--- Day changed Thu Dec 14 2017
15:13 < arubi> it turns out that with a neat trick I can also make the nonce itself recoverable, so really a verifymessage again only needs the address, the signature and the message.
15:14 < arubi> if I replace secret nonce generation from 'rfc6979( privkey, sighash|commitment )' to CKDpriv() of the 1. privkey, 2. hashed commitment as chain code, and 3. sighash broken to a non-hardened bip32 path a verifier can :
15:14 < arubi> 1. recover the pubkey normally, 2. create the hashed commitment from the provided address, 3. derive the public nonce using CKDpub() in the path of the provided message.
15:14 < arubi> here's an example run : https://gist.github.com/fivepiece/9d71197845791ef9fac57a31d1fc492f
15:45 < andytoshi> what does "sighash broken to a non-hardened bip32 path" mean?
15:45 < andytoshi> are you saying that the secret nonce would be a publicly-known offset of the secret key?
15:47 < andytoshi> i'm also confused about "'rfc6979( privkey, sighash|commitment )", is sighash the message, and `commitment` is the s2c commitment? why is `commitment` being used to derive the secret nonce?
15:47 < arubi> the sighash broken.. means breaking the 32 bytes of sighash into groups of 6 bytes (and one last 4 bytes) to make a derivation path of indexes
15:48 < arubi> sighash is the preimage of the message, commitment is the s2c commitment, correct
15:49 < arubi> sighash could be the message itself too, I don't think it matters. I'm trying to make it so I don't use the same nonce to sign two different messages
15:49 < andytoshi> just use rfc6979 and forget about it
15:49 < arubi> I guess I don't need it there, you're right
15:49 < arubi> but if I use rfc6979, the public nonce is not recoverable. I have to give it to the verifier
15:50 < arubi> I'm trying to make core's signmessage better. that's the point of all of it. currently it's vulnerable to malleability
15:50 < andytoshi> what you described was rfc6979 with extra stuff thrown in
15:50 < arubi> I also described replacing rfc6979 altogether with CKDpriv
15:51 < arubi> the verifier does CKDpub to recover the nonce from an expected commitment
15:51 < andytoshi> starting from what pubkey?
15:51 < arubi> the commitment is the scriptpubkey for the address
15:51 < arubi> the recovered pubkey from sig and message
15:51 < andytoshi> so the nonce is CKDpub(pubkey, stuff) ?
15:51 < andytoshi> that will leak your secret key
15:52 < arubi> wonder how, I couldn't find it
15:52 < arubi> the public nonce is CKDpub, the private nonce (k itself) is CKDpriv
15:52 < andytoshi> if your secret nonce is equal to your secret key plus a known offset you can just solve for it from any signature
15:53 < andytoshi> in fact i claim that if your public nonce is _any_ publicly computable function of your public key, your signature will leak the message
15:53 < andytoshi> and if you have a counterexample function i would be extremely interested to hear about it
15:55 < arubi> I don't understand how a verifier can know the offset. they do CKDpub with public points?
15:56 < arubi> ah wait I see
15:56 < arubi> I'm gonna work through it to really get the feel. thanks andytoshi
15:58 < andytoshi> np. good luck!