sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
tromp has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 248 seconds]
meshcollider has quit [Quit: Connection closed for inactivity]
dougsland has quit [Ping timeout: 260 seconds]
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Client Quit]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 240 seconds]
nuncanada has quit [Quit: Leaving]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 240 seconds]
Noldorin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
son0p_ has quit [Remote host closed the connection]
mol has joined #bitcoin-wizards
molz has quit [Ping timeout: 250 seconds]
mol has quit [Client Quit]
molz has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
Giszmo has quit [Ping timeout: 260 seconds]
molz has quit [Quit: ZNC 1.6.6 - http://znc.in]
molz has joined #bitcoin-wizards
Xantanium2 has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
Xantanium3 has quit [Ping timeout: 268 seconds]
molz has quit [Remote host closed the connection]
molz has joined #bitcoin-wizards
molz has quit [Client Quit]
molz has joined #bitcoin-wizards
molz has quit [Quit: ZNC 1.6.6 - http://znc.in]
molz has joined #bitcoin-wizards
molz has quit [Client Quit]
legogris has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
legogris has joined #bitcoin-wizards
arubi has quit [Remote host closed the connection]
tromp has quit [Ping timeout: 260 seconds]
arubi has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 248 seconds]
molz has joined #bitcoin-wizards
DougieBot5000_ has joined #bitcoin-wizards
DougieBot5000 has quit [Ping timeout: 255 seconds]
DougieBot5000_ is now known as DougieBot5000
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 265 seconds]
sometest has joined #bitcoin-wizards
sometest has quit [Client Quit]
sometest has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 260 seconds]
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
samm_ has quit [Remote host closed the connection]
samm_ has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
cryptojanitor has joined #bitcoin-wizards
thrmo has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
SopaXorzTaker has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
rusty has left #bitcoin-wizards [#bitcoin-wizards]
SopaXorzTaker has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
<waxwing> if Alice and Bob want to do 2 of 2 schnorr, but Alice wants to propose it to Bob without interaction, taking a known pubkey of Bob's P, can she construct a 2 of 2 with only a "forward" (perhaps "half-round") interaction: send to Bob: P, P_2 = P + aG, R = P + bG, where a, b are sent along privately or made from some ECDH, then she can calculate the joint key (musig or whatever formula) in advance?
<waxwing> ah perhaps the issue there is, you have to commit to the R values before your P values? i should have clarified above, "send P_2, R" means those would be *Bob's* intended P and R, of course Alice would have to send her own too.
tromp has joined #bitcoin-wizards
<aj> waxwing: musig lets you calculate the combined pubkey non-interactively (so you can pay to the multisig address); to do the signature, you need to know both of the public nonces, because you hash their sum when computing the signature (to pay from the multisig address). if Bob provides Alice with an R value in advance there's some risk (if Alice can trick Bob into signing two different messages with the same R value, he reveals his key)
<waxwing> aj: yes, i'm specifically proposing that Alice send (via encrypted channel) a scalar 'b' to Bob, which he adds to his pubkey P, and uses R = P + bG
tromp has quit [Ping timeout: 255 seconds]
goofie has quit [Quit: WeeChat 2.0.1]
goofie has joined #bitcoin-wizards
<aj> waxwing: s = r+Hp = p+b+Hp = b+(1+H)p; p = (s-b)/(1+H) -- reveals Bob's pubkey if he signs with that nonce
<waxwing> aj, can you clarify what the terms are there? i'm not proposing using key P as Bob's key, and i'm not proposing not using a joint key a la musig
<waxwing> i think you're using "p" as private key of P right
<aj> waxwing: you said P is his pubkey, so I'm calling his private key p; P=pG
<aj> waxwing: H is the signature message hash, SHA256(R||P||m) or similar
<waxwing> right i see what you're saying, that's not what i'm proposing. let me write it out in a bit more clear detail:
<waxwing> we want 2 of 2. Alice knows one pubkey of Bob, P. Alice sends (P_A, R_A) (her own, as normal), but sends a,b two random scalars: Bob constructs his keys as P_B = P + aG, R_B = P + bG, then he can construct the joint key (with the hashes) in musig as normal.
