1 2016-05-28 01:47:14 <random-man> hello
2 2016-05-28 05:08:04 <Guest45280> Which release of openssl works with bitcoin .12?
3 2016-05-28 18:25:46 <bedeho> is there a minimum length to DER encoded signature ?
4 2016-05-28 18:33:45 <waxwing> it might not be feasible to work out the minimum length of a valid signature; but i think something like 3006020101020101 would be a valid *encoding*. Not at all sure though.
5 2016-05-28 18:40:31 <bedeho> waxwing, so is 0 length potentially a valid signature then?
6 2016-05-28 18:40:43 <waxwing> bedeho: neither r nor s can be valid for ECDSA
7 2016-05-28 18:40:51 <waxwing> sorry can be *zero* for valid ECDSA
8 2016-05-28 18:41:35 <waxwing> i can't remember offhand if r= 1 (ie K.x = 1) is a valid point on the curve.
9 2016-05-28 18:41:49 <bedeho> I see, weird that upper bound is known to be 73 bytes, yet lower bound is unknown, yet 0 not possible
10 2016-05-28 18:42:27 <waxwing> well it's just that s is a solution to an equation for a valid k (nonce) -> r.
11 2016-05-28 18:43:19 <waxwing> For example there was some discussion about the weird properties of the point G (G /2 is remarkably short). to do with how the generator was set up. quite fascinating stuff actually. seems to lead to the possibility of a very unusually short sig.
12 2016-05-28 18:44:50 <waxwing> of course usually having r or s much less than 32 bytes is going to be extremely rare.
13 2016-05-28 18:46:30 <bedeho> I see, thanks, really appreciate it
14 2016-05-28 18:51:47 <luke-jr> waxwing: at least 8 bytes, though, right?
15 2016-05-28 18:52:19 <waxwing> luke-jr: the toy example above ^ is 8. kinda stupid though :)
16 2016-05-28 18:52:28 <waxwing> if you meant the DER encoding
17 2016-05-28 18:52:54 <luke-jr> right
18 2016-05-28 18:57:12 <waxwing> i guess the right way to look at it is, you can easily find a one-byte r, but since no one has the corresponding k (ECDLP hardness), you cannot find a corresponding s, even though the private key and the sighash are free variables. i think. a bit confusing.
19 2016-05-28 19:01:51 <luke-jr> waxwing: so we can't know the length of the minimum *valid* signature, but presumably we can at least know some minimum length that could be an *encoded* (valid or not) signature..
20 2016-05-28 19:03:17 <waxwing> luke-jr: yeah i agree, like i said above something like that 8 byte string should be valid.
21 2016-05-28 19:03:42 <waxwing> plus i've looked again and now i think it is valid, in the sense that you can recover a pubkey from it for some arbitrary z(sighash). I think.
22 2016-05-28 19:04:35 <waxwing> like if notation is s=k^-1(z+rd), then you can recover with r^-1(sk-z)G = dG = pubkey (ignoring the fiddling around with two possibilities)
23 2016-05-28 19:05:15 <waxwing> which is weird because if r=1 and s=1 then r^-1 = 1 so you get something like K -zG = pubkey.
24 2016-05-28 19:25:21 <Lauda> https://arxiv.org/pdf/1605.07524v1.pdf
25 2016-05-28 19:25:24 <Lauda> Any thoughts on this?
26 2016-05-28 20:24:15 <luke-jr> Lauda: thought -> PDF -> potential malware -> not wise to open
27 2016-05-28 20:24:41 <Lauda> luke-jr it is on Cornell Uni library
28 2016-05-28 20:24:48 <Lauda> Hopefully not malware
29 2016-05-28 20:28:26 <Lauda> Non-pdf link: https://arxiv.org/abs/1605.07524
30 2016-05-28 21:29:29 <arubi> waxwing, very interesting. http://paste.debian.net/plainh/dbe8492b
31 2016-05-28 21:31:14 <waxwing> arubi: right, so i guess you went message -> z and K - zG -> pubkey -> address right
32 2016-05-28 21:31:31 <waxwing> where K is the point with K.x = 1 or 2 or whatever
33 2016-05-28 21:31:37 <waxwing> i forget which one is on the curve
34 2016-05-28 21:31:45 <arubi> yep. never tried to match a very short sig. k_x = 1 right
35 2016-05-28 21:31:45 <waxwing> oh, must be 1, it's there
36 2016-05-28 21:32:18 <waxwing> i remember i spent hours trying to figure out why i was wrong that a point with x=1 exists, because sipa said somewhere on the internet that it didn't exist. but he made a mistake :)
37 2016-05-28 21:32:40 <waxwing> so anyhoo, yeah that will have length 8 bytes in DER, but no one would have the private key
38 2016-05-28 21:33:53 <arubi> hehe :), right, you'd have to actually verify against a pubkey of (1,...) to prove that you know the DL for (1,..)
39 2016-05-28 21:34:54 <arubi> also do you have a source for the discussion about the generator? I'm very interested in reading it
40 2016-05-28 21:37:48 <waxwing> arubi: gmaxwell talked about it in -wizards.
41 2016-05-28 21:37:59 <waxwing> look at 2^-1 *G
42 2016-05-28 21:38:12 <arubi> ah thanks. I'll search.
43 2016-05-28 21:38:13 <waxwing> 00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63
44 2016-05-28 21:38:52 <arubi> got it. cool
45 2016-05-28 21:39:06 <waxwing> 21 bytes, it's the hash of something. that's how they made the generator.
46 2016-05-28 21:39:14 <waxwing> iirc nobody actually knows what they hashed :)
47 2016-05-28 21:39:23 <waxwing> well, say a 20 byte hash + 1 for some reason
48 2016-05-28 21:40:10 <arubi> great, more mysteries to keep me busy aside from borromean.pdf :)