sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
Chris_Stewart_5 has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
Belkaar has quit [Ping timeout: 240 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Chris_Stewart_5 has quit [Ping timeout: 260 seconds]
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
AaronvanW has quit [Ping timeout: 265 seconds]
rusty has quit [Ping timeout: 276 seconds]
luke-jr has quit [Ping timeout: 265 seconds]
luke-jr has joined #bitcoin-wizards
BashCo has quit [Ping timeout: 265 seconds]
cryptojanitor has joined #bitcoin-wizards
Krellan has quit [Read error: Connection reset by peer]
Krellan has joined #bitcoin-wizards
jtimon has quit [Ping timeout: 248 seconds]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
tylevine has joined #bitcoin-wizards
moa has joined #bitcoin-wizards
moa has quit [Changing host]
moa has joined #bitcoin-wizards
cryptojanitor has quit [Quit: Connection closed for inactivity]
luke-jr has quit [Read error: Connection reset by peer]
Krellan has quit [Read error: Connection reset by peer]
luke-jr has joined #bitcoin-wizards
Krellan has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 265 seconds]
moa has quit [Ping timeout: 260 seconds]
moa has joined #bitcoin-wizards
moa has quit [Ping timeout: 260 seconds]
rusty has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
_whitelogger has joined #bitcoin-wizards
p0nziph0ne has joined #bitcoin-wizards
rusty has quit [Ping timeout: 260 seconds]
adrao has quit [Ping timeout: 265 seconds]
adrao has joined #bitcoin-wizards
mikez__ has joined #bitcoin-wizards
BashCo has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
d9b4bef9 has quit [Remote host closed the connection]
Krellan has quit [Ping timeout: 260 seconds]
Krellan has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 268 seconds]
<maaku> andytoshi: what would have been the correct choice for BIP66?
p0nziph0ne has quit [Ping timeout: 268 seconds]
<maaku> for choice of symmetry breaking I mean
TheoStorm has joined #bitcoin-wizards
BashCo has quit [Read error: Connection reset by peer]
BashCo has joined #bitcoin-wizards
BashCo_ has joined #bitcoin-wizards
coinsmurf2 has joined #bitcoin-wizards
BashCo__ has joined #bitcoin-wizards
BashCo has quit [Ping timeout: 265 seconds]
BashCo_ has quit [Ping timeout: 240 seconds]
coinsmurf has quit [Ping timeout: 260 seconds]
BashCo has joined #bitcoin-wizards
BashCo__ has quit [Ping timeout: 248 seconds]
BashCo_ has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 276 seconds]
BashCo has quit [Ping timeout: 256 seconds]
BashCo_ has quit [Read error: Connection reset by peer]
BashCo has joined #bitcoin-wizards
Krellan has joined #bitcoin-wizards
BashCo has quit [Ping timeout: 268 seconds]
BashCo has joined #bitcoin-wizards
BashCo_ has joined #bitcoin-wizards
BashCo has quit [Ping timeout: 240 seconds]
<intcat> luke-jr: I was recently linked to a twitter thread where you said miners have been recommended to implement SHA2 variants in their hardware since 2012. Is there a guide to generating such variants? Or do you expect all hardware manufacturers to have a cryptographer on payroll to do "roll your own" crypto?
_whitelogger has joined #bitcoin-wizards
jtimon has joined #bitcoin-wizards
luke-jr has quit [Excess Flood]
luke-jr has joined #bitcoin-wizards
p0nziph0ne has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 265 seconds]
Krellan has joined #bitcoin-wizards
7JTAEHPAH has joined #bitcoin-wizards
7JTAEHPAH has quit [Remote host closed the connection]
SopaXorzTaker has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 260 seconds]
luke-jr has quit [Ping timeout: 240 seconds]
TheoStorm has joined #bitcoin-wizards
d9b4bef9 has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 265 seconds]
Krellan has joined #bitcoin-wizards
son0p has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
SopaXorzTaker has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 265 seconds]
<andytoshi> maaku: requiring the R value's y coordinate to be a quadratic residue
Krellan has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
luke-jr has joined #bitcoin-wizards
laurentmt has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
laurentmt has quit [Quit: laurentmt]
TheoStorm has quit [Ping timeout: 276 seconds]
Krellan has quit [Ping timeout: 260 seconds]
Krellan has joined #bitcoin-wizards
Krellan has quit [Ping timeout: 255 seconds]
Krellan has joined #bitcoin-wizards
son0p has quit [Remote host closed the connection]
SopaXorzTaker has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
TheoStorm has quit [Ping timeout: 245 seconds]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 245 seconds]
Chris_Stewart_5 has quit [Ping timeout: 276 seconds]
TheoStorm has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 268 seconds]
TheoStorm has joined #bitcoin-wizards
coinsmurf has joined #bitcoin-wizards
coinsmurf2 has quit [Ping timeout: 248 seconds]
TheoStorm has quit [Ping timeout: 268 seconds]
<maaku> andytoshi: but BIP66 doesn't enforce low S...
