00:55:23 | Guest4999: | Guest4999 is now known as qwertyoruiop |
01:44:16 | ghtdak: | ghtdak has left #bitcoin-wizards |
03:07:59 | jcorgan: | jcorgan is now known as jcorgan_ |
03:08:16 | jcorgan_: | jcorgan_ is now known as jcorgan |
04:41:00 | c0rw|sleep: | c0rw|sleep is now known as c0rw1n |
05:06:55 | phantomcircuit: | petertodd, http://pastebin.com/raw.php?i=UBUaRb7t |
05:07:05 | phantomcircuit: | there's a dependency bug in the makefile somewhere |
05:16:45 | freewil: | freewil has left #bitcoin-wizards |
16:29:36 | maaku: | andytoshi gmaxwell: was there consensus about a good way to do blind signing over ECDSA? |
16:57:06 | andytoshi: | maaku: iirc nope. there is a way using homomorphic encryption (not fully homomorphic necessarily so you can use reasonably established crypto) but it's ugly |
16:57:51 | andytoshi: | oleganza's scheme tied the nonce to the keypair so you could only sign a single message per keypair |
16:58:13 | andytoshi: | so the 'signer' would be using a random key that he didn't know, though the blinder did |
16:59:23 | andytoshi: | oh, but there is a paper that i don't remember the name of which can do blind ECDSA interactively |
17:00:18 | andytoshi: | so unless gmaxwell remembers something i've forgotten, your choices are: introduce a homo. encryption scheme, use interaction, or deal with the oleganza restrictions :) |
17:02:14 | maaku: | all not acceptable for the application I'm considering (coinjoin) |
17:02:25 | roconnor__: | roconnor__ is now known as roconnor |
17:03:50 | andytoshi: | i know you want ECDSA because people are already using that, they have verification code, etc., but personally i think you should just bite the bullet here and use schnorr |
17:04:16 | maaku: | yeah probably |
17:04:35 | maaku: | if i'm introducing a new primitive, should it generalize to brands credentials? |
17:05:51 | andytoshi: | tbh i haven't yet read the brands paper, i bet adam3us has an opinion here |
17:13:07 | andytoshi: | is there an implementation of brands credentials? there isn't an implementation of blind schnorr i'm aware of but there are implementations of non-blind schnorr (well, eddsa is basically schnorr) and it's not hard at all to modify it to be blind |
17:13:59 | andytoshi: | in fact if you don't think about side channels it is dead simple to implement blind schnorr from whole cloth (you need a hash function and an EC math lib). idk if the same holds for brands stuff |
17:14:19 | maaku: | yeah by adam back : http://www.cypherspace.org/credlib/ |
17:15:36 | andytoshi: | oh nice |
17:15:36 | maaku: | but i'm not sure his credlib does the regular old blind signing mode out of the box |
17:21:43 | maaku: | yeah i should talk to adam about this |
17:22:55 | andytoshi: | for sure. i suspect whatever you decide on could become a de facto standard for wizards projects, so bear that in mind.. |