--- Log opened Sat Nov 09 00:00:49 2013
04:09 < adam3us> gmaxwell:  miner can instead try to find p' that satisfies [H(p')+H(p'||2)]*G =? Q'
04:11 < gmaxwell> 01:08 < adam3us> gmaxwell: but i think x=H(p), Q=xG, b=H(p||2), Q'=xG+bG=(x+b)G, Q itself is grindable and you give Q to the kdf miner
04:12 < gmaxwell> I'm suggesting that the private key is x+b+z
04:13 < gmaxwell> and z is the index found by starting with xG and incrementing until you reach the first distinguished point (by some well known scheme).
04:13 < adam3us> gmaxwell: yes sorry that was incorrectly written
04:14 < gmaxwell> yea, it's not (statistical) zero knowledge.
04:15 < adam3us> gmaxwell: x=H(p), Q=xG, b=H(p||2), Q'=xG+bG=(x+b)G kdf miner finds Q'+zG/2^k?=0 tells user z
04:16 < adam3us> gmaxwell: seems similar to https://bitcointalk.org/index.php?topic=311000.msg3402287#msg3402287
04:16 < gmaxwell> yea, the downside is that the kdf miner says screw you and searches for your passphrase instead. :P worse, he doesn't have to solve the hardening to do it.
04:16 < gmaxwell> so a system which was randomly blinded and thus zero knowledge would be better.
04:17 < gmaxwell> e.g. if your passphrase just has 16 bits of entropy, he just searches for a passphrase that gives the right Q' query.
04:17 < adam3us> gmaxwell: that one was one-use: a stretched sig instead of a stretched kdf
04:22  * gmaxwell -> bed
04:23 < adam3us> 'night
08:42 < adam3us> gmaxwell: btw the point of the stretched public key / signature in https://bitcointalk.org/index.php?topic=311000.msg3402287#msg3402287 is that it's offline-wallet compatible; unlike blind/unblind there is no unblind step, so no need for a 3 msg flow (blind, (kdf), unblind, sign), verify; it becomes (sign), kdf/verify. the first signature verify is expensive
--- Log closed Sun Nov 10 00:00:56 2013