<waxwing> and iiuc Alice can as well, in advance. i think.
<aj> alice knows P in advance, right?
<waxwing> yes
<aj> it seems a bit weird to be generating a pubkey and the nonces for signing against that pubkey at the same time, fwiw
<waxwing> yeah, weird for sure. wondering how close you can get to a one-way interaction.
<aj> but the end signature looks like s = (r_a+r_b) + H*(p_a + p_B) # lower case for curve preimages, H=SHA256( (R_A+R_B) || (P_A+P_B) || m ) or similar
<waxwing> oh i see; you mean it exposes "p" there?
<waxwing> oh, no, you don't publish "r" of course
<waxwing> i do prefer "k" btw :)
<aj> s - r_a - Hp_a = r_b + Hp_b = p+b + H(p+b) = p+Hp + b(1+H)
<aj> i like lower case = scalar/secret, upper case = corresponding curve point
<waxwing> oh 100%, that is not in question (re: lower case)
<aj> Alice knows s (from the published signature), r_a (her secret), H (public), p_a (her private key), b (her scalar), so can calculate p (B's original private key)
vicenteH has joined #bitcoin-wizards
<aj> sorry, there should have been H(p+a) there, not p+b, point should still stand though
<aj> iirc tadge's discreet logs uses single-use double-length public keys by having them be (P,R) pairs, so if you let Bob give Alice a (P,R) pair initially, then you could go to town. but Bob would need to make that unique for Alice, Alice couldn't look up Bob's pubkey in the phone book or so
<waxwing> you wrote s - r_a - Hp_a = r_b + Hp_b = p+b + H(p+b), shouldn't that be `p+b + H(p_b)(p+a)`
<waxwing> or ... not 100% clear to me your notation, but Bob's side of sig is s = k + e x where x is his private key (p+a), k is p+b (as you wrote) and e is the hash of the keys a la musig
<aj> yeah, r_b + H*p_b = p+b + H*(p+a) (H is a scalar result of the hash)
<waxwing> ok "H*(p+a)" yeah that's clear
<waxwing> yes, one time use etc. hmm.
tromp has joined #bitcoin-wizards
<waxwing> yes, the simplest way to understand it is the security of `s = k + ex` is dependent on having two unknowns k, x; if both are (publicly known) tweaks of only one unknown (here, 'p'), the security is lost.
<waxwing> thanks aj
<aj> yeah
<aj> if you come up with a clever solution though, let me know :)
<waxwing> heh. no! i'll go straight to nchain and patent it :)
nuncanada has joined #bitcoin-wizards
<aj> that makes no sense -- what you've got is already good enough to go to nchain and patent!
<waxwing> lol
<waxwing> i mean, the obvious next thing to think is: if only one unknown is not enough, how about 2? what if you have two keys of Bob's available?
<waxwing> hmm not interesting, is it. that just means you know P and R.
<aj> if you could make it multi-use, it might be interesting?
<waxwing> i guess. but just to be clear (because it for sure isn't yet, to me): if you took a P and an R from the blockchain, and let's say you tweaked them both to avoid reuse, would that be secure?
<aj> you've got a schnorr signature (R,s) from the blockchain, with s = r+xp (x=SHA256(blah), R,s,P all known) ; and you'll get another signature with s = a+(b+c*r) + H*(d+e*p + q) ; you know a,b,c,d,e,q,H,s
<aj> so collecting knowns on the left gives s-a-b - H*(d+q) = c*r + H*e*p
<aj> but r = s-xp, so RHS = c*(s-xp) + H*e*p = c*s - (c*x+H*e)*p and c*s is known, as is c,x,H,e so you can solve for p :(
arubi has quit [Remote host closed the connection]
arubi has joined #bitcoin-wizards
<aj> and i think EC only lets you tweak by multiplying and adding right, so that covers everything possible, if your source is the blockchain :(
<waxwing> i didn't follow exactly, but i'm betting what you're arguing is: if you use the same (R, P) as from one transaction signature, with only linear tweaks, you can still extract p.
