDummy2 [~CrashTest@ool-ad02813b.dyn.optonline.net] has joined #bitcoin-wizards
08:24 -!- CrashTestDummy3 [~CrashTest@ool-ad02813b.dyn.optonline.net] has quit [Ping timeout: 272 seconds]
08:34 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 258 seconds]
09:48 -!- CrashTestDummy3 [~CrashTest@ool-ad02813b.dyn.optonline.net] has joined #bitcoin-wizards
09:50 -!- andrewtoth [~andrewtot@gateway/tor-sasl/andrewtoth] has joined #bitcoin-wizards
09:50 -!- instantp10neer [~instantp1@user/instantp10neer] has joined #bitcoin-wizards
09:51 -!- CrashTestDummy2 [~CrashTest@ool-ad02813b.dyn.optonline.net] has quit [Ping timeout: 255 seconds]
10:05 -!- b10c [uid500648@id-500648.charlton.irccloud.com] has joined #bitcoin-wizards
10:19 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
10:25 -!- deusexbeer [~hedeo@37-146-228-227.broadband.corbina.ru] has quit [Read error: Connection reset by peer]
10:25 -!- deusexbeer [~hedeo@37-146-228-227.broadband.corbina.ru] has joined #bitcoin-wizards
10:54 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 246 seconds]
11:08 -!- AaronvanW [~AaronvanW@190.57.73.116] has quit [Quit: Leaving...]
11:26 -!- vtnerd [~weechat@50-82-248-114.client.mchsi.com] has joined #bitcoin-wizards
11:28 -!- carine [~carine@212.83.183.62] has joined #bitcoin-wizards
11:32 -!- carine [~carine@212.83.183.62] has quit []
11:48 -!- roconnor [~roconnor@host-45-58-231-199.dyn.295.ca] has joined #bitcoin-wizards
12:07 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
12:30 -!- koolazer [~koo@user/koolazer] has quit [Ping timeout: 272 seconds]
13:00 -!- kexkey_ [~kexkey@static-198-54-132-151.cust.tzulo.com] has joined #bitcoin-wizards
13:03 -!- kexkey [~kexkey@static-198-54-132-151.cust.tzulo.com] has quit [Ping timeout: 265 seconds]
13:05 -!- b10c [uid500648@id-500648.charlton.irccloud.com] has quit [Quit: Connection closed for inactivity]
13:26 -!- jb55 [jb55@jb55.com] has quit [Quit: jb55]
13:40 -!- meshcollider [meshcollid@user/meshcollider] has quit [Remote host closed the connection]
14:01 -!- meshcollider [meshcollid@meshcollider.jujube.ircnow.org] has joined #bitcoin-wizards
14:15 -!- kexkey [~kexkey@static-198-54-132-151.cust.tzulo.com] has joined #bitcoin-wizards
14:18 -!- kexkey_ [~kexkey@static-198-54-132-151.cust.tzulo.com] has quit [Ping timeout: 258 seconds]
14:19 -!- koolazer [~koo@user/koolazer] has joined #bitcoin-wizards
14:56 -!- pinheadmz_ is now known as pinheadmz
15:11 -!- andrewtoth_ [~andrewtot@gateway/tor-sasl/andrewtoth] has joined #bitcoin-wizards
15:13 -!- luke-jr [~luke-jr@user/luke-jr] has quit [Read error: Connection reset by peer]
15:13 -!- andrewtoth [~andrewtot@gateway/tor-sasl/andrewtoth] has quit [Ping timeout: 244 seconds]
15:13 -!- luke-jr [~luke-jr@user/luke-jr] has joined #bitcoin-wizards
15:37 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Quit: Going offline, see ya! (www.adiirc.com)]
15:40 -!- kexkey [~kexkey@static-198-54-132-151.cust.tzulo.com] has quit [Ping timeout: 268 seconds]
15:44 -!- kexkey [~kexkey@static-198-54-132-151.cust.tzulo.com] has joined #bitcoin-wizards
16:06 < harding> Trying to understand musig2; IIUC, when Alice and Bob exchange pubkeys they can also exchange their nonce pairs at the same time in order to create signatures with no further direct interaction (e.g. they can just send their nonces and partial signature to a possibly-third-party aggregator who renders the final signature). What I want to know is whether they have to communicate separate nonce pairs for each signature they expect to participate
16:06 < harding> in or whether they can, in that initial communication round, send a seed that will be used to deterministically generate their nonces for each subsequent signing (e.g. in combination with a BIP32-style xpub for deterministic key generation). That seems safe to me if I understand the following sentence in the Blockstream blog post correctly, but I haven't seen anyone explicitly say that musig2 will allow something like that. "The coefficient b
16:06 < harding> is the output of a hash function applied to all signers’ nonces, the aggregated public key, and the message."
