sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
luke-jr has quit [Excess Flood]
luke-jr has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
lukedashjr has joined #bitcoin-wizards
luke-jr has quit [Ping timeout: 264 seconds]
lukedashjr is now known as luke-jr
belcher has quit [Quit: Leaving]
Guest07453 has joined #bitcoin-wizards
isis is now known as isis_
jtimon has quit [Ping timeout: 264 seconds]
itsme has joined #bitcoin-wizards
dougsland has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
itsme___ has quit [Ping timeout: 256 seconds]
AaronvanW has quit [Ping timeout: 256 seconds]
dougsland has quit [Ping timeout: 240 seconds]
Guest07453 has quit [Ping timeout: 248 seconds]
lukedashjr has joined #bitcoin-wizards
lukedashjr has quit [Excess Flood]
lukedashjr has joined #bitcoin-wizards
luke-jr has quit [Ping timeout: 264 seconds]
lukedashjr has quit [Excess Flood]
itsme has quit [Quit: Textual IRC Client: www.textualapp.com]
luke-jr has joined #bitcoin-wizards
Krellan has quit [Read error: Connection reset by peer]
Krellan has joined #bitcoin-wizards
thrmo has quit [Quit: Waiting for .007]
Krellan has quit [Ping timeout: 265 seconds]
Krellan has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 265 seconds]
Krellan has joined #bitcoin-wizards
luke-jr has quit [Read error: Connection reset by peer]
luke-jr has joined #bitcoin-wizards
luke-jr has quit [Excess Flood]
luke-jr has joined #bitcoin-wizards
luke-jr has quit [Excess Flood]
luke-jr has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 246 seconds]
lukedashjr has joined #bitcoin-wizards
lukedashjr has quit [Excess Flood]
lukedashjr has joined #bitcoin-wizards
lukedashjr has quit [Excess Flood]
luke-jr has quit [Ping timeout: 256 seconds]
lukedashjr has joined #bitcoin-wizards
lukedashjr has quit [Excess Flood]
luke-jr has joined #bitcoin-wizards
Krellan has joined #bitcoin-wizards
intcat has quit [Read error: Connection reset by peer]
ghost43 has quit [Write error: Connection reset by peer]
ghost43 has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 246 seconds]
intcat has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
Krellan has joined #bitcoin-wizards
nuncanada has quit [Quit: Leaving]
Krellan has quit [Ping timeout: 246 seconds]
Krellan has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Aaronvan_ has quit [Ping timeout: 256 seconds]
isis_ is now known as isis
rusty has joined #bitcoin-wizards
Emcy has quit [Ping timeout: 265 seconds]
AaronvanW has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
Cory has quit [Read error: Connection reset by peer]
Emcy has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
Cory has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
luke-jr has quit [Ping timeout: 260 seconds]
CubicEarths has joined #bitcoin-wizards
luke-jr has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
legogris has quit [Remote host closed the connection]
legogris has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
Aranjedeath has quit [Quit: Three sheets to the wind]
Chris_Stewart_5 has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 260 seconds]
rusty has quit [Ping timeout: 260 seconds]
AaronvanW has joined #bitcoin-wizards
luke-jr has quit [Ping timeout: 250 seconds]
luke-jr has joined #bitcoin-wizards
luke-jr has quit [Changing host]
luke-jr has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
datavetaren has joined #bitcoin-wizards
luke-jr has quit [Read error: Connection reset by peer]
luke-jr has joined #bitcoin-wizards
dongcarl_ is now known as dongcarl
datavetaren has quit [Quit: datavetaren]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
datavetaren has joined #bitcoin-wizards
Gurgulor has quit [Ping timeout: 276 seconds]
datavetaren has quit [Quit: datavetaren]
Empact has joined #bitcoin-wizards
harding has quit [Remote host closed the connection]
harding has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Krellan has quit [Read error: Connection reset by peer]
Krellan has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 250 seconds]
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
nickler_ has quit [Ping timeout: 240 seconds]
nickler has joined #bitcoin-wizards
jephalien has quit [Remote host closed the connection]
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
marcoagner has joined #bitcoin-wizards
setpill has joined #bitcoin-wizards
<dcousens> secp256k1_ec_pubkey_tweak_add is generally synonymous with point multiplication ... unless the tweak is 0, which if multiplied would be ... infinity? What would be the semantics here?
<dcousens> To clarify, secp256k1_ec_pubkey_tweak_add, called with point Q and tweak == 0, returns Q
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 265 seconds]
<aj> tweak_add(Q,t) = Q+t*G; so t=0 gives Q
<aj> ?
