--- Day changed Thu Nov 07 2019
00:01 -!- jonatack [~jon@2a01:e35:8aba:8220:6627:dad:d967:649d] has quit [Ping timeout: 250 seconds]
00:20 -!- soju__ [~soju@2601:640:8780:6d90:8d5f:7c5a:ed4:a0bf] has joined ##taproot-bip-review
00:48 -!- john_ [uid401803@gateway/web/irccloud.com/x-izcebrwjwosdbpgo] has quit [Quit: Connection closed for inactivity]
00:51 -!- jonatack [~jon@54.76.13.109.rev.sfr.net] has joined ##taproot-bip-review
00:52 -!- soju__ [~soju@2601:640:8780:6d90:8d5f:7c5a:ed4:a0bf] has quit [Remote host closed the connection]
00:54 -!- b10c [~Thunderbi@mue-88-130-54-143.dsl.tropolys.de] has joined ##taproot-bip-review
00:59 -!- kabaum [~kabaum@185.224.57.161] has quit [Ping timeout: 240 seconds]
01:01 -!- soju__ [~soju@2601:640:8780:6d90:8d5f:7c5a:ed4:a0bf] has joined ##taproot-bip-review
01:02 -!- soju__ [~soju@2601:640:8780:6d90:8d5f:7c5a:ed4:a0bf] has quit [Remote host closed the connection]
01:53 -!- kabaum [~kabaum@93.182.128.34] has joined ##taproot-bip-review
02:45 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has joined ##taproot-bip-review
02:46 -!- ZmnSCPxj [~ZmnSCPxj@180.190.33.157] has quit [Ping timeout: 240 seconds]
02:54 -!- orfeas [81d75b21@dhcp-91-033.inf.ed.ac.uk] has joined ##taproot-bip-review
02:59 < orfeas> sorry, I've lost the name of the group 7 bip review channel. was it ##taproot-bip-review-group-7 again?
03:00 < evoskuil[m]> ##bitcoin-taproot-sg7
03:07 < orfeas> thanks!
03:22 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has quit [Remote host closed the connection]
03:23 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has joined ##taproot-bip-review
03:30 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has quit [Remote host closed the connection]
03:31 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has joined ##taproot-bip-review
03:34 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has quit [Read error: Connection reset by peer]
03:57 -!- kabaum [~kabaum@93.182.128.34] has quit [Ping timeout: 265 seconds]
04:10 -!- kabaum [~kabaum@ec2-52-212-246-229.eu-west-1.compute.amazonaws.com] has joined ##taproot-bip-review
04:11 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has quit [Remote host closed the connection]
04:12 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has joined ##taproot-bip-review
04:14 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has quit [Remote host closed the connection]
04:16 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined ##taproot-bip-review
04:30 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 240 seconds]
04:35 -!- justinmoon [~quassel@157.245.122.126] has joined ##taproot-bip-review
04:36 < justinmoon> Question: why is musig signing always interactive?
04:40 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has joined ##taproot-bip-review
04:52 <@aj> justinmoon: because you need to share a unique set of R values per Pubkey,Message pair
04:53 -!- r251d [~r251d@162-196-59-192.lightspeed.irvnca.sbcglobal.net] has quit [Ping timeout: 240 seconds]
04:53 -!- jonatack [~jon@54.76.13.109.rev.sfr.net] has quit [Ping timeout: 265 seconds]
04:53 -!- r251d [~r251d@162-196-59-192.lightspeed.irvnca.sbcglobal.net] has joined ##taproot-bip-review
04:55 -!- jonatack [~jon@54.76.13.109.rev.sfr.net] has joined ##taproot-bip-review
05:02 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
05:04 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined ##taproot-bip-review
05:12 < justinmoon> Pubkey is aggregate pubkey of all signers?
05:13 -!- jonatack [~jon@54.76.13.109.rev.sfr.net] has quit [Ping timeout: 240 seconds]
05:14 -!- jonatack [~jon@213.152.162.74] has joined ##taproot-bip-review
05:23 <@aj> justinmoon: yeah... actually that phrasing is probably not quite right; you need different R values to avoid reusing your nonce with two different H(R,P,m) values which would allow others to figure out your private key
05:28 < justinmoon> aj: Thanks. So if I wanted to sign a 3/5 musig where all keys are controlled by different parties and stored in bank vaults with no internet, the different signers could commit to a set of R values while online, and then each signer could enter their offline bank vault and sign?
05:31 <@aj> justinmoon: the R values need to be generated as securely as the private keys are stored
05:31 <@aj> justinmoon: (since reusing them reveals the private key)
05:32 <@aj> justinmoon: i think you can generate a bunch of R values on one visit to the vault, and then use those R values for a later transaction on a later visit to the vault, but getting it right requires some storage for the hardware wallet in the vault
05:34 < justinmoon> aj: You'd need to tell your cosigners about these pre-generated R values as well?
