--- Log opened Mon Aug 08 00:00:19 2016
00:03 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]
00:09 -!- BashCo [~BashCo@unaffiliated/bashco] has joined #bitcoin-wizards
00:23 -!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]
00:23 -!- da2ce7_mobile [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]
00:28 -!- laurentmt [~Thunderbi@80.215.138.34] has joined #bitcoin-wizards
00:31 -!- da2ce7_mobile [~da2ce7@opentransactions/dev/da2ce7] has joined #bitcoin-wizards
00:33 -!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has joined #bitcoin-wizards
00:34 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
00:35 -!- JackH [~Jack@79-73-188-45.dynamic.dsl.as9105.com] has joined #bitcoin-wizards
00:38 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 265 seconds]
00:41 -!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards
00:42 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
00:47 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 258 seconds]
00:50 -!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 250 seconds]
00:50 -!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards
00:54 -!- da2ce7_mobile [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]
00:56 -!- FNinTak [~jonhbit@tsarviajado.media.mit.edu] has quit [Quit: Leaving]
00:57 -!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 258 seconds]
00:57 -!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards
00:59 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
01:04 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]
01:05 -!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]
01:14 -!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has joined #bitcoin-wizards
01:17 -!- arowser [~quassel@106.120.101.38] has quit [Quit: No Ping reply in 180 seconds.]
01:18 -!- arowser [~quassel@106.120.101.38] has joined #bitcoin-wizards
01:33 -!- pro [~pro@unaffiliated/pro] has joined #bitcoin-wizards
01:53 -!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 258 seconds]
01:57 -!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards
02:08 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 276 seconds]
02:18 -!- Giszmo [~leo@ip5f5ac08d.dynamic.kabel-deutschland.de] has joined #bitcoin-wizards
02:22 -!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Quit: :)]
02:28 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has quit [Excess Flood]
02:29 -!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has joined #bitcoin-wizards
02:42 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
02:42 -!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards
02:46 -!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has joined #bitcoin-wizards
02:46 -!- toktok [~tim@37.139.12.32] has joined #bitcoin-wizards
03:01 -!- Jaamg [jhpiloma@brute.org.aalto.fi] has quit [Remote host closed the connection]
03:01 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
03:06 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]
03:14 -!- aalex [~aalex@64.187.177.58] has quit [Ping timeout: 244 seconds]
03:15 -!- aalex [~aalex@64.187.177.58] has joined #bitcoin-wizards
03:20 -!- edvorg [~edvorg@14.169.57.10] has joined #bitcoin-wizards
03:24 < Taek> One-time costs can sort of be reasoned about as the ultimate extension of the hardware vs operation cost structure
03:25 < Taek> Quantum hashing for example poses a risk, because if one company puts down (in stealth mode) hundreds of millions in R&D over the course of like 5 years, and then they release an ASIC, they've got a full monopoly on hashing until some other group can slug through the same up-front cost
03:25 < Taek> and the first-to-market will have that X years of dominant income that nobody else will ever have, their amortization will perpetually be ahead
03:26 -!- toktok [~tim@37.139.12.32] has quit [Quit: leaving]
03:26 < Taek> granted, I think it's pretty safe to say that if someone like BitFury were to announce a monopoly-grade ASIC, Bitcoin would threaten with a hardfork, and follow through if the tech was not made accessible to everyone
03:36 -!- rubensayshi [~ruben@82.201.93.169] has joined #bitcoin-wizards
03:41 -!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards
04:01 -!- thesnark [~mike@unaffiliated/thesnark] has joined #bitcoin-wizards
04:02 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
04:02 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 264 seconds]
04:06 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]
04:16 -!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has joined #bitcoin-wizards
04:26 -!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has quit [Remote host closed the connection]
04:40 -!- chjj [~chjj@unaffiliated/chjj] has quit [Ping timeout: 244 seconds]
04:41 -!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 276 seconds]
04:54 -!- stonecoldpat [~a9380004@janus-nat-128-240-225-56.ncl.ac.uk] has quit [Read error: Connection reset by peer]
04:54 -!- chjj [~chjj@unaffiliated/chjj] has joined #bitcoin-wizards
04:57 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
04:59 < waxwing> trying to grok MW, seems like sender will have to send blinding factors and amount, and then receiver can construct and attach kG signature, so it's kind of very weakly interactive? there aren't really round trips are there?
04:59 < waxwing> 0.5 RT?
05:00 -!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has joined #bitcoin-wizards
05:01 < Taek> That's also what I understood. Perhaps not technically interactive, but the receiver does need to be performing some action
05:01 < Taek> receiver could theoretically be offline though: email
05:02 < Taek> I guess there's a kind of bonus. The sender can redact the send if the receiver never collects
05:02 < waxwing> right, it's certainly not nothing, if that's a correct characterisation.
05:02 < Taek> so, you'd never send money to a mis-typed address, because the receiver would never collect
05:02 -!- dEBRUYNE_ [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards
05:04 -!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Ping timeout: 250 seconds]
05:09 -!- malte [Qcpr92R2DN@alkaid.uberspace.de] has quit [Max SendQ exceeded]
05:10 -!- malte [2MBzcfp3WB@alkaid.uberspace.de] has joined #bitcoin-wizards
05:13 -!- edvorg [~edvorg@14.169.57.10] has quit [Remote host closed the connection]
05:16 -!- edvorg [~edvorg@14.169.57.10] has joined #bitcoin-wizards
05:27 -!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has joined #bitcoin-wizards
05:29 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 276 seconds]
05:47 -!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has quit [Remote host closed the connection]
05:47 -!- byteflame [~byteflame@70-89-65-45-little-rock-ar.hfc.comcastbusiness.net] has joined #bitcoin-wizards
05:47 -!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has joined #bitcoin-wizards
05:52 -!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has quit [Ping timeout: 244 seconds]
05:57 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
06:02 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
06:07 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
06:17 -!- laurentmt [~Thunderbi@80.215.138.34] has quit [Ping timeout: 240 seconds]
06:27 -!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has joined #bitcoin-wizards
06:31 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 276 seconds]
06:35 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
06:37 -!- dEBRUYNE_ is now known as dEBRUYNE
06:53 -!- laurentmt [~Thunderbi@80.215.234.129] has joined #bitcoin-wizards
06:57 -!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has joined #bitcoin-wizards
06:57 -!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards
07:01 -!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 250 seconds]
07:23 -!- Tiraspoll is now known as Tiraspollll
07:27 -!- stonecoldpat [~a9380004@janus-nat-128-240-225-56.ncl.ac.uk] has joined #bitcoin-wizards
07:46 -!- MoALTz [~no@78-11-183-124.static.ip.netia.com.pl] has joined #bitcoin-wizards
07:48 -!- Emcy [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards
07:54 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
07:54 -!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has joined #bitcoin-wizards
08:02 -!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has quit [Remote host closed the connection]
08:02 -!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has joined #bitcoin-wizards
08:03 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
08:05 -!- domwoe_ [~domwoe@dhcp-18-189-35-89.dyn.mit.edu] has joined #bitcoin-wizards
08:06 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 276 seconds]
08:07 -!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has quit [Ping timeout: 276 seconds]
08:08 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]
08:11 < kanzure> http://diyhpl.us/wiki/transcripts/mimblewimble-podcast/
08:12 -!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 240 seconds]
08:15 -!- Noldorin [~noldorin@unaffiliated/noldorin] has joined #bitcoin-wizards
08:16 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]
08:18 -!- BashCo [~BashCo@unaffiliated/bashco] has quit [Remote host closed the connection]
08:19 < domwoe_> awesome kanzure!