<aj> there's tweak_mul(Q,t) = t*Q, so tweak_mul(Q,0) should be 0*G=inf ?
<dcousens> aj: aye, my mistake was in the assumption "is generally synonymous with point multiplication", as I merely matched the type signature in my head (Point, uint256) instead of the actual semantics
<aj> dcousens: heh. sounds like you're thinking in haskell then :)
Krellan has quit [Ping timeout: 255 seconds]
marcoagner has quit [Quit: WeeChat 2.0.1]
marcoagner has joined #bitcoin-wizards
uiuc-slack has joined #bitcoin-wizards
samm_ has quit [Read error: Connection reset by peer]
samm_ has joined #bitcoin-wizards
liead has joined #bitcoin-wizards
adlai has quit [Ping timeout: 248 seconds]
uiuc-slack1 has quit [Ping timeout: 248 seconds]
CheckDavid has quit [Quit: Connection closed for inactivity]
spinza has quit [Quit: Coyote finally caught up with me...]
marcoagner has quit [Quit: WeeChat 2.0.1]
jtimon has joined #bitcoin-wizards
marcoagner has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 256 seconds]
laurentmt has joined #bitcoin-wizards
provoostenator has joined #bitcoin-wizards
provoostenator has left #bitcoin-wizards ["Textual IRC Client: www.textualapp.com"]
TheoStorm has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
thrmo has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 268 seconds]
AaronvanW has joined #bitcoin-wizards
setpill has quit [Ping timeout: 256 seconds]
setpill has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
Empact has quit [Quit: Textual IRC Client: www.textualapp.com]
setpill has quit [Ping timeout: 255 seconds]
setpill has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
laurentmt has quit [Quit: laurentmt]
Guyver2 has joined #bitcoin-wizards
keymone has joined #bitcoin-wizards
<andytoshi> tweak_mul returns 0 if you try to multiply a point by 0, as described in the docs for that function
<andytoshi> like, the integer (in C, integer means "error" and also means every other word) 0. it doesn't return any point.
<dcousens> out of interest, why does secp256k1_ecdsa_signature_parse_compact support 0 values for r/s? ("If R or S fall outside of [0..order-1], the encoding is invalid. R and S with value 0 are allowed in the encoding.")
<dcousens> I know it still guarantees to fail validation, just curious why to fail if > order-1, but not 0
<andytoshi> the motivation there was uniqueness of encoding
vicenteH has joined #bitcoin-wizards
<andytoshi> it'd be a layer violation to exclude encodings just because they couldn't be valid signatures .. and also it's helpful sometimes to have an "all-zeroes" signature as a sentinel value or something like that
deusexbeer has quit [Read error: Connection reset by peer]
<dcousens> andytoshi: ta for insight :)
<dcousens> but wait
<dcousens> andytoshi isn't excluding > order-1 the same as "just because they couldn't be valid signatures"?
<dcousens> I mean, the encoding could have specified [1 ...order-1]
<dcousens> If the question is, given 64 bytes, "could this be a signature usable for a verify operation", if R/S is not in [1... order -1], then the answer is no? or?
sipa has joined #bitcoin-wizards
CubicEarths has quit [Remote host closed the connection]
<andytoshi> i think our code rejects overflows
<andytoshi> but our scalars have many representations as integers, some of which exceed the order of their respective groups
datavetaren has joined #bitcoin-wizards
fletom has quit [Quit: The Lounge - https://thelounge.github.io]
fletom has joined #bitcoin-wizards
d9b4bef9 has quit [Remote host closed the connection]
nuncanada has joined #bitcoin-wizards
d9b4bef9 has joined #bitcoin-wizards
nuncanada has quit [Ping timeout: 240 seconds]
dougsland has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
Guest07453 has joined #bitcoin-wizards
Guest07453 has quit [Quit: Leaving]
datavetaren has quit [Quit: datavetaren]
SopaXorzTaker has quit [Remote host closed the connection]
marcoagner has quit [Quit: WeeChat 2.0.1]
madacol has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
thrmo has quit [Remote host closed the connection]
setpill has quit [Quit: o/]
marcoagner has joined #bitcoin-wizards
isis is now known as isis_
marcoagner has quit [Remote host closed the connection]
Noldorin has quit [Ping timeout: 240 seconds]
madacol has quit [Read error: Connection reset by peer]
madacol has joined #bitcoin-wizards