05:35 <@aj> https://github.com/ElementsProject/secp256k1-zkp/blob/secp256k1-zkp/src/modules/musig/musig.md might be understandable for threshold sigs -- they require interactive setup and storage for the key setup as well, which n-of-n musig doesn't
05:36 <@aj> justinmoon: yeah, you need to generate s_me = r_me + H(R_me + R_you + R_them, P_me + P_you + P_them, msg)*p_me -- so you can't sign until you know all the R's
05:36 <@aj> justinmoon: and you need to do a two-phase commit to tell everyone the R's or else you become vulnerable to wagner's attack or so
05:50 < justinmoon> aj: Thanks. In summary, you can accomplish "offline signing" if offline wallet and online wallet each store a bit more state.
05:50 < justinmoon> aj: And deterministic-k schemes don't work because signature aggregation implies you could solve for private keys?
05:56 <@aj> justinmoon: if you do deterministic-k but your cosigner doesn't do deterministic-k, then when you combine the two they can solve for a private key. if you both share zk-proofs that you did deterministic-k then everything's good -- you can make the k = Hash(private_key, counter) and prove that everyone used the same counter, and only ever sign when the new counter is greater than the last counter you
05:56 <@aj> signed for
05:57 -!- michaelfolkson [~textual@2a00:23c5:be04:e501:70b1:61d2:95e:e2d7] has joined ##taproot-bip-review
05:58 <@aj> you would then generate K=k*G and the zkp in advance / batched, share them all, and to do a signature just collect K_100 from enough signers, and take the proofs into the vaults
05:59 <@aj> (i think, i tend to forget necessary details when describing this stuff off the top of my head, so take it with a grain of salt)
06:07 -!- jonatack [~jon@213.152.162.74] has quit [Ping timeout: 264 seconds]
06:10 < instagibbs> how often are QAs?
06:13 <@aj> two a week
06:14 <@aj> instagibbs: fyi, planning on including a link to your liquid-tapscript-case-study ipynb in the week-2 notes
06:14 < instagibbs> kk
06:27 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 276 seconds]
06:29 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined ##taproot-bip-review
07:01 -!- michaelfolkson [~textual@2a00:23c5:be04:e501:70b1:61d2:95e:e2d7] has quit [Quit: Sleep mode]
07:03 -!- michaelfolkson [~textual@2a00:23c5:be04:e501:70b1:61d2:95e:e2d7] has joined ##taproot-bip-review
07:23 -!- michaelfolkson [~textual@2a00:23c5:be04:e501:70b1:61d2:95e:e2d7] has quit [Quit: Sleep mode]
07:29 -!- kabaum [~kabaum@ec2-52-212-246-229.eu-west-1.compute.amazonaws.com] has quit [Ping timeout: 240 seconds]
07:47 < murch> Please consider cross-posting any interesting questions to Bitcoin Stackexchange. :)
07:47 < murch> e.g. justinmoon's question above why MuSig signing is always interactive would be a good candidate.
07:47 < justinmoon> murch: i'll post that
07:48 < murch> Thank ye.
08:11 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Quit: My computer has gone to sleep.]
08:21 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
08:21 -!- soju__ [~soju@2601:640:8780:6d90:8d5f:7c5a:ed4:a0bf] has joined ##taproot-bip-review
08:26 -!- jonatack [~jon@2a01:e35:8aba:8220:6627:dad:d967:649d] has joined ##taproot-bip-review
08:29 -!- kabaum [~kabaum@185.224.57.161] has joined ##taproot-bip-review
08:40 < justinmoon> murch: https://bitcoin.stackexchange.com/questions/91534/musig-interactivity
08:42 < sipa> justinmoon: fwiw, we're working on a paper on deterministic nonces in musig
08:51 -!- HighOnBtc [~Admin@213.233.110.236] has joined ##taproot-bip-review
09:05 < instagibbs> justinmoon, would also be nice to know exactly "what can go wrong" in a cold setup with musig
09:05 < justinmoon> instagibbs: Yes. Musig footguns.
