--- Log opened Sun Aug 08 00:00:32 2021
11:58 < harding> sipa: I think I understand, but I'll describe what I think I know and maybe you can tell me if I'm bullshitting myself. The problem is that creating two different signatures (or partial signatures) with the same nonce allows someone who sees both signatures to effectively cancel out the nonce and then solve for the only remaining unknown in the signature equation, your private key.
11:58 < harding> For single-sig, you only have to worry about using the same nonce with different messages, hence RFC6979 which makes the nonce contingent on the message. For multisignatures, it's possible for you to create two different partial signatures with the same nonce and the same message if at least one of the other cosigners changes their nonce (since your partial signature is over the combined nonce, not your unique contribution to it).
11:58 < harding> That means you must never use the same nonce in different multisignature signing sessions, which means you can't use a deterministic nonce that only varies based on the message.
11:58 < harding> I think what confused me is the other problem MuSig* solves for, which is the ability of an adversarial cosigner who knows your nonce to tweak their nonce to negate your contribution. In MuSig1, requiring your cosigners commit to their nonces before you reveal yours obviously doesn't help if they can just restart the signing session with the same message to get you to use the same deterministic nonce again after they learned its value from a previous
11:58 < harding> session. IIUC, with MuSig2, you don't have that problem: even if you use a deterministic nonce, your cosigners still can't tweak their nonces to negate yours. So that looked like deterministic nonces were back in. But, what I failed to previously consider, is that the more basic reused nonce attack is still available to them---which is why deterministic nonces must still not be used in MuSig2.
12:09 < sipa> harding: exactly
12:46 < sipa> gmaxwell: it's complicated... i think it's better to say that it isn't the determinism of the nonce or the function to do that's a problem (e.g. musig-dn with an rfc6979-like derandomized nonce would also not be a problem, just way more expensive to construct ZKPs for; and on the other hand, i think you could reasonably call musig (1 or 2) with a SHA256(seckey, pubkeys, message, secure_counter++) a
12:46 < sipa> derandomized nonce too as it requires no entropy at signing...
12:46 < sipa> time, and can be secure)
12:56 < gmaxwell> musig-dn is actually deterministic from the perspective of the receiver. A signer using RFC6979 is not deterministic from the perspective of the receiver.
12:57 < gmaxwell> musig-dn would have been secure for NXT's pos crap.
13:00 < sipa> as long as they don't hash the proof along with it :)
13:01 < gmaxwell> if they had, then they would have needed musig-dn-dn. :P
--- Log closed Mon Aug 09 00:00:33 2021