08:28 -!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has joined #bitcoin-wizards
08:30 -!- Ylbam [uid99779@gateway/web/irccloud.com/x-eoeeyhtxichmgjyj] has joined #bitcoin-wizards
08:30 < bsm117532> Nice, thanks kanzure!
08:30 -!- bildramer [~bildramer@ppp-94-67-116-162.home.otenet.gr] has quit [Ping timeout: 244 seconds]
08:36 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
08:38 -!- BashCo [~BashCo@unaffiliated/bashco] has joined #bitcoin-wizards
08:45 -!- laurentmt [~Thunderbi@80.215.234.129] has quit [Quit: laurentmt]
08:45 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 244 seconds]
08:47 -!- rubensayshi [~ruben@82.201.93.169] has quit [Remote host closed the connection]
08:50 -!- zooko [~user@c-73-217-16-2.hsd1.co.comcast.net] has joined #bitcoin-wizards
08:55 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards
08:58 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
09:02 -!- Sleepnbum [Sleepnbum@72.67.47.196] has joined #bitcoin-wizards
09:13 < kanzure> .title https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-August/012948.html
09:13 < yoleaux> [bitcoin-dev] Hiding entire content of on-chain transactions
09:14 -!- domwoe_ [~domwoe@dhcp-18-189-35-89.dyn.mit.edu] has quit [Remote host closed the connection]
09:15 < kanzure> https://bitcointalk.org/index.php?topic=1574508.0
09:17 < maaku> aka colored coins
09:18 -!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 276 seconds]
09:18 -!- dEBRUYNE_ [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards
09:19 < kanzure> why is this claiming that you can't do OP_RETURN taint analysis?
09:21 -!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Ping timeout: 265 seconds]
09:33 -!- domwoe [~domwoe@dhcp-18-189-27-226.dyn.MIT.EDU] has joined #bitcoin-wizards
09:33 -!- domwoe [~domwoe@dhcp-18-189-27-226.dyn.MIT.EDU] has quit [Client Quit]
09:37 -!- dEBRUYNE_ is now known as dEBRUYNE
09:43 -!- Greybits [~Greybits@unaffiliated/greybits] has quit [Ping timeout: 244 seconds]
09:56 -!- jaekwon [~jaekwon@2601:645:c001:263a:cd83:70eb:992c:718c] has joined #bitcoin-wizards
10:03 -!- N0S4A2 [~weechat@174.127.172.104] has joined #bitcoin-wizards
10:04 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
10:09 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]
10:19 < andytoshi> waxwing: yes, 0.5 RT between sender and receiver
10:25 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
10:27 -!- edvorg [~edvorg@14.169.57.10] has quit [Ping timeout: 244 seconds]
10:27 < waxwing> andytoshi: so your (k+k') trick, i have trouble understanding, is the idea that k' is publicly known?
10:30 < waxwing> oh i think i get it from reading the copied chat log
10:33 < andytoshi> waxwing: the idea is that after merging, only (k + k') is publicly known
10:34 < andytoshi> but i'm thinking now that maybe both k and k' should be kept around while the transactions are in transit, so that when people try to merge overlapping transactions they're able to cancel out the intersection
10:34 -!- pro [~pro@unaffiliated/pro] has quit [Ping timeout: 264 seconds]
10:34 < andytoshi> this exposes the original transactions to monitors
10:34 -!- pro [~pro@unaffiliated/pro] has joined #bitcoin-wizards
10:35 < andytoshi> to avoid this, you'd have to send your tx to at most one aggregation service (hopefully there'd be several) .. and this service could even interact with you to merge the kG values as well
10:37 < waxwing> i'm lost at why (k+k') is public; i thought the idea was to publish kG and k' ?
10:37 < waxwing> then the network can sum the k'Gs and add it in
10:38 < andytoshi> waxwing: oh sorry, i'm overloading notation
10:40 -!- execute [~execute@52.68.0.151] has quit [Ping timeout: 244 seconds]
10:42 < andytoshi> waxwing: lemme restart from your first question :)
10:42 < andytoshi> yes. k' is publicly known
10:42 < andytoshi> then if you have a second transaction with k2G and k2'
10:43 < andytoshi> you can combine the transaction and you have kG, k2G, (k' + k2')
10:43 < waxwing> right
10:43 < andytoshi> and the latter -sum- is the only thing that's publicly known, and given only this, you can't know k' or k2', and you therefore can't discern the original transaction boundaries
10:44 < waxwing> i see, like hiding in the addition, so that's why you're talking about "aggregation service"
10:45 < andytoshi> yeah
10:45 -!- Ylbam [uid99779@gateway/web/irccloud.com/x-eoeeyhtxichmgjyj] has quit [Quit: Connection closed for inactivity]
10:46 < andytoshi> so the problem (and also a problem with OWAS like what the first anonymous guy did) is if i have transactions A, B, C and you have transactions A, B, D and we both give these to a miner
10:46 < andytoshi> the miner is sorta screwed, he can't combine these, he has to pick one
10:46 < andytoshi> but if everyone avoided doing the summing (and privacy conscious people -only- used a service that privately did the summing before broadcasting anything at all), you could avoid this
10:46 < andytoshi> at the cost of privacy, ofc
10:48 < waxwing> i guess there's no way to throw other nums basepoints at this since the whole point is that all the k-s are supposed to be in the same summation set.
