--- Day changed Fri Nov 27 2015
10:17 < andytoshi> sage: ZZ[x].ideal(2,x).reduce(10+x)
10:17 < andytoshi> x + 10
11:11 < andytoshi> this is kinda neat: https://eprint.iacr.org/2015/1135.pdf it proposes changing a schnorr sig to (A) commit to the pubkey along with the message and nonce, (B) recompute the pubkey (from the secret key) while signing
11:11 < andytoshi> this makes it strong against an adversary who can make "related key" attacks, which are queries for signatures on tweaked keys
11:12 < andytoshi> this is supposed to model a fault-injection attacker
11:12 < sipa> it's incompatible with pubkey recovery, though :(
11:14 < andytoshi> ah, yes, very
11:15 < sipa> though there is a solution: commit not to the pubkey directly, but to a hash of it
11:15 < andytoshi> it forces the (s, hash) form of the signature since just (m, r) are no longer sufficient to compute the hash
11:15 < sipa> then you can recover the pubkey when knowing its hash
11:15 < andytoshi> yes
11:15 < sipa> i've considered allowing a pubkey hash function to be passed to the signer and the verifier
11:16 < sipa> then you can have a hash_verify which you pass the hash and the hash function
11:16 < sipa> but no recovery
11:16 < andytoshi> do you have a usecase for that?
11:16 < andytoshi> seems like needing to haul these hashes around wrecks the space benefits of pubkey recovery
11:17 < sipa> a OP_CHECKSIGVERIFYWITHPUBKEYHASH
11:17 < andytoshi> yup
11:17 < andytoshi> i see
11:17 < andytoshi> the 'hash of pubkey' would be a bitcoin script, say
11:17 < andytoshi> or just the hash160 even
11:17 < sipa> yeah, hash160
11:17 < sipa> that saves you from putting the full pubkey in the scriptsig
11:18 < sipa> though it's not compatible with batch validation either
11:18 < andytoshi> yup, understood
11:18 < andytoshi> yeah, that seems unfixable
11:18 < sipa> ethereum uses this as their basic checksig afaik
11:18 < andytoshi> this tweaked schnorr?
11:18 < andytoshi> i'd never heard of it
11:19 < sipa> no, not tweaked
11:19 < sipa> but they use recovery instead of verification
11:19 < andytoshi> ah, yes
11:19 < andytoshi> i remember that
11:21 < andytoshi> i'm not sure how interesting fault injection attackers are. seems not worth the batch validation cost to use this
11:41 < gmaxwell> andytoshi: hm? you can use this and preserve batch validation.
11:42 < gmaxwell> You cannot use the hash instead of the pubkey and preserve batch validation.
11:42 < sipa> yeah, committing to the pubkey (or a hash thereof) is not incompatible with batch validation
11:42 < gmaxwell> Fault injection is very interesting for low cost HSMs (e.g. smartcards); since you're assuming the attacker has physical access to the device.
11:42 < sipa> but using recovery instead of validation is
11:43 < gmaxwell> Committing to the pubkey is attractive for other reasons; IMO any signature scheme should do this in some way or another; without it the signature is not a proof of knowledge.
11:43 < gmaxwell> The fault attacks andytoshi is talking about are in signing, and we don't care about batch validation there.
11:44 < gmaxwell> Basically it suggests a recover after sign in signing which is actually pretty nice and cheap, because it means you don't have to compute xG in the signer; which was what prevented me from suggesting adding verify after sign already.
11:46 < andytoshi> gmaxwell: the paper i linked doesn't change verification at all except to put a pubkey (commitment) into the messagehash
11:47 < gmaxwell> I know.
11:47 < andytoshi> which by itself won't affect batch validation. i had thought you couldn't transform this into the (s, r) form, which would prevent batch validation. but i was wrong, if the verifier knows the pubkey this is fine
11:48 < gmaxwell> right.
11:48 < sipa> right, i just mean you can't use verify-knowing-only-the-pubkeyhash in batch; just committing isn't a problem
11:48 < sipa> and if we're going to change the signature anyway in #359, we should probably add that too
11:48 < andytoshi> cool gmaxwell sipa, i think i'm on the same page as you now :)
11:49 < andytoshi> sipa: agreed re #359
11:49 < gmaxwell> I think it's highly surprising to people that an ecdsa signature doesn't prove knowledge of a discrete log... I'm surprised I've not yet seen a vulnerable protocol based on that. (though I've certainly almost constructed some...)
11:50 < andytoshi> i think you'd have to be doing something pretty subtle to actually need proof-of-knowledge
11:53 < gmaxwell> andytoshi: the atomic-swap with revealed pubkey using forced small nonce is broken by an attacker that can sig recover (e.g. with sighash single).
11:53 < andytoshi> like, it's hard to articulate what exactly ecdsa does prove about the signer's knowledge. i think it's something like "knowledge of a specific discrete log, except for this series of exceptional cases"
11:53 < gmaxwell> (that's why I mentioned that P must be a contract hash pubkey.)
11:57 < andytoshi> oh, heh, wow
11:57 < andytoshi> took me a bit to figure out what "sig recover" meant
11:57 < andytoshi> now i feel blindsided for not noticing that
11:58 < andytoshi> that's a perfect example of forcing the hash to commit to the pubkey too
11:58 < andytoshi> why forcing is needed*
11:59 < gmaxwell> yes, in bitcoin everything does... except via the sighash single bug.
11:59 < gmaxwell> But people want new scripthash flags that leave the txin hash out, which would open the door to those attacks again.
12:00 < gmaxwell> (this is part of why I keep telling people that are eager to jump to leaving that hash out that they don't fully understand the risks of what they're asking for...)
12:00 < andytoshi> this is a really good characterization of what the sighash single bug actually does, cryptographically
12:00 < andytoshi> "makes the signature not a proof-of-knowledge"
12:04 < andytoshi> i wonder if i can convince myself it's possible to produce two distinct ecdsa signatures without knowledge of a discrete log..
12:05 < andytoshi> or impossible
12:06 < andytoshi> (not counting (r, s) and (r, -s) as distinct sigs :))
12:07 < gmaxwell> I set message = 0.
12:07 * gmaxwell waits for the extra constraints.
12:07 < andytoshi> message is also a random oracle output
12:07 < andytoshi> on arbitrary input
12:08 < gmaxwell> oh that's a good one, I thought you'd just add message is non-zero and then I'd add message = N. :P
12:08 < andytoshi> :P i think actually if i allow you any relations between the messages you'd be able to beat me
12:09 < andytoshi> i could be wrong, but not in a way that has a clear argument
12:10 < sipa> doesn't ECDSA need an assumption like "f(P) = P.x mod n" behaves like a hash function?
12:19 < andytoshi> ok, i'm convinced that you can't do it as long as you can't find any simple relationship between k values and r values
12:20 < andytoshi> which is a pretty vague condition, but i also think ecdsa's unforgeability depends on it
12:41 < sipa> andytoshi: thanks for reviewing my sage code!
12:42 < andytoshi> sipa: np. i'm only a quarterish done
12:42 < andytoshi> the high-level comment at the top all looks good, so i don't expect to have any serious nits
20:53 < phantomcircuit> i assume people have seen https://eprint.iacr.org/2015/1141.pdf ?