--- Log opened Wed Feb 05 00:00:30 2020
00:04 < gmaxwell> I bet it just decides it's not done yet.
00:04 < gmaxwell> and leave the bad signature in.
00:04 < gmaxwell> leaves
00:09 < sipa> jonatack: thanks!
00:10 < harding> gmaxwell: sorry. I'm surprised then that nobody argued with Bernstein on the curves mailing list when he said, "The standard defense against faults is for the signer to verify each signature" if that's not, in fact, a standard precaution.
00:12 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has quit [Quit: jonatack]
00:13 < gmaxwell> Not worth arguing with Bernstein over. :)
00:14 < gmaxwell> (I'm sure I've made people feel that way too sometimes.)
00:14 < gmaxwell> Part of the problem is that there is seldom a clear threat model for software.
00:15 < gmaxwell> Like if I told some engineer making an HSM that it had to be robust against fault attacks, I think it's at least somewhat likely that they'd verify after signing.
00:15 < gmaxwell> But should software be robust against fault attack? How robust?
00:16 < gmaxwell> When people make crypto software they often don't have a clear idea of what their threat model is.
00:16 < gmaxwell> So by convention, and bludgeoning, the industry has largely accepted that secret key operations should be constant time. But even getting that was a heroic effort (much of which by DJB in fact).
00:17 < midnight> massive internal redundancy checking! I've *always* wanted to see what hardware might look like that incorporates Pavel Blecher's math proof
00:17 < gmaxwell> But should software be robust against API misuse? against users doing crazy things with keys? fault? etc. Unclear.
00:18 < sipa> And what is acceptable to some software may not be acceptable to others.
00:18 < sipa> Or needed.
00:19 < midnight> 1. Blecher PM. On a logical problem. Discrete Mathematics. 1983;43(1):107-110. doi:10.1016/0012-365X(83)90026-2
00:19 < gmaxwell> My own view is that because we intend the library to be used by unspecified general applications we're somewhat obligated to take on _every_ threat. That if you're going to ignore a threat it should be because you've identified your application and excluded it. But at the same time that would be insane. So instead I think basically we put in every countermeasure that is runtime cheap and not too
00:19 < gmaxwell> hard to code.
00:19 < midnight> ^^ that one
00:19 < gmaxwell> we have also waffled some about the library really just being intended for bitcoin, which narrows the scope.
00:20 < gmaxwell> The big areas of risk that I know of that we're not really protected against are fault attack and differential power analysis. Both I think are really hard to do a good job with without targeting specific hardware.
00:21 < gmaxwell> Also, from my searches open source crypto software generally does nothing about either of these issues... so it isn't like libsecp256k1 could just imitate a best practice.
00:22 < gmaxwell> And for DPA in particular, I think there is relatively little software can ultimately do without hardware help.
00:23 < gmaxwell> I've heard of some software techniques that libsecp256k1 doesn't implement which are supposedly used in embedded signing devices... but I've never found open source code with them. Stuff like increasing the size of k by 64 bits and adding in a random multiple of the group order. But if your damn adders are giving you away, like that sha256 attack, you're pretty much screwed.
00:25 < gmaxwell> It's possible to construct hardware that has a much lower power/EMI emissions signature by using balanced logic (or reversible gates) but because that would draw twice the power or more, these techniques seem to mostly be unused.. except maybe in specialized crypto chips.
00:25 < harding> sipa: here's the change you suggested (as I understood it): https://github.com/bitcoinops/bitcoinops.github.io/pull/335/files
00:40 -!- afk11 [~afk11@gateway/tor-sasl/afk11] has quit [Remote host closed the connection]
00:40 -!- afk11 [~afk11@gateway/tor-sasl/afk11] has joined #secp256k1
01:04 -!- jonatack [~jon@109.232.227.138] has joined #secp256k1
02:06 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has quit [Quit: ZNC - http://znc.in]
02:15 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has joined #secp256k1
02:38 -!- midnight [~midnightm@unaffiliated/midnightmagic] has quit [Ping timeout: 248 seconds]
02:43 -!- midnightmagic [~midnightm@unaffiliated/midnightmagic] has joined #secp256k1
02:46 -!- jonatack [~jon@109.232.227.138] has quit [Ping timeout: 272 seconds]
03:17 -!- afk11 [~afk11@gateway/tor-sasl/afk11] has quit [Remote host closed the connection]
03:17 -!- jb55 [~jb55@gateway/tor-sasl/jb55] has quit [Read error: Connection reset by peer]
03:17 -!- alec [~alec@gateway/tor-sasl/alec] has quit [Write error: Connection reset by peer]
03:17 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has quit [Read error: Connection reset by peer]
03:17 -!- alec [~alec@gateway/tor-sasl/alec] has joined #secp256k1
03:19 -!- afk11 [~afk11@gateway/tor-sasl/afk11] has joined #secp256k1
03:22 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has joined #secp256k1
03:38 -!- jb55 [~jb55@gateway/tor-sasl/jb55] has joined #secp256k1
03:43 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined #secp256k1
16:18 -!- cfields_ [~cfields@unaffiliated/cfields] has joined #secp256k1
16:19 -!- weez17_ [~isaac@unaffiliated/weez17] has joined #secp256k1
16:21 -!- cfields [~cfields@unaffiliated/cfields] has quit [Remote host closed the connection]
16:21 -!- BlueMatt [~BlueMatt@unaffiliated/bluematt] has quit [Ping timeout: 272 seconds]
16:21 -!- weez17 [~isaac@unaffiliated/weez17] has quit [Ping timeout: 272 seconds]
16:22 -!- BlueMatt [~BlueMatt@unaffiliated/bluematt] has joined #secp256k1
16:25 -!- wallet42 [sid154231@gateway/web/irccloud.com/x-zazecsxbjhjdwgpy] has quit [Read error: Connection reset by peer]
16:25 -!- fjahr [sid374480@gateway/web/irccloud.com/x-efkrfktxtctjelbc] has quit [Read error: Connection reset by peer]
16:25 -!- Lightsword [~Lightswor@2604:a880:1:20::1d3:9001] has quit [Quit: ZNC]
16:25 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-jultoaphqsxqsecj] has quit [Read error: Connection reset by peer]
16:25 -!- fjahr [sid374480@gateway/web/irccloud.com/x-zxgqlsemucmslilt] has joined #secp256k1
16:25 -!- Lightsword [~Lightswor@107.170.253.193] has joined #secp256k1
16:25 -!- wallet42 [sid154231@gateway/web/irccloud.com/x-tllizksysaqzfojk] has joined #secp256k1
16:26 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-cbgzncrypihcnuzr] has joined #secp256k1
16:30 -!- real_or_random [~real_or_r@173.249.7.254] has quit [Quit: ZNC 1.7.5 - https://znc.in]
16:31 -!- real_or_random [~real_or_r@173.249.7.254] has joined #secp256k1
21:14 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has quit [Ping timeout: 240 seconds]
21:16 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has joined #secp256k1
--- Log closed Thu Feb 06 00:00:31 2020