1 2019-11-25T00:03:57  *** Chris_Stewart_5 has quit IRC
 2 2019-11-25T00:13:29  *** Chris_Stewart_5 has joined ##taproot-bip-review
 3 2019-11-25T00:24:26  *** Chris_Stewart_5 has quit IRC
 4 2019-11-25T00:46:30  *** Chris_Stewart_5 has joined ##taproot-bip-review
 5 2019-11-25T01:00:47  *** davterra has quit IRC
 6 2019-11-25T01:38:21  *** pinheadmz has joined ##taproot-bip-review
 7 2019-11-25T02:08:26  *** Chris_Stewart_5 has quit IRC
 8 2019-11-25T03:02:02  *** achow101 has quit IRC
 9 2019-11-25T03:12:27  *** achow101 has joined ##taproot-bip-review
10 2019-11-25T07:07:42  *** _andrewtoth_ has joined ##taproot-bip-review
11 2019-11-25T07:09:04  *** andrewtoth_ has quit IRC
12 2019-11-25T08:01:18  *** jonatack_ has joined ##taproot-bip-review
13 2019-11-25T08:04:43  *** jonatack has quit IRC
14 2019-11-25T08:29:03  *** b10c has joined ##taproot-bip-review
15 2019-11-25T08:39:50  *** b10c has quit IRC
16 2019-11-25T08:41:21  *** b10c has joined ##taproot-bip-review
 17 2019-11-25T09:56:45  <nickler> harding: Is there a reason why Bob wouldn't sign a message including both updates in normal, non-adversarial operation?
 18 2019-11-25T09:56:48  <nickler> The idea in the linked PR only works if Alice can compute the expected message before giving out her nonce and then only signs that message after receiving Bob's nonce.
19 2019-11-25T09:56:52  <nickler> If Bob signs a different message, they won't produce a combined signature but that's fine for the security of MuSig.
 20 2019-11-25T10:25:52  <gmaxwell> Here is a plausible attack on a system using 16-byte e. Alice and Bob jointly own a 2of2 address.   Alice and Bob have both pre-committed then shared nonces.  Bob authors a message for Alice and him to jointly sign.  Bob does ~2^64 work to find a colliding pair of messages with the same e, one that Alice would sign and one that she wouldn't sign that pays him all the coins. Bob asks Alice
 21 2019-11-25T10:25:52  <gmaxwell> to sign the one, then substitutes the other message on the network.
22 2019-11-25T10:26:42  <gmaxwell> I think this is concrete enough to refute PR158's claim that 16 bytes wouldn't be sacrificing security.
23 2019-11-25T10:34:12  <aj> gmaxwell: pre-committing and sharing nonces prior to knowing what message they apply to is already broken via nickler's shortcuts article isn't it?
24 2019-11-25T10:37:05  <gmaxwell> yes/no. In that case-- that attack requires actual parallel sessions. What I'm describing doesn't.
25 2019-11-25T10:40:17  <gmaxwell> I agree that the protocol flow I'm suggesting isn't a great idea, but "you and I exchange nonce commitments, then you and I exchange nonces, Then I send you a message.  You don't begin any other signing sessions until yours with me completes or you give up and discard the nonces".
26 2019-11-25T10:40:53  <gmaxwell> afaik doesn't have any problem with a 256bit hash, but is trivially vulnerable to a modest 2^64 work collision attack on the hash with a shortened schnorr signature.
27 2019-11-25T11:13:12  <aj> yeah. hmm, doesn't shortening the hash make the wagner attack more effective too?
 28 2019-11-25T11:37:28  <gmaxwell> absolutely.
