andytoshi changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | This channel is logged. | For logs and more information, visit https://bitcoin.ninja
brg444 has quit [Quit: Connection closed for inactivity]
jnsu has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
son0p has quit [Quit: Lost terminal]
tromp has quit [Ping timeout: 265 seconds]
jonatack_ has joined #bitcoin-wizards
jonatack_ has quit [Read error: Connection reset by peer]
TheoStorm has quit [Quit: Leaving]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 246 seconds]
jeremyrubin has joined #bitcoin-wizards
Belkaar_ has quit [Ping timeout: 240 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
laptop_ has quit [Ping timeout: 276 seconds]
Belkaar has quit [Ping timeout: 264 seconds]
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Belkaar has joined #bitcoin-wizards
CryptoDavid has quit [Quit: Connection closed for inactivity]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 256 seconds]
Belkaar has quit [Ping timeout: 276 seconds]
Belkaar_ has joined #bitcoin-wizards
brg444 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 264 seconds]
vtnerd has quit [Ping timeout: 256 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 276 seconds]
mryandao has quit [Remote host closed the connection]
mryandao has joined #bitcoin-wizards
czargb has quit [Quit: Connection closed]
shesek has quit [Remote host closed the connection]
shesek has joined #bitcoin-wizards
shesek has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 240 seconds]
flag has quit [Remote host closed the connection]
flag has joined #bitcoin-wizards
jadi has joined #bitcoin-wizards
jb55 has quit [Remote host closed the connection]
jb55 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
rotten has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
brg444 has quit [Quit: Connection closed for inactivity]
jnsu has quit [Remote host closed the connection]
jnsu has joined #bitcoin-wizards
jnsu has quit [Ping timeout: 264 seconds]
justanotheruser has quit [Ping timeout: 272 seconds]
jnsu has joined #bitcoin-wizards
jnsu has quit [Ping timeout: 264 seconds]
waxwing_ is now known as waxwing
waxwing has quit [Changing host]
waxwing has joined #bitcoin-wizards
jadi has joined #bitcoin-wizards
<waxwing>
how does one get a sense of the strength of the OMDL assumption? the two references in the MuSig2 paper are good, they define the concept clearly and give interesting analysis e.g. chosen target vs known target equivalence. but they both just say 'this is a new strong assumption'.
<waxwing>
i mean in some ways it all seems a bit academic: intuitively, if you're given a bunch of random targets, there is obviously not going to be a clever way to combine them such that the number of queries required is less.
<waxwing>
but "obviously" ... :)
jadi has quit [Read error: Connection reset by peer]
<sipa>
does it help to know that in the generic group model it holds?
<sipa>
that's not a particularly high bar, of course, ggm is pretty strong (and schemes have been broken in practice that were proven secure in ggm)
<waxwing>
sipa, oh interesting, i'll happily look that up. do you have a reference offhand?
<waxwing>
but yes understood re strength
<sipa>
waxwing: there was a paper maybe 1.5 years ago that gave an inventory of schemes that were in one way or another proven, but still broken
<sipa>
i don't remember the name
<sipa>
iirc they were things of which you'd say "well duh you can't do that in ggm!", but i don't remember the details
<waxwing>
oh sure, on that point.. well the only thing i always remember is reading how ecdsa was proven strongly unforgeable in GGM :) but yeah i might do a search later on that.
<sipa>
right!
<sipa>
it is, because there is no "extract x coordinate" in ggm, so you have to replace it with a hash from points to scalars
<sipa>
however, i think if you actually do that, you can also prove it strongly unforgeable in just ROM/DL
<sipa>
there is a better result somewhere else, where instead the x-coordinate grabbing is modelled as a reversible random mapping between points and scalars, and iirc they prove that the low-s form is also strongly unforgeable
jadi has joined #bitcoin-wizards
<sipa>
waxwing: maybe a disappointing result too... in AGM, OMDL does not follow from DL
<waxwing>
sipa, pretty sure the paper i was thinking of was this: https://eprint.iacr.org/2002/026.ps
<waxwing>
algebraic group model, i see. i still haven't got round to reading up on that.
<sipa>
waxwing: AGM is great
<waxwing>
andytoshi was telling me about it a few weeks ago.
<waxwing>
sipa, re: modelled as reversible random mapping etc, are you talking about the stuff by .. Fersch et al i think?
<sipa>
it's easy: any algorithm in AGM that outputs a group element, must also output how it can be written as a linear combination of any of its input group elements
<waxwing>
oh
<sipa>
it's far weaker than GGM, because algorithms do get access to the actual group representation
<sipa>
they just are constrained to doing linear operations with them
<sipa>
but things like endomorphisms don't break it
<sipa>
in AGM, DL is not implied (obviously)
<sipa>
however, and this is pretty interesting: in AGM it holds that DL and CDH are equivalent (either can be shown from the other)
<sipa>
which feels nice, because afaik there are no groups known where they differ
<sipa>
but despite that, OMDL is still distinct
<nickler>
Fwiw, in our latest revision of MuSig2 (not yet uploaded) we use a falsifiable variant of OMDL that we call algebraic OMDL (AOMDL).
<nickler>
The difference is that whenever the DL oracle of the OMDL is queried, it also receives a representation in all input group elements. The MuSig2 reductions are algebraic in that sense.
<nickler>
Then the representation allows the AOMDL to efficiently answer the DL oracle because it knows the DL of the input group elements.
laptop_ has joined #bitcoin-wizards
sr_gi has quit [Read error: Connection reset by peer]
sr_gi has joined #bitcoin-wizards
laptop_ has quit [Remote host closed the connection]
peutetre has quit [Remote host closed the connection]
TheoStorm has joined #bitcoin-wizards
jb55 has quit [Remote host closed the connection]
jb55 has joined #bitcoin-wizards
jnsu has joined #bitcoin-wizards
son0p has joined #bitcoin-wizards
CubicEarth_ has quit [Ping timeout: 246 seconds]
CubicEarth has joined #bitcoin-wizards
jnsu has quit [Ping timeout: 264 seconds]
<waxwing>
ah yes i found that stackexchange Q in a search last year. Re: Fersch, i remembered it because i linked it in my blog post about schnorr sig security a couple years back. i remember also there's a pretty good youtube vid of a talk for that paper. was helpful, somewhat.