<bsm117532> andytoshi: what's the consequence? If your y coordinate isn't a quadratic residue, try a new nonce until it is?
<maaku> bsm117532: you can malleate to the one which is
TheoStorm has joined #bitcoin-wizards
<bsm117532> Is this identical to the "low-s" criterion or not?
<bsm117532> no...
<bsm117532> I see
<bsm117532> because the prime is odd, one of the two will be a quadratic residue, but it might not be the low-s one.
<maaku> andytoshi: low-S is policy-only. it can be deprecated and changed.
<sipa> maaku: and implemented in every wallet
<maaku> not saying it'd be easy, but it can be done without breaking consensus
<sipa> the advantage of quadratic residue instead of low-s as a symmetry breaker is tiny
<bsm117532> Mathematically that's way more elegant than low-s...
<sipa> bsm117532: it can also be tested directly in jacobian coordinates, without needing a conversion to affine
<maaku> sipa: andytoshi is claiming above that we can't batch validate with low-s (which is news to me)
<bsm117532> But aside from mathematical elegance, is there any reason for using a quadratic r....thanks sipa
<sipa> heh
<sipa> sure we can
<maaku> that seems a little bit more than 'tiny'
<maaku> ok. that's what i thought
<sipa> maaku: the cost of computing if something is a quadratic residue is about half of the cost of a conversion to affine coordinates, though
<sipa> maaku: oh, no he is right
<sipa> low-s breaks the symmetry by putting a restriction on s
<bsm117532> Trust the guy with the physics degree on symmetry breaking ;-)
<sipa> so the verifier doesn't learn anything about R
<sipa> batch verification requires the verifier to know R's full coordinates
<sipa> so i guess there are 4 possible symmetry breakers: low-s, low-R.y, even-R.y, quadratic-residue-R.y
<sipa> all of the latter 3 would permit batch validation
<sipa> but the last one is the most efficient (the difference is maybe 1-2% at best)
Krellan has quit [Ping timeout: 265 seconds]
<bsm117532> neat.
<arubi> I'm curious, suppose the r value is smaller than (p - n - 1), and then we have eg r == 2 in the signature, then the "real" r value is either "2" or "2 + n", but both of those values' y values are quadratic residues. how does the verifier know which to choose without checking both?
<sipa> arubi: it doesn't; you need to give the full r coordinate
<sipa> ... or outlaw the case where r.x >= n
<arubi> I see, so for a script such that "<low r signature> SWAP CHECKSIG" malleability is still possible (two pubkeys can validate given the above rules), unless we do outlaw r.x >= n
<sipa> yup
<arubi> sweet, cheers
Krellan has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
mnkk has joined #bitcoin-wizards
rusty has quit [Ping timeout: 240 seconds]
d9b4bef9 has quit [Remote host closed the connection]
JackH has joined #bitcoin-wizards
d9b4bef9 has joined #bitcoin-wizards
nephyrin` has quit [Ping timeout: 240 seconds]
nephyrin has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
Guyver2_ has joined #bitcoin-wizards
Noldorin has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
Guyver2 has quit [Ping timeout: 260 seconds]
Guyver2_ is now known as Guyver2
Chris_Stewart_5 has joined #bitcoin-wizards
alferz has joined #bitcoin-wizards
alferz has quit [Ping timeout: 244 seconds]
p0nziph0ne has quit [Quit: Leaving]
mnkk has quit [Ping timeout: 240 seconds]
mnkk has joined #bitcoin-wizards
smk has joined #bitcoin-wizards
alferz has joined #bitcoin-wizards
nuncanada has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
TheoStorm has quit [Quit: Leaving]
nuncanada has quit [Quit: Leaving]
AaronvanW has quit [Ping timeout: 240 seconds]
SopaXorzTaker has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
alferz has quit [Ping timeout: 244 seconds]
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 260 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 265 seconds]
LeMiner has joined #bitcoin-wizards
Aaronvan_ has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 256 seconds]
Noldorin has quit [Ping timeout: 245 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
<andytoshi> bsm117532: if your y coord isn't a quadratic residue you negate your nonce. same as with low-s
<andytoshi> also, i didn't realize that low-S was policy only
<andytoshi> but yeah, it'd probably be less work to just introduce a schnorr sig opcode than it would be to improve this at this point
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
<maaku> has anyone worked on a replacement for the payment protocol / bip 70+?
