--- Day changed Tue Nov 10 2015
00:06 < sipa> andytoshi: indeed, that's a known problem
00:10 < sipa> gmaxwell: he's talking about the fact that ECDSA specifies r to R.x mod n, which is not something we should change
00:11 < sipa> it's different from k, which has to be in the range [k, n-1] inclusive
00:17 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
02:20 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
02:21 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
04:43 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has quit [Ping timeout: 246 seconds]
04:43 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has joined #secp256k1
04:58 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has quit [Excess Flood]
04:59 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has joined #secp256k1
05:14 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
05:14 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
05:26 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
05:26 -!- GAit [~GAit@2.230.161.158] has joined #secp256k1
07:17 <@andytoshi> gmaxwell: if i truncate that's just wrapping mod 2^8 or whatever, i'll still have some r values show up more often than others
07:37 -!- jtimon [~quassel@74.29.134.37.dynamic.jazztel.es] has joined #secp256k1
07:46 < sipa> andytoshi, gmaxwell: i think there is some confusion; for nonces and private keys, you just truncate to the number of bits in n (before the comparison check, which already exists). For the ECDSA r value, you shouldn't change anything, as it is defined to be R.x mod n, and indeed, that is not zero knowledge
07:47 < sipa> andytoshi: i think you will have a big problem with ecdsa pubkey recovery though...
07:51 <@andytoshi> sipa: right now if "R.x mod n" overflows we reject it in the signing function, which (i thought) was part of the definition of ECDSA
07:51 <@andytoshi> sipa: so my low-order scalar code always lies and says "no overflow" right now
07:51 <@andytoshi> in any case, agreed, wrapping like this will totally break recovery
07:54 <@andytoshi> oh, apparently not, that's something we added
07:54 <@andytoshi> that *should* be in the spec, if there's a big difference between the field modulus and group order it makes some R values much more likely than others
07:55 <@andytoshi> well, "much more" like twice as likely
07:59 < sipa> andytoshi: yes, it should, but isn't :)
07:59 < sipa> andytoshi: and there is an overflow check on x and on k, not on r
08:00 <@andytoshi> oh
08:01 <@andytoshi> hmm, there is an overflow check *somewhere*, i definitely had to lie about overflow to avoid an infinite loop, but i don't recall where
08:02 < sipa> oh, there is one to reject (R.x mod n) == 0
08:02 < sipa> which is part of the spec
08:03 <@andytoshi> yeah, we do do that
08:03 <@andytoshi> ah, it's in generating a blinding factor that there is an overflow check that spins forever unless i lie about overflow
08:03 <@andytoshi> specifically i'm lying in `secp256k1_scalar_set_b32`
08:03 < sipa> yes, k
08:04 < sipa> don't lie about overflow, just truncate
08:04 < sipa> it will spin, that's fine
08:04 < sipa> it won't spin for long if you truncate :)
08:04 <@andytoshi> understood :) i was just trying to avoid the number of files where i added `#ifdef EXHAUSTIVE_TESTS`
08:04 <@andytoshi> s/avoid/minimize/
08:05 < sipa> ah
08:05 < sipa> well you can do the truncation in the nonce function, and not touch anything else
08:05 < sipa> i like doing it in the use sites, as it's a generally correct thing to do
08:06 < sipa> (for the usual curve size it's just a no-op)
08:06 <@andytoshi> the nonce function i'm using is a constant function, there is no need for truncation or anything there
08:07 < sipa> ok
08:07 <@andytoshi> but sure, i'll add some truncation constant (which would result in a noop for the usual curve)
08:07 <@andytoshi> because i do need that in a few places. the context generation at least
08:09 < sipa> you'll also need it on the output of the nonce function in schnorr
08:11 <@andytoshi> why? i'll just use a constant nonce function there too
08:12 < sipa> eh
08:12 <@andytoshi> ah, i suppose to get thorough testing i should also test the default nonce functions
08:12 <@andytoshi> for both signing algos
08:12 <@andytoshi> which would indeed require truncation
08:13 < sipa> the message hash, i mean
08:13 < sipa> not the nonce function
08:13 < sipa> the message hash is not customizable (through the api) as it would change the standard
08:14 <@andytoshi> oh i see
08:15 < sipa> but if you're testing at a lower level, you can override it
08:15 < sipa> it's still a function pointer
08:15 < sipa> just not one that's exposed
08:30 -!- GAit [~GAit@2.230.161.158] has quit [Quit: Leaving.]
09:02 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
09:26 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Read error: Connection reset by peer]
09:26 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
10:47 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
11:06 -!- waxwing [~waxwing@62.205.214.125] has quit [Read error: Connection reset by peer]
11:08 -!- waxwing [~waxwing@62.205.214.125] has joined #secp256k1
11:34 < Luke-Jr> sipa: gmaxwell mentioned you were possibly working on a sign-to-contract - is that correct?
11:34 < sipa> i thought about it, not written yet
12:14 -!- fkhan [weechat@gateway/vpn/mullvad/x-aopqxjyqxklngfzi] has quit [Ping timeout: 240 seconds]
12:29 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
12:31 -!- fkhan [weechat@gateway/vpn/mullvad/x-nvqlplnrfnptmhrh] has joined #secp256k1
12:31 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Client Quit]
12:32 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
13:11 -!- belcher [~user@unaffiliated/belcher] has joined #secp256k1
13:18 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
13:18 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
13:26 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
13:28 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
14:32 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
14:33 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
14:52 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Quit: Leaving.]
14:53 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has joined #secp256k1
14:57 -!- GAit [~GAit@2-230-161-158.ip202.fastwebnet.it] has quit [Client Quit]
16:31 -!- belcher [~user@unaffiliated/belcher] has quit [Quit: Leaving]
17:58 -!- lecusemble [~lecusembl@f9beb4d9.violates.me] has quit [Ping timeout: 255 seconds]
18:10 -!- lecusemble [~lecusembl@f9beb4d9.violates.me] has joined #secp256k1
18:29 -!- sipa [~pw@2a02:348:86:3011::1] has quit [Changing host]
18:29 -!- sipa [~pw@unaffiliated/sipa1024] has joined #secp256k1