--- Day changed Sat Aug 12 2017
02:57 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1
06:52 -!- HTTP_____GK1wmSU [~DEEP-BOOK@a7.40.17c6.ip4.static.sl-reverse.com] has joined #secp256k1
06:54 -!- HTTP_____GK1wmSU [~DEEP-BOOK@a7.40.17c6.ip4.static.sl-reverse.com] has left #secp256k1 []
11:53 -!- ofek [~Ofekmeist@pool-68-134-46-22.bltmmd.fios.verizon.net] has joined #secp256k1
11:54 < ofek> what is this? https://github.com/ethereum/pyethereum/blob/85efc8688a3adb45cf9e74fa17022ca4df3ad16a/ethereum/utils.py#L89
11:58 < gmaxwell> absurdly slow, and I believe it's also wrong.
11:59 < gmaxwell> you really shouldn't look at any ethereum crypto code, it's generally extremely incompetent.
12:00 < gmaxwell> like, there is a signing implementation in that guy's repo that leaks your private key if you make a second signature...
12:00 < ofek> gmaxwell, yes dude! their ci has been broken for like 3-4 months
12:00 < ofek> tests won't even run
12:01 < ofek> trying to help them move from secp256k1-py to coincurve
12:02 < gmaxwell> well if imitations of that code are part of the ethereum consensus rules, you won't be able to switch, because that code will falsely reject valid signatures.
12:03 < ofek> jeez...
12:03 < gmaxwell> (well, I'm pretty sure of that, haven't checked it carefully)
12:05 < ofek> it's like nobody cares about tests there
12:05 < ofek> which is odd b/c money is involved
12:05 < gmaxwell> "money"
12:06 < sipa> gmaxwell: ah, you're referring to R.x values that are larger than the curve order?
12:08 < gmaxwell> ya.
12:08 < gmaxwell> Mod can wrap them to a value which is not a quadratic residue.
12:08 < sipa> yup
12:09 < gmaxwell> er where r^3+b isn't rather.
12:12 < ofek> so that check is unnecessary then right?
12:12 < sipa> that depends on whether ethereum relies on that check being there
12:14 < ofek> I guess I won't touch it then
12:14 < ofek> thank you both!
12:17 < arubi> well this is interesting
12:30 < ofek> arubi, hello again :) what is interesting?
12:32 < arubi> ofek, hi :), it's interesting if it can't recover 03A9FCC085A67B62FF536E3A98C109FBD3964BC2FBE5F9B7B8039D8894E74DFD3B and 03110CE87B16D0A6D6AC854738807B44247B65741D504941926D3B05DF23B6867F from the message 75BAA31B2DA4143B5F2EDF728683747540653EE3E5A125CA56BEFCB38B38B063 and signature 3045022100FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD036413302206A75737420736F6D652033322072616E646F6D206 :)
12:33 < arubi> oh wait no, the number is wrong
12:33 < arubi> need to use 39C4506EEFDBDB99BAEAA36D11D480F82A9584500F8ED8C012AEB7E96664A4EC for r
12:35 < ofek> arubi, so they do it right?
12:36 < arubi> ofek, https://paste.debian.net/plainh/b685c738 , so I'm wondering if their recovery can get these two pubkeys from the sig and message
12:37 < arubi> it's "message, pubkey, sig" the '1' is just "true", you can ignore that
12:39 < arubi> ugh, looks like I got a newline in the second line. the sig should be the same on both lines
12:45 < arubi> ofek, wait, that's completely wrong again
12:45 < ofek> yeah it's not working for me
12:45 < arubi> I keep copy pasting stuff without reading what comes out. ignore everything I said up to this point, sorry
12:46 < ofek> ok np :)
12:49 < ofek> arubi, I'm getting off for a while to eat. perhaps if you are free you could try your tests with https://github.com/ofek/coincurve
12:50 < ofek> arubi, I'd really appreciate another set of eyes :)
12:51 < arubi> no problem ofek, I think I should get some sleep though first because I seem to be getting a lot of silly things wrong at this hour :)
12:53 < ofek> arubi, but that's the perfect state lol finding bugs is easier when your mind is trying strange things
12:56 < arubi> I know what I wanna do, but my fingers are pushing the wrong buttons on the keyboard :), I'm trying again one last time before I retire and try tomorrow
13:01 -!- D33P-B00K [~PYATIBRAT@91.233.116.245] has joined #secp256k1
13:01 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Remote host closed the connection]
13:03 -!- D33P-B00K [~PYATIBRAT@91.233.116.245] has left #secp256k1 []
13:17 < arubi> ofek, https://paste.debian.net/plainh/190cfc3a , should be it..
15:21 < gmaxwell> andytoshi: we should have a nonce function for sign to contract with a setup for "signature blinding".
15:22 < gmaxwell> andytoshi: Consider this. Say I have a hardware wallet that I don't completely trust to be non-evil, but I at least trust that its evil is not correlated with my host's evilness.
15:22 < gmaxwell> andytoshi: So I am worried that every one in $many signatures it will instead use a kleptographic generation of its nonce.
15:24 < gmaxwell> So what I want is this procedure. Hey hw wallet, I'm gonna ask you to sign this transaction. Tell me your r value for it. Great, now this random value I'd like you to s2c with is <256 bits>, please sign the transaction and give me the signature and the S2C proof.
15:24 < gmaxwell> So by doing this we totally destroy the nonce sidechannel from the signer.
19:32 < ofek> arubi, you there?
19:42 < ofek> arubi, those sigs don't match
19:43 < ofek> unless my lib is really wrong :'(
19:43 < ofek> don't verify rather
19:50 < ofek> tried my openssl binding too and they still don't verify
21:35 < andytoshi> gmaxwell: ooh, nice!