--- Log opened Mon Feb 24 00:00:05 2020
01:01 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined ##taproot-bip-review
02:08 -!- mol [~molly@unaffiliated/molly] has joined ##taproot-bip-review
02:11 -!- molz_ [~molly@unaffiliated/molly] has quit [Ping timeout: 255 seconds]
03:36 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has quit [Ping timeout: 240 seconds]
03:50 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has joined ##taproot-bip-review
07:28 -!- hebasto [~hebasto@95.164.65.194] has quit [Ping timeout: 240 seconds]
09:23 -!- hebasto [~hebasto@95.164.65.194] has joined ##taproot-bip-review
09:45 -!- molly [~molly@unaffiliated/molly] has joined ##taproot-bip-review
09:47 -!- mol [~molly@unaffiliated/molly] has quit [Ping timeout: 240 seconds]
10:01 -!- pinheadmz [~matthewzi@pool-100-33-69-78.nycmny.fios.verizon.net] has quit [Quit: pinheadmz]
10:28 -!- ariard_ [~ariard@167.99.46.220] has quit [Quit: Lost terminal]
13:37 -!- pinheadmz [~matthewzi@5.181.234.220] has joined ##taproot-bip-review
17:22 -!- mol [~molly@unaffiliated/molly] has joined ##taproot-bip-review
17:25 -!- molly [~molly@unaffiliated/molly] has quit [Ping timeout: 265 seconds]
17:30 < kanzure> in the taproot bip, non-malleability is a motivation: why? segwit solves this right? i like non-malleability of course.
17:41 < aj> kanzure: wtxid malleability is still nice to avoid, as is having different sizes of witness data which might let people malleate your fee rate over p2p?
17:48 < sipa> also tx propagation is hurt by malleability, which indirectly contributes to block propagation in compact blocks & co
18:00 < kanzure> thank you. we're in a socratic seminar at the moment :).
18:00 < aj> oh, then the answer should have been "why do you think non-malleability would be a motivation?" ?
18:01 < kanzure> well really it turned into "we're reading bip-340 out loud and watching adiabat explain schnorr signatures on youtube"
18:04 < kanzure> for tagged hashes, in what situation is nonce reuse expected? like low-entropy nonces ..?
18:04 < aj> do you mean tag reuse?
18:05 < kanzure> "For example, without tagged hashing a BIP340 signature could also be valid for a signature scheme where the only difference is that the arguments to the hash function are reordered. Worse, if the BIP340 nonce derivation function was copied or independently created, then the nonce could be accidentally reused in the other scheme leaking the secret key."
18:05 < kanzure> this would only be true for low-entropy nonces right?
18:05 < aj> or if the nonce is deterministic
18:06 < kanzure> oh i see, i can see ways that deterministic nonces would conflict.
18:23 < ghost43> Let's say I want an M of N multisig policy. Due to restrictions with interactivity, let's say I don't want to use musig as part of the scheme. I could either have a single tapleaf testing the M-of-N using OP_CHECKSIGADD, or I could create N choose M tapleaves each with an M-of-M using OP_CHECKSIGADD. If M,N are small, say 3-of-5, both are equally workable. The many tapleaf case looks more desirable due to having to reveal less details
18:23 < ghost43> about the policy on chain. Looking at the sighash in the bips, do I understand it correctly that with the combinatorial setup each signer commits to the other actual signers, i.e. the first signer would have to choose who the other M-1 signers are going to be?
18:29 < kanzure> grammatical bug in "this prevents lying to offline signing devices about output being spent" in bip341
19:25 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Read error: Connection reset by peer]
19:28 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined ##taproot-bip-review
19:52 -!- CubicEarth [~CubicEart@c-67-168-1-172.hsd1.wa.comcast.net] has quit [Ping timeout: 260 seconds]
19:53 -!- CubicEarth [~CubicEart@c-67-168-1-172.hsd1.wa.comcast.net] has joined ##taproot-bip-review
20:21 < kanzure> https://diyhpl.us/wiki/transcripts/austin-bitcoin-developers/2020-02-24-socratic-seminar-6/
20:23 < aj> ghost43: (i find k-of-n less confusing fwiw)
20:24 < aj> ghost43: yes, each signature commits to the tapscript, so if you have a different tapscript for each group (ie ABC, ABD, ABE, BCD, BCE, CDE) then you have to decide in advance which of those you're going to do
20:26 < aj> ghost: you do ABC with "A CHECKSIGVERIFY B CHECKSIGVERIFY C CHECKSIG" presumably, no checksigadds. if you did ABCDE,k=3 with "A CHECKSIG {B,C,D,E CHECKSIGADD} 3 EQUAL" there's only one script and you're fine. if you're not doing musig, i think that's cheaper too?
20:37 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has quit [Ping timeout: 240 seconds]
20:43 -!- sipa [~pw@gateway/tor-sasl/sipa1024] has joined ##taproot-bip-review
23:57 -!- jonatack [~jon@2a01:e0a:53c:a200:bb54:3be5:c3d0:9ce5] has quit [Ping timeout: 240 seconds]
--- Log closed Tue Feb 25 00:00:06 2020