Results 1 ... 59 found in all logged channels for 'secp256k1'
(asciilifeform) dulapbot: Logged on 2022-10-20 00:26:03 mats: https://asecuritysite.com/ecdsa/ecd6 "ECDSA: Revealing the private key, from two keys and shared nonces (with SECP256k1)"
(asciilifeform) mats: https://asecuritysite.com/ecdsa/ecd6 "ECDSA: Revealing the private key, from two keys and shared nonces (with SECP256k1)"
(asciilifeform) punkman: "Experimentally, we found that for a 256-bit n, our case of interest for secp256k1, we were able to recover the private key from two signatures with 128-bit nonces by reducing a 3-dimensional lattice with 75% probability, from threesignatures with 170-bit nonces with a 4-dimensional lattice with 95% probability,from 4 samples with 190-bit nonces
(alethepedia) snsabot: Logged on 2021-06-09 12:02:50 asciilifeform: billymg: was discussed on numerous occasions. asciilifeform wasn't eager to crib src from known nsa stooges; mp didn't push the issue (nfi precisely why, but prolly same reason) ; nobody else admitted to giving a rat's arse re: subj.
(alethepedia) asciilifeform: billymg: was discussed on numerous occasions. asciilifeform wasn't eager to crib src from known nsa stooges; mp didn't push the issue (nfi precisely why, but prolly same reason) ; nobody else admitted to giving a rat's arse re: subj.
(asciilifeform) shinohai: Yeah best i can tell is they replaced with libsecp256k1 which is equal ball of yarn
(asciilifeform) asciilifeform: shinohai: he has a (apparently complete, tho i did not test) secp256k1 engine in there. tho to use in 'peh' i'ma need to make physical bounds analysis for it.
(trilema) Framedragger: ...and all this is exposed to ecdsa and the particular parameters (secp256k1) not breaking... ouch.
(trilema) thestringpuller: libsecp256k1 is even worse from what little glances of it
(trilema) adlai: http://btcbase.org/log/2016-12-24#1590194 << i don't think crap-rsa ever leaked, although i did publish crap-secp256k1 for deed validation
(trilema) thestringpuller: like libsecp256k1 or whatever crap those power rangers created
(trilema) adlai: (much/all of satoshi's stash is p2pk, not p2pkh, so a secp256k1 compromise will make those pennies ripe for taking)
(trilema) asciilifeform: i can picture black 'sectera' phone ringing on hitler's desk, 'ft meade, we need moar time, secp256k1 is still standing' 'lose the other division, or LOSE YERSELF!1211111'
(trilema) thestringpuller: if they rip out OpenSSL for libsecp256k1 won't this cause undeterministic behavior in signature checking? Or does the "comooniteee" just want to not check signatures anymore?
(trilema) mircea_popescu: libsecp256k1
(trilema) asciilifeform: #6210 0e4f2a0 build: disable optional use of gmp in internal secp256k1 build << what's it use instead of gmp ?!!??
(trilema) asciilifeform: #6954 e54ebbf Switch to libsecp256k1-based ECDSA validation << as mentioned earlier by BingoBoingo ?
(trilema) assbot: secp256k1/secp256k1.c at master · bitcoin/secp256k1 · GitHub ... ( http://bit.ly/1O04r7L )
(trilema) asciilifeform: https://github.com/bitcoin/secp256k1/blob/master/src/secp256k1.c#L314 << lulzy
(trilema) mircea_popescu wants serious review of the secp256k1 thing.
(trilema) punkman: asciilifeform: there's also https://github.com/bitcoin/secp256k1 :trollface:
(trilema) assbot: Switch to libsecp256k1-based ECDSA validation by sipa · Pull Request #6954 · bitcoin/bitcoin · GitHub ... ( http://bit.ly/1kZymlj )
(trilema) assbot: bip0032sbcl/secp256k1.lisp at master · adlai/bip0032sbcl · GitHub ... ( http://bit.ly/1JgiGPk )
(trilema) Adlai only [re]wrote secp256k1.lisp
(trilema) Adlai wrote his own secp256k1 group operations, isn't all the rest supposed to write itself?