10:49 < waxwing> proslogion was just reminding me about proof of discrete log equivalence, hmm
10:50 -!- jannes [~jannes@178.132.211.90] has quit [Quit: Leaving]
10:51 < andytoshi> i've thought about this a bit but i haven't come up with anything
10:53 -!- proslogion [~proslogio@130.159.61.235] has joined #bitcoin-wizards
10:55 -!- pro [~pro@unaffiliated/pro] has quit [Quit: Leaving]
10:56 -!- pro [~pro@unaffiliated/pro] has joined #bitcoin-wizards
11:05 -!- zooko [~user@c-73-217-16-2.hsd1.co.comcast.net] has quit [Ping timeout: 264 seconds]
11:09 -!- N0S4A2 [~weechat@174.127.172.104] has quit [Quit: WeeChat 1.5]
11:10 < maaku> https://eprint.iacr.org/2015/1028.pdf
11:13 -!- mdavid6131 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards
11:15 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Ping timeout: 265 seconds]
11:19 <@gmaxwell> maaku: these schemes for incremental hashing do not support efficient membership proofs, right?
11:20 -!- jaekwon [~jaekwon@2601:645:c001:263a:cd83:70eb:992c:718c] has quit [Remote host closed the connection]
11:22 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
11:22 < bsm117532> I'm not aware of one that does, I've also looked into this. I'd also like to find one that was constant size.
11:24 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 260 seconds]
11:25 -!- maaku [~quassel@173-228-107-141.dsl.static.fusionbroadband.com] has left #bitcoin-wizards ["http://quassel-irc.org - Chat comfortably. Anywhere."]
11:26 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 250 seconds]
11:28 -!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Ping timeout: 265 seconds]
11:28 < bsm117532> I've been wondering if there's an information-theoretic argument that an incremental hash function must be log(n) in terms of the number of stored elements, as this seems to be the case in the paper maaku linked.
11:29 -!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards
11:50 -!- mn3monic_ [~guido@176.9.68.68] has joined #bitcoin-wizards
11:50 -!- o3u [o3u@unaffiliated/o3u] has joined #bitcoin-wizards
11:50 -!- so_ [~so@unaffiliated/so] has joined #bitcoin-wizards
11:50 -!- livegnik_ [~livegnik@bnw.7c0.nl] has joined #bitcoin-wizards
11:50 -!- Netsplit *.net <-> *.split quits: BonyM, mn3monic, Fistful_of_Coins, luke-jr, so, livegnik, RedEmerald, Guyver2, mr_burdell
11:50 -!- Netsplit over, joins: mr_burdell
11:50 -!- Netsplit over, joins: RedEmerald
11:51 -!- Netsplit over, joins: luke-jr
11:52 -!- BonyM1 [~BonyM-I@ua-83-227-211-4.cust.bredbandsbolaget.se] has joined #bitcoin-wizards
11:52 -!- qpm [~qpm@unaffiliated/midnightmagic/bot/qpm] has quit [Ping timeout: 240 seconds]
11:53 -!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards
11:54 -!- qpm [~qpm@unaffiliated/midnightmagic/bot/qpm] has joined #bitcoin-wizards
12:05 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
12:08 -!- proslogion [~proslogio@130.159.61.235] has quit [Ping timeout: 240 seconds]
12:09 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]
12:17 -!- bildramer [~bildramer@80.106.204.148] has joined #bitcoin-wizards
12:20 -!- bildramer [~bildramer@80.106.204.148] has quit [Read error: Connection reset by peer]
12:29 -!- bildramer [~bildramer@80.106.204.148] has joined #bitcoin-wizards
12:38 < Taek> I've thought some about the monitor issue with regards to OWAS/JoinMarket/MW/etc, and perhaps you could do some peer assignment
12:39 < Taek> meaning, you have some method for selecting peers each block that are in charge of merging everything
12:39 < Taek> you let those peers access (as little as possible) the de-anonymizing data, and then rely on them to merge everything into one giant transaction without sharing the data
12:40 < Taek> maybe you also slip them a little something in transaction fees
12:40 < Taek> sometimes monitors/enemies *will* end up as the selected peer / one of the selected peers
12:40 < Taek> but this is still better than situations where the monitor gets to view most everything all of the time
12:40 < Taek> and, a lot of forensics really relies on being able to see multiple steps
12:41 < Taek> if a monitor is only able to view the transaction history every other block, it's more likely that they will have critical gaps which prevent them from doing full de-anonymization
12:43 < Taek> The method for selecting peers would need some Sybil resistance, and given the miner centralization I would not use PoW to determine who to choose as the de-anonymizer
12:44 < Taek> plus you'd have to accept a DoS vulnerability, as occasionally peers may refuse to participate without you realizing that you should move on to the next peer
12:45 < Taek> Maybe you could employ some sort of WoT technique. You ~approx trust the 8 peers you are connected to, so you sign off on their uptime/reliability. Every node does this, so you can form an approximate graph of the network based on peer uptime
12:45 < Taek> you can ignore any weightings over N hops, perhaps 2.
12:46 < Taek> This gives you *some* resistance to Sybil attacks. Then you have some technique for using the peer id (either a pubkey or an ip address) and the hash of the most recent block for determining which has the highest score
12:47 < Taek> If your pool is 8^3 large, and most of those nodes have high uptime, there's a good chance that a large number of other nodes are sending the winner transactions as well
12:47 < Taek> (*handwave*)
12:48 < Taek> Then you still need the winning nodes to have a way to talk to each other and combine transactions, but at that point the anonymity set is greatly improved
12:49 < instagibbs> Trusted mixers will most likely work fine, imo.
12:50 < waxwing> like Bitcoin VPNs? :)
12:50 < instagibbs> Guard Nodes, but for aggregating transactions
12:50 < instagibbs> Run them over Tor, on a hardened HSM
12:51 * instagibbs handwaves
12:52 < instagibbs> Any wallets with co-signing services already get a bunch of protection, and why wouldn't each service gossip to each other first before releasing batches, etc.
