sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
erwin_bullet has quit []
AaronvanW has quit [Remote host closed the connection]
mdunnio has joined #bitcoin-wizards
mdunnio has quit [Ping timeout: 264 seconds]
kers has joined #bitcoin-wizards
proofofkeags has joined #bitcoin-wizards
_whitelogger has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 246 seconds]
rusty has quit [Ping timeout: 240 seconds]
mdunnio has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
arowser_ has quit [Ping timeout: 264 seconds]
arowser_ has joined #bitcoin-wizards
alferz has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 260 seconds]
arowser_ has quit [Ping timeout: 246 seconds]
arowser_ has joined #bitcoin-wizards
shush has quit [Remote host closed the connection]
dllud has quit [Read error: Connection reset by peer]
shush has joined #bitcoin-wizards
dllud has joined #bitcoin-wizards
arowser_ has quit [Remote host closed the connection]
arowser_ has joined #bitcoin-wizards
shush has quit [Ping timeout: 260 seconds]
arowser_ has quit [Remote host closed the connection]
arowser_ has joined #bitcoin-wizards
shush has joined #bitcoin-wizards
arowser_ has quit [Remote host closed the connection]
arowser_ has joined #bitcoin-wizards
mdunnio has quit [Remote host closed the connection]
AaronvanW has quit [Ping timeout: 246 seconds]
arowser_ has quit [Remote host closed the connection]
arowser_ has joined #bitcoin-wizards
justanotheruser has joined #bitcoin-wizards
arowser_ has quit [Ping timeout: 240 seconds]
shush has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
arowser_ has joined #bitcoin-wizards
adiabat has quit [Remote host closed the connection]
shush has quit [Ping timeout: 260 seconds]
adiabat has joined #bitcoin-wizards
mdunnio has joined #bitcoin-wizards
mdunnio has quit [Ping timeout: 246 seconds]
slivera has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
shush has quit [Ping timeout: 260 seconds]
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
kers has quit []
proofofkeags has quit [Ping timeout: 240 seconds]
mdunnio has joined #bitcoin-wizards
mdunnio has quit [Ping timeout: 240 seconds]
Belkaar has quit [Ping timeout: 265 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
CryptoDavid has quit [Quit: Connection closed for inactivity]
proofofkeags has quit [Remote host closed the connection]
rafalcpp has quit [Ping timeout: 246 seconds]
rafalcpp has joined #bitcoin-wizards
Dimlock has joined #bitcoin-wizards
CryptoDavid has quit [Quit: Connection closed for inactivity]
<roconnor>
If you want to provably leak a private key on Bitcoin Script today I think it suffices to demand a signature that is very small in size, which can be enforced with OP_SIZE and OP_LT and friends.
<roconnor>
A small-sized signature essentially forces R to be +/- G/2 and hence forces k to be +/- 1/2, and then knowledge of k allows you to recover the private key from the signature.
proofofkeags has joined #bitcoin-wizards
<roconnor>
Technically this can be circumvented by using a vast amount of computing power to find another R value that is just as small as G/2. I understand that requires about 2^90 work.
<roconnor>
(which is comparable to the total amount of PoW done in Bitcoin).
<aj>
roconnor: you can circumvent it by pre-calculating a small R and changing the message to also get a small s, for 2*2^45 work or something, i think?
<roconnor>
The message is hashed so it takes "just as much" work to grind a small s as it is to grind a small r.
<roconnor>
You can define the signature and message first and use pubkey derivation to derive the public key for it.
<roconnor>
but that requires knowing the message first, and usually in Bitcoin the message contains the pubkey.
<roconnor>
(you'd want to make sure they aren't doing any CODESEPARATOR shenanigans here.)
<roconnor>
aj: oh I see you grind r and s separately!
<roconnor>
I don't know what I was thinking
<roconnor>
Yes you are right.
shush has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
<roconnor>
too bad we don't have high-S consensus rules.
shush has quit [Remote host closed the connection]
shush has joined #bitcoin-wizards
<aj>
roconnor: yeah (talked about this with gmaxwell back 2015ish when thinking about it for lightning)
rusty has joined #bitcoin-wizards
<aj>
roconnor: i think it might have been possible then to require setting r=g/2 and grinding s a little bit to make it roughly infeasible to grind both r and s and get the same result, not sure if that'd still work, and it seemed like too much effort at that point
rusty has left #bitcoin-wizards [#bitcoin-wizards]
arowser_ has quit [Remote host closed the connection]
arowser_ has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
wk057 has quit [Read error: Connection reset by peer]
TheoStorm has quit [Quit: Leaving]
wk057 has joined #bitcoin-wizards
justanotheruser has quit [Ping timeout: 240 seconds]
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
proofofkeags has quit [Remote host closed the connection]
proofofkeags has joined #bitcoin-wizards
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
<waxwing>
i think it's a better setup for an ecdsa atomic swap than what we had before, only because it's a lot less crypto machinery. but i think the drawback is you use on-chain multisig.
<waxwing>
i'm not sure if i'm remembering the details right, though.