09:06 -!- HighOnBtc [~Admin@213.233.110.236] has quit [Ping timeout: 268 seconds]
09:11 -!- kabaum [~kabaum@185.224.57.161] has quit [Ping timeout: 252 seconds]
09:20 -!- michaelfolkson [~textual@62.60.62.11] has joined ##taproot-bip-review
09:42 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has joined ##taproot-bip-review
09:55 -!- michaelfolkson [~textual@62.60.62.11] has quit [Quit: Sleep mode]
09:59 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 252 seconds]
10:00 -!- orfeas [81d75b21@dhcp-91-033.inf.ed.ac.uk] has quit [Remote host closed the connection]
10:05 -!- michaelfolkson [~textual@62.60.62.11] has joined ##taproot-bip-review
10:12 -!- michaelfolkson [~textual@62.60.62.11] has quit [Quit: Sleep mode]
10:15 < murch> justinmoon: Thanks. :)
10:31 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined ##taproot-bip-review
10:36 -!- jenseven [~jenseven@103.194.171.157] has quit [Ping timeout: 240 seconds]
10:44 -!- soju__ [~soju@2601:640:8780:6d90:8d5f:7c5a:ed4:a0bf] has quit [Remote host closed the connection]
10:45 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 264 seconds]
10:51 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined ##taproot-bip-review
11:02 < nickler> justinmoon: fwiw I discussed some of the considerations at breaking bitcoin this year, slide 19. https://nickler.ninja/slides/2019-breaking.pdf
11:03 < justinmoon> nickler: Thanks!
11:12 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Quit: My computer has gone to sleep.]
11:19 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
11:38 < instagibbs> nickler, "non-musig key agg" would follow the same signing rounds, right?
11:47 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Quit: My computer has gone to sleep.]
11:47 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
11:47 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Client Quit]
12:03 -!- soju__ [~soju@2601:640:8780:6d90:58df:79:3066:256e] has joined ##taproot-bip-review
12:08 -!- soju__ [~soju@2601:640:8780:6d90:58df:79:3066:256e] has quit [Ping timeout: 245 seconds]
12:12 < nickler> instagibbs: if you mean DL-based and without the zkp mentioned above then yes afaik
12:12 < instagibbs> yes, meaning your slides thanks
12:12 < nickler> I posted an answer on stackexchange
12:12 < nickler> instagibbs: ah, yeah
12:14 < instagibbs> 2 roundtrips to vault is still so painful :'(
12:17 < sipa> nickler: very nice answer
12:17 < nickler> you can make it only 1 roundtrip to one of your vaults
12:18 < instagibbs> i mean 2 visits to vault, unless you mean only 1 visit
12:20 < nickler> I mean 1 visit. Let's say you have 3 keys, VaultA, VaultB, VaultC. You've already pre-shared nonce commitments, you go to VaultA get the nonce, go to VaultB get the nonce, go to VaultC get the nonce, and return with a partial signature using the sum of the nonces
12:20 < nickler> so you only go to VaultC once
12:21 < instagibbs> Ok amortized, because N parallel sessions
12:23 < nickler> yeah, only works once, but also makes sense for example when you use musig in lightning
12:24 < instagibbs> I mean LN is super hot, not a big deal
12:24 < instagibbs> Latency issues aside
12:25 < devrandom> you can't reuse nonces for different messages, right?
12:26 -!- kabaum [~kabaum@2001:9b1:efd:9b00::281] has joined ##taproot-bip-review
12:26 < sipa> devrandom: no
12:26 < sipa> any known (sufficiently simple) relation between nonces used in distinct (partial) signatures leaks the private key
12:27 < devrandom> so I'm not sure what pre-sharing buys you (from a UX point of view), given that you need to regenerate the nonces for every signature you make
12:27 < sipa> you can pregenerate a million nonces
12:28 < sipa> as long as you make sure not to ever use the same one twice
12:28 < sipa> (i don't recommend that, to be clear, but in certain cases that is safe)
12:28 < devrandom> ah, right, you can do a batch of them
12:30 < devrandom> can the nonces be deterministically generated from the private keys and a counter, to reduce storage requirements?
12:31 < sipa> yes, but
12:31 < sipa> you must still guarantee they're never reused
12:31 < sipa> in particular, you cannot deterministically generate them from the private key and the message like in single sigs
12:32 < devrandom> ah, of course, if you batch them in advance you don't know the message, so then you need to keep track of the message to allocated nonce
12:32 < sipa> because then you'd like your private key by participating in two signing attempts for the same message
12:32 < sipa> s/like/leak/
12:34 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has quit [Read error: Connection reset by peer]
12:55 -!- mattleon [~textual@pool-173-68-83-200.nycmny.fios.verizon.net] has joined ##taproot-bip-review
12:59 < devrandom> the meeting invite for study group 3 refers to this channel. is that right, or is there a specific channel for our group?
12:59 < mattleon> also here for group 3
12:59 < mattleon> though there was an email that mentioned another channel, I'll dig it up
13:00 < sipa> i think the idea is just that you'd use this channel to coordinate
13:00 < pyskell> devrandom, mattleon that's correct
13:00 < devrandom> I see it now - #bitcoin-taproot-sg3
13:00 < pyskell> Can we use the logging bot in other channels then sipa?
