--- Log opened Tue Nov 16 00:00:34 2021
00:26 -!- ghost43 [~ghost43@gateway/tor-sasl/ghost43] has quit [Ping timeout: 276 seconds]
00:26 -!- ghost43 [~ghost43@gateway/tor-sasl/ghost43] has joined #bitcoin-wizards
00:36 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
01:29 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Remote host closed the connection]
01:39 -!- vysn [~vysn@user/vysn] has joined #bitcoin-wizards
01:42 -!- vysn [~vysn@user/vysn] has quit [Client Quit]
01:42 -!- vysn [~vysn@user/vysn] has joined #bitcoin-wizards
02:03 -!- kexkey_ [~kexkey@static-198-54-132-101.cust.tzulo.com] has quit [Ping timeout: 260 seconds]
02:51 -!- b10c [uid500648@ilkley.irccloud.com] has quit [Quit: Connection closed for inactivity]
03:19 < andytoshi> ok, so i have a practical use for the OTP encryption: encrypting shares when they are in transit (with the intention that the recipient will decrypt them once they receive both the share and the key, in separate shipments, and verify they are untampered with)
03:20 < andytoshi> the fact that it's ephemeral and only used during setup should mean that it doesn't weaken your robustness too much
03:39 -!- b10c [uid500648@ilkley.irccloud.com] has joined #bitcoin-wizards
04:10 -!- jtrag [~jtrag@user/jtrag] has joined #bitcoin-wizards
04:20 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
04:24 -!- jtrag [~jtrag@user/jtrag] has quit [Read error: Connection reset by peer]
04:25 -!- z9z0b3t1c [z9z0b3t1c@gateway/vpn/protonvpn/z9z0b3t1c] has joined #bitcoin-wizards
04:32 -!- vysn [~vysn@user/vysn] has quit [Ping timeout: 264 seconds]
04:57 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has quit [Ping timeout: 276 seconds]
05:05 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has joined #bitcoin-wizards
05:20 -!- roconnor [~roconnor@host-45-58-217-8.dyn.295.ca] has joined #bitcoin-wizards
05:23 < roconnor> 2-of-2 SSS is basically OTP, with checksums.
05:44 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has quit [Ping timeout: 276 seconds]
05:45 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has joined #bitcoin-wizards
06:01 -!- smartin [~Icedove@88.135.18.171] has joined #bitcoin-wizards
06:06 -!- grubman9000 [~ufotofu@user/ufotofu] has joined #bitcoin-wizards
06:23 < andytoshi> it would be easier to construct a word with a QQQQQQQQQQQQQ checksum and then directly xor that with my key, since i then don't need to use the recovery volvelle
06:23 < andytoshi> but in principle yes, it would be better to use 2-of-2 SSS so that i'm not inventing ad-hoc schemes
06:23 < andytoshi> i will try to use the recovery volvelle today to understand how it feels
06:26 < roconnor> That is true.
06:26 < roconnor> I think QQQ* codes were not used in Bech32 because it is clear that appending Q's wouldn't invalidate the checksum.
06:27 < roconnor> But still fell into a similar trap with Q*P
06:28 < roconnor> But length extensions on OTP is probably less problematic.
06:28 < roconnor> because if your OTP doesn't match your encrypted message length, then it will be obviously wrong.
06:31 < andytoshi> yep
06:32 < andytoshi> yeah, funny how similar the Q*P thing was to the "obvious" QQQ* problem...i hope to learn the history of this as i learn about BCH codes
06:32 < andytoshi> sipa: i presume the existing literature says "don't use 0 as a checksum or you'll have length extension attacks"? but it doesn't say "don't use 1 or you'll get a less obvious sort of length extension attack"?
06:33 < andytoshi> or was even the "don't use 0" thing an innovation from you and gmax
06:44 -!- vysn [~vysn@user/vysn] has joined #bitcoin-wizards
06:58 < andytoshi> BTW heads up that i just recorded a "blockstream podcast" and i shilled volvelles in the last couple minutes. i don't know if anybody watches this podcast or what
07:06 < sipa> andytoshi: i got the "don't use 0" from the wikipedia article on CRC or BCH or so
07:08 -!- kexkey [~kexkey@static-198-54-132-85.cust.tzulo.com] has joined #bitcoin-wizards
07:13 < andytoshi> interesting .. i'll bet it's just folklore
07:15 < andytoshi> roconnor: there is a bug in your dice tables! in the d6/d6 table 9 appears twice (the first one should be R i believe)
07:16 < andytoshi> the dice table code is pretty opaque :P i can't see how this happens
07:19 -!- kexkey [~kexkey@static-198-54-132-85.cust.tzulo.com] has quit [Ping timeout: 256 seconds]
07:21 -!- kexkey [~kexkey@static-198-54-132-167.cust.tzulo.com] has joined #bitcoin-wizards
07:34 < sipa> andytoshi: 0xfffff... is common for CRCs
07:34 < sipa> which i guess is generally better than 1, but i wasn't aware of why at the time
07:48 -!- AaronvanW [~AaronvanW@190.150.26.4] has joined #bitcoin-wizards
08:36 -!- Guyver2_ [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
08:38 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Ping timeout: 250 seconds]
08:38 -!- Guyver2_ is now known as Guyver2
08:47 < roconnor> andytoshi: indeed.
