--- Day changed Fri Sep 04 2015
00:24 < gmaxwell> sipa: your comment should add another limitation: does not verify that the implementation calls the correct branch for each condition.
00:59 < sipa> gmaxwell: good one, indeed; you can accidentally swap the if and else branches
02:08 -!- nullbyte [~NSA@193.138.219.233] has quit [Ping timeout: 265 seconds]
02:25 -!- gmaxwell [greg@wikimedia/KatWalsh/x-0001] has quit [Ping timeout: 246 seconds]
02:25 -!- gmaxwell [greg@mf4-xiph.osuosl.org] has joined #secp256k1
02:26 -!- gmaxwell is now known as Guest36270
02:33 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
03:22 < sipa> gmaxwell: actually, that's not true
03:23 < sipa> if you set the wrong assumptions for a branch, it will very likely fail (or the branch was unnecessary in the first place)
03:24 < sipa> of course the translation of the actual program to symbolic form in the sage script can be wrong
03:24 < sipa> but if you translate correctly, it will work
03:25 < sipa> and it will detect a program that calls the wrong branch
03:26 < sipa> maybe this isn't clear, but an "if (a == b) ... else ..." in the code is translated to two branches, one with a zero assumption for a-b and another with a nonzero assumption for a-b
03:27 < sipa> if you swap the branches in the actual code, you'll swap the assumptions in the sage translation, and it will fail
04:48 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
04:49 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
07:43 -!- Guest36270 [greg@mf4-xiph.osuosl.org] has quit [Changing host]
07:43 -!- Guest36270 [greg@wikimedia/KatWalsh/x-0001] has joined #secp256k1
07:43 -!- Guest36270 is now known as gmaxwell
07:46 < gmaxwell> sipa: I just mean that the if a==b condition in the code could be wrong .. but right, I hadn't considered that a==b implies an assumption.
07:48 < sipa> Formula secp256k1_gej_add_var on Z43: OK (1481760 additions, 52920 doublings, 0 outside of domain)
07:50 < gmaxwell> oh cool, the exhaustive catches the failure on Z43?
07:50 < sipa> Formula secp256k1_gej_add_ge_old [should fail] on Z43: Branch 0 fails for (2,12,1) + (12,31,1): Z==0
07:50 < sipa> yup :)
07:53 < gmaxwell> Good, it should have-- but I wasn't totally sure if the really small field would be degenerate in a way that left it working.
07:54 < sipa> indeed
08:01 < gmaxwell> sipa: Your exhaustive test needs a description. :)
08:03 < gmaxwell> Also _old needs a description of what's wrong with the function.
08:12 < gmaxwell> You can make the exhaustive report if the function failed to have any branch that covers a value in the domain, addressing one of the limitations you have currently stated for symbolic.
08:13 < sipa> gmaxwell: no, because that can be intentional
08:14 < sipa> gmaxwell: wait, there are two cases
08:14 < sipa> all of gej_add_ge's branches assume bz==1
08:14 < sipa> so it's intentional that for other z values, nothing covers it
08:15 < sipa> i've suggested yesterday to add branch-independent assumptions, which we could test against
09:00 -!- nullbyte [~NSA@198.203.28.43] has joined #secp256k1
09:08 -!- nullbyte [~NSA@198.203.28.43] has quit [Ping timeout: 264 seconds]
09:52 -!- nullbyte [~NSA@198.203.28.43] has joined #secp256k1
10:23 -!- nullbyte [~NSA@198.203.28.43] has quit [Ping timeout: 244 seconds]
10:26 -!- nullbyte [NSA@gateway/vpn/mullvad/x-ageuuwqziecnlihq] has joined #secp256k1
11:25 -!- nullbyte [NSA@gateway/vpn/mullvad/x-ageuuwqziecnlihq] has quit [Ping timeout: 246 seconds]
11:26 -!- nullbyte [NSA@gateway/vpn/mullvad/x-bhaoenjwhxyghjgn] has joined #secp256k1
11:52 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
12:01 < andytoshi> my backpack was stolen last night with my laptop in it. the disk encryption and keepassx was unlocked. if anyone sees any weird behaviour from any of my accounts please let me know at 5124504323
12:04 < gmaxwell> Crud.
13:12 -!- jcorgan [~jcorgan@unaffiliated/jcorgan] has quit [Ping timeout: 244 seconds]
13:13 -!- jcorgan [~jcorgan@ec2-54-67-38-167.us-west-1.compute.amazonaws.com] has joined #secp256k1
13:13 -!- jcorgan [~jcorgan@ec2-54-67-38-167.us-west-1.compute.amazonaws.com] has quit [Changing host]
13:13 -!- jcorgan [~jcorgan@unaffiliated/jcorgan] has joined #secp256k1
13:27 -!- nullbyte [NSA@gateway/vpn/mullvad/x-bhaoenjwhxyghjgn] has quit [Ping timeout: 250 seconds]
13:29 -!- nullbyte [~NSA@198.203.28.43] has joined #secp256k1
13:39 -!- nullbyte [~NSA@198.203.28.43] has quit [Ping timeout: 272 seconds]
13:41 -!- nullbyte [NSA@gateway/vpn/mullvad/x-suntigubcdbwjacp] has joined #secp256k1
14:17 < midnightmagic> :-o
14:17 < midnightmagic> andytoshi: Holy crap man.
