sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
flo1 has quit []
proofofk_ has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
proofofkeags has quit [Read error: Connection reset by peer]
proofofkeags has joined #bitcoin-wizards
slivera has joined #bitcoin-wizards
proofofkeags has quit [Ping timeout: 256 seconds]
proofofkeags has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
proofofkeags has quit [Ping timeout: 258 seconds]
tromp has quit [Ping timeout: 272 seconds]
Eartaker has joined #bitcoin-wizards
gojiHmPFPN has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
bitdex has quit [Ping timeout: 240 seconds]
AaronvanW has quit []
proofofkeags has joined #bitcoin-wizards
gojiHmPFPN has joined #bitcoin-wizards
proofofkeags has quit [Ping timeout: 264 seconds]
Relis has quit [Quit: This computer has gone to sleep]
Relis has joined #bitcoin-wizards
Belkaar has quit [Ping timeout: 246 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Belkaar has joined #bitcoin-wizards
bitdex has joined #bitcoin-wizards
proofofkeags has joined #bitcoin-wizards
Relis has quit [Quit: This computer has gone to sleep]
shush has quit [Remote host closed the connection]
CryptoDavid has quit [Quit: Connection closed for inactivity]
tromp has joined #bitcoin-wizards
stackingcore21_ has joined #bitcoin-wizards
justanotheruser has joined #bitcoin-wizards
stackingcore21 has quit [Ping timeout: 244 seconds]
windsok has quit [Ping timeout: 256 seconds]
windsok has joined #bitcoin-wizards
windsok has quit [Changing host]
windsok has joined #bitcoin-wizards
slivera has joined #bitcoin-wizards
kabaum has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
<t-bast>
jeremyrubin: I don't know if the trapdoor can easily be MPC'd, it probably really depends on the chameleon hashing scheme used so I haven't investigated thoroughly enough
<t-bast>
sanket1729: I think that what's interesting with chameleon hashing is that we could restrict who can rebind the signature (they need to know the trapdoor) and it's linked to a different key than the one you sign with
<t-bast>
sanket1729: but maybe that can be done with signature delegation as well, I don't know at all if chameleon hashing is *required* for something like this
shush has joined #bitcoin-wizards
justan0theruser has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 260 seconds]
justan0theruser has quit [Ping timeout: 272 seconds]
justanotheruser has joined #bitcoin-wizards
engil1 has quit []
TheoStorm has joined #bitcoin-wizards
tromp has quit [Ping timeout: 258 seconds]
nick_freeman has quit [Remote host closed the connection]
nick_freeman has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
Waithamai has joined #bitcoin-wizards
Waithamai is now known as Guest65675
Noldorin has quit [Ping timeout: 272 seconds]
tromp has quit [Ping timeout: 272 seconds]
tromp has joined #bitcoin-wizards
nick_freeman has quit [Remote host closed the connection]
tromp_ has joined #bitcoin-wizards
tromp has quit [Ping timeout: 272 seconds]
rafalcpp has joined #bitcoin-wizards
Relis has joined #bitcoin-wizards
Relis has quit [Quit: This computer has gone to sleep]
Relis has joined #bitcoin-wizards
Kiminuo has joined #bitcoin-wizards
bitdex has quit [Quit: = ""]
belcher has joined #bitcoin-wizards
Guest65675 has quit []
rafalcpp has quit [Ping timeout: 256 seconds]
justanotheruser has quit [Ping timeout: 256 seconds]
justanotheruser has joined #bitcoin-wizards
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
izaki1 has joined #bitcoin-wizards
shush has joined #bitcoin-wizards
rafalcpp has joined #bitcoin-wizards
shush has quit [Ping timeout: 256 seconds]
junderw has quit [Ping timeout: 240 seconds]
hugohn has quit [Read error: Connection reset by peer]
schmidty has quit [Read error: Connection reset by peer]
hugohn has joined #bitcoin-wizards
amiti has quit [Write error: Connection reset by peer]
schmidty has joined #bitcoin-wizards
vfP56jSe has quit [Read error: Connection reset by peer]
vfP56jSe has joined #bitcoin-wizards
amiti has joined #bitcoin-wizards
junderw has joined #bitcoin-wizards
gojiHmPFPN has joined #bitcoin-wizards
troygiorshev has joined #bitcoin-wizards
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
rafalcpp has quit [Ping timeout: 260 seconds]
zmnscpxj_ has quit [Ping timeout: 240 seconds]
vcorem has joined #bitcoin-wizards
rafalcpp has joined #bitcoin-wizards
gojiHmPFPN has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
gojiHmPFPN has joined #bitcoin-wizards
slivera has quit [Remote host closed the connection]
<bsm117532>
From the way I read it, a new paper about Chameleon Hashes needs to be written along the lines of Lindell's 2p-ECDSA, using ElGamal instead of Paillier. That would give you an MPC-like Chameleon Hash...
