#bitcoin-wizards on 2018-09-30 — irc logs at freenode.irclog.whitequark.org

2015-10-30 00:53 sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja

00:32 weez17 has quit [Quit: Lost terminal]

00:36 MarcoFalke has joined #bitcoin-wizards

00:51 _tin has joined #bitcoin-wizards

00:52 bildramer has quit [Quit: Of course we scientists have our little secrets. For instance, the moon is in Spain. Another: stars aren't real. Also, cells are huge. One cell is roughly the size of a marble.]

00:55 jcorgan_ has quit [Ping timeout: 268 seconds]

00:56 _tin has quit [Ping timeout: 252 seconds]

01:00 nejon has quit [Quit: Connection closed for inactivity]

01:01 Chris_Stewart_5 has joined #bitcoin-wizards

01:12 nejon has joined #bitcoin-wizards

01:14 bildramer has joined #bitcoin-wizards

01:18 mn3monic has quit [Excess Flood]

01:18 mn3monic has joined #bitcoin-wizards

01:18 mn3monic has quit [Changing host]

01:18 mn3monic has joined #bitcoin-wizards

01:22 mn3monic has quit [Excess Flood]

01:22 mn3monic has joined #bitcoin-wizards

01:23 AaronvanW has joined #bitcoin-wizards

01:44 AaronvanW has quit []

01:49 Krellan has quit [Read error: Connection reset by peer]

01:51 Krellan has joined #bitcoin-wizards

01:58 thrmo has quit [Quit: Waiting for .007]

02:02 jb551 has quit [Quit: WeeChat 2.1]

02:02 jb55 has joined #bitcoin-wizards

02:10 Belkaar has quit [Ping timeout: 252 seconds]

02:11 Belkaar has joined #bitcoin-wizards

02:11 Belkaar has quit [Changing host]

02:11 Belkaar has joined #bitcoin-wizards

02:39 rh0nj has joined #bitcoin-wizards

02:39 AaronvanW has joined #bitcoin-wizards

02:42 thomasan_ has joined #bitcoin-wizards

02:58 CheckDavid has quit [Quit: Connection closed for inactivity]

03:01 tromp_ has quit [Remote host closed the connection]

03:02 tromp has joined #bitcoin-wizards

03:24 thomasan_ has quit [Remote host closed the connection]

03:25 _tin has joined #bitcoin-wizards

03:30 Chris_Stewart_5 has quit [Ping timeout: 252 seconds]

03:38 Cory has quit [Ping timeout: 272 seconds]

03:42 Pasha has joined #bitcoin-wizards

03:47 Pasha is now known as Cory

05:38 SopaXorzTaker has joined #bitcoin-wizards

06:23 Krellan has quit [Read error: Connection reset by peer]

06:24 Krellan has joined #bitcoin-wizards

06:43 Guyver2 has joined #bitcoin-wizards

06:50 _tin has quit [Ping timeout: 272 seconds]

07:28 p0nziph0ne has joined #bitcoin-wizards

07:48 tromp has quit [Remote host closed the connection]

07:48 tromp has joined #bitcoin-wizards

08:21 tombusby has quit [Ping timeout: 256 seconds]

08:25 tombusby has joined #bitcoin-wizards

08:42 Krellan has quit [Read error: Connection reset by peer]

08:54 wildermind has joined #bitcoin-wizards

09:00 gribble has quit [Remote host closed the connection]

09:13 gribble has joined #bitcoin-wizards

09:32 <jl2012> Do we know which points are valid on the curve, but not a multiple of G?

09:33 <jl2012> I think there are (p - n) of such points?

09:35 <sipa> G is a generator for the curve; by definition every point is a multiple of it

09:36 <sipa> (this is true for secp256k1, but not for all curves - in particular EC groups with cofactors it isn't true)

09:40 <sipa> jl2012: there are p possible x and y coordinates, but only n (x,y) pairs are on the curve

09:48 <jl2012> sipa: thanks!

09:49 <sipa> jl2012: in some EC systems only s subgroup of the curve is used, i that case not every group element is a multiple of the generator

09:50 <sipa> however group theory says that a subgroup of a finite group must always be a divisor of its size

09:52 <jl2012> sipa: for things like g'root that requires another generator, it must also be a multiple of G?

09:54 <sipa> indeed

09:54 <sipa> but it must be an unknown multiple of G

09:59 <jl2012> We could take a hash of a trivial message, and see if it is a valid x value?

10:03 <sipa> yup, that's how you do it

10:03 <sipa> also include G in the message

10:04 <sipa> so that nobody can claim you secret are the author of G, and picked it in function of this newgenerator you're just proposing

10:04 <sipa> for CT in Elements we just used SHA256(G.x)

10:04 <sipa> iirc

10:04 <sipa> or something like that

10:33 <jl2012> Thanks

10:33 <nsh> called "nothing up my sleeves" constructions

10:33 <nsh> or numbers

10:37 <sipa> nums!