12:55 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
13:00 -!- MoALTz [~no@78-11-183-124.static.ip.netia.com.pl] has quit [Quit: Leaving]
13:05 < Taek> Would be interesting to have something like guard node HSMs that get distributed by a company like Blockstream, where the HSM public key is signed by multiple members of the ecosystem
13:05 < Taek> then all transactions get encrypted such that only the HSM can decrypt them
13:08 < kanzure> you mean PKI things?
13:08 < kanzure> er, CA things
13:09 < Taek> similar, except that the CA in this case is authenticating an HSM instead of a tls key
13:12 < andytoshi> neat, so the idea is that encrypted transactions go out, the HSMs are the only ones that can decode these, and they only output merged transactions
13:13 < Taek> yeah. With the idea being that an adversary with an HSM is not going to be able to use it to figure out what the decrypted inputs are
13:13 < Taek> I'm not sure how hard it is to pull the key out of an HSM
13:13 < andytoshi> for a proper HSM you need an electron microscope and you need to know how to disassemble it without it triggering key erasure
13:16 < andytoshi> you could also do this in a way that you can detect if an HSM has not included your transaction (and won't), then you can encrypt to another HSM without worrying about causing conflicts
13:16 < kanzure> i wonder if you could make it so that for transaction merging you could split it among multiple machines without any machine seeing the pre-merged transaction itself
13:17 < kanzure> er, see the entire pre-merged transactions
13:17 < Taek> oh hmm. So you give an output to 1 machine, another output to another, input to another, etc, and then when they all combine they get the right answer?
13:18 < Taek> seems easy to DoS though, just make a transaction that's missing an output
13:18 < kanzure> like all denial-of-service problems this one can be solved by requiring a fee
13:23 -!- marcinja [~marcinja@dhcp-18-111-88-96.dyn.mit.edu] has joined #bitcoin-wizards
13:25 < nickler> There's probably no need to trust the HSM. There are lots of protocols that prevent revealing input/output relationships to the centralized mixer like coinshuffle++ or tumblebit. With mimblewimble they can probably be simplified.
13:26 < waxwing> good point, but coinshuffle++ has a fair amount of interactivity right (dc-net)
13:27 -!- zooko [~user@73.95.139.83] has joined #bitcoin-wizards
13:29 < instagibbs> reintroducing interactivity makes baby Voldemort cry
13:29 < waxwing> just thinking, why not have a ring signature over multiple kG values?
13:31 < kanzure> instagibbs: some forms of interactivity are tolerable, like in p2p transactions before broadcast, might not be end of world
13:39 -!- zooko` [~user@c-73-14-173-69.hsd1.co.comcast.net] has joined #bitcoin-wizards
13:40 -!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has quit [Quit: Leaving]
13:40 -!- zooko [~user@73.95.139.83] has quit [Ping timeout: 265 seconds]
13:43 -!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards
13:44 < nsh> andytoshi, would it be possible to create a MW-merged transaction of [some subset of] existing alpha-CT blockchain retrospectively?
13:46 -!- dgenr8 [~dgenr8@unaffiliated/dgenr8] has quit [Ping timeout: 240 seconds]
13:47 -!- contrapumpkin is now known as copumpkin
13:48 < andytoshi> nsh: nope, unfortunately, because the existing alpha-CT chain uses scriptsigs for authentication
13:50 * nsh nods
13:55 -!- LeMiner2 [LeMiner@unaffiliated/leminer] has quit [Read error: Connection reset by peer]
13:55 -!- LeMiner2 [LeMiner@5ED1AFBF.cm-7-2c.dynamic.ziggo.nl] has joined #bitcoin-wizards
14:00 -!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has joined #bitcoin-wizards
14:02 -!- dgenr8 [~dgenr8@unaffiliated/dgenr8] has joined #bitcoin-wizards
14:05 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
14:08 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]
14:10 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]
14:24 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
14:26 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
14:27 -!- byteflame [~byteflame@70-89-65-45-little-rock-ar.hfc.comcastbusiness.net] has quit [Ping timeout: 260 seconds]
14:30 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]
14:31 -!- bildramer [~bildramer@80.106.204.148] has quit [Ping timeout: 276 seconds]
14:35 -!- marcinja [~marcinja@dhcp-18-111-88-96.dyn.mit.edu] has quit [Remote host closed the connection]
14:35 -!- bildramer [~bildramer@ppp-94-67-125-5.home.otenet.gr] has joined #bitcoin-wizards
14:40 < nsh> as a node syncing with MW, i construct eventually from honest nodes a chain that has all explicit inputs, a current UTXOset in the form of Pedersen commitments, with merkle proofs that each commitment reallocated r-values representing spending authority in such a way that ownership of spendable r-values derive ultimately from explicit inputs through a series of steps [of indeterminate number] keeping total value invariant?
14:40 < nsh> and i settle upon this chain because it has the longest PoW still?
14:41 < nsh> the k-values i get with the latest block allow me to prove that the commitments sum to zero and there is a non-inflationary history from genesis
14:42 < nsh> but i am agnostic of the possible histories in terms of ownership [re]allocation and output age
14:43 < nsh> however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output
14:43 < nsh> is that roughly accurate, andytoshi?
14:45 < nsh> as far as i'm concerned the genesis could have been followed by a single block that merged all the transactions, but i know the extent of history still from block height [assuming things about block discovery time distribution] and i know something about the complexity of the transaction graph from the merkle proofs and cumulative k-values?
14:46 < nsh> [as far as i'm concerned regarding non-inflation and non-theft]
14:46 -!- proslogion [~proslogio@2.217.2.220] has joined #bitcoin-wizards
14:47 < proslogion> it's perhaps trivial, that if everyone using mimblewimble signs with the same nonce, then all k_n*G signatures can be aggregated into one
14:47 < proslogion> which of course has serious problems
14:50 < cjd> oh cool mw conversation :D
14:51 < bsm117532> How do forks work with MW? Does one choose to keep a (sub)set of past blocks, and then discard them when you're reasonably sure that a reorg can't happen? Is there a danger that history is lost and a reorg can't be performed?