<bsm117532>
If something like that already exists I couldn't find it...
proofofkeags has joined #bitcoin-wizards
Kiminuo has quit [Ping timeout: 246 seconds]
shush has joined #bitcoin-wizards
mappum has joined #bitcoin-wizards
shush has quit [Ping timeout: 260 seconds]
Kiminuo has joined #bitcoin-wizards
Alex[m]4 has left #bitcoin-wizards ["User left"]
real_or_random has quit [Quit: ZNC 1.7.5 - https://znc.in]
real_or_random has joined #bitcoin-wizards
fiatjaf1 has quit [Ping timeout: 260 seconds]
fiatjaf1 has joined #bitcoin-wizards
izaki1 has quit []
shush has joined #bitcoin-wizards
shush has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
shush has quit [Ping timeout: 256 seconds]
llamma1 has joined #bitcoin-wizards
midnight has quit [Ping timeout: 272 seconds]
<t-bast>
I couldn't find such a scheme either, but chameleon hashing hasn't gotten much research, I wouldn't be surprised if something along the lines of what you suggest was possible (if people put in the effort)
Relis has quit [Quit: This computer has gone to sleep]
troygiorshev has quit [Ping timeout: 256 seconds]
Relis has joined #bitcoin-wizards
shush has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 260 seconds]
midnight has joined #bitcoin-wizards
troygiorshev has joined #bitcoin-wizards
justanotheruser has joined #bitcoin-wizards
shush has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
CryptoDavid has joined #bitcoin-wizards
Fugazi has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 256 seconds]
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
guest534543 has joined #bitcoin-wizards
Kiminuo has quit [Ping timeout: 240 seconds]
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
roconnor has quit [Read error: Connection reset by peer]
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
vcorem has quit [Quit: Leaving]
ghost43 has quit [Remote host closed the connection]
ghost43 has joined #bitcoin-wizards
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
justanotheruser has joined #bitcoin-wizards
rafalcpp has quit [Ping timeout: 256 seconds]
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
rafalcpp has joined #bitcoin-wizards
Guyver2_ has joined #bitcoin-wizards
Guyver2 has quit [Ping timeout: 256 seconds]
proofofkeags has quit [Ping timeout: 258 seconds]
Guyver2_ is now known as Guyver2
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
isis_ is now known as isis
proofofkeags has joined #bitcoin-wizards
rafalcpp has quit [Ping timeout: 256 seconds]
troygiorshev has quit [Quit: leaving]
troygiorshev has joined #bitcoin-wizards
troygiorshev has quit [Client Quit]
troygiorshev has joined #bitcoin-wizards
<sanket1729>
I tweaked a lot with pay to contract style constructions with chameleon hashes and could not find any use cases that could not be done with signature delegation but *required* chameleon hashes
llamma1 has quit []
<sanket1729>
The chameleon hash scheme from the borromean ring signatures paper seems to be just a Pedersen hash H(m||xG - eP) with the trapdoor being the DL between G and P.
<sanket1729>
Which looks MPC friendly with secret shared trapdoor.
dr-orlovsky has joined #bitcoin-wizards
rafalcpp has joined #bitcoin-wizards
<dr-orlovsky>
Hi! Does anyone know if this asymmetric encryption scheme is implemented anywhere in the secp256k1 lib? <https://crypto.stackexchange.com/a/45042> (yes, I know it's slow & inefficient, and better to use DH-based encryption, but I need to encrypt a small piece of data and require a non-interactive protocol)
guest534543 has quit [Quit: Leaving]
Kiminuo has joined #bitcoin-wizards
Fugazi has quit [Remote host closed the connection]
Fugazi has joined #bitcoin-wizards
jtk has joined #bitcoin-wizards
Dean_Guss has quit [Remote host closed the connection]
Fugazi has quit [Ping timeout: 246 seconds]
zmnscpxj_ has joined #bitcoin-wizards
gleb has joined #bitcoin-wizards
Dean_Guss has joined #bitcoin-wizards
<sipa>
dr-orlovsky: libsecp256k1 only explicitly supports key generation, BIP32 derivation, ECDSA signing, ECDSA pubkey recovery, and ECDH
<sipa>
it may be possible to implement ElGamal encryption by stitching together primitives designed for other functions
<dr-orlovsky>
Thank you! Am I right that this type of encryption scheme is called "ElGamal"?
<sipa>
yes
<sipa>
the possibly hard part is mapping your data to a curve point
<yanmaani>
sipa: Can't you use ECDH for encryption?
