sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<queip>
is it possible to create a multisignature (at least 2-of-2) in such a way that on creation devices A and B cooperate somehow, but neither sees any private information that would allow it to sign without the consent of the other party, and the multisignature made later by A and B is as small as current bitcoin signatures
<queip>
e.g. if we do not care about backward compatibility and such, can at least 2-multisignatures have 0 blockchain size overhead while being secure
<queip>
what if we go outside of secp256k1
<aj>
queip: yes, that's what musig does
<queip>
aj: it has really identical size to single secp256k1 signature?
<michaelfolkson>
queip: I think (may be wrong) it just needs to be Schnorr and another curve could be used. Obviously not relevant to Bitcoin, curve won't be changing anytime soon
<michaelfolkson>
But yeah it is just a single signature mapped to a single key (which is made from the multiple keys)
<queip>
great :) So, it would work also on any ECC (including e.g. the well-known Curve25519)? Is it a general operation available on (all?) finite fields?
<michaelfolkson>
But to get it confirmed ask in #secp256k1
<michaelfolkson>
Obviously Bitcoin devs won't be writing code for a MuSig scheme for any other curve. So you'd have to write the code for another curve (normal warnings, don't roll your own crypto unless you know what you are doing etc etc)
<kanzure>
i spent a few minutes digging this up for someone, so i might as well post the reference
<kanzure>
regarding "On the instability of bitcoin without the block reward" or "bitcoin is unstable without the block reward",
<waxwing>
queip, michaelfolkson bear in mind that the original paper has been superseded by MuSig2 : https://eprint.iacr.org/2020/1261
<michaelfolkson>
waxwing: Right. No problems found with MuSig but MuSig2 is a strict improvement (other than its newness)
<waxwing>
there is also musig-dn but the above is the main thing right now ... yes afair there is nothing curve-specific here. but note, whilst it's a huge step forward to be single-key verified, there is a slight tradeoff: interactivity.
<waxwing>
well the original variant of musig had a flaw in the security proof, it was patched up to 3 round
<waxwing>
then musig2 reinstates 2 round
<waxwing>
so it's like, the tradeoff remains, but it's ameliorated to the greatest extent possible
<michaelfolkson>
Language is hard here :) No problems found with *latest* MuSig
<michaelfolkson>
MuSig 1b is fine
<michaelfolkson>
(as far as we know)
<waxwing>
yeah but it's intrinsically a rather complicated and involved story, so language or not, confusion is very forgivable
<michaelfolkson>
MuSig 1a had a flaw
<waxwing>
we didn't even talk about musig-dn :)
<michaelfolkson>
My understanding of that is it is interesting academically but unlikely to be used in production for much
<waxwing>
i was going to go through that latest security proof (musig2) in some detail but it's really quite a can of worms (algebraic group model; OMDL, the way it uses "forking lemma" etc.).
<waxwing>
somewhere deep in the weeds of it there is a very interesting idea/insight but .. sheesh that stuff is hard.
<waxwing>
naively you'd think the nonce points (R_i) have to be committed to; that's what 3 round was. it seemed to make sense. Albeit it's very non-obvious that wagner's attack is as effective as it is.
<waxwing>
iirc the core of the idea was that the "target" value in the wagner attack is, in the musig2 scenario, not constant, which prevents it from working.
<michaelfolkson>
If you're here kanzure, I have a question for you. The Bitcoin functional test framework uses python-bitcoinlib code.
<michaelfolkson>
Is there any history of pushing updates to python-bitcoinlib to Bitcoin Core functional tests? (in form of PR obviously)
<michaelfolkson>
Or was it just taken at a point in time and then maintained entirely independently?
<michaelfolkson>
Presumably some of the Python Taproot code could be taken from Core and used in python-bitcoinlib
<michaelfolkson>
On the MuSig2 proof waxwing, maybe one day when I'm feeling brave I'll scratch at the surface. Interesting that it is a lot more complex than MuSig 1b though
<michaelfolkson>
Complexity being the enemy of security n all
<waxwing>
mm .. it was pretty complex before! i mean you're right, but - complexity of security proofs is obviously a bit different from complexity of a protocol.
<michaelfolkson>
It can't generally be helped in the case of proofs. But I'd guess the more complex the proof the more likely it will need revisions
<michaelfolkson>
Easier to make a protocol less complex. A proof got complex for a reason
<pinheadmz>
well the UX got less complex with MuSig2 (removed a round trip) which is really good news. We will probably use musig2 at bitgo
<waxwing>
michaelfolkson, the issue is not usually so much revisions - in a way, that's a kind of good sign ... sometimes these proofs go largely unexamined. i feel like the real issue is that they are built from assumption sets in a pick-and-mix fashion. it's really hard to have any sense, sometimes, of what proofs *mean*.
<waxwing>
the example i always remember is dan brown (no, not that one) proving that ECDSA has strong unforgeability in the generic group model. when in fact (so called "malleability") it very trivially doesn't have strong unforgeability.
<waxwing>
so it's almost like, if you don't have an incredibly fine sense of the real story the proof is telling (and how many people in the world have that?), then they're not that useful.
<waxwing>
but i'm wittering, i do agree with your basic point that the more complex it is, the less happy one should be about it.
<michaelfolkson>
That is cool pinheadmz. The motivation for using it is clear. And if there are any problems they will only get found if people use it
<michaelfolkson>
I remember years ago Andreas talking about different blockchains being bug bounties. It seems to me it is kind of similar with new cryptographic schemes. Best to start with smaller amounts of money
<pinheadmz>
And if we adopt a protocol where, along with each tx signature, we exchange nonces for the *next* TX, then we can effectively reduce each multisig to one round -- it just means both parties need to keep track of that state
<pinheadmz>
michaelfolkson heh, is litecoin going to adopt taproot before bitcoin?
<michaelfolkson>
Unpopular opinion maybe but I hope so
<michaelfolkson>
Upsets the purity maximalists
<michaelfolkson>
If there is any point to Litecoin it is for testing stuff with real money in advance of Bitcoin. And perhaps being there if Bitcoin fails technically for some bizarre reason that doesn't also kill Litecoin
<waxwing>
yes the first round being pre-processable so that it's kinda- one round is one of the big selling points of musig2. that's very cool.
<Setherson>
Hello, Everyone!
<Setherson>
Not a very chatty bunch...lol
<queip>
oh no, a mortal entered our plane. seize him!
<kanzure>
michaelfolkson: python-bitcoinlib is forked from a thing that was itself incorporated into bitcoin core's functional test framework
<kanzure>
or the thing it was forked from was from code in the bitcoin core repository, i forget the lineage exactly
<kanzure>
but python-bitcoinlib came later