roconnor-blockstream

Results 123 comments of roconnor-blockstream

> And if you know the master private key, what use is knowing which codex32 set corresponds to it?

I was imagining the scenario: Hey I found these shares in...

> residue = 0x23181b3

Be aware that in the Codex32 spec, we precomputed the hrp and folded it into that constant. If you are going to compute the hrp yourself...

But yes, the constants in the syndrome need to be replaced with codex32 specific constants by someone who knows what the constants mean and how to compute them.

Certainly the idealization of drawing balls from an urn is the prototypical way of defining a uniform distribution. Still, balls in practice will not be equal weight/density, and there will...

The reason we believe that SHA-256 has the rpsp property is because it follows from the assumption that the SHA-256 compression function is collision resistant. But that assumption that the...

I claim that the ability to find identical-prefix collisions in SHA1 outright breaks the rpsp property of SHA1 (not to mention the chosen-prefix collisions which are only 4x more expensive)....

If I understand, you are saying it is free to break Schnorr-with-SHA1 because you can just download SHA1 collisions off the internet (not sure why you say a few minutes...

What is not to love is that, and perhaps I'm speaking of that which I do not know, signing hardware might appreciate the fact that the act of signing is...

@LLFourn Pieter informed me that I misunderstood the rpsp, and that one message must be chosen prior to the prefix. So my claims about SHA1's identical-prefix attack implying the rpsp...

I brought this up in private conversation, but I figured I should post this scenario publicly. We could imagine an HSM design divided into two layers, where the inner layer...