<sipa>
yanmaani: read dr-orlovsky's question
<yanmaani>
Yes, non-interactive
<sipa>
ah yes, DH based encryption can be made non-interactive just fine
<yanmaani>
generate a private key, do ECDH with target public key, encrypt with shared secret, append public key, discard private key
<sipa>
though for very small pieces of data that's overkill
<dr-orlovsky>
thanks for the clarification
<sipa>
if you want something with better analyzed properties, ECIES is effectively non-interactive ECDH with symmetric encryption, plus hashes for authentication
<zmnscpxj_>
secp256k1_ec_pubkey_tweak_mul is scalar * Point, secp256k1_ec_pubkey_combine adds Points, secp256k1_ec_pubkey_negate the second arg first to subtract Points
rafalcpp has quit [Ping timeout: 264 seconds]
<dr-orlovsky>
My case: client & server. Server keeps an encrypted seed phrase. When the client needs the server to sign, it provides the password and the server decrypts the priv key, that's simple. But when the client asks the server to create a new seed phrase, I'd like the client not to provide the password, and the server still needs to encrypt. So, it should work with a priv/pub key: the server knows the client's pub key and encrypts with it, while for the
<dr-orlovsky>
decryption & signing it will ask for the private
<zmnscpxj_>
user-created brain passwords?
<zmnscpxj_>
are those not low-entropy in practice...?
<dr-orlovsky>
instead of password a key pair is used here
<zmnscpxj_>
so why not some kind of multisig?
<dr-orlovsky>
this can be used for multisig as well (you may have multiple signing servers)
<zmnscpxj_>
no I mean you multisig 2-of-2 with server as one signer and client as other signer
<belcher>
it sounds like his scheme has the entropy from the seed phrase + user provided entropy
<zmnscpxj_>
seems same security model?
<belcher>
so its not like the brainwallets where its just sha256(passphrase)
<zmnscpxj_>
server generates the seed phrase or it comes from the user as well?
<dr-orlovsky>
seed phrase is server-generated and not backed up (b/c it's part of 5/7 multisig or something like that; if it's lost, the funds still can be moved)
<zmnscpxj_>
but then " client asks server to create a new seed phrase" ...?
<zmnscpxj_>
does the client have to trust the server not to hack the encrypted seed phrase?
<dr-orlovsky>
it is his server
<zmnscpxj_>
ah
<zmnscpxj_>
so server is trusted, okay
<dr-orlovsky>
but still it's nice to keep the seeds encrypted and transfer the decryption key only in signing procedures and not in any other case
<zmnscpxj_>
why store the encrypted seed phrase then?
<dr-orlovsky>
this is sort of exchange case: you have multiple signing servers with their own policies
<zmnscpxj_>
See, if the server data is copied, somebody else now has a copy of the encrypted seed phrase; if the encryption itself is too low-entropy then it may become easy for the hacker to derive the original seed phrase
<dr-orlovsky>
that is why the encryption is made with a 256-bit private key
<zmnscpxj_>
and if you are going to use stronger encryption, you may as well have the "client" program hold its own privkey
<zmnscpxj_>
instead of sending decryption keys over the wire
<zmnscpxj_>
?
Fugazi has joined #bitcoin-wizards
<zmnscpxj_>
have the client send a partial signature instead of the actual key
<dr-orlovsky>
you can't: you will then store all multisig seeds in one place (client), which destroys the whole security model
<dr-orlovsky>
> have the client send a partial signature instead of the actual key
<dr-orlovsky>
how can it be used for the decryption?
<zmnscpxj_>
see, the resulting encrypt(clientkey, serverkey) can be implemented as a scalar addition of clientkey+serverkey
<dr-orlovsky>
exactly
<zmnscpxj_>
which is the basis of n-of-n multisignatures anyway....
<zmnscpxj_>
so it is the same as using a multisignature scheme
<dr-orlovsky>
well, there is no signature in the encryption/decryption process
<zmnscpxj_>
?
<zmnscpxj_>
but you are using the decrypted text as a privkey right?
<dr-orlovsky>
yes
<zmnscpxj_>
so the privkey can be just clientkey+serverkey
<dr-orlovsky>
actually extended private key, but does not matter
<zmnscpxj_>
and you can just use some kind of MuSig scheme
<zmnscpxj_>
for equivalent security
<zmnscpxj_>
Schnorr etc.
<zmnscpxj_>
or just use an ECDH for that matter
<zmnscpxj_>
where the resulting privkey is clientkey*serverkey
<zmnscpxj_>
and you just send points over the wire
<zmnscpxj_>
seems safer than sending private key material over the wire
<dr-orlovsky>
You may think of an org (exchange) with multiple ppl having access to transaction signing (accountants, directors) and 9 servers implementing 5/9 multisig; each server having its own policy etc (how many signatures to make a day, how many bitcoins it is allowed to spend). This is not just a simple 2-of-2 multisig
<zmnscpxj_>
yes, but linearity of keys buys you a lot of flex
<zmnscpxj_>
oh well
<zmnscpxj_>
at least if you authenticate and encrypt the wire between client and server you can just send client decryption key as you will
<dr-orlovsky>
with multiple people you will have a need for them to share their local priv keys, which is even less secure than sending a non-signing key over the wire
<zmnscpxj_>
why?