10:37 <sipa> (not confusing at all)

10:38 TheoStorm has quit [Quit: Leaving]

10:49 <nsh> :)

10:49 <nsh> nums numbs

10:49 TheoStorm has joined #bitcoin-wizards

10:57 <waxwing> sometimes called coerce-to-point; a kind of cryptographer's micro-aggression

11:02 Zenton has quit [Read error: Connection reset by peer]

11:02 Zenton has joined #bitcoin-wizards

11:09 thrmo has joined #bitcoin-wizards

11:28 SopaXorzTaker has quit [Quit: Leaving]

12:11 laurentmt has joined #bitcoin-wizards

12:37 laurentmt has quit [Quit: laurentmt]

13:19 Chris_Stewart_5 has joined #bitcoin-wizards

13:24 nuncanada has joined #bitcoin-wizards

13:35 SopaXorzTaker has joined #bitcoin-wizards

14:04 deusexbeer has quit [Quit: Konversation terminated!]

14:22 SopaXorzTaker has quit [Quit: Leaving]

14:34 jb55 has quit [Quit: WeeChat 2.1]

14:38 jb55 has joined #bitcoin-wizards

14:51 Krellan has joined #bitcoin-wizards

15:03 Chris_Stewart_5 has quit [Ping timeout: 268 seconds]

15:11 vcorm has quit [Ping timeout: 256 seconds]

15:20 Chris_Stewart_5 has joined #bitcoin-wizards

15:46 Chris_Stewart_5 has quit [Ping timeout: 268 seconds]

15:48 Chris_Stewart_5 has joined #bitcoin-wizards

15:59 nuncanada has quit [Quit: Leaving]

16:05 Krellan has quit [Ping timeout: 250 seconds]

16:07 Chris_Stewart_5 has quit [Ping timeout: 252 seconds]

16:36 bildramer has quit [Ping timeout: 264 seconds]

16:37 bildramer has joined #bitcoin-wizards

16:52 Giszmo has joined #bitcoin-wizards

16:53 Giszmo has quit [Client Quit]

17:04 Krellan has joined #bitcoin-wizards

17:10 Emcy has quit [Ping timeout: 244 seconds]

17:13 Guyver2 has quit [Remote host closed the connection]

17:15 Emcy has joined #bitcoin-wizards

17:31 shesek has quit [Ping timeout: 272 seconds]

17:33 Chris_Stewart_5 has joined #bitcoin-wizards

17:33 _tin has joined #bitcoin-wizards

17:40 vdo has quit [Ping timeout: 245 seconds]

17:52 Krellan has quit [Ping timeout: 240 seconds]

17:56 nickler has quit [Ping timeout: 252 seconds]

18:01 _tin has quit [Ping timeout: 252 seconds]

18:08 kenshi84 has quit [Ping timeout: 268 seconds]

18:09 kenshi84 has joined #bitcoin-wizards

18:17 kenshi84 has quit [Ping timeout: 252 seconds]

18:18 kenshi84 has joined #bitcoin-wizards

18:23 kenshi84 has quit [Ping timeout: 252 seconds]

18:24 kenshi84 has joined #bitcoin-wizards

18:37 schmidty has joined #bitcoin-wizards

18:37 schmidty is now known as Guest75321

18:39 Guest81722 has quit [Ping timeout: 268 seconds]

18:43 nickler has joined #bitcoin-wizards

18:56 ghost43 has quit [Remote host closed the connection]

18:56 ghost43 has joined #bitcoin-wizards

19:00 <jimpo> In the batch verification algorithm in BIP schnorr, why is a_1 omitted (or == 1)?

19:02 <sipa> jimpo: only the ratios between the different factors need to be unpredictable

19:03 <sipa> so one of them can be chosen as 1

19:03 morcos has quit [Remote host closed the connection]

19:03 morcos has joined #bitcoin-wizards

19:09 <jimpo> Right. So it can be 1, but it would not be unsafe if there was a random a_1 coefficient?

19:11 <jl2012> it seems possible to batch validate taproot (Q = kG + P) with Schnoor (R = sG - eP) ?

19:11 <jl2012> But what about y(Q)?

19:11 <jl2012> Just replace e = n-1; and signature(r,s) = (x(Q),k)

19:14 thrmo has quit [Remote host closed the connection]

19:15 thrmo has joined #bitcoin-wizards

19:16 <jimpo> y(Q) would be known because the pubkey Q would be pushed into the script in compressed form, I assume?

