12019-11-25T00:03:57  *** Chris_Stewart_5 has quit IRC
 22019-11-25T00:13:29  *** Chris_Stewart_5 has joined ##taproot-bip-review
 32019-11-25T00:24:26  *** Chris_Stewart_5 has quit IRC
 42019-11-25T00:46:30  *** Chris_Stewart_5 has joined ##taproot-bip-review
 52019-11-25T01:00:47  *** davterra has quit IRC
 62019-11-25T01:38:21  *** pinheadmz has joined ##taproot-bip-review
 72019-11-25T02:08:26  *** Chris_Stewart_5 has quit IRC
 82019-11-25T03:02:02  *** achow101 has quit IRC
 92019-11-25T03:12:27  *** achow101 has joined ##taproot-bip-review
102019-11-25T07:07:42  *** _andrewtoth_ has joined ##taproot-bip-review
112019-11-25T07:09:04  *** andrewtoth_ has quit IRC
122019-11-25T08:01:18  *** jonatack_ has joined ##taproot-bip-review
132019-11-25T08:04:43  *** jonatack has quit IRC
142019-11-25T08:29:03  *** b10c has joined ##taproot-bip-review
152019-11-25T08:39:50  *** b10c has quit IRC
162019-11-25T08:41:21  *** b10c has joined ##taproot-bip-review
172019-11-25T09:56:45  <nickler> harding: Is there a reason why Bob wouldn't sign a message including both updates in normal, non-adverserial operation?
182019-11-25T09:56:48  <nickler> The idea in the linked PR only works if Alice can compute the expected message before giving out her nonce and then only signing that message after receiving Bob's nonce.
192019-11-25T09:56:52  <nickler> If Bob signs a different message, they won't produce a combined signature but that's fine for the security of MuSig.
202019-11-25T10:25:52  <gmaxwell> Here is a plausable attack on a system using 16-byte e. Alice and Bob jointly own a 2of2 address.   Alice and Bob have both pre-commited then shared nonces.  Bob authors a message for alice and him to jointly sign.  Bob does ~2^64 work to find two a colliding pair of messages with the same e, one that alice would sign and one that she wouldn't sign that pays him all the coins. Bob asks alice
212019-11-25T10:25:52  <gmaxwell> to sign the one, then substutites the other message on the network.
222019-11-25T10:26:42  <gmaxwell> I think this is concrete enough to refute PR158's claim that 16 bytes wouldn't be sacrificing security.
232019-11-25T10:34:12  <aj> gmaxwell: pre-committing and sharing nonces prior to knowing what message they apply to is already broken via nickler's shortcuts article isn't it?
242019-11-25T10:37:05  <gmaxwell> yes/no. In that case-- that attack requires actual parallel sessions. What I'm describing doesn't.
252019-11-25T10:40:17  <gmaxwell> I agree that the protocol flow I'm suggesting isn't a great idea, but "you and I exchange nonce commitments, then you and I exchange nonces, Then I send you a message.  You don't begin any other signing sessions until yours with me completes or you give up and discard the nonces".
262019-11-25T10:40:53  <gmaxwell> afaik doesn't have any problem with a 256bit hash, but is trivially vulnerable to a modest 2^64 work collision attack on the hash with a shortened schnorr signature.
272019-11-25T11:13:12  <aj> yeah. hmm, doesn't shortening the hash make the wagner attack more effective too?
282019-11-25T11:37:28  <gmaxwell> absoltely.
