--- Log opened Tue Aug 13 00:00:38 2019
02:20 -!- jonatack [8613b3c3@134.19.179.195] has quit [Ping timeout: 260 seconds]
03:54 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined #secp256k1
06:20 -!- weez17 [~isaac@unaffiliated/weez17] has quit [Remote host closed the connection]
06:30 -!- elichai2 [uid212594@gateway/web/irccloud.com/x-lvagwbzqqglaymza] has joined #secp256k1
06:33 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
06:56 -!- jonatack [6dca6b05@109.202.107.5] has joined #secp256k1
07:41 -!- jonatack [6dca6b05@109.202.107.5] has quit [Quit: jonatack]
07:42 -!- jonatack [~jon@2a01:e35:8aba:8220:6627:dad:d967:649d] has joined #secp256k1
07:46 < jonatack> "#bitcoin-core-dev,#bitcoin-builds,#secp256k1,#rust-bitcoin,##miniscript,##hwi,#bitcoin,#bitcoin-wizards,#bitcoin-core-pr-reviews,#bitcoin-explorers,#bitcoin-workshop,#mit-dci,#lisp,##lisp,#slime,#sbcl,#quicklisp,#mezzano,#clschool,#lispm"
07:46 < jonatack> Y
07:47 < jonatack> sorry all
09:32 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Remote host closed the connection]
09:49 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 248 seconds]
10:14 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined #secp256k1
12:20 -!- reallll [~belcher@unaffiliated/belcher] has joined #secp256k1
12:23 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 245 seconds]
12:26 -!- reallll is now known as belcher
13:44 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 245 seconds]
13:55 < elichai2> Had a conversation around MuSig, and people are talking about using bip32 for nonces: all parties exchange an H(xpub) commitment and then increase the derivation by 1 together for each signing, while verifying everyone's nonces.
13:55 < elichai2> I have a feeling that this is susceptible to Wagner's attack somehow, because the private nonces are a continuous addition over F, and Wagner's attack is pretty good in those scenarios, and even a bit of bias/relationship between nonces is bad
14:02 < sipa> afaik we determined before that this doesn't add any security
14:03 < elichai2> what doesn't add any security?
14:03 < sipa> there are no attacks that are prevented by using MuSig on the nonces (as opposed to just summing)
14:05 < sipa> oh, nvm
14:05 < sipa> you say using bip32 for nonces
14:05 < elichai2> yeah
14:05 < sipa> i thought you said musig for nonces
14:06 < elichai2> oh no no
14:06 < sipa> bip32 results in a linear relation between the derived keys
14:06 < sipa> that's just as bad as nonce reuse
14:07 < elichai2> yeah. but I had a feeling that this can be exploited, but how is it more exploitable than a linear relationship between private keys? (assuming you never saw any of the secrets)
14:07 < sipa> you don't need wagner even
14:07 < sipa> you can literally directly solve the equations
14:07 < elichai2> like, the equation still introduces a new random variable each time
14:07 < sipa> no
14:07 < sipa> let's say the master private key is m
14:07 < sipa> and c is the chaincode
14:08 < elichai2> you still have `s'=(k+H(chaincode...)+ed)`, isn't that `H(..)` a new random variable?
14:08 < sipa> no, because the input to the hash is public
14:08 < sipa> so the hash is just a known constant
14:08 < elichai2> ohh you're right
14:09 < sipa> we are working on an alternative approach to computing nonces deterministically, while adding zkps to maintain security
14:09 < sipa> which is really cool, but fairly complex and slow in practice
14:10 < sipa> the nice thing is that it's actually possible to do this in a provably secure way (under the same security assumptions as schnorr already needs)
14:10 < elichai2> using zkp to prove that you used sha2(e||d)?
14:11 < sipa> yeah, but using a modified hash function for the nonce
14:11 < sipa> which is easier to prove
14:11 < sipa> and actually is provably secure :p
14:11 < elichai2> yeah the circuit for sha256 isn't fun lol
14:11 < elichai2> marlin?
14:11 < elichai2> *merlin
14:11 < sipa> something we came up with
14:11 < elichai2> oh cool :)
14:12 < sipa> merlin is an api framework
14:13 < elichai2> that's a cool project :) who's working on that?
14:15 < sipa> real_or_random mostly
14:16 < sipa> https://gist.github.com/sipa/6048f49c65f05099e93069dc6a6ba459
14:16 < sipa> that's the hash function
14:19 < elichai2> sipa: cool :) i'll print and read it sometime this week
14:19 < sipa> there will be a paper, because showing that the whole combined signing construction is actually secure is nontrivial
14:20 < elichai2> when the paper is out i'll read the paper too :)
14:21 < elichai2> I think bip32 was also publishable (seeing that people outside of the bitcoin community use it today)
14:23 < sipa> maybe if it has security proofs etc :)
14:35 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
14:51 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Remote host closed the connection]
14:52 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
14:57 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 250 seconds]
15:51 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined #secp256k1
16:41 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 248 seconds]
17:50 -!- elichai2 [uid212594@gateway/web/irccloud.com/x-lvagwbzqqglaymza] has quit [Quit: Connection closed for inactivity]
19:32 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
19:37 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 264 seconds]
21:18 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
23:00 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Remote host closed the connection]
23:01 -!- ddustin [~ddustin@unaffiliated/ddustin] has joined #secp256k1
23:06 -!- ddustin [~ddustin@unaffiliated/ddustin] has quit [Ping timeout: 264 seconds]
--- Log closed Wed Aug 14 00:00:40 2019