--- Log opened Sun Mar 03 14:17:26 2013
14:17 !niven.freenode.net [freenode-info] channel trolls and no channel staff around to help? please check with freenode support: http://freenode.net/faq.shtml#gettinghelp
14:31 < HM> amiller_: yeah it's interesting
14:31 < HM> blinding is also interesting
14:32 < HM> although i have a crypto scenario i wanted to apply blinding to but apparently can't
14:37 < HM> amiller_: thanks for the merkle paper
14:38 < HM> I think there's a crossover between the SRP protocol and the blinding method on that Kong paper
14:38 < amiller_> np i like dumping links to papers it helps me to keep references cycling in my head
14:39 <@sipa> ha
14:42 < HM> I have a scenario where i thought I could use D-H to establish a shared key, but obviously you need 1 private key available
14:42 < TD> by the way, i was able to obtain something that claims to be a threshold RSA implementation
14:42 < TD> if someone wants to play with splitting of signing keys let me know, otherwise i'll try it at some point
14:43 <@sipa> do you have a link, TD?
14:43 <@sipa> do you
14:43 < TD> no
14:43 < TD> it was emailed to me by a researcher i contacted
14:43 < TD> so i'd have to send you the same attachment
14:44 < TD> or i could upload it somewhere
14:44 < TD> even better, it's a subcomponent of a larger codebase, which claims to be a "byzantine fault-tolerant state machine replication system"
14:45 <@sipa> i searched for such a thing, but couldn't find anything about it
14:45 < HM> i thought it'd be possible for Alice to force Bob to compute b*aG, but if they know you're doing so and know aG they can still return b*xG where x is anything of their choosing.
14:45 <@sipa> somehow i'd be surprised that it would be possible on (unmodified) RSA and not be known
14:46 < HM> blinding only works when the blinds (or whatever you call them) are truly random
14:46 < HM> afaict
14:46 < TD> the Shoup paper from 2000 describes how to do transparent threshold RSA
14:46 < TD> so it appears to be an implementation of that
14:47 < TD> hmm
14:47 < TD> actually, the Shoup paper says that whilst the signatures have the same format, there are constraints on the keys
14:47 < TD> which would be problematic for splitting existing code-signing keys
14:47 < TD> let me see
14:56 < TD> academic code. lovely :)
14:58 < TD> i'm being a bit unfair
14:58 < TD> it seems to be fairly well documented, even though the code was clearly written by people who looked at openssl and said "what a fine API, let's copy that"
14:58 <@sipa> haha
14:59 < HM> macros! what a novel idea! there should be a paper on how to abuse these
14:59 <@sipa> HM: you know repeated application of the c preprocessor is turing complete :p
14:59 <@sipa> turing
15:00 < TD> you know when all defined structures use single-letter variable names, you're dealing with something a bit retro
15:00 < TD> this is from 2004 though
15:00 < HM> errm, is it?
15:01 < HM> i know C++ templates are but i thought the macro language lacked the necessaries
15:02 < TD> yes
15:02 < TD> it expects to be able to generate its own keys. hmm.
15:04 < TD> annoying. android has no support for key rotation. so it means we'd have to unpublish the old app, publish the new app, notify users to switch and migrate the wallets across
15:10 < TD> hmmm
15:10 < TD> "we do however place some restrictions on the key. it must be a strong prime exceeding l"
15:10 < TD> l is the total number of shares
15:10 < TD> so if there are 5 signers, "a strong prime exceeding 5" would be satisfied by basically any key
15:11 < TD> "the modulus must be the product of two strong primes"
15:11 < TD> isn't this just a statement of requirements on a normal RSA key?
15:17 < HM> sounds like it
15:18 < HM> so this is a public key based secret sharing scheme?
15:27 < TD> HM: yes. http://www.shoup.net/papers/thsig.pdf
15:33 < TD> hmmmm
15:34 < TD> maybe there is a difference
15:34 < HM> does this scheme still require that the entity doing the final sign keep all the shares it handles confidential?
15:34 < TD> modulus = p'q' where p = 2p' + 1
15:34 < TD> same for q
15:34 < TD> HM: no.
15:34 < TD> HM: that's just doing a Shamir's secret share on the private key
15:34 < TD> this is different
15:34 < HM> right. okay
15:35 < TD> you split a key, and then to calculate signatures the private key is never needed to be recombined
15:35 < TD> oh, no, sorry
15:35 < TD> modulus = pq as normal.
15:35 <@sipa> TD: sounds like a Sophie Germain prime
15:36 < TD> m=p'q'
15:39 < TD> ok, i give up trying to understand the details of this scheme
15:40 < TD> it says at the start it is "exceedingly simple" and then takes nearly 4 pages of dense equations to describe it
15:40 <@sipa> haha, sounds academic :D
15:40 < TD> but anyway, as far as i can tell, any "normal" RSA key can be used and the signatures are normal RSA sigs
15:40 < TD> which is exactly what we need, especially on android
15:40 < TD> super
15:41 < HM> hmm the SRP protocol uses the hash of 2 publicly exchanged parameters in the arithmetic
15:41 < HM> I don't understand why
15:43 < TD> SRP?
15:45 < HM> Secure remote password protocol
15:46 < HM> it's a password based mutual authentication scheme
22:32 < nanotube> gmaxwell: i totally am. :)
23:43 < midnightmagic> ... it does exist.
--- Log closed Mon Mar 04 00:00:39 2013