(trilema) Adlai: fwiw, i'm using https://github.com/adlai/cjhunt/blob/master/src/hunt.lisp#L13 much more than secp256k1.lisp
(trilema) Adlai rewrote secp256k1.lisp, but ecdsa invovles more than a mere ec group api
(trilema) phf: Adlai: does that secp256k1 implementation you have in your github works?
(trilema) decimation: yeah it seems like we are stuck with secp256k1 anyway
(trilema) decimation: ah I was searching for "secp256k1"
(trilema) assbot: 4 results for 'libsecp256k1 from:mircea' : http://s.b-a.link/?q=libsecp256k1+from%3Amircea
(trilema) mircea_popescu: !s libsecp256k1 from:mircea
(trilema) decimation: asciilifeform: of mild interest from last night, apparently 'sipa' (Pieter Wuille) wrote a secp256k1 replacement library, apparently in attempt to ditch openssl https://github.com/bitcoin/secp256k1
(trilema) midnightmagic: or, do what sipa did and write a secp256k1 lib because the openssl people don't give a shit they're wrecking dependencies.
(trilema) assbot: build: disable optional use of gmp in internal secp256k1 build · bitcoin/bitcoin@dfdb6dd · GitHub ... ( http://bit.ly/1HcgJqD )
(trilema) Adlai: re: montgomery ladder, you can implement constant-time secp256k1, but it's a pita
(trilema) assbot: Logged on 24-03-2015 14:55:51; fluffypony: DJB believes secp256k1 is broken
(trilema) assbot: Logged on 24-03-2015 14:55:51; fluffypony: DJB believes secp256k1 is broken
(trilema) fluffypony: DJB believes secp256k1 is broken
(trilema) assbot: On why 0.10's release notes say "we have reason to believe that libsecp256k1 is better tested and more thoroughly reviewed than the implementation in OpenSSL" : Bitcoin ... ( http://bit.ly/1xEmxjb )
(trilema) mircea_popescu: opinion that migrating Bitcoin Core to libsecp256k1 in the near future
(trilema) mircea_popescu: "While I have often cautioned people before to avoid using libsecp256k1
(trilema) assbot: secp256k1/secp256k1.h at master · bitcoin/secp256k1 · GitHub ... ( http://bit.ly/1zZ94UK )
(trilema) mircea_popescu: did blockstream actually publish the libsecp256k1 ?
(trilema) assbot: nullc comments on On why 0.10's release notes say "we have reason to believe that libsecp256k1 is better tested and more thoroughly reviewed than the implementation in OpenSSL" ... ( http://bit.ly/1AzJuem )
(trilema) assbot: On why 0.10's release notes say "we have reason to believe that libsecp256k1 is better tested and more thoroughly reviewed than the implementation in OpenSSL" : Bitcoin ... ( http://bit.ly/1BThrna )
(trilema) mircea_popescu: asciilifeform atm im trying to discern whether the recent "secp256k1" talk is simply the defeated nsa trying to find a better reason to fork bitcoin, or these derps actualy have something.
(trilema) asciilifeform: ecdsa curves, 'nothing up my sleeve' constants << think back to the legend with the 'randomly wired' neural net. if secp256k1 (or, another example, aes s-boxes) have sufficiently broad classes of 'weak key' - then all you need to do is find a simple, e.g., sqrt(2), whatever, 'sleeve constant' that impresses the fools.
(trilema) punkman: decimation: I guess my question above (rephrased) is this: does the secp256k1 algorithm allow for any arbitrary 256 bit vector to be used as a key? Or is there a restricted set that will be more secure than other cases? <- exponent must be smaller than curve order, which is 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
(trilema) decimation: using the secp256k1 parameters
(trilema) decimation: I guess my question above (rephrased) is this: does the secp256k1 algorithm allow for any arbitrary 256 bit vector to be used as a key? Or is there a restricted set that will be more secure than other cases?
(trilema) mircea_popescu: <pete_dushenski> "And then divide by
uh, I think 5, because Pieters libsecp256k1 code is 5 times as fast as OpenSSL << honestly, at this point i'd want everyone to give a good look to libsecp256k1
(trilema) pete_dushenski: "And then divide by… uh, I think 5, because Pieter’s libsecp256k1 code is 5 times as fast as OpenSSL." << love this line by gavin.
(trilema) assbot: Unique Ring Signatures using secp256k1 keys