<aj> yeah. sorry, it's saturday night here, so i'm multitasking this convo and getting sloshed :)
<waxwing> presumably because you have two signatures using the same secrets r and p, effectively (linear tweaks are known)
<waxwing> oh. you just made me realise it's Sunday lol
<aj> oh dear, so it is :(
<waxwing> no wait, it's saturday!
<aj> half-past midnight here
<waxwing> just use 2 different keys (ie not exactly R, P from one transaction sig)
SopaXorzTaker has quit [Remote host closed the connection]
<aj> how do you deanonymise Bob's transactions to find a different tx with a different P to pick an R from?
<waxwing> you could make the Nakamoto/Meiklejohn assumption "all inputs from one counterparty"; understand i'm thinking of rather wacky ideas like what i called 'snicker' where you propose transactions and send them to a bulletin board encrypted, without contacting the counterparty
<waxwing> it's just me trying to figure out how far you can go in making proposals for things like coinswap or coinjoin, without doing rounds of interactivity and so on.
<waxwing> but what you helped me realise there is that there are probably no shortcuts to "each side has their P, R" and obviously normally that means each side generating their R in interaction.
cryptojanitor has quit [Quit: Connection closed for inactivity]
<aj> the case i'm thinking of is splitting your private key into a 2-of-2 multisig, so you can have one device compromised without losing your funds... be nice if you could still do signatures without both devices having to talk to each other while signing, which imo increases the risk of a compromise spreading
CodeShark has quit [Ping timeout: 256 seconds]
mariorz has quit [Ping timeout: 256 seconds]
<aj> but only thing i can think of is having each device pass a bunch of nonces to the other one first as part of the setup, and then ensuring each is only used at most once
mariorz has joined #bitcoin-wizards
<waxwing> yes outside of RFC6979 land life gets rather dangerous
CodeShark_ has joined #bitcoin-wizards
djhoulihan has quit [Quit: A deep and dreamless slumber.]
djhoulihan has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
yokwe has quit [Remote host closed the connection]
wallet42 has quit [Remote host closed the connection]
worstadmin has quit [Remote host closed the connection]
sarang has quit [Remote host closed the connection]
Herka has quit [Remote host closed the connection]
yokwe has joined #bitcoin-wizards
worstadmin has joined #bitcoin-wizards
Herka has joined #bitcoin-wizards
sarang has joined #bitcoin-wizards
wallet42 has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
deusexbeer has quit [Quit: Konversation terminated!]
AaronvanW has quit [Remote host closed the connection]
tromp has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
Giszmo has quit [Ping timeout: 240 seconds]
tromp has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
bsm1175321 has joined #bitcoin-wizards
Noldorin has joined #bitcoin-wizards
Giszmo has quit [Ping timeout: 264 seconds]
bsm1175321 has quit [Ping timeout: 240 seconds]
tromp has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
deusexbeer has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
nuncanada has quit [Quit: Leaving]
nuncanada has joined #bitcoin-wizards
nuncanada has quit [Read error: Connection reset by peer]
nuncanada has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
nuncanada has quit [Read error: Connection reset by peer]
nuncanada has joined #bitcoin-wizards
cryptojanitor has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
belcher has quit [Ping timeout: 255 seconds]
belcher has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
Aaronvan_ has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
son0p_ has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
LeMiner has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
thrmo_ has joined #bitcoin-wizards
thrmo has quit [Ping timeout: 260 seconds]
son0p_ has quit [Remote host closed the connection]
Giszmo has quit [Ping timeout: 240 seconds]
Giszmo has joined #bitcoin-wizards
keymone has quit [Ping timeout: 240 seconds]
keymone has joined #bitcoin-wizards
Giszmo has quit [Ping timeout: 256 seconds]
nephyrin` has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
nephyrin has quit [Ping timeout: 265 seconds]
tromp has quit [Ping timeout: 260 seconds]
Giszmo has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
LeMiner has quit [Read error: Connection reset by peer]
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
cryptojanitor has quit [Quit: Connection closed for inactivity]