marcoagner has joined #bitcoin-wizards
madacol has quit [Ping timeout: 248 seconds]
vicenteH has quit [Ping timeout: 256 seconds]
madacol has joined #bitcoin-wizards
isis_ is now known as isis
a87ry5 has joined #bitcoin-wizards
<a87ry5> .title
<yoleaux> Cryptology ePrint Archive: Report 2018/414
<a87ry5> Aggregation of Gamma-Signatures and Applications to Bitcoin
datavetaren has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
Krellan has joined #bitcoin-wizards
Krellan has quit [Remote host closed the connection]
Krellan has joined #bitcoin-wizards
<waxwing> seems like the authors aren't aware of the work that's been done on musig and so on to make schnorr aggregation safe from key subtraction attacks
<waxwing> (from a brief read of Section 4)
madacol has quit [Ping timeout: 255 seconds]
madacol has joined #bitcoin-wizards
madacol has quit [Client Quit]
BashCo has joined #bitcoin-wizards
thrmo has joined #bitcoin-wizards
marcoagner has quit [Remote host closed the connection]
marcoagn1 has joined #bitcoin-wizards
a87ry5 has quit [Ping timeout: 248 seconds]
thrmo is now known as NuncaVaisAcabar
vicenteH has joined #bitcoin-wizards
isis is now known as isis_
rusty has joined #bitcoin-wizards
<nickler> I have only skimmed the gamma signatures paper but the scheme doesn't seem to aggregate the public nonces (see table 4). It's like non-interactive half aggregation, but it seems broken by Wagner because not all attacker-given data (like messages and public nonces) is hashed into all the challenges ei. This is similar to https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-May/014308.html.
<nickler> The challenges are just ei = H(Pi, mi). Since the pubkeys Pi are just multiplied by ei and then summed in the verification equation an attacker can try to choose its pubkeys and challenges to cancel out the victim's.
<nickler> The victim's pubkey is P1, the corresponding challenge e1. The attacker wants to cancel P1, so needs to find (ei, Pi) for i >= 2, s.t. -e1*P1 = e2*P2 + ... + en*Pn.
<nickler> If the attacker for example chooses pubkeys Pi = i*P1 then solution -e1 = e2*2 + ... + en*n can be found with Wagner's algorithm in O(2^33) (for 256 bit groups if I'm not mistaken).
p0nziph0ne has joined #bitcoin-wizards
ghost43_ has joined #bitcoin-wizards
NuncaVaisAcabar is now known as thrmo
ghost43 has quit [Ping timeout: 255 seconds]
devrandom has joined #bitcoin-wizards
<waxwing> they use 'P' for 'G' which takes some getting used to :)
datavetaren has quit [Quit: datavetaren]
TheoStorm has quit [Quit: Leaving]
laurentmt has joined #bitcoin-wizards
intcat has quit [Remote host closed the connection]
intcat has joined #bitcoin-wizards
p0nziph0ne has quit [Quit: Leaving]
laurentmt has quit [Quit: laurentmt]
rusty has quit [Ping timeout: 268 seconds]
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
d9b4bef9 has quit [Remote host closed the connection]
dougsland has quit [Ping timeout: 240 seconds]
rusty has joined #bitcoin-wizards
liead is now known as adlai
BashCo_ has joined #bitcoin-wizards
BashCo has quit [Ping timeout: 240 seconds]
BashCo_ has quit [Ping timeout: 248 seconds]
BashCo has joined #bitcoin-wizards
belcher has joined #bitcoin-wizards
rusty has quit [Quit: Leaving.]
<waxwing> afaict the gamma signature in the paper has soundness and zero-knowledgeness, but as for the aggregated part yeah they're not aggregating the nonce points (A), so .. doesn't seem interesting.
<waxwing> it's kind of amusing that oleg andreev was setting as a quiz the other day the question "why isn't schnorr s = ke + x rather than s = k + ex"
<waxwing> here it's like slightly similar, it's s = ke_1 + e_2x, with e_2 being H(P||m) and e_1 being H(R)
TheoStorm has joined #bitcoin-wizards
BashCo has quit [Ping timeout: 240 seconds]
marcoagn1 has quit [Ping timeout: 255 seconds]
ekrion has quit [Remote host closed the connection]
deusexbeer has joined #bitcoin-wizards
ghost43_ is now known as ghost43
arubi has quit [Remote host closed the connection]
arubi has joined #bitcoin-wizards
thrmo_ has joined #bitcoin-wizards
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
thrmo has quit [Ping timeout: 276 seconds]
vicenteH has quit [Ping timeout: 240 seconds]
itsme_ has joined #bitcoin-wizards
son0p has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards