--- Log opened Thu Dec 20 00:00:56 2018
00:28 < gmaxwell> I believe I have found a flaw in the informal proof that the SUF-CMA proof for schnorr signatures extends to bip-schnorr. ( https://github.com/sipa/bips/blob/bip-schnorr/bip-schnorr.mediawiki#cite_note-1 )
00:30 < gmaxwell> Imagine a SUF-CMA attacker which creates e,s forged signatures but always produces ones where R(Y) is not a quadratic residue. Those couldn't be converted to bip-schnorr signatures. So there is a bijection between e,s and r,s but not between e,s and bip-schnorr.
00:30 < gmaxwell> The direction that it goes in means it doesn't worry me.
00:38 < sipa> i think you can avoid that scenario by forking when the RO is invoked and returning H(R,P,m) on one side, and H(-R,P,m) on the other side; at least one of both sides will have an R(Y) quadratic residue, i think
00:42 < sipa> or really, notbeven fork; justbinvoke it once with the normal hash function, and once with a hash function that flips R first
00:44 < sipa> *not even, just invoke
00:50 < sipa> hmm, no
01:04 < sipa> i think you can use the fact that point negation is an endomorphism
01:05 < sipa> so an algorithm that works on one instantiation of the curve should work on the endomorphism too
01:05 < sipa> not sure how to formalize that, though
01:07 < gmaxwell> It may just suffice to show that bip-schnorr signatures are a proper subset of the signatures accepted by another implementation, so anything that breaks bip schnorr also breaks the other.
01:07 < gmaxwell> So its security is at least as good.
--- Log closed Fri Dec 21 00:00:57 2018