<dr-orlovsky>
client & server are connected via LN-type protocol (i.e. end-to-end encrypted)
<zmnscpxj_>
just make a 5-of-9 of 9 x 2-of-2s
<dr-orlovsky>
20 ppl, 9 servers for instance
<zmnscpxj_>
which is doable today with 2p-ecdsa
<dr-orlovsky>
no Schnorr yet
<dr-orlovsky>
I need only a single person to sign + 5 servers
<zmnscpxj_>
2p-ecdsa uses clientkey*serverkey
<dr-orlovsky>
ok, you mean 5/9 multisig over 2p-ecdsa's?
Fugazi has quit [Remote host closed the connection]
<zmnscpxj_>
could do it that way
<dr-orlovsky>
but do we have 2p ecdsa impl in secp256k1 lib already?
<zmnscpxj_>
key linearity in EC buys you a lot
<zmnscpxj_>
nope
Fugazi has joined #bitcoin-wizards
<dr-orlovsky>
still seems that it's easier to do ElGamal with secp256k1 than implement 2p ecdsa
<zmnscpxj_>
ok
<sipa>
2p ecdsa needs very fancy cryptography
<dr-orlovsky>
but I appreciate risk of decryption key transfer
<sipa>
well, by my standards :)
<dr-orlovsky>
and your scheme is very interesting indeed
<dr-orlovsky>
I know Jonas Nick was working on 2p ecdsa in secp256k1 (I assume he is nicker here)
<dr-orlovsky>
* nickler
<sipa>
that would surprise me
<dr-orlovsky>
as a part of Fulmo's Lightning HackSprint days, together with guys from SuredBits
<dr-orlovsky>
zmnscpxj_: if the server-stored seed phrase is encrypted with client+server keys, wire transfer of client's key is as secure as 2p ecdsa
<dr-orlovsky>
and the server is still able to encrypt new seeds (it knows the client's pubkey)
ghost43 has quit [Remote host closed the connection]
proofofkeags has quit [Remote host closed the connection]
ghost43 has joined #bitcoin-wizards
proofofkeags has joined #bitcoin-wizards
proofofkeags has quit [Ping timeout: 256 seconds]
<dr-orlovsky>
sipa: with ElGamal, which "reversible mapping function" can be chosen (would you recommend) between the curve point group and a message byte slice?
<dr-orlovsky>
I assume take 256-bit slice of the message and interpret it as an x-coord of the pubkey?
<sipa>
unfortunately, no
<sipa>
because not every x coordinate is valid and on the curve
<dr-orlovsky>
do such functions exist at all?
<sipa>
if you have say 30 bytes of data
<sipa>
you can add 2 random padding bytes, and try; if it's not on the curve, try 2 other bytes etc
<dr-orlovsky>
I see
<sipa>
the problem is that this is not exactly uniform, which may leak information
<sipa>
the more padding bytes the closer to uniform the mapping is
<dr-orlovsky>
... and the more work is required to both encrypt and decrypt
davispuh has joined #bitcoin-wizards
shush has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
proofofkeags has joined #bitcoin-wizards
uiuc-slack has quit [Remote host closed the connection]
uiuc-slack4 has joined #bitcoin-wizards
shush has quit [Ping timeout: 256 seconds]
justanotheruser has quit [Ping timeout: 240 seconds]
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
rafalcpp has joined #bitcoin-wizards
justanotheruser has joined #bitcoin-wizards
mappum has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
shush has quit [Ping timeout: 260 seconds]
mappum has joined #bitcoin-wizards
zmnscpxj_ has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
Kiminuo has quit [Ping timeout: 264 seconds]
dgenr8 has quit [Quit: Leaving]
dgenr8 has joined #bitcoin-wizards
jtk has quit []
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
Chris_Stewart_5 has quit [Ping timeout: 246 seconds]
rafalcpp has quit [Ping timeout: 246 seconds]
fredy2 has joined #bitcoin-wizards
pinheadm_ has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 264 seconds]
pinheadmz has quit [Ping timeout: 264 seconds]
justanotheruser has joined #bitcoin-wizards
rafalcpp has joined #bitcoin-wizards
AaronvanW has quit []
slivera has joined #bitcoin-wizards
Fugazi has quit [Remote host closed the connection]
proofofkeags has quit [Remote host closed the connection]