08:47 < roconnor> dice tables were generated from Dicetables.tbl
08:47 < roconnor> I can fix it, but I think they need to be thrown away and replaced with unbiased bit generators.
08:49 < roconnor> andytoshi: This is some serious CIA stuff.
08:57 < andytoshi> lol, yeah, this is like stuxnet for paper computers
08:58 < andytoshi> so. generating 128 bits and doing the 13-char checksum seems to take me a bit over an hour per shot. definitely meaningfully more work than bech32.
08:58 < roconnor> an hour seems like an acceptable amount of time.
08:58 < andytoshi> agreed
08:59 < sipa> what is a "shot" in this context?
09:00 < roconnor> I took it to mean one share.
09:01 < roconnor> a 44 character share with (including) the 13 character checksum
09:05 < roconnor> maybe 47 characters.
09:07 -!- gene [~gene@gateway/tor-sasl/gene] has joined #bitcoin-wizards
09:17 -!- AaronvanW [~AaronvanW@190.150.26.4] has quit [Remote host closed the connection]
09:23 -!- AaronvanW [~AaronvanW@190.150.26.4] has joined #bitcoin-wizards
09:30 < andytoshi> yep
09:31 -!- AaronvanW [~AaronvanW@190.150.26.4] has quit [Remote host closed the connection]
09:31 < andytoshi> so, generating 21 random chars then computing the 13 checksum chars
09:31 -!- AaronvanW [~AaronvanW@190.150.26.4] has joined #bitcoin-wizards
09:32 -!- AaronvanW [~AaronvanW@190.150.26.4] has quit [Client Quit]
09:36 < andytoshi> err 31
10:19 -!- morcos_ [~morcos@gateway/tor-sasl/morcos] has joined #bitcoin-wizards
10:21 < roconnor> [5:37:57 PM EST] so i _think_ with a distance-9 code, if you have 8 missing characters you could actually correct all 8
10:22 < sipa> if they are consecutive this is always possible
10:22 < roconnor> This isn't the case. An unreadable character is worse than a maybe wrong character.
10:22 -!- morcos [~morcos@gateway/tor-sasl/morcos] has quit [Ping timeout: 276 seconds]
10:22 -!- morcos_ is now known as morcos
10:22 < sipa> if not, it is not necessarily true for a BCH code IIRC
10:22 < sipa> for RS codes this is possible
10:23 < roconnor> oh hmm
10:23 < sipa> roconnor: erasures is the term you're looking for
10:23 < sipa> and they are definitely easier to correct than errors in unknown locations
10:23 < roconnor> So my reading of this error recovery stuff, is that you replace the unreadable characters with 0, and then, more or less, force the locator polynomial to count that as an error.
10:23 < andytoshi> i think, even with a BCH code, if i have all correct characters but 8 erasures, then there should be exactly one codeword that fills in the missing characters
10:24 < roconnor> even if 0 happens to be correct.
10:24 < andytoshi> it may be that efficient BCH decoders can't find this
10:24 < andytoshi> but i think theoretically it's true
10:24 < sipa> let me think
10:24 < roconnor> but ya, you do make a good point.
10:25 < sipa> roconnor: it's obvious that erasures are easier right? you don't need to infer both location and error info; just error info
10:25 < roconnor> maybe you are right.
10:25 < sipa> so you want the lines in the check matrix corresponding to the erased positions to be linearly independent
10:25 < sipa> if that is the case, you can trivially solve for it
10:26 < roconnor> so adding a missing location reduced the number of syndromes by 1 through various massaging.
10:26 < sipa> by inverting that matrix, and multiplying with the checksum error
10:26 < roconnor> but I guess you need 2 syndromes per error correction.
10:26 < roconnor> so I guess two missing locations is equal to one error.
