--- Day changed Fri Aug 11 2017
03:49 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1
05:20 -!- Netsplit over, joins: ofek
10:00 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Remote host closed the connection]
10:55 < andytoshi> there's no way i can browbeat the public API into giving me a secret nonce, if i give it a secret key and signature, is there?
11:01 < sipa> the default one? i don't think so
11:01 < sipa> you can provide your own secret nonce though
11:03 < andytoshi> i'm updating sighacker to allow encrypting 32 bytes of data into the nonce
11:03 < andytoshi> and now i'm trying to decrypt it
11:24 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1
12:48 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Quit: Leaving]
13:02 < andytoshi> what if i PR'd a function that exposes this? is it too footgunny? this is useful from time to time for RNG forensics
13:03 < andytoshi> in addition to what i'm currently doing :P
13:03 < sipa> i'd rather not
13:03 < sipa> it's not like reimplementing it is hard in tools that really need it
13:04 < gmaxwell> I'd rather have things like sign-to-contract nonce functions... encrypted message nonce functions that get it right.
13:06 < andytoshi> i can write either of those (actually i have written both). encryption is easy but decryption is quite elaborate
13:07 < andytoshi> with schnorr it's much easier actually, you can add stuff to the nonce and it winds up just being directly added to the s-value. maybe i'll just put this off until we have some form of schnorr signature
18:22 < gmaxwell> oh I assumed encryption would just be k = message2 ^ H(x || message) or likewise.
18:50 < andytoshi> yes, that is what it is, but this requires computing k from the signature to get message2 out
18:51 < andytoshi> if you replace ^ with +, you can re-sign with a message of 0, and subtract the resulting s value from the encryption-signature's s value
18:51 < andytoshi> so you avoid any inversions (i guess you avoid this anyway with schnorr)
18:53 < gmaxwell> oh I see to avoid solving a discrete log problem... :P
19:01 < sipa> put the ba lr high enough, solve ECDLP first
19:01 < sipa> *bar
19:09 -!- ofek [~Ofekmeist@pool-68-134-46-22.bltmmd.fios.verizon.net] has left #secp256k1 ["Leaving"]