--- Log opened Tue Jul 30 00:00:08 2024
00:23 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
08:44 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has joined #secp256k1
09:03 -!- preimage [~halosghos@user/halosghost] has joined #secp256k1
09:09 -!- jon_atack [~jonatack@user/jonatack] has joined #secp256k1
09:12 -!- jonatack [~jonatack@user/jonatack] has quit [Ping timeout: 260 seconds]
09:16 -!- jon_atack [~jonatack@user/jonatack] has quit [Ping timeout: 252 seconds]
09:17 -!- jonatack [~jonatack@user/jonatack] has joined #secp256k1
09:35 -!- jonatack [~jonatack@user/jonatack] has quit [Ping timeout: 260 seconds]
09:37 -!- jonatack [~jonatack@user/jonatack] has joined #secp256k1
09:44 < theStack> i've noticed that for schnorr signing, the secret key negation (necessary if the corresponding point has odd Y) isn't done in constant time. does it make sense to change that, by using `_scalar_cond_negate` instead?
09:46 < andytoshi> the negation itself i believe is constant-time (not on purpose, it's just super fast and simple). it's true that we don't try to take the same amount of time in the negation and non-negation case
09:47 < andytoshi> which _cond_negate would help. but i don't think this is necessary because i _think_ the choice of whether to negate is always public
09:47 < andytoshi> and i think maybe it always corresponds to a 1-bit loss of security, though i don't remember now
09:59 < theStack> ah, thanks, interesting. (btw, the only use of _cond_negate currently in non-test code is for ensuring a low-s value in ECDSA signing)
10:42 < sipa> attackers (without access to the private key) can in O(1) time determine whether negation was performed or not, just by observing message, public key, and signature
10:42 < sipa> (by just verifying the sG = R + hash(R||P||m)P equation for both signs of P)
10:43 < sipa> thus revealing this information through timing information cannot help the attacker
10:44 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
10:45 < sipa> andytoshi: there is no loss in security either (not even 1 bit), in the sense that whatever techniques are available to break DLP of x-only pubkeys are also available for full keys (if you had a hypothetical A(x) algorithm that computes the DL of an x-only key x, you can turn it into a DL solver for full pubkeys P by running it on P.x, checking the result, and if it is not matching, negating the DL)
12:50 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has joined #secp256k1
14:16 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
14:35 -!- preimage [~halosghos@user/halosghost] has quit [Quit: WeeChat 4.3.5]
15:04 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has joined #secp256k1
15:24 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has quit [Quit: My iMac has gone to sleep. ZZZzzz…]
17:45 -!- jonatack [~jonatack@user/jonatack] has quit [Ping timeout: 255 seconds]
17:46 -!- jonatack [~jonatack@user/jonatack] has joined #secp256k1
23:27 -!- tromp [~textual@92-110-219-57.cable.dynamic.v4.ziggo.nl] has joined #secp256k1
--- Log closed Wed Jul 31 00:00:09 2024