10:26 < sipa> in RS it works like that
10:26 < sipa> because locations and errors are the same "domain"
10:27 < sipa> but in BCH codes, the syndromes are of higher degree, and sort-of "too much" for a single error
10:27 < roconnor> ah Right I was misreading this formal.
10:27 < sipa> (RS is BCH with the encoding and decoding fields equal, so a "degree 1" BCH code)
10:27 < roconnor> In Euclidean algorithm, we try to correct at most 1/2 ( d − 1 − k ) errors (on readable positions),
10:27 < roconnor> "In Euclidean algorithm, we try to correct at most 1/2 ( d − 1 − k ) errors (on readable positions), "
10:28 < roconnor> where k is the number of missing locations.
10:28 < roconnor> okay.
10:28 < sipa> in RS codes the distance is exactly the number of syndromes + 1
10:28 < sipa> and each syndrome either lets you solve for an error location, or for an error in a known location
10:28 < sipa> but RS codes are limited to length (fieldsize - 1)
10:29 < roconnor> that seems bad when the fieldsize = 2.
10:29 < andytoshi> this is great stuff, thanks. i am not quite to BCH and RS codes in my textbook
10:30 < sipa> roconnor: well in bech32 the encoder field is GF(32) and the decoder field is GF(1024)
10:30 < sipa> you could work with an RS code consisting of GF(1024) symbols that are two characters each, e.g.
10:31 < sipa> but this will be worse than just using an appropriate BCH code
10:31 < sipa> BCH codes have strictly more freedom than RS codes
10:37 < sipa> i'm wrong
10:38 < sipa> a distance N linear code can correct N-1 erasures, always
10:38 < sipa> (and more generally, distance N can correct K erasures and E errors as long as K+2*E < N)
10:41 < sipa> it doesn't even require the code to be linear for that to be the case, but with linear distance=N code, correcting N-1 erasures is algorithmically easy
10:41 < sipa> and computationally; just solving a set of linear equations
10:49 < sipa> (over the encoder field)
11:04 < roconnor> I have a bit of a puzzle on how to do error correction in mixed case.
11:04 < roconnor> Presumably one of the two cases, lower or upper, counts as an unreadable character?
11:08 < sipa> i'm not sure what uppercase/lowercase has to do with this?
11:08 < sipa> they're all just ways of encoding GF(32) elements
11:09 < roconnor> The rule is that characters all must be uppercase or all must be lowercase.
11:09 < sipa> oh, of course
11:09 < roconnor> to be legal, which is fine.
11:09 < sipa> lol
11:09 < roconnor> so suppose one character is lowercase
11:09 < roconnor> well, that must be an unreadable character.
11:09 < roconnor> I guess.
11:09 < sipa> i think just return "error: mixed case", and let the user fix that themselves :p
11:10 < roconnor> Make the user convert one of the two cases to ???s?
11:10 < roconnor> to '?'s
11:10 < roconnor> assuming we want to mark unreadable characters as ?s.
11:11 < roconnor> I guess we could do that. It seems like that is something maybe a computer could do.
11:11 < sipa> right
11:12 < roconnor> but do we demand the user retype all Os and 0s to?
11:12 < roconnor> and all I's as l's?
11:13 < sipa> makes sense to do that automatically
11:13 < sipa> or treat them as erasures too
11:14 < roconnor> and do I mandate this sort of behaviour so that everyone gets a consistent error correcting behaviour?
11:15 < sipa> i think it's best to give feedback to the user, actually
11:16 < roconnor> what are you thinking?
11:17 < andytoshi> if possible, i'd like to know which letters the scheme had "auto corrected" by turning o's to 0's etc, and also which letters it had corrected using ECC
11:18 < andytoshi> the former probably i have some insight into (like, i am a shitty typist or am misremembering the alphabet), the latter are probably "real" errors
11:18 < sipa> there is a finite character set; if the user enters something outside of that character set, that implies they're operating on the assumption that the character set is something else, and what the user's belief can be is essentially unbounded
11:18 < andytoshi> that's sorta what i'm saying
11:18 < sipa> by telling these "these characters are not in the character set", you can make the user go back to the original source (print, whatever) and reinterpret the information itself with the correct character set in mind
11:19 < sipa> any auto-correcting is making a guess with less than complete information
11:19 < roconnor> okay so characters outside bech32 are illegal
11:19 < roconnor> error message can be, did you mean "blah" with O->0 like replacements.
11:20 < sipa> right, it can give suggestions like that
11:20 < roconnor> and this can be application defined how they want to do that.
11:20 < sipa> e.g. what if the actual character is a 6, but the user types a lowercase b
11:20 < roconnor> once we get correct characters, do we do the real BCH corrections.