<maaku> I'm asking here in a less practical, more of a theoretical best-ideal-payment-protocol sense
<maaku> I know lots of people that have complained about warts of bip70. but has anyone made a strawman alternative?
<maaku> or even just articulated one
<sipa> i think the best (practical) replacement will be LN payment requests...
Krellan has quit [Read error: Connection reset by peer]
Krellan has joined #bitcoin-wizards
<swagwise> I'm reading eltoo at this moment, you should check it out too! https://blockstream.com/eltoo.pdf
smk has quit [Ping timeout: 260 seconds]
<waxwing> swagwise, i thought it was a great paper too, i guess most people here have read it by now :)
<swagwise> @waxwing hehe, I hope so! :D
TheoStorm has joined #bitcoin-wizards
<gmaxwell> So, no one is interested in commenting on my hack for making outsourcable hardening work in an adversarial setting?
smk has joined #bitcoin-wizards
<Varunram> gmaxwell: which hack? you post so many ideas that maybe people missed out on it :)
AaronvanW has joined #bitcoin-wizards
<gmaxwell> I wrote about it in here a week or two ago, should have been the last thing I said.
Guyver2 has quit [Remote host closed the connection]
<adlai> Varunram: are you made of antimatter?
<Varunram> hehe, I didn't see your message, but yes, that's it :)
<adlai> nice to meet you. please do not take offense at my refusal to shake your hand.
* adlai flicks over some dead skin cells to test whether we both call the louder end of the cobalt nuclei "south"
<Varunram> gmaxwell: (maybe a noob question, but here goes) why do we hash into 6 values? can we make do with 3 or something?
<bsm117532> maaku: Yes, I'm interested in a BIP70 replacement, interested to find partners to agree on a replacement.
<bsm117532> Right now I'm thinking to just add pubkeys to a BIP21 URI and a signature.
<bsm117532> Exchanging pubkeys is left as an exercise to the reader.
<bsm117532> But one can make a simple protocol for key lifetime management by exchanging a (spent) txid instead, which reveals a pubkey. Then follow the first output in the successive chain of spends to reveal replacement keys
<sipa> bsm117532: the biggest flaw with BIP70 is that the sender is permitted to broadcast the signed message, meaning that it is possible for the transaction to confirm without the receiver being informed a payment is coming
<gmaxwell> not just permitted but in practice everyone does, esp since the BIP doesn't answer the relevant questions for if you don't.
<bsm117532> But if the receiver generated the address and signed it, he knows the payment is coming, no?
<gmaxwell> e.g. when do you time out the utxo and become able to respend them?
<sipa> bsm117532: no
<sipa> bsm117532: the point for BIP70 was to have an actual communication channel with the receiver, so that for example refund address or memo can be transmitted
<bsm117532> That can be included in a BIP21 URI
<sipa> BIP70 in practice makes it possible for the transaction to confirm without the communication channel
<bsm117532> Oh I see
<sipa> ...the URI goes from receiver to sender, not the other way around
<bsm117532> yeah
<gmaxwell> Varunram: well do the math on the success rate an attacker would have replacing the computation with a different one.
<gmaxwell> Varunram: 6 was just an example.
<sipa> the obvious solution is to include an encryption key in the payment request, and have the sender encrypt the whole response (tx + metadata) with that encryption key
<sipa> and not allow broadcasting it himself
<bsm117532> But doesn't he need proof of receipt? And doesn't this lead to infinite recursion?
<Varunram> gmaxwell: yeah, so with 3 values and 2 more static values, it's at 2.5x?
<sipa> bsm117532: wut?
<sipa> ah, i see
<bsm117532> sipa: how does the sender know the receiver received it?
<Varunram> 2.67
<sipa> bsm117532: he can ask for a receipt
<sipa> if the communication fails in the response, he can just submit again
<gmaxwell> 128 parts with 15 known responses, gets ~64 bit security against tampering... and about 12% loss of hardening performance.
<bsm117532> This is a usual 2 party fair exchange protocol, which has been proven to not exist...hence timeouts in atomic cross chain swaps, no?
<sipa> bsm117532: submitting a transaction is idempotent
<gmaxwell> (or I'm forgetting the math for this again, always possible, yea seems I am. oh right, you need duplicates plus known responses)
<bsm117532> sipa: I was thinking of a much simpler problem...preventing address malleability in communication
<sipa> bsm117532: what is the issue there?
<sipa> payment requests are signed
<bsm117532> BIP21 requests are not
<bsm117532> BIP70 pulls in a lot of overhead, and trusts CA's.
