00:55:23Guest4999:Guest4999 is now known as qwertyoruiop
01:44:16ghtdak:ghtdak has left #bitcoin-wizards
03:07:59jcorgan:jcorgan is now known as jcorgan_
03:08:16jcorgan_:jcorgan_ is now known as jcorgan
04:41:00c0rw|sleep:c0rw|sleep is now known as c0rw1n
05:06:55phantomcircuit:petertodd, http://pastebin.com/raw.php?i=UBUaRb7t
05:07:05phantomcircuit:there's a dependency bug in the makefile somewhere
05:16:45freewil:freewil has left #bitcoin-wizards
16:29:36maaku:andytoshi gmaxwell: was there consensus about a good way to do blind signing over ECDSA?
16:57:06andytoshi:maaku: iirc nope. there is a way using homomorphic encryption (not fully homomorphic necessarily so you can use reasonably established crypto) but it's ugly
16:57:51andytoshi:oleganza's scheme tied the nonce to the keypair so you could only sign a single message per keypair
16:58:13andytoshi:so the 'signer' would be using a random key that he didn't know, though the blinder did
16:59:23andytoshi:oh, but there is a paper that i don't remember the name of which can do blind ECDSA interactively
17:00:18andytoshi:so unless gmaxwell remembers something i've forgotten, your choices are: introduce a homo. encryption scheme, use interaction, or deal with the oleganza restrictions :)
17:02:14maaku:all not acceptable for the application I'm considering (coinjoin)
17:02:25roconnor__:roconnor__ is now known as roconnor
17:03:50andytoshi:i know you want ECDSA because people are already using that, they have verification code, etc., but personally i think you should just bite the bullet here and use schnorr
17:04:16maaku:yeah probably
17:04:35maaku:if i'm introducing a new primitive, should it generalize to brands credentials?
17:05:51andytoshi:tbh i haven't yet read the brands paper, i bet adam3us has an opinion here
17:13:07andytoshi:is there an implementation of brands credentials? there isn't an implementation of blind schnorr i'm aware of but there are implementations of non-blind schnorr (well, eddsa is basically schnorr) and it's not hard at all to modify it to be blind
17:13:59andytoshi:in fact if you don't think about side channels it is dead simple to implement blind schnorr from whole cloth (you need a hash function and an EC math lib). idk if the same holds for brands stuff
17:14:19maaku:yeah by adam back : http://www.cypherspace.org/credlib/
17:15:36andytoshi:oh nice
17:15:36maaku:but i'm not sure his credlib does the regular old blind signing mode out of the box
17:21:43maaku:yeah i should talk to adam about this
17:22:55andytoshi:for sure. i suspect whatever you decide on could become a de facto standard for wizards projects, so bear that in mind..