16:55 -!- belcher [~belcher@user/belcher] has quit [Read error: Connection reset by peer]
16:56 -!- belcher_ [~belcher@user/belcher] has joined #bitcoin-wizards
17:12 -!- roconnor_ [~roconnor@host-45-58-212-52.dyn.295.ca] has joined #bitcoin-wizards
17:12 -!- roconnor [~roconnor@host-45-58-231-199.dyn.295.ca] has quit [Ping timeout: 255 seconds]
17:14 -!- roconnor_ is now known as roconnor
17:22 < _aj_> harding: yeah separate nonce pairs (R1,R2) for every sig
17:35 -!- szarka [~szarka@2001-48F8-9004-E05-8EA-C1C4-A485-6287-dynamic.midco.net] has joined #bitcoin-wizards
18:12 < kanzure> "Publicly Auditable MPC-as-a-Service with succinct verification and universal setup" https://arxiv.org/pdf/2107.04248.pdf
18:22 -!- belcher_ is now known as belcher
18:55 < harding> _aj_: so no way to derive them from a seed? E.g., Alice and Bob want to be able to make 1,000 signatures over the lifetime of their relationship, so they need to share 32*2*1000 bytes of data up front? Or, in other words, there won't be a compact descriptor for musig2([alice_keypath]alice_xpub, [bob_keypath]bob_xpub)? :-(
18:56 < _aj_> doesn't need to be upfront, can generate the next sig's nonces and send it with the previous sig?
18:56 < kalle> Upfront is useful tho
18:56 < _aj_> these are the sig nonces, the descriptor is fine
18:57 < harding> Sending it with the previous sig requires every-party-to-every-party comms though, right?
18:57 < _aj_> yes, you need broadcast comms
18:58 < roconnor> I think jonas was working on a O(n) communications model with a leader. not sure about doing another set of signatures.
19:00 < harding> Drat, I thought MuSig2 was more of a drop-in replacement for current OP_CMS workflows.
19:00 < roconnor> Since MuSig2 is supposed to be robust against parallel sessions, I don't see what's wrong with giving a bunch of nonces for signature upfront, nor do I see what would be wrong with using a seed. However, this is also exactly the sort of thing that might look secure but somehow isn't, as always seems to be the case.
19:00 < _aj_> you can't let other people calculate your nonce from a seed
19:01 < _aj_> /you/ could use a seed though
19:01 < roconnor> what's the difference between me running a computation to produce 1000 nonces and handing them over versus handing over a seed to them and having them do the computation
19:03 < _aj_> they can do maths when you give them signatures and recover your private key?
19:03 < roconnor> Is your concern about the seed or the 1000 nonces upfront?
19:04 < _aj_> mine is the seed, harding's is the 1000 nonce traffic
19:05 < roconnor> assuming the generation is computationally indistinguishable from random, then there shouldn't be any maths that you can do with the seed that you cannot do with 1000 nonces.
19:05 < roconnor> I claim by waving my hands vigorously.
19:06 < _aj_> calculate the 1001st nonce?
19:06 < harding> Make it infinite nonces?
19:06 < roconnor> For the sake of argument I'm assuming we are rekeying after 1000 nonces.
19:07 < roconnor> thus computing the 1001st nonce doesn't help.