13:01 < pyskell> Maybe aj or moneyball know?
13:04 < luke-jr> meeting bot seems more useful
13:04 < pyskell> #help
13:40 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 240 seconds]
13:41 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has quit [Ping timeout: 268 seconds]
13:53 -!- andytoshi [~apoelstra@wpsoftware.net] has joined ##taproot-bip-review
13:53 -!- andytoshi [~apoelstra@wpsoftware.net] has quit [Changing host]
13:53 -!- andytoshi [~apoelstra@unaffiliated/andytoshi] has joined ##taproot-bip-review
14:09 -!- mattleon [~textual@pool-173-68-83-200.nycmny.fios.verizon.net] has quit [Quit: Textual IRC Client: www.textualapp.com]
14:16 -!- soju__ [~soju@2601:640:8780:6d90:b0d0:665d:73a2:d119] has joined ##taproot-bip-review
14:23 -!- soju__ [~soju@2601:640:8780:6d90:b0d0:665d:73a2:d119] has quit [Remote host closed the connection]
14:35 -!- soju__ [~soju@2601:640:8780:6d90:b0d0:665d:73a2:d119] has joined ##taproot-bip-review
14:35 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has joined ##taproot-bip-review
14:36 -!- b10c [~Thunderbi@mue-88-130-54-143.dsl.tropolys.de] has quit [Ping timeout: 264 seconds]
14:40 -!- soju__ [~soju@2601:640:8780:6d90:b0d0:665d:73a2:d119] has quit [Ping timeout: 264 seconds]
14:46 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
14:49 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Client Quit]
14:52 <@aj> pyskell: i can add lightningbot to other channels, but if you want meetbot logging for a 1h meeting, just doing it here would be much easier i think
14:52 -!- pinheadmz [~matthewzi@5.181.233.92] has quit [Quit: pinheadmz]
14:54 -!- ZmnSCPxj_ [~ZmnSCPxj@180.190.33.157] has quit [Ping timeout: 276 seconds]
15:00 -!- pglazman [~pglazman@205.209.24.227] has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
15:02 -!- soju__ [~soju@2601:640:8780:6d90:b0d0:665d:73a2:d119] has joined ##taproot-bip-review
15:04 -!- pglazman [~pglazman@205.209.24.227] has joined ##taproot-bip-review
15:35 -!- pglazman [~pglazman@205.209.24.227] has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
15:42 -!- pglazman [~pglazman@205.209.24.227] has joined ##taproot-bip-review
16:05 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has joined ##taproot-bip-review
16:16 -!- pglazman [~pglazman@205.209.24.227] has quit [Read error: Connection reset by peer]
16:56 -!- Chris_Stewart_5 [~chris@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 265 seconds]
17:15 -!- nick_fre_ [~nick_free@2001:16b8:30c6:da00:e0d6:1aa:ba59:3a79] has quit [Remote host closed the connection]
17:22 -!- michaelfolkson [~textual@2a00:23c5:be04:e501:e8f4:48b5:f75a:b75f] has joined ##taproot-bip-review
17:26 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
17:27 -!- soju__ [~soju@2601:640:8780:6d90:b0d0:665d:73a2:d119] has quit []
17:55 -!- michaelfolkson [~textual@2a00:23c5:be04:e501:e8f4:48b5:f75a:b75f] has quit [Quit: Sleep mode]
18:01 -!- nick_freeman [~nick_free@92.116.135.129] has joined ##taproot-bip-review
18:08 -!- jb55 [~jb55@gateway/tor-sasl/jb55] has quit [Remote host closed the connection]
18:30 -!- nick_fre_ [~nick_free@2001:16b8:300b:2800:4c26:b5e9:5bc7:6410] has joined ##taproot-bip-review
18:33 -!- nick_freeman [~nick_free@92.116.135.129] has quit [Ping timeout: 240 seconds]
18:59 < pyskell> aj, gotcha, will do in the future
19:33 -!- pinheadmz [~matthewzi@184.75.212.188] has joined ##taproot-bip-review
19:38 -!- nick_fre_ [~nick_free@2001:16b8:300b:2800:4c26:b5e9:5bc7:6410] has quit [Remote host closed the connection]
20:40 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Quit: My computer has gone to sleep.]
20:45 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has joined ##taproot-bip-review
20:45 -!- stacie [~stacie@c-24-60-139-217.hsd1.ma.comcast.net] has quit [Client Quit]
20:58 -!- pinheadmz [~matthewzi@184.75.212.188] has quit [Quit: pinheadmz]