sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<sanket1729>
Is there a security proof for the taproot/pay2contract construction? I can see that it relies on the fact that we cannot find points C1, C2 and scripts S1, S2 such that `C1 + H(C1 || S1)*G` == `C2 + H(C2 || S2)*G`.
<sipa>
sanket1729: there are probably more security properties that are desirable
<sipa>
i think andytoshi had a security proof somewhere
<andytoshi>
sanket1729: but yeah, the property you describe is implied by the random oracle property for H
<andytoshi>
and appears *not* to be implied by any standard assumption
<andytoshi>
e.g. collision resistance is not sufficient, even though this property is really similar to collision resistance
<sipa>
andytoshi: you show properties for signatures, which i guess is the stronger property
<sipa>
but is there an easy way to show that f(P,s) = P + H(P||s)*G is a collision resistant function if H is modeled as a random oracle?
<andytoshi>
H being a random oracle and H being a random oracle are equivalent
<andytoshi>
which you can argue statistically
<andytoshi>
basically you start with a game where f is a RO, observe that f is then collision resistant, then you switch to a game where H is a RO, and argue indistinguishability
<sipa>
oh, of course
<sipa>
you mean H being RO and f being RO are equivalent
<sanket1729>
I worked out something with a new cryptographer at UIUC. It turns out that we can prove it with a weaker assumption of RO, specifically observable RO, meaning the queries to the oracle are observable and the responses to those queries can be programmed.
<sipa>
exactly which property do you prove?
<sanket1729>
f(P,s) is collision resistant
<sanket1729>
I will write something up and try to share it by tomorrow.
<sipa>
how does observable RO work and how does it differ from normal RO?
<sipa>
(or do you have a link to something i can read)
<sanket1729>
For doing a proof we get access to all Ci,Si queries to the RO which were made by the adversary
<sanket1729>
For doing a proof, we can make use of the fact that we know the inputs given to the oracle. So, at a high level, we also make use of the fact that the input to H(C ...) is allowed to be observed outside the hash
<sanket1729>
According to Dakshita Khurana (the new faculty who helped with this proof): "For most of the applied community, the RO model is the same as the observable, programmable RO model"
<sanket1729>
So, maybe I am being pedantic about some minor difference.
<andytoshi>
i don't think it's minor
<andytoshi>
if i understand right, observable RO is what most people intuitively take RO to mean (i.e. you provide a random tape which is fixed in advance, and the challenger can see it in advance)
<andytoshi>
whereas the actual RO model lets the challenger program it in ways that aren't clearly sensible
<andytoshi>
or rather, which make the paper seem to deviate from reality
<sipa>
oh it means the simulation can't program the RO output based on the input to the hash function calls?
<waxwing>
the proofs i read all seem to involve programming the RO, not having it only known in advance, i wasn't smart enough to have an intuition of what it ought to be before that :)