11:20 < sipa> but really the source material is uppercase, where B is closer to 8
11:20 < andytoshi> i think the real BCH corrections should also be shown to the user
11:21 < sipa> definitely
11:21 < roconnor> sipa: and the b is the only lower case character?
11:21 < roconnor> then i guess you rely on error correction.
11:21 < sipa> no, in my scenario the source material is uppercase, but the user converted it to lowercase when typing it in
11:21 < roconnor> which doesn't seem so bad.
11:22 < sipa> e.g. it was relayed over the phone by someone else, which loses case information (as it's irrelevant anyway)
11:22 < roconnor> I mean (1) the user should probably type in upper case and (2) I gets booted to error correction, which seems fair.
11:22 < roconnor> *it gets booted
11:22 < sipa> i guess there is no harm in treating all invalid/wrongcase character as erasures, but then giving a warning message about them too
11:24 < roconnor> unfortunately that would lead back to the original problem: is a mixed case string supposed to be uppercase or lowercase.
11:25 < sipa> whatever is most common
11:25 < roconnor> in case of a tie?
11:25 < sipa> toss a fair die
11:25 < sipa> actually, it doesn't matter
11:26 < roconnor> I'll just write that in the spec.
11:26 < sipa> because if there are that many, decoding/correcting is going to fail anyway
11:26 < roconnor> I mean, maybe there are 4 upper case characters and 4 lower case characters and the rest are all digits.
11:27 < sipa> that seems extremely unlikely in a 47-character string :)
11:27 < roconnor> we can probably craft an example.
11:28 < roconnor> But still, maybe it doesn't matter?
11:28 < sipa> not with keys generated with fair dice
11:28 < sipa> :)
11:29 < andytoshi> what is the goal of this line of questions? to rigidly define an error correction procedure?
11:29 < roconnor> I still kinda prefer disallowing non bech characters and forcing the user to reenter them correctly, possibly with suggestions.
11:30 < andytoshi> i *think* the user should ack/nack all corrections, so then you have a human element and there's no hope of being rigidly defined anyway
11:30 < roconnor> andytoshi: more or less.
11:30 < andytoshi> yeah, ack disallowing non-bech characters
11:30 < andytoshi> and mixed case
11:30 < roconnor> I mean, BCH correction gives a well defined answer that every system should implement.
11:30 < andytoshi> with suggestions
11:31 -!- b10c [uid500648@ilkley.irccloud.com] has quit [Quit: Connection closed for inactivity]
11:32 < andytoshi> yeah, fair enough. you can imagine a situation where a non-codeword key is being stored and people just keep using the corrected version when they use the key
11:32 < andytoshi> without fixing the storage
11:32 < andytoshi> and you don't want that to change
11:52 -!- AaronvanW [~AaronvanW@190.150.26.4] has joined #bitcoin-wizards
11:58 < roconnor> interesting, SLIP-39 recommends not doing automatic error correction, claiming there is a risk of loss of funds due to a misentered mnemonic.
11:59 < roconnor> I don't know how I feel about this. I guess they may have a point.
12:01 < roconnor> my proposed checksum is much larger.
12:01 < roconnor> and random characters seem even more unlikely to be accidentally valid.
12:02 < roconnor> but I guess they all randomly error correct to something.
12:05 -!- Guyver2_ [Guyver@guyver2.xs4all.nl] has joined #bitcoin-wizards
12:07 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Ping timeout: 265 seconds]
12:07 -!- Guyver2_ is now known as Guyver2
12:20 -!- AaronvanW [~AaronvanW@190.150.26.4] has quit [Quit: Leaving...]
12:45 -!- bfsfhkacjzgcytf [~bfsfhkacj@user/bfsfhkacjzgcytf] has quit [Ping timeout: 268 seconds]
13:02 -!- smartin [~Icedove@88.135.18.171] has quit [Remote host closed the connection]
13:03 -!- smartin [~Icedove@88.135.18.171] has joined #bitcoin-wizards
13:13 -!- Guyver2 [Guyver@guyver2.xs4all.nl] has quit [Quit: Going offline, see ya! (www.adiirc.com)]
13:45 -!- smartin [~Icedove@88.135.18.171] has quit [Quit: smartin]
14:02 < andytoshi> roconnor: i made a more "natural" permutation of the characters on the top volvelle https://github.com/apoelstra/SSS32/commit/360a05bb0f7ee402930c2f6bf2c7823d5cecee1f
14:02 < andytoshi> i haven't tried it yet but i expect it will be possible to memorize this way faster than the original
14:03 -!- b10c [uid500648@ilkley.irccloud.com] has joined #bitcoin-wizards
14:10 < roconnor> andytoshi: is it just a rotation? We could probably reuse it for the addition wheel.