19:18 <jl2012> yes, but could it work with the batch validation in bip_schnorr, which requires jacobi(y(R)) = 1 ?

19:20 <jimpo> Yeah, I don't think that would be a problem. It's only required in the BIP so that a 32 byte x coordinate can be unambiguously mapped to a pubkey

19:20 <jimpo> And in the batch verification the group element R is reconstructed

19:21 <jimpo> so if you start with Q, I believe it's fine

19:23 p0nziph0ne has quit [Quit: Leaving]

19:25 <jl2012> thanks

19:25 <sipa> jimpo: yeah, there could be a random a_1

19:31 <sipa> jl2012: and indeed if you start from the x coordinate and decompress, the jacobi symbol of y will always be 1

19:32 <sipa> also jacobi symbols are an order of magnitude less work than an EC multiplication

19:40 Krellan has joined #bitcoin-wizards

19:44 <jl2012> we could also "convert" a Schnorr sig into an ECDSA sig? msg = -rs/e; sig = r||-r/e

19:47 <sipa> what does that mean?

19:49 <jl2012> take a schnorr_bip sig (r,s) for e and P. We can convert it to an ECDSA sig (r, -r/e) for msg = -rs/e and P

19:49 <jl2012> the schnorr sig is valid if and only if the transformed ECDSA is valid

19:50 <sipa> e is the message, or e = H(R||P||m) ?

19:50 <jl2012> e = H(R||P||m)

19:51 <sipa> that's technically not true, as the msg in ECDSA needs to be a hash

19:52 <jl2012> yes, but libsecp256k1 allows me to inject any msg I want

19:52 <sipa> that's true

19:52 <jl2012> my point is, I could cheat libsecp256k1 to validate a Schnorr sig for me

19:53 <sipa> but if you're talking about specific schemes, ECDSA won't check that the jacobi symbol is right, and you always have overflow issues in theory

19:53 <sipa> (the R'x coordinate is stored modulo n in an ECDSA sig)

19:54 <jl2012> I'm just trying to figure out their mathematical relationship

19:54 <jl2012> it seems ECDSA, Schnorr, taproot are all related

19:55 bildramer has quit [Ping timeout: 252 seconds]

19:55 bildramer has joined #bitcoin-wizards

19:56 <sipa> jl2012: well they're all just an EC multiplication and soke hashes :)

19:56 <sipa> *some

19:57 <jl2012> yes, adding 2 multiplications

20:09 deusexbeer has joined #bitcoin-wizards

20:09 jb55 has quit [Quit: WeeChat 2.2]

20:25 vdo has joined #bitcoin-wizards

20:25 vdo has quit [Changing host]

21:00 Dizzle has joined #bitcoin-wizards

21:11 bitcoin-wizards3 has joined #bitcoin-wizards

21:15 bitcoin-wizards3 has quit [Client Quit]

21:34 arubi has quit [Remote host closed the connection]

21:34 arubi has joined #bitcoin-wizards

21:37 luke-jr has quit [Read error: Connection reset by peer]

21:39 belcher has quit [Read error: Connection reset by peer]

21:40 belcher has joined #bitcoin-wizards

21:40 belcher has quit [Remote host closed the connection]

21:42 luke-jr has joined #bitcoin-wizards

21:50 wildermind has quit [Quit: Connection closed for inactivity]

21:51 belcher has joined #bitcoin-wizards

21:57 Krellan has quit [Read error: Connection reset by peer]

21:59 Krellan has joined #bitcoin-wizards

22:07 thrmo_ has joined #bitcoin-wizards

22:07 thrmo has quit [Ping timeout: 256 seconds]

22:12 Chris_Stewart_5 has quit [Ping timeout: 252 seconds]

22:21 thrmo_ is now known as thrmo

22:22 Murch has joined #bitcoin-wizards

22:46 Emcy has quit [Remote host closed the connection]

23:08 shesek has joined #bitcoin-wizards

23:08 shesek has quit [Changing host]

23:08 shesek has joined #bitcoin-wizards

23:08 thomasan_ has joined #bitcoin-wizards

23:10 Krellan has quit [Ping timeout: 260 seconds]

23:15 mn3monic has quit [Excess Flood]

23:16 mn3monic has joined #bitcoin-wizards

23:21 Dizzle has quit [Remote host closed the connection]

23:22 Dizzle has joined #bitcoin-wizards

23:32 thomasa__ has joined #bitcoin-wizards

23:32 thomasan_ has quit [Read error: Connection reset by peer]

23:39 thrmo_ has joined #bitcoin-wizards

23:40 thrmo has quit [Ping timeout: 256 seconds]

23:57 Murch has quit [Quit: Snoozing.]