<sipa> ah, yes
<bsm117532> I don't trust CA's.
<sipa> see here my first proposal: https://gist.github.com/sipa/1237788
<gmaxwell> you have to have some secure way to communicate, if you don't all bets are off.
<bsm117532> Also I'm not a fan of protocol buffers, or having to keep a connection open to everyone.
<bsm117532> sipa: I'm thinking of an inter-provider usage, where refunds are (hopefully) unnecessary.
<bsm117532> If the payment doesn't go through, it's at one provider or the other.
<sipa> heh, that doesn't seem like a very good match for a payment protocol
<sipa> anyway, good luck :)
<bsm117532> Heh it's an address non-malleability protocol :-P
<sipa> use an authenticated connection
<bsm117532> If you're paying for stickers, use Lightning :-P
<sipa> especially between providers that should be trivial
<bsm117532> Yes, that's one solution. But consider the case of someone transferring BTC from their Trezor to an exchange, and having a clipboard virus or browser virus.
<sipa> you still need a way to initially share a key between the two parties
<sipa> in a trusted way
<bsm117532> Yes. Exercise for the reader...
<sipa> lol
<bsm117532> Sharing once in a trusted manner is a lot easier and more reliable than a persistent trusted connection
<sipa> sure, but that doesn't need a replacement for BIP70
<bsm117532> Anyway, all the above issues need some serious thought, and I wish for some industry momentum to fix them.
<sipa> just a secure way of sending URLs
<bsm117532> Secure way of sending URLs won't save you from clipboard-jacking or client-side browser hacks.
* sipa is still salty about payment protocols which was designed to get rid of the "an on chain transaction is a payment" model, and then got turned into something stupid
<sipa> and i expect in practice LN will be what fixes that
<bsm117532> LN won't be usable for everything. Not for exchanges, not for custody.
<bsm117532> We still need a BIP70 replacement...
<Varunram> bsm117532: if I have a client side browser hack, I could do way more things..
<sipa> bsm117532: those things are likely to just be "value transfers" that don't really need all the consumer convenience of a payment
<bsm117532> Varunram: yes, in the case of high-value transfer, you also need a 2-man rule (and multiple devices)
<bsm117532> sipa: but they're higher value and higher risk too
<sipa> i think you read "BIP70 replacement" as "a replacement for the PKI part of BIP70"
<bsm117532> Yes, that's one part of BIP70 :-P
<sipa> i don't think that the PKI part was ever the issue it was designed to solve
<bsm117532> It introduced an unnecessary vulnerability that way though
<sipa> yes, agree
<sipa> my preference was just not having a PKI integrated in the payment protocol itself
<sipa> and instead rely on the fact that a user is already visiting a website he wants to perform a payment on, i.e. there already exists a trusted channel
<Varunram> sipa: but you rely on CAs to be honest as bsm117532 was telling earlier?
<sipa> Varunram: if you use BIP70, sure
<bsm117532> It's better to integrate the signatures into the payment request, then you're insensitive to channel-based PKI bullshit.
<bsm117532> Because PKI is broken...
<sipa> yes, it is
<sipa> and it's used regardless
<sipa> i'm not saying that this is a good situation
* bsm117532 grumbles
<sipa> i'm saying that it's a boring problem, that doesn't have much to do with BIP70 being broken
<bsm117532> It's not boring because it's still unsolved. Playing shell games with unsolved problems doesn't cause them to be magically solved.
<bsm117532> But yeah, you have a different desire there
<sipa> i'd rather call it an unsolvable problem :)
<sipa> PKIs suck, we don't know how to fix this
<bsm117532> Actually, I know of an excellent public key broadcast and rotation system...
<sipa> but requiring everyone to manually share keys instead isn't a solution
<bsm117532> It's just not scalable enough...
<sipa> like?
<bsm117532> pubkeys on bitcoin
sipa has left #bitcoin-wizards [#bitcoin-wizards]
<bsm117532> hahaa
<bsm117532> Seriously, can we get some industry folks together to solve these damn problems?
LeMiner has quit [Read error: Connection reset by peer]
smk has quit [Ping timeout: 260 seconds]
intcat has quit [Ping timeout: 250 seconds]
str4d has joined #bitcoin-wizards
intcat has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
vicenteH has quit [Ping timeout: 240 seconds]
Krellan has quit [Read error: Connection reset by peer]
Krellan has joined #bitcoin-wizards
coinsmurf has quit []
meshcollider has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
erltho_ has joined #bitcoin-wizards
swagwise has quit [Ping timeout: 245 seconds]
samm__ has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
samm_ has quit [Ping timeout: 240 seconds]