--- Day changed Mon Nov 25 2019
01:56 < nickler> harding: Is there a reason why Bob wouldn't sign a message including both updates in normal, non-adversarial operation?
01:56 < nickler> The idea in the linked PR only works if Alice can compute the expected message before giving out her nonce and then only signing that message after receiving Bob's nonce.
01:56 < nickler> If Bob signs a different message, they won't produce a combined signature but that's fine for the security of MuSig.
02:25 < gmaxwell> Here is a plausible attack on a system using 16-byte e. Alice and Bob jointly own a 2of2 address. Alice and Bob have both pre-committed then shared nonces. Bob authors a message for Alice and him to jointly sign. Bob does ~2^64 work to find a colliding pair of messages with the same e, one that Alice would sign and one that she wouldn't sign that pays him all the coins. Bob asks Alice
02:25 < gmaxwell> to sign the one, then substitutes the other message on the network.
02:26 < gmaxwell> I think this is concrete enough to refute PR158's claim that 16 bytes wouldn't be sacrificing security.
02:34 < aj> gmaxwell: pre-committing and sharing nonces prior to knowing what message they apply to is already broken via nickler's shortcuts article isn't it?
02:37 < gmaxwell> yes/no. In that case-- that attack requires actual parallel sessions. What I'm describing doesn't.
02:40 < gmaxwell> I agree that the protocol flow I'm suggesting isn't a great idea, but "you and I exchange nonce commitments, then you and I exchange nonces, Then I send you a message. You don't begin any other signing sessions until yours with me completes or you give up and discard the nonces".
02:40 < gmaxwell> afaik doesn't have any problem with a 256bit hash, but is trivially vulnerable to a modest 2^64 work collision attack on the hash with a shortened schnorr signature.
03:13 < aj> yeah. hmm, doesn't shortening the hash make the wagner attack more effective too?
03:37 < gmaxwell> absolutely.
07:14 < orfeas> in footnote 12 of taproot (https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki#cite_note-12) an attack on feerate is mentioned but the change to wtxid (which seems more important) isn't
08:10 < orfeas> minor change: in the Transaction Digest, I propose that "If both the SIGHASH_NONE and SIGHASH_SINGLE flags are not set" be changed to "If neither the SIGHASH_NONE nor the SIGHASH_SINGLE flag is set"
08:29 < orfeas> taproot, footnote 16, "digest computation avoids unnecessary hashing as opposed to BIP143 digests in which parts may be set zero and before hashing them": I think there is a typo at the end of the sentence
21:16 < ZmnSCPxj__> harding: possibly we can move to sending h(r * G) "early", i.e. in the previous `commitment_signed`, we already sent our `h(r * G)` for our *current* `commitment_signed`.
21:17 < ZmnSCPxj__> ...but the other side still needs to send back its `R` as well before we can send our partial `s`, hmm, no.
21:20 < ZmnSCPxj__> current LN already requires 1.5 round trips to forward a payment. We can batch multiple payments together but there's still turnaround time for the remote side to accept the creation of the HTLC.
21:22 < ZmnSCPxj__> There is my old proposal for fast forwards as well, which reduces forwarding to 0.5 round trips but requires a later "cleanup" that batches several forwards + claims/errors.
21:22 < ZmnSCPxj__> https://lists.linuxfoundation.org/pipermail/lightning-dev/2019-April/001986.html
21:23 < ZmnSCPxj__> If we use MuSig for only the funding transaction output, then it's only the later "cleanup" that needs the 2.5 round trips overhead of the MuSig protocol.
21:30 < ZmnSCPxj__> Such a tradeoff may be acceptable. In the happy case where most closes are mutual, then channel closes look exactly like singlesig spends.
21:31 < ZmnSCPxj__> This adds overhead for updating the actual channel mechanism, but my fast forwards proposal does not use the channel mechanism "directly", it instead spends the output the forwarding side owns
21:32 < ZmnSCPxj__> Then on claiming the forwardee adds another transaction that spends that HTLC.
21:32 < ZmnSCPxj__> And *then* the channel mechanism is used to cut through the intermediate transactions
21:33 < ZmnSCPxj__> But by then the hash preimage has been provided and the transaction has completed, and the cut-through is now "just" an optimization enabled by the update mechanism.
21:38 < ZmnSCPxj__> Or just punt and do not use MuSig for channel commitment updates, instead use a MuSig(A, B) internal key and a Tapscript with a ` OP_CHECKSIGVERIFY OP_CHECKSIG`, and only use MuSig for mutual closes anyway.
22:43 < aj> ZmnSCPxj__: could have a script path that only takes 1 round, so that the routing can continue quickly, but also clean up afterwards by finishing musig key path spend as well