06:05:11nsh_:nsh_ is now known as nsh
06:50:24gmaxwell:Oh The 4764 showed up... weee!
07:42:14sipa:the 4764?
08:04:36Emcy:wasnt that a tv show
15:05:25nsh_:nsh_ is now known as nsh
16:26:22jgarzik:jgarzik is now known as home_jg
19:29:14shinybro__:shinybro__ is now known as shinybro_
19:53:43diesel_:diesel_ is now known as Dizzle
20:55:07warren:https://bitcointalk.org/index.php?topic=581411.0 more bad random numbers
20:56:15hearn:bitcoinj uses deterministic ecdsa in git master
20:56:33hearn:this sort of thing happens way too often :(
20:56:42nsh_:when are we likely to have blind/deterministic signing? ever?
20:56:58hearn:deterministic ecdsa _is_ deterministic signing.
20:57:15hearn:that said, the usual root cause is bad RNGs, and if you have a bad RNG the keys can still be breakable even if the signatures aren’t
20:57:22hearn:so i’m not sure how much it really helps
20:57:58sipa:hearn: for generating your deterministic wallet seed, you can afford to spend a lot more effort in gathering randomness etc
20:57:59nsh_:but you can't fix everyone's RNGs, whereas you can steel-cap their boots a bit
20:58:14hearn:that’s true
20:58:17phantomcircuit:warren, lol, cant say i feel bad for people using bc.i and counterparty
20:58:19sipa:after which, assuming no ECDSA and SHA256 breaks, deterministic signatures are safe
20:58:23phantomcircuit:talk about playing with fire
20:58:36hearn:i was thinking on mobile phones you could ask the user to take a photo and then just hash the pixels and mix it into the rng entropy
20:58:44hearn:though … again …. if your rng is bad …. that might just do nothing :)
20:59:03sipa:it can't hurt (except false sense of security)
20:59:19tacotime:Counterparty made a formal statement about it
20:59:22gmaxwell:can also contribute to paranoia.
20:59:49tacotime:unfortunately the second major security flaw to be exploited, but at least it wasn't in the protocol this time.
21:00:01sipa:"take a picture of your face, your fingerprints, your house, the street sign and your bank records"
21:00:14nsh_:(there's probably better/more-reliable hardware entropy in a phone than the camera, depending on what you can garner from the radio circuits)
21:00:18gmaxwell:tacotime: what was the bitcoin-js bug? was it the wrapping the rng code in a try block and doing nothing useful if it failed? If so I've complained about that many times. :(
21:00:53nsh_:nsh_ is now known as nsh
21:00:54tacotime:gmaxwell, I think that was it, apparently the vulnerability for counterwallet was well known in some circles for weeks now.
21:00:56gmaxwell:nsh_: The camera is probably the best accessible thing, though you may have fun like the OS keeping a copy of the picture.
21:01:41sipa:"please sing your national hymn into the microphone"
21:01:46nsh:* nsh smiles
21:02:02hearn:root cause of the failure - lack of type safety in javascript
21:02:54hearn:writing wallet code in java scares me because the type system is so weak. doing it in js would make me want to cry
21:02:57tacotime:ah, thanks hearn
21:03:12phantomcircuit:hearn, the Java type system is weak?
21:03:50gmaxwell:phantomcircuit: yes, it's overly helpful.
21:04:02hearn:nsh: yes sure. but remember the android screwup. the system random source … wasn’t. hashing camera pixels and mixing them in via sha256(pixels||system entropy) is robust
21:04:06phantomcircuit:gmaxwell, example?
21:04:08sipa:phantomcircuit: ever used haskell? :p
21:04:16hearn:phantomcircuit: it’s nowhere near as strong as i’d like.
21:04:24nsh:* nsh nods
21:04:31phantomcircuit:sipa, explicit conversion everywhere...
21:04:34hearn:there are things like Checker Framework that can help a lot, using annotations magic.
21:04:48hearn:and of course modern JVM languages tend to have much better type systems. but i can’t use those :(
21:04:52gmaxwell:Interesting to see that this was actually something using a determinstic nonce, and their use of the hashfunction was undermined by high level abstractions that didn't do what they thought they did.
21:04:59hearn:stupid android still being on java 6
21:07:41hearn:phantomcircuit: e.g. it’s hard to define custom numeric types. no operator overloading, autoboxing is custom magic, etc. it’s hard to enforce immutability without insanely ugly patterns
21:07:47gmaxwell:Also, this might be an example of the importance of using a specified actually determinstic DSA: it would have been caught by unit tests that checked that the signature for a given private key and message was precisely what it was expected to be. But wouldn't have been caught with rests expecting a signer that used H(private||message||entropy).
21:08:03hearn:no real notion of constness
21:08:34hearn:no compiler enforced purity. just lots of things where it’s lacking.
21:10:03phantomcircuit:gmaxwell, H(H(private||message)||entropy) and have the unit tests be for H(private||message)
21:10:22phantomcircuit:that wont catch entropy being static though
21:10:56gmaxwell:phantomcircuit: I'm not following you. How do you catch that the K is a constant when you can't test for K because its unpredictable?
21:11:56sipa:you can have unit tests that pass the entropy explicitly
21:12:00sipa:but that is a different issue
21:12:04phantomcircuit:gmaxwell, this would at least catch the hash function being broken but i guess it would be easier to just do H(k)
21:12:21gmaxwell:You can, but say E.g. say that the code that is supposted to compute G*K instead computes G*constant (because some crazy library changed and now casting any H() output to an integer yields 1)?
21:13:09gmaxwell:vs a fully determinstic signer is a bit easier to test, since you can have a list of private keys, messages, and signatures.. and they just have to match.
21:13:42gmaxwell:I suppose as sipa notes you could break out the entropy input and have the tests and that would be equally good.
21:14:14gmaxwell:private key, message, entropy, signature... and its still secure if the entropy is bad due to the structure.
21:16:41phantomcircuit:gmaxwell, that's what i was trying to get at but yeah just using static entropy values would probably work better
22:55:54gavinandresen_:gavinandresen_ is now known as gavinandresen
22:55:56Dizzle:Dizzle is now known as Guest93781
22:59:49nsh:what might this mean? "Found an address which has had a lot of blocks mined into it, and its been flagged for double spending." (blockchain.info) https://blockchain.info/address/1ALA5v7h49QT7WYLcRsxcXqXUqEqaWmkvw
23:01:09Luke-Jr:nsh: it means blockchain.info is stupid as usual?
23:01:18nsh:sounds plausible
23:01:24Luke-Jr:for me it says: 警告!此比特币地址的交易中可能存在多重支付。凡与此地址进行任何付款或收款操作时,都要保持高度警惕。
23:01:33Luke-Jr:* Luke-Jr kicks blockchain.info for forcing him into Japanese
23:01:41sipa:also, offtopic
23:02:46nsh:someone thought it might be related to the Finney attacks discussed on the list recently, is why i asked. but i guess it's not
23:03:06gmaxwell:just addressing the technical thing; I think orphaned coinbases may trigger that warning.