14:10 < roconnor> which is, ... circular.
14:17 < andytoshi> i'm not sure what you mean by "reuse it for the additional wheel", what i mean is that i changed the top half of all the volvelles
14:17 < andytoshi> and it's not a rotation, it's some nontrivial permutation that i came up with by visually deciding where i "expected" each letter to be
14:30 < andytoshi> so, regarding 2-of-2 encrypting with OTP .. it is much simpler (takes 1/3 the work :)) to do OTP
14:31 < andytoshi> with OTP i just have to add all the characters together, with 2SS i need to first translate the shares with the recovery wheel, then add them together
14:31 < andytoshi> i guess the translation would be pretty quick actually
14:31 < andytoshi> since i don't need to rotate the volvelle
14:39 < andytoshi> encryption is also somewhat easier than creating a share, since encryption uses xor which is commutative, so you don't need to pay attention to the direction of the arrows on the volvelle
14:39 < andytoshi> vs creating a share, which is not commutative, so you have to use the "create share" volvelle in the correct direction
15:19 -!- Common [~Common@096-033-221-075.res.spectrum.com] has joined #bitcoin-wizards
15:24 -!- Common [~Common@096-033-221-075.res.spectrum.com] has quit [Changing host]
15:24 -!- Common [~Common@user/common] has joined #bitcoin-wizards
16:27 -!- Common [~Common@user/common] has quit [Quit: Leaving]
16:31 -!- vysn [~vysn@user/vysn] has quit [Ping timeout: 250 seconds]
16:34 < roconnor> Makes sense.
16:34 < roconnor> OTOH, I'm not sure it is reasonable to make a separate 2-of-2 standard.
16:35 < roconnor> And do you really want to split up against something that isn't standardized?
16:54 -!- gene [~gene@gateway/tor-sasl/gene] has quit [Remote host closed the connection]
16:55 -!- gene [~gene@gateway/tor-sasl/gene] has joined #bitcoin-wizards
17:04 -!- soundandfury [~soundandf@2607:fb90:c296:6799:8d5f:9364:47fd:a94] has joined #bitcoin-wizards
17:06 -!- soundandfury [~soundandf@2607:fb90:c296:6799:8d5f:9364:47fd:a94] has quit [Client Quit]
17:12 -!- gene [~gene@gateway/tor-sasl/gene] has quit [Remote host closed the connection]
17:12 -!- gene [~gene@gateway/tor-sasl/gene] has joined #bitcoin-wizards
17:40 -!- b10c [uid500648@ilkley.irccloud.com] has quit [Quit: Connection closed for inactivity]
18:02 -!- bfsfhkacjzgcytf [~bfsfhkacj@user/bfsfhkacjzgcytf] has joined #bitcoin-wizards
18:34 -!- grubman9000 [~ufotofu@user/ufotofu] has quit [Ping timeout: 250 seconds]
18:47 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has quit [Remote host closed the connection]
18:48 -!- bitdex [~bitdex@gateway/tor-sasl/bitdex] has joined #bitcoin-wizards
18:57 -!- gene [~gene@gateway/tor-sasl/gene] has quit [Remote host closed the connection]
19:32 -!- grubman9001 [~ufotofu@user/ufotofu] has joined #bitcoin-wizards
20:09 -!- emcy_ [~emcy@user/emcy] has joined #bitcoin-wizards
20:10 -!- emcy [~emcy@user/emcy] has quit [Ping timeout: 265 seconds]
20:58 -!- AlienTrooper [~IZH@user/alientrooper] has quit [Remote host closed the connection]
21:20 -!- Miles_Elite [~mileselit@2.sub-174-250-18.myvzw.com] has joined #bitcoin-wizards
21:35 -!- Miles_Elite [~mileselit@2.sub-174-250-18.myvzw.com] has quit []
23:33 -!- AlienTrooper [~IZH@194.146.142.181] has joined #bitcoin-wizards
23:34 -!- AlienTrooper [~IZH@194.146.142.181] has quit [Changing host]
23:34 -!- AlienTrooper [~IZH@user/alientrooper] has joined #bitcoin-wizards
23:56 -!- z9z0b3t1c [z9z0b3t1c@gateway/vpn/protonvpn/z9z0b3t1c] has quit [Ping timeout: 250 seconds]
--- Log closed Wed Nov 17 00:00:35 2021