19:07 < roconnor> it is just an unused number indistinguishable from random.
19:07 < roconnor> (more waving of hands).
19:07 < _aj_> roconnor: if you have two nonce pairs, and can calculate the second in terms of the first i think that gives you the private key, provided you can relate the two public keys
19:08 < _aj_> (ie, they're not hardened derivation, in which case you'd be sending 1000 public keys anyway)
19:08 < roconnor> Right, I think we are just talking about pregenerating the first nonces.
19:10 < roconnor> Just to be clear, I'm not saying that this is secure and it is okay to use; just that my very imperfect understanding doesn't lead me to believe it would be insecure and maybe you should ask jonas or tim before giving up on the idea of using a seed.
19:11 < roconnor> based on my understanding of how pseudo random streams of numbers work and my very vague understanding of the security of parallel sessions with musig2.
19:12 < roconnor> I mean tim was talking about doing threshold signatures by running an enormous set of signing sessions in parallel just in case some people drop off the comms, and that was all to sign the same message!
19:13 < roconnor> If it is okay to use a bunch of different nonces simultaneously in an attempt to make a threshold signature on the same message, I don't see how running multiple signing sessions on different messages in musig2 could be any worse.
19:14 < roconnor> and preloading 1000 nonces upfront is exactly what it means to start parallel signing sessions.
19:14 < roconnor> Apparently it is 4:14 am in Berlin.
19:15 < harding> nickler_: real_or_random ^
19:16 < harding> _aj_: roconnor: thanks for your replies! Now I'm even more curious. :-)
19:17 < roconnor> My main hesitation is that there have been tens of other similarly obviously safe looking optimizations in MuSig2 that all turned out to be extremely broken.
19:29 < roconnor> Ah I now see what _aj_ is getting at.
19:29 < roconnor> generating nonces from a seed seems hard. You cannot just use a pseudo-random number generator.
19:31 -!- CrashTestDummy2 [~CrashTest@ool-ad02813b.dyn.optonline.net] has joined #bitcoin-wizards
19:31 < roconnor> If you try to use a HD generation scheme for nonces, if you use unhardened derivations, all the nonces are related to each other, which seems like it will be very very bad.
19:32 < roconnor> or you use hardened derivations which means they cannot be generated with only public data.
19:32 < roconnor> so that is useless beyond sending 1000 nonces upfront.
19:32 < roconnor> _aj_: sorry for my being slow.
19:34 -!- CrashTestDummy3 [~CrashTest@ool-ad02813b.dyn.optonline.net] has quit [Ping timeout: 258 seconds]
19:42 < _aj_> roconnor: \o/
19:59 < roconnor> Ya, I don't see how to transport 1000 independently generated curve points to your counterparty in a compressed way; and if there was a compressed way, it probably means that DLog is broken.
20:04 < harding> :-( (but thanks for the explanations)
20:14 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has joined #bitcoin-wizards
21:19 -!- torokun [~torokun@65.131.67.163] has joined #bitcoin-wizards
21:22 -!- torokun [~torokun@65.131.67.163] has quit [Remote host closed the connection]
21:26 -!- torokun [~torokun@65.131.67.163] has joined #bitcoin-wizards
21:28 -!- torokun [~torokun@65.131.67.163] has quit [Remote host closed the connection]
21:28 -!- torokun [~torokun@65.131.67.163] has joined #bitcoin-wizards
21:31 -!- jessepos_ [~jesse@2601:647:0:89:f5e8:30ac:87ba:ab6e] has joined #bitcoin-wizards
21:31 -!- torokun [~torokun@65.131.67.163] has quit [Remote host closed the connection]
21:31 -!- jesseposner [~jesse@2601:647:0:89:6434:3ce9:af91:46cf] has quit [Ping timeout: 240 seconds]
21:49 -!- smitop [~smitop@user/smitop] has quit [Ping timeout: 255 seconds]
21:55 -!- smitop [~smitop@user/smitop] has joined #bitcoin-wizards
23:53 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
--- Log closed Thu Jul 15 00:00:07 2021