14:17 < midnightmagic> andytoshi: Was it a Mac?
14:18 < andytoshi> midnightmagic: no, thinkpad
14:19 < andytoshi> the keyboard was mapped to dvorak and i have a tiling WM and disabled mouse, so it's safe from casuals at least..
14:19 < sipa> lol
14:21 < gmaxwell> well disabled trackpad.
14:21 < andytoshi> oh, yeah, the eraser works
14:24 < andytoshi> but there are no buttons. i mapped prtscrn to left-click etc
14:24 < midnightmagic> andytoshi: Dang man. So it's possible that they just open the lid and start doing stuff as you without a password? Can I ask how you configured the disk encryption?
14:25 < andytoshi> midnightmagic: correct. and i was logged into several online accounts and had a root console open..
14:26 < midnightmagic> D-:
14:26 < andytoshi> i checked a box in the fedora installer to encrypt. i don't know what it did. i have to type one password on boot.
14:26 < andytoshi> .
14:54 < gmaxwell> So patrick was asking me if the randomness in batch verification created a consensus risk. Obviously not without software bugs, but even assuming bugs I think I convinced him that it wasn't something that could be fixed.
14:54 < gmaxwell> The reason is that caching means that nodes will not be verifying the same batches in any case, so derandomizing the batch verification wouldn't create consistency.
14:55 < gmaxwell> Though I did also point out that batch verify could be derandomized by initializing it using the block hash. This is effectively a fiat shamir transform, and should not impact the cryptographic security of the scheme. (But again, moot because of caching).
14:58 < sipa> right, it's only a consensus risk if it can be consistently influenced across many nodes
14:59 < sipa> andytoshi: that sounds like full disk encryption, typically LUKS with aes and a password-strengthened encrypted master key
15:00 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
15:00 < gmaxwell> yes, that's what Fedora's installer thing does.
15:03 < sipa> default with 1s iterations of key strengthening
15:33 < andytoshi> the bar found my laptop !!!!
15:33 < andytoshi> i learned a lot of opsec lessons today, but all is well..
15:34 < sipa> andytoshi: this is a trick, it now has a keylogger
15:36 < gmaxwell> 'found'?
15:37 < sipa> it's like when this colleague of mine at google went to vacation in north korea
15:37 < andytoshi> gmaxwell: i got an email from somebody (how did he get my email?) "I found your backpack at Draught House tonight. It was after last call and I couldn't get Rune or Mickey to open the side door. Give me a call at 512-839-1723 and we'll get you
15:37 < andytoshi> +your bag back."
15:38 < andytoshi> oops i should not have posted his # :)
15:38 < sipa> never was quite sure whether it was her who returned, or a genetically-altered imitation
15:38 < andytoshi> i actually don't know who he is (maybe i will recognize him when i meet him), i was extremely drunk last night
15:38 < andytoshi> it's probable that i gave him my name and email
15:38 < sipa> andytoshi: don't be root and drunk
15:38 < TD-Linux> sipa, yeah I have some friends who got a job at google and I got a similar impression
15:39 < sipa> TD-Linux: haha, except you're talking about google and not north korea? :p
16:48 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
16:49 -!- GAit [~GAit@2.230.161.158] has joined #secp256k1
17:02 -!- GAit [~GAit@2.230.161.158] has quit [Quit: Leaving.]
17:03 -!- nullbyte [NSA@gateway/vpn/mullvad/x-suntigubcdbwjacp] has quit [Ping timeout: 264 seconds]
17:09 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
17:09 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Client Quit]
18:54 < fkhan> sipa, i'm still intending to finish #248, i just have some finishing touches there
20:00 -!- fkhan [weechat@gateway/vpn/mullvad/x-ilhuivpqrqyspunz] has quit [Ping timeout: 246 seconds]
20:25 -!- fkhan [~weechat@unaffiliated/loteriety] has joined #secp256k1
20:27 < gmaxwell> sipa: print " Branch %i fails for (%s,%s,%s) + (%s,%s,%s): (%s,%s) not tangential" % (name, branch, Ax, Ay, Az, Bx, By, Bz, cx, cy)
20:27 < gmaxwell> name is a string. %i is not for strings.
20:27 < gmaxwell> I am sensing an error condition which was untested!
20:43 < gmaxwell> sipa: also it should set an error code (I assume sage can just return it)
22:21 -!- jtimon [~quassel@159.30.134.37.dynamic.jazztel.es] has quit [Ping timeout: 256 seconds]
22:50 -!- fkhan [~weechat@unaffiliated/loteriety] has quit [Ping timeout: 244 seconds]
22:53 -!- fkhan [weechat@gateway/vpn/mullvad/x-ubnnpslidjquurvz] has joined #secp256k1
23:04 -!- jcorgan [~jcorgan@unaffiliated/jcorgan] has left #secp256k1 []