Transcript for #bitcoin-dev 2017/12/29

04:53 DSidH arubi: a quick question about ECC. Can I throw an error when point at infinity is encountered?
04:53 DSidH are there any situations where computing point at infinity is legit in bitcoin?
04:56 eck no
04:56 eck certain pk values are disallowed
04:57 eck e.g. 0
05:02 DSidH eck what about verifying signatures? will we ever encounter it then?
05:03 eck you can create a tx that sends coins to an invalid address, in which case the coins either become anyone-can-spend or no-one-can-spend depending on the exact situation
05:07 eck i believe though (someone correct me if i am wrong) that signature verification just requires add/multiply operations, so there are no pathological values from that pov
05:09 eck and modulus, i guess
05:10 eck
05:12 rmt FTR, answers my question above.
05:14 eck here's where this could come up though, as you can see from the wikipedia article, in a normal ECDSA signature you do a sanity check of the public key, e.g. check that it is within the expected range
05:15 eck most transactions in the bitcoin network are P2PKH, meaning that the tx script contains the hash of the public key rather than the full public key itself
05:15 eck therefore other nodes can't properly validate the public key used, since they only know the hash, not the full public key
05:15 eck so you could create an invalid public key, and then if you used it in a P2PKH transaction it would be "unspendable"
05:16 eck more technically, from a mathematical pov there is likely some valid public key that has the same hash (as the hash is only 160 bits, vs 256 for the full key), but in practice it becomes unspendable since no one knows what that valid key is
05:19 DSidH eck Invalid keys can be handled. I am more worried about legit keys because sig validation requires aX + bY for two good points X and Y
05:19 DSidH if aA = -bY this could lead to point at infinity
05:20 DSidH (aX = -bY)
05:21 DSidH and attacker could construct other values that cause this
05:21 eck example?
05:21 DSidH not sure, just a worry
05:21 eck i don't think that would lead to a point at infinity
05:22 eck that would lead to a point at zero which is not allowed anyway
05:23 DSidH how does core handle this?
05:23 eck i can't tell you off hand but my assumption is it would be unspendable for the reason i just gave
05:24 DSidH yup that's cool as long as I am following the same rules
05:26 DSidH I wanted to keep (0, 0) as a special case for point at infinity as others have done but that feels hacky
05:26 DSidH tacky*
05:27 eck well the issue is if you used 0 as your private key, the multiplication privkey * G would trivially be zero also
05:27 eck which is why 0 is disallowed
05:28 eck i don't know how this works with ancient p2pk txs though
05:29 DSidH eck for instance in key recovery we need to test that nR is point at infinity; currently I am doing it via exception. This is the only case I have encountered it
05:30 DSidH btw ignore the actual notation as I don't remember the formula but we need to test that aX is infinite for some a, X
05:31 eck if you're using libsecp256k1 it should handle the edge cases for you, if you have your own implementation i would suggest trying to port the libsecp256k1 tests to your implementation
05:36 DSidH Has anyone looked at this? (complete formula for ECC addition without exceptions)
06:40 blyat_ Is there any documentation for the debug categories?
07:23 arubi DSidH, I'm actually not sure what's the safe and correct way to handle that. I'm returning "not a point" for both non points and the point at infinity, but it only means "error" depending on what the program is doing. for example in signature validation \ pubkey recovery, the r value is allowed to be an invalid x coordinate in some cases, like in the rec_r_big file I posted on gist. the sec1-v2 doc says when you should be failing and when
07:23 arubi to try again with different values
07:57 arubi but yea since I can just feed you signatures where ( s = z/k ), there should be a safe way to handle that.. I'm failing with "Runtime error (func=invmod, adr=37): Divide by zero" which is not very nice :)
08:07 xiedeacc what's CCoinsViewDB::GetHeadBlocks for? I have googled a lot, there exists little information
08:19 xiedeacc what's CCoinsViewDB::GetHeadBlocks for? I have googled a lot, there exists little information
09:26 DSidH EXIT
11:20 firemanxbr inb
15:25 camarads hey guys. can anybody tell me when the new bitcoin core will be available? i have been waiting for the change address to be segwit also
15:55 molz camarads, when it's ready
15:55 molz i'm waiting for v0.16.0 too, that's the version that has native segwit in the wallet
15:57 camarads it would be perfect for the rpc api to have that option
15:57 camarads when i use sendtoaddress , the change address to be segwit
19:14 qwertzlcoatl yo my bitcoin core app keeps crashing when i try to load it? it verifies blocks then says "loading finished" but then it just crashes? anyone ?
19:21 molz qwertzlcoatl, which version and which OS?
19:21 qwertzlcoatl hold up this time it worked
23:13 G0pn1k o/
23:13 G0pn1k hi all
23:15 Randolf Hello G0pn1k.
23:18 G0pn1k i was wondering if someone could maybe point me in the right direction, i might be being an idiot but i'm trying to query core to see basically if an address has ever received funds
23:19 G0pn1k i figured i would have to do something like txindex=1 and build a db of public keys that have ever existed in a transaction maybe? but im not too sure
23:20 echeveria you don't need txindex for that, but you'll be doing something external.
23:20 G0pn1k i want to avoid any apis and such, maybe i should have said
23:20 G0pn1k unless i understand external wrong
23:20 echeveria take a look at something like bitcoin-iterate.
23:22 G0pn1k ah ok, so iterate over each hash and look at the from and to?
23:23 echeveria it's the name of a tool. there's no 'from' in bitcoin.
23:24 G0pn1k sorry, still trying to get my head around a lot of it
23:25 G0pn1k i thought if i iterate each transaction that is output from that script i could look at the resultant address and build a db from them all