292019-11-25T11:38:40  *** Chris_Stewart_5 has joined ##taproot-bip-review
302019-11-25T11:48:33  *** Murch has quit IRC
312019-11-25T11:48:33  *** jnewbery has quit IRC
322019-11-25T11:50:58  *** jnewbery has joined ##taproot-bip-review
332019-11-25T12:13:51  *** Murch has joined ##taproot-bip-review
342019-11-25T12:51:49  *** Chris_Stewart_5 has quit IRC
352019-11-25T13:02:06  *** Chris_Stewart_5 has joined ##taproot-bip-review
362019-11-25T13:11:04  *** daniel has joined ##taproot-bip-review
372019-11-25T13:11:46  *** daniel is now known as Guest54499
382019-11-25T13:15:13  *** davterra has joined ##taproot-bip-review
392019-11-25T13:53:07  *** Chris_Stewart_5 has quit IRC
402019-11-25T13:59:09  *** Chris_Stewart_5 has joined ##taproot-bip-review
412019-11-25T14:27:44  *** sipa has quit IRC
422019-11-25T14:33:04  *** orfeas has joined ##taproot-bip-review
432019-11-25T15:14:05  <orfeas> in footnote 12 of taproot (https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki#cite_note-12) an attack on feerate is mentioned but the change to wtxid (which seems more important) isn't
442019-11-25T16:10:55  <orfeas> minor change: in the Transaction Digest, I propose that "If both the SIGHASH_NONE and SIGHASH_SINGLE flags are not set" be changed to "If neither the SIGHASH_NONE nor the SIGHASH_SINGLE flag is set"
452019-11-25T16:13:36  *** orfeas has quit IRC
462019-11-25T16:14:58  *** orfeas has joined ##taproot-bip-review
472019-11-25T16:29:11  <orfeas> taproot, footnote 16, "digest computation avoids unnecessary hashing as opposed to BIP143 digests in which parts may be set zero and before hashing them": I think there is a typo at the end of the sentence
482019-11-25T16:31:55  *** rottensox has joined ##taproot-bip-review
492019-11-25T16:46:08  *** rottensox has quit IRC
502019-11-25T17:10:14  *** orfeas has quit IRC
512019-11-25T17:33:45  *** b10c1 has joined ##taproot-bip-review
522019-11-25T17:34:00  *** b10c has quit IRC
532019-11-25T17:34:00  *** b10c1 is now known as b10c
542019-11-25T17:41:42  *** jonatack_ has quit IRC
552019-11-25T17:42:00  *** jonatack has joined ##taproot-bip-review
562019-11-25T18:11:54  *** b10c1 has joined ##taproot-bip-review
572019-11-25T18:12:02  *** b10c has quit IRC
582019-11-25T18:12:03  *** b10c1 is now known as b10c
592019-11-25T18:15:44  *** rottensox has joined ##taproot-bip-review
602019-11-25T18:49:52  *** rottensox has quit IRC
612019-11-25T19:17:16  *** andrewtoth_ has joined ##taproot-bip-review
622019-11-25T19:17:32  *** _andrewtoth_ has quit IRC
632019-11-25T19:30:36  *** andrewtoth_ has quit IRC
642019-11-25T19:52:54  *** shesek has quit IRC
652019-11-25T19:53:20  *** shesek has joined ##taproot-bip-review
662019-11-25T19:53:20  *** shesek has joined ##taproot-bip-review
672019-11-25T19:54:21  *** andrewtoth_ has joined ##taproot-bip-review
682019-11-25T19:57:33  *** shesek has quit IRC
692019-11-25T19:57:53  *** rottensox has joined ##taproot-bip-review
702019-11-25T19:58:21  *** shesek has joined ##taproot-bip-review
712019-11-25T20:01:35  *** jonatack_ has joined ##taproot-bip-review
722019-11-25T20:02:42  *** shesek has quit IRC
732019-11-25T20:05:08  *** jonatack has quit IRC
742019-11-25T20:05:33  *** shesek has joined ##taproot-bip-review
752019-11-25T20:05:33  *** shesek has joined ##taproot-bip-review
762019-11-25T20:10:14  *** shesek has quit IRC
772019-11-25T20:10:37  *** shesek has joined ##taproot-bip-review
782019-11-25T20:23:47  *** pyskell has joined ##taproot-bip-review
792019-11-25T21:00:57  *** b10c has quit IRC
802019-11-25T21:47:21  *** Chris_Stewart_5 has quit IRC
812019-11-25T21:55:52  *** pyskell has quit IRC
822019-11-25T23:17:24  *** andrewtoth_ has quit IRC
832019-11-25T23:23:12  *** Chris_Stewart_5 has joined ##taproot-bip-review
842019-11-25T23:27:02  *** waxwing has quit IRC
852019-11-25T23:27:34  *** waxwing has joined ##taproot-bip-review
862019-11-25T23:29:15  *** waxwing has quit IRC
872019-11-25T23:29:15  *** waxwing has joined ##taproot-bip-review