29 2019-11-25T11:38:40  *** Chris_Stewart_5 has joined ##taproot-bip-review
30 2019-11-25T11:48:33  *** Murch has quit IRC
31 2019-11-25T11:48:33  *** jnewbery has quit IRC
32 2019-11-25T11:50:58  *** jnewbery has joined ##taproot-bip-review
33 2019-11-25T12:13:51  *** Murch has joined ##taproot-bip-review
34 2019-11-25T12:51:49  *** Chris_Stewart_5 has quit IRC
35 2019-11-25T13:02:06  *** Chris_Stewart_5 has joined ##taproot-bip-review
36 2019-11-25T13:11:04  *** daniel has joined ##taproot-bip-review
37 2019-11-25T13:11:46  *** daniel is now known as Guest54499
38 2019-11-25T13:15:13  *** davterra has joined ##taproot-bip-review
39 2019-11-25T13:53:07  *** Chris_Stewart_5 has quit IRC
40 2019-11-25T13:59:09  *** Chris_Stewart_5 has joined ##taproot-bip-review
41 2019-11-25T14:27:44  *** sipa has quit IRC
42 2019-11-25T14:33:04  *** orfeas has joined ##taproot-bip-review
43 2019-11-25T15:14:05  <orfeas> in footnote 12 of taproot (https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki#cite_note-12) an attack on feerate is mentioned but the change to wtxid (which seems more important) isn't
44 2019-11-25T16:10:55  <orfeas> minor change: in the Transaction Digest, I propose that "If both the SIGHASH_NONE and SIGHASH_SINGLE flags are not set" be changed to "If neither the SIGHASH_NONE nor the SIGHASH_SINGLE flag is set"
45 2019-11-25T16:13:36  *** orfeas has quit IRC
46 2019-11-25T16:14:58  *** orfeas has joined ##taproot-bip-review
47 2019-11-25T16:29:11  <orfeas> taproot, footnote 16, "digest computation avoids unnecessary hashing as opposed to BIP143 digests in which parts may be set zero and before hashing them": I think there is a typo at the end of the sentence
48 2019-11-25T16:31:55  *** rottensox has joined ##taproot-bip-review
49 2019-11-25T16:46:08  *** rottensox has quit IRC
50 2019-11-25T17:10:14  *** orfeas has quit IRC
51 2019-11-25T17:33:45  *** b10c1 has joined ##taproot-bip-review
52 2019-11-25T17:34:00  *** b10c has quit IRC
53 2019-11-25T17:34:00  *** b10c1 is now known as b10c
54 2019-11-25T17:41:42  *** jonatack_ has quit IRC
55 2019-11-25T17:42:00  *** jonatack has joined ##taproot-bip-review
56 2019-11-25T18:11:54  *** b10c1 has joined ##taproot-bip-review
57 2019-11-25T18:12:02  *** b10c has quit IRC
58 2019-11-25T18:12:03  *** b10c1 is now known as b10c
59 2019-11-25T18:15:44  *** rottensox has joined ##taproot-bip-review
60 2019-11-25T18:49:52  *** rottensox has quit IRC
61 2019-11-25T19:17:16  *** andrewtoth_ has joined ##taproot-bip-review
62 2019-11-25T19:17:32  *** _andrewtoth_ has quit IRC
63 2019-11-25T19:30:36  *** andrewtoth_ has quit IRC
64 2019-11-25T19:52:54  *** shesek has quit IRC
65 2019-11-25T19:53:20  *** shesek has joined ##taproot-bip-review
67 2019-11-25T19:54:21  *** andrewtoth_ has joined ##taproot-bip-review
68 2019-11-25T19:57:33  *** shesek has quit IRC
69 2019-11-25T19:57:53  *** rottensox has joined ##taproot-bip-review
70 2019-11-25T19:58:21  *** shesek has joined ##taproot-bip-review
71 2019-11-25T20:01:35  *** jonatack_ has joined ##taproot-bip-review
72 2019-11-25T20:02:42  *** shesek has quit IRC
73 2019-11-25T20:05:08  *** jonatack has quit IRC
74 2019-11-25T20:05:33  *** shesek has joined ##taproot-bip-review
76 2019-11-25T20:10:14  *** shesek has quit IRC
77 2019-11-25T20:10:37  *** shesek has joined ##taproot-bip-review
78 2019-11-25T20:23:47  *** pyskell has joined ##taproot-bip-review
79 2019-11-25T21:00:57  *** b10c has quit IRC
80 2019-11-25T21:47:21  *** Chris_Stewart_5 has quit IRC
81 2019-11-25T21:55:52  *** pyskell has quit IRC
82 2019-11-25T23:17:24  *** andrewtoth_ has quit IRC
83 2019-11-25T23:23:12  *** Chris_Stewart_5 has joined ##taproot-bip-review
84 2019-11-25T23:27:02  *** waxwing has quit IRC
85 2019-11-25T23:27:34  *** waxwing has joined ##taproot-bip-review
86 2019-11-25T23:29:15  *** waxwing has quit IRC
87 2019-11-25T23:29:15  *** waxwing has joined ##taproot-bip-review