--- Log opened Tue Jan 21 00:00:15 2020 04:34 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has quit [Quit: jonatack] 05:07 -!- jeremyrubin [~jr@c-67-180-60-249.hsd1.ca.comcast.net] has quit [Ping timeout: 258 seconds] 07:29 -!- jonatack [~jon@82.102.27.171] has joined #bitmetas 08:08 -!- jonatack [~jon@82.102.27.171] has quit [Ping timeout: 265 seconds] 08:30 -!- jeremyrubin [~jr@c-67-180-60-249.hsd1.ca.comcast.net] has joined #bitmetas 09:03 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined #bitmetas 10:39 < jnewbery> For aggreagting pubkeys using MuSig with 32 byte pubkeys, do we have to negate all the challenge factors if the aggregate pubkey doesn't have a square Y? 13:43 < jnewbery> should I ask questions about the reference taproot implementation here or in #taproot-bip-review? 13:44 < jnewbery> I'm a little confused by https://github.com/sipa/bitcoin/blob/ebe976d4712af27ce114cfd0e96864e0546f28bd/test/functional/test_framework/key.py#L276 13:44 < jnewbery> is 'is_positive()' shorthand for 'Y coordinate is a quadratic residue'? 13:47 < sipa> jnewbery: we used that terminology for a bit, but dropped it 13:47 < sipa> maybe there are some remainders 13:48 < jnewbery> I know that if we have a point in jacobian coordinates (x,y,z), then we can convert to (x/z^2, y/z^3), so jacobi_symbol(self.p[1] * inv(self.p[2])^3, SECP256K1_FIELD_SIZE) == 1 will return whether Y is square 13:48 < sipa> jnewbery: yes, it meams "has quadratic residue y" 13:48 < jnewbery> but I can't see why jacobi_symbol(self.p[1] * self.p[2], SECP256K1_FIELD_SIZE) == 1 returns whether Y is square 13:48 < sipa> jnewbery: ah! 13:48 < sipa> what is the ratio between the two expressions? 13:49 < sipa> (that are the input to the jacobi symbol) 13:49 < jnewbery> p[2]^4 ? 13:49 < sipa> yup. 13:49 < jnewbery> which is square 13:49 < jnewbery> thanks 13:49 < sipa> yup :) 13:50 < jnewbery> did you see my question above about musig with 32 byte pubkeys? 13:50 < sipa> you should ask nickler 13:51 < jnewbery> here or is somewhere else better? 13:52 < sipa> i'm sure here is fine 13:52 < jnewbery> thanks 13:52 < jnewbery> nickler: For aggreagting pubkeys using MuSig with 32 byte pubkeys, do we have to negate all the challenge factors if the aggregate pubkey doesn't have a square Y? 18:55 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has quit [Ping timeout: 240 seconds] 19:11 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has joined #bitmetas 23:05 < nickler> jnewbery: yeah, or alternatively you can negate the secrets. In practice the rule whether to negate can be more complicated than that because 1) the unaggregated pks are 32 bytes as well and 2) adding a taproot tweak can change the squareness as well. 23:06 < nickler> (implemented here https://github.com/ElementsProject/secp256k1-zkp/pull/86/files#diff-288b66e015cda5acfe60c8e931c69db6R202) --- Log closed Wed Jan 22 00:00:16 2020