14:51 < cjd> bsm117532: AFAICT you can basically just scrap everything and revalidate from zero if there is a reorg
14:52 < cjd> 22:40 < nsh> and i settle upon this chain because it has the longest PoW still? <-- yes
14:53 < cjd> 22:43 < nsh> however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output <-- no because the transaction outputs are unglued from the inputs and unglued from the block, all you know is that they're valid
14:53 -!- Emcy_ [~MC@cpc3-swan1-0-0-cust1003.7-3.cable.virginm.net] has joined #bitcoin-wizards
14:53 -!- Emcy_ [~MC@cpc3-swan1-0-0-cust1003.7-3.cable.virginm.net] has quit [Changing host]
14:53 -!- Emcy_ [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards
14:54 < cjd> I am speaking from what I understand, I might also be very wrong
14:54 < sipa> cjd: if you have 'merged' multiple blocks together, you don't have the ability to only validate part of it
14:54 < sipa> you could download it again from the network of course, assuming someone kept the non-merged blocks
14:55 < cjd> You have only outputs in memory and you just reorg the header chain then add everything up, no?
14:55 < sipa> but you don't know the outputs that were spent by the blocks that are reorged
14:56 -!- Ylbam [uid99779@gateway/web/irccloud.com/x-egccbcfottwkanyi] has joined #bitcoin-wizards
14:56 < nsh> i think if you store your receipt rangeproof and blinding value, then you can prove afterwards that you participated in a transaction by signing the blinding value and showing that it rewinds the proof
14:56 -!- Emcy [~MC@unaffiliated/mc1984] has quit [Ping timeout: 265 seconds]
14:56 < cjd> ahh indeed so when you reorg you both add and remove utxos
14:56 < nsh> but this still depends on some nodes storing more than is required for consensus
14:56 < nsh> i think
14:56 < sipa> i expect that every node will just not merge the blocks at the tip
14:57 < sipa> everyone will keep some range of blocks unmerged, to deal with reorgs
14:57 <@gmaxwell> Assuming you only care about MW-security you can just sync the new header chain and then do set reconciliation to change to the new utxo set.
14:57 < cjd> ^^this
14:57 <@gmaxwell> Then you don't even need to deal with reorgs.
14:57 < sipa> what is MW security?
14:57 <@gmaxwell> (By MW security I mean the anti-inflation and anti-theft properties of MW, rather than, say, script validation)
14:58 < nsh> ( Simple Multi-Party Set Reconciliation [with invertible bloom look-up tables] -- http://arxiv.org/abs/1311.2037 )
14:59 < cjd> So I also have a concern with the proposal, can't Eve just create a spend transaction for money that's not hers but then add an output for which she does not know the key and plow a little bit of money into the ground ? It seems to me that outputs must sign themselves...
14:59 <@gmaxwell> I'm pretty disenchanted by iblt. The constant factors kill its performance. But whatever, there are other approaches to set reconciliation.
14:59 <@gmaxwell> cjd: eve cannot produce a rangeproof for a junk output.
14:59 < nsh> this might be more suited: https://www.ics.uci.edu/~eppstein/pubs/EppGooUye-SIGCOMM-11.pdf
15:00 < cjd> ahh I see, I had imagined it without the rangeproof since it seems not required
15:00 < nsh> i don't think you can prove you transacted without saving the range-proof
15:00 < nsh> but i could be wrong
15:00 < cjd> ehhh hang on a sec
15:00 < cjd> you range proof vG but you still can add arbitrary rH
15:00 < nsh> (you can prove by letting people spend your currently-spendable outputs but that's less fun)
15:00 <@gmaxwell> nsh: this is what I like: https://www.cs.bu.edu/~reyzin/code/fuzzy.html
15:01 < cjd> you don't know r so you make up a number to balance the budget...
15:01 < nsh> oh right, you can use another knapsack
15:01 < nsh> that's fine then
15:01 < nsh> gmaxwell, cool, ty
15:03 < cjd> hmm it seems that somehow you need to prove knowledge of v *and* r in order to not be making up magical numbers to balance the sum
15:07 < proslogion> that's what k*G is for
15:07 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 240 seconds]
15:09 < cjd> maybe I'm being silly here but this is my attack: I make a transaction which pays out a zillion coins to myself and I tag on a little signature
15:09 < cjd> I add up the outputs and subtract the inputs and the signature, ok problem it's not zero
15:10 < cjd> now I add a new output which pays 0.00001 and it pays it to a key which I don't have the private key but the public key is the sum of all the above plus the new output value (times H) which I just added
15:10 < cjd> presto valid transaction
15:10 < cjd> or not ?
15:11 < nsh> you don't pay to keys in CT
15:11 < cjd> CT ?
15:11 < nsh> confidential transactions
15:12 < cjd> ok what do you call them? They're things which you point-multiply
15:12 < nsh> so inputs and outputs are points, you interactive create a commitment that proves the sum to zero
15:12 < nsh> *interactively
15:12 < nsh> *they
15:13 < cjd> right, and I can make it zero by adding an arbitrary output which I cannot spend...
15:13 < nsh> so the recipient chooses their outputs
15:13 < nsh> after the sender has committed
15:14 < nsh> or pre-half-committed, i don't know
15:14 < cjd> If you don't make me prove knowledge of the private key somehow, I will always be able to balance anything to zero
15:15 < cjd> by private key I mean "the value of r", in practice it is effectively a private key
15:16 < nsh> sure
15:16 < nsh> you prove knowledge of the private keys for unspent outputs by committing to a blinding multiple of the H-generator that cancels out the amount multiple of the G generator
15:17 < nsh> (you inherit this ability to match G and H multiples from when you were paid those outputs)
15:19 < cjd> ok you lost me, what exactly is it that the sender and recipient broadcast to the rest of the world ? [ inputID, r*G, v*H, proof_v_is_in_range ] ?
15:20 < cjd> that and a signature across emptystring to prove knowledge of the difference ?
15:20 < cjd> If that's all you're sending then you're not proving knowledge of r and if I can put multiple outputs in a transaction then your protocol is going to be funny
15:21 < nsh> well, in alpha's CT txs are broadcast more like bitcoin. in MW you'd broadcast the Pedersen commitment, the excess blinding value and the empty string signed with its discrete logarithm
15:21 < cjd> I don't know CT at all, I only read MW
15:23 < cjd> oh in lieu of the range proof, you could make v be a 256 bit number where the lower 64 bits are the value and then sign v*H using v
15:23 < cjd> that's a proof of knowledge
15:23 < cjd> and if r*G is signed with r then I can no longer add silly crap to balance the sum
15:35 -!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Quit: :)]
15:37 -!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has quit [Quit: Leaving]
15:38 < nsh> letting any of the v be chosen by either participant breaks the security model. v must be dictated by the prior inputs, the sender's precommitment and recipient's blinding factor choices for their outputs
15:40 -!- Giszmo [~leo@ip5f5ac08d.dynamic.kabel-deutschland.de] has quit [Quit: Leaving.]
15:43 < cjd> yeah I guess you're right
15:43 < cjd> it sounded nice
15:48 -!- mdavid6131 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]
15:52 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
16:06 -!- Emcy_ [~MC@unaffiliated/mc1984] has quit [Ping timeout: 252 seconds]
16:12 -!- Emcy [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards
16:13 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards
16:14 -!- zooko` [~user@c-73-14-173-69.hsd1.co.comcast.net] has quit [Ping timeout: 276 seconds]
16:16 -!- proslogion [~proslogio@2.217.2.220] has quit [Ping timeout: 258 seconds]
16:22 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]
16:26 -!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
16:29 -!- proslogion [~proslogio@130.159.234.219] has joined #bitcoin-wizards
16:46 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
16:47 < andytoshi> nsh: you can fix the age thing by means of having each block commit to the utxoset. but yep, that sounds right
16:47 < andytoshi> lol proslogion, if i know your nonce then i know your secret key
16:50 < andytoshi> cjd: the CT rangeproof forces you to know r
16:51 < cjd> ok thanks, I guessed that it must be such after thinking more, certainly such an elementary error would not go overlooked
16:51 < andytoshi> yep. and you definitely can't sign the excess values with the r value from an output, that links all the outputs :)
16:52 < cjd> So my understanding is that MW requires these signatures of emptystring to persist forever, is this correct ?
16:52 < andytoshi> cjd: but even without that, observe that if every output has a rangeproof of being in [0, 2^64], you can't make outputs with negative values anyway
16:52 < andytoshi> cjd: correct
16:52 < cjd> Ahh no, I meant to sign the output itself using the output's r which would not link it to stuff but might reveal things
16:52 < andytoshi> unless they can be aggregated somehow (if it used a pairing based curve this could be done)
16:52 < cjd> Ok I believe I have a solution
16:53 < andytoshi> cjd: ah, yeah, understood. that is not necessary, the rangeproof itself is effectively a signature with r
16:53 < cjd> perfect
16:54 < cjd> Suppose I make a payment to you and so I pass you the sum of inputs and outputs for you to add in your output, then you and I both bcast the transaction incomplete with the sum of all of our input and output private values and the remaining value (fee)
16:54 < cjd> the miner is a participant in the transaction, he adds another output to take the fee and thus he is the one who makes the signature on emptystring
16:54 < cjd> but then he can produce only one per block
16:54 < cjd> am I talking shit?
16:55 < andytoshi> cjd: he can put as many outputs as he likes. he's gotta add another k*G value to be sure that nobody else can know this output's key
16:55 < andytoshi> and he can do a single output for every transaction that he's received
16:56 < cjd> right
16:56 < cjd> and if I am not mistaken, he needs only one signature to balance the entire block
16:56 < andytoshi> yep
16:57 -!- JackH [~Jack@79-73-188-45.dynamic.dsl.as9105.com] has quit [Ping timeout: 252 seconds]
16:57 < proslogion> andytoshi: sorry, only meant the pubkey of the nonce
16:57 < andytoshi> proslogion: ah, yes, though this requires interaction
16:57 < proslogion> true
16:57 < cjd> furthermore, as a matter of protocol, we can require that he rebalances out that signature in order to spend the fee money
16:57 -!- rhett [~rhett@c-73-223-86-218.hsd1.ca.comcast.net] has joined #bitcoin-wizards
16:58 < cjd> but if we are paying 64 bytes per block, we have already made a breakthrough
16:58 < cjd> Now, can we make this post-quantum ? :)
17:00 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]
17:00 < cjd> or wait, do we even need to add the signature at all? can we not just make that value become one of the outputs for the miner ?
17:00 -!- rhett [~rhett@c-73-223-86-218.hsd1.ca.comcast.net] has quit [Client Quit]
17:01 -!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards
17:01 < cjd> assuming the miner pays out to at least 2 outputs and he knows the sum of secrets, he can make the first value be secret and the second value is what is needed to balance the numbers, he will need to be sure to store this secret key to disk as soon as he mines the block
17:01 < cjd> but being a miner he should be capable of handling that
17:02 < andytoshi> cjd: the sum of secrets is sufficient knowledge to spend both outputs at once
17:02 < andytoshi> so if the rest of the block was created by one person, and the miner does not add a kG, his money can be stolen by that person
17:02 < cjd> argh right :) 3
17:02 < andytoshi> yup :(
17:02 < andytoshi> i had a similar scheme before MW came out that made exactly this mistake
17:02 < cjd> requiring the miner to produce 3 outputs is not a serious harm though
17:03 -!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has joined #bitcoin-wizards
17:03 < cjd> now what about post-quantum? have you looked at it at all ?
17:05 < andytoshi> cjd: 3 outputs doesn't help, one output plus an extra kG value is sufficient
17:05 < andytoshi> as far as post-quantum, oleganza tells me he has a scheme for making CT quantum-safe, but i don't know any details yet
17:06 < andytoshi> and i haven't thought at all about how that would affect mimblewimble
17:06 < cjd> ok if you find Pedersen type stuff that runs post-quantum, please ping me
17:06 < andytoshi> probably mimblewimble would be screwed, because "quantum safe" simply means that inflation remains impossible
17:06 -!- proslogion [~proslogio@130.159.234.219] has quit [Ping timeout: 260 seconds]
17:06 -!- Emcy_ [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards
17:06 < andytoshi> it does -not- mean that the commitments stay hidden
17:06 < andytoshi> i will absolutely. this interests me as well
17:07 < andytoshi> i might hafta go back to school and talk to the lattice people, i'm sure something similar can be done..
17:07 < cjd> right
17:07 < cjd> lattice or polynomials
17:08 < andytoshi> maybe even LWE
17:08 < cjd> I got really excited by HElib which does homomorphic and is thought by some people to be post-quantum but alas it does not have communitive behavior
17:08 < cjd> but I got to brush up on C++ and have fun with polynomials
17:09 < andytoshi> use rust ;)
17:09 < cjd> no, you have to write things in other languages so you can *rewrite* them in rust
17:10 -!- Emcy [~MC@unaffiliated/mc1984] has quit [Ping timeout: 276 seconds]
17:10 < cjd> (it's a meme, rust community people are constantly asking for everything to be rewritten in rust)
17:10 < andytoshi> oh, ofc, otherwise you'll never be able to rewrite everything in rust
17:10 < andytoshi> yep :P
17:10 < cjd> ok I see the problem re sum of secrets
17:11 < cjd> I'm annoyed that there is no solution and you have to sum entries for each block but dammit, 64 bytes per block is not bad
17:11 < andytoshi> welll, with a pairing-friendly curve you can aggregate all the kG values and their signatures
17:12 -!- Sleepnbum [Sleepnbum@72.67.47.196] has quit [Ping timeout: 250 seconds]
17:12 < cjd> I'd rather KISS because I want everything to run twice, once over a curve and second time using something post-quantum
17:12 < cjd> if we're going to do another blockchain, IMO it's mandatory
17:14 <@gmaxwell> it appears to be currently impossible to construct schemes like this that are usefully 'post-quantum'.
17:14 -!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Quit: Leaving]
17:14 <@gmaxwell> The kind of homomorphism that makes this work is also what makes discrete log easy on quantum computers.
17:15 < cjd> that's... annoying
17:17 < sipa> there is not even an efficient equivalent to diffie-hellman exchange in PQC, right?
17:17 <@gmaxwell> sipa: depends on how you define efficient.
17:18 <@gmaxwell> The isogenies ladder thing is kind of efficient. I've linked to it in here before.
17:18 < cjd> This: https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange claims to be DH like
17:18 <@gmaxwell> that's what I'm referring to.
17:18 < sipa> oh, ok
17:19 <@gmaxwell> who knows if it's even classically secure...
17:19 * sipa hides in a superposition of corners
17:19 < cjd> But we need what is effectively homomorphic encryption but with communitivity
17:19 <@gmaxwell> probably only a few dozen people in the world really understand it at a level enough to begin to evaluate its security.
17:20 < cjd> IMO it's not harmful to roll out something without fully understanding it as long as you're backed up by well understood curves
17:20 < sipa> commutativity?
17:20 < sipa> or what is communitivity
17:21 < cjd> x + y == y + x
17:21 -!- Tiraspollll is now known as Tiraspolll
17:21 < sipa> yes, commuativity, not communitivity
17:21 < cjd> oh, I can't spell - as usual, sorry
17:21 < sipa> seems i can't either
17:22 <@gmaxwell> cjd: if you just define the requirement as have commuativity, then that alone is pretty much sufficient to make it insecure against quantum computers.
17:22 < cjd> I'm probably using the wrong word here, I mean that basically for any given plaintext there is a single ciphertext
17:22 < sipa> gmaxwell: did you copy paste my misspelling?
17:22 < cjd> yeah, that's annoying
17:22 <@gmaxwell> yes.
17:23 <@gmaxwell> I can't spell that word either, I was waiting for one of you to use it.
17:23 < cjd> btw is there any plan to add an opcode to do like NTRU or something ?
17:23 <@gmaxwell> ugh. no.
17:23 * andytoshi gets to use his math degree!
17:23 < andytoshi> "commutativity"
17:23 <@gmaxwell> There is a straightforward path to have PQ secure bitcoin-- use hash based signatures.
17:23 < cjd> ahh cool
17:24 < cjd> that would make a neat press release
17:24 <@gmaxwell> Virtually all other PQ signature schemes are a pile of hopes and handwaves and also slow enough to verify to be problematic.
17:24 < andytoshi> interestingly we can get a OWAS-like system that is also purely hash-based
17:24 < andytoshi> that gmaxwell wrote about a couple years ago .. lemme see if i can find it
17:24 < sipa> cjd: we even know how to introduce PQ crypto in such a way that the blockchain isn't burdened before EC actually becomes insecure
17:24 < kanzure> https://bitcointalk.org/index.php?topic=284194.0
17:24 <@gmaxwell> I implemented hash based signatures eons ago, but just didn't publish it because I didn't want to deal with it showing up in idiotic altcoins.
17:24 < andytoshi> https://download.wpsoftware.net/bitcoin/wizards/2014-06-22.html
17:24 < kanzure> https://bitcointalk.org/index.php?topic=47037.0
17:24 < cjd> haha
17:25 < sipa> cjd: by making all wallets use 1-of-2 (EC or PQ) keys
17:25 < cjd> anything which is PQ should be 2 of 2
17:25 -!- Ylbam [uid99779@gateway/web/irccloud.com/x-egccbcfottwkanyi] has quit [Quit: Connection closed for inactivity]
17:25 < cjd> EC & PQ
17:26 <@gmaxwell> What sipa is referring to is a construction where you do a IF { AREWEPOSTQUANTUMYET_VERIFY standard checksig } ELSE { HASHBASED_PUBKEY }... and then after doomsday you just turn AREWEPOSTQUANTUMYET abort on execution.
17:26 < cjd> oh wait, this is hash based, so indeed it's really boring and you can trust it
17:26 < andytoshi> you could make it so that the 1-of-2 is softforkable into a 2-of-2
17:26 < andytoshi> oh greg beat me to it
17:26 < sipa> into a 1-of-1, really
17:26 <@gmaxwell> andytoshi: well I described it a bit differently. 1 of 2 into a 1 of 1. but same kind of thinking applies.
17:26 -!- justanotheruser [~Justan@unaffiliated/justanotheruser] has quit [Read error: Connection reset by peer]
17:27 < cjd> Personally I would want to have PQ addresses
17:27 < sipa> !hi5 gmaxwell
17:27 < gribble> Error: "hi5" is not a valid command.
17:27 < cjd> I mean we're not going to know when we're PQ, just the number of tin-hatters will grow slowly until it includes everyone
17:28 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
17:28 < sipa> nah, i'm sure there will be quantum deniers
17:28 < cjd> :)
17:28 <@gmaxwell> the address reuse problem though is especially annoying with space efficient hash based signatures.
17:29 < cjd> oh right, there is a security issue using an addr after you spent from it, right ?
17:30 -!- justanotheruser [~Justan@unaffiliated/justanotheruser] has joined #bitcoin-wizards
17:31 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 276 seconds]
17:32 < cjd> In addition, our construction yields two more interesting features: 1) the ability to "convert" a Pedersen commitment into a lattice-based one
17:32 < cjd> http://eprint.iacr.org/2015/628/20150630:185350
17:32 < cjd> Have not read (flipped through) it yet
17:33 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
17:36 -!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has joined #bitcoin-wizards
17:36 < Cloudflare> hi
17:36 <@gmaxwell> I haven't seen that paper, but I've seen one of the papers it references; and IIRC it only gave a PoK but does not have full additive homomorphism.
17:37 < cjd> ok that's no good, I'm trying to seek in on the spot where they make their promises now...
17:37 -!- Sleepnbum [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards
17:37 <@gmaxwell> it's not difficult to make a plain Pedersen like commitment unconditionally sound, (but not unconditionally private)-- an ElGamal ciphertext is an example of that.
17:38 <@gmaxwell> though it's easy to prove that something cannot be both unconditionally sound and unconditionally hiding, at least one of the two must be only a computational guarantee.
17:38 -!- renlord is now known as pocoyo
17:39 < cjd> if you can't add them up, what is the value over a concatenate-and-hash commitment ?
17:40 < Cloudflare> quit
17:40 < Cloudflare> this
17:40 < Cloudflare> channel
17:40 -!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]
17:41 <@gmaxwell> because their scheme is still unconditionally hiding.
17:41 -!- bumtime [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards
17:41 -!- Sleepnbum [~Sleepnbum@173.55.57.163] has quit [Ping timeout: 244 seconds]
17:41 < cjd> so basically they're rules-lawyering their paper into relevance :)
17:42 < andytoshi> this appears to be weakly additively homomorphic, if you add too many commitments together then it'll fail to be binding to the sum
17:42 < cjd> hmm interesting
17:42 < andytoshi> it's possible (though i'd have to run through their calcs precisely) that you can add two commitments together while retaining bindingness, without compromising security, and then do this "reblinding" thing
17:43 < cjd> right, the HElib does this
17:43 < cjd> they keep a noise parameter and you can reEncrypt to bring down the noise
17:43 <@gmaxwell> andytoshi: AFAICT though their reblinding requires you know the committed value.
17:46 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]
17:47 < andytoshi> maybe we don't need unblinding. if you say that within a single transaction everything has to add to a commitment to zero, maybe this forces the noise on all outputs to be small (but still hiding? i dunno)
17:47 < andytoshi> s/unblinding/reblinding/
17:48 < andytoshi> will need to look into SVP lattice ring signatures .. *handwave handwave* this almost looks like we can import your rangeproofs into this system, it's so Pedersen-like
17:49 < andytoshi> but the security parameters in quantum crypto are weird. it's hard to say "x bits", you've got these radii and gaussian probabilities, i don't know how to think about them
17:52 < cjd> hmm
17:53 < cjd> I'm bad at math but I caught on to this HElib and I was playing with it, it allows you to encrypt a value with a public key and then add encrypted values
17:53 < cjd> and it's based on NTRU
17:54 -!- iwilcox [~iwilcox@unaffiliated/iwilcox] has quit [Remote host closed the connection]
17:55 < cjd> I can encrypt, add, decrypt but if I encrypt and add a set of polynomials which sum to zero, I do not get the same encrypted content as a plain 0 polynomial
17:59 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
18:12 -!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has joined #bitcoin-wizards
18:12 -!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]
18:15 -!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has joined #bitcoin-wizards
18:15 < Cloudflare> yo
18:15 < Cloudflare> pocoyo: sup
18:15 -!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]
18:19 -!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards
18:20 -!- pro [~pro@unaffiliated/pro] has quit [Quit: Leaving]
18:23 -!- bumtime [~Sleepnbum@173.55.57.163] has quit [Ping timeout: 260 seconds]
18:23 <@gmaxwell> Cloudflare: http://i.stack.imgur.com/dzUaZ.png
18:37 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]
18:46 < Cloudflare> gmaxwell: hahaha
18:46 < Cloudflare> that's amazing
18:49 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 250 seconds]
19:00 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
19:06 -!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]
19:06 -!- cyphase [~cyphase@unaffiliated/cyphase] has quit [Ping timeout: 258 seconds]
19:11 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]
19:16 -!- cyphase_eviltwin [~cyphase@unaffiliated/cyphase] has joined #bitcoin-wizards
19:18 -!- Sleepnbum [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards
19:21 -!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]
19:26 -!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards
19:27 -!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Remote host closed the connection]
19:27 -!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards
19:28 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards
19:32 -!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]
19:33 -!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has quit [Remote host closed the connection]
19:34 -!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has joined #bitcoin-wizards
19:44 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
19:47 -!- thesnark [~mike@unaffiliated/thesnark] has quit [Remote host closed the connection]
19:51 -!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 258 seconds]
20:04 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]
20:06 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
20:09 -!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]
20:19 -!- wetdinghy [~loltastic@99-8-65-117.lightspeed.davlca.sbcglobal.net] has joined #bitcoin-wizards
20:27 -!- rodarmor [rodarmor@2600:3c01::f03c:91ff:fe61:6c68] has joined #bitcoin-wizards
20:28 -!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
20:29 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
20:33 -!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]
20:33 -!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has quit [Ping timeout: 252 seconds]
20:36 -!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
20:40 -!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has joined #bitcoin-wizards
20:44 -!- rusty2 [~rusty@pdpc/supporter/bronze/rusty] has joined #bitcoin-wizards
20:46 -!- rusty2 is now known as rusty
20:46 -!- wetdinghy [~loltastic@99-8-65-117.lightspeed.davlca.sbcglobal.net] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]
20:56 -!- CrazyTruthYakDDS [uid67551@gateway/web/irccloud.com/x-pxbdahbgqyeqrbov] has joined #bitcoin-wizards
21:04 -!- r0ach [~r0ach@107-217-214-192.lightspeed.jcvlfl.sbcglobal.net] has quit []
21:11 -!- pompom [~pompom36@ctngya111073.ct.ftth.ppp.infoweb.ne.jp] has joined #bitcoin-wizards
21:18 -!- pompom [~pompom36@ctngya111073.ct.ftth.ppp.infoweb.ne.jp] has left #bitcoin-wizards ["Leaving"]
21:19 -!- iddo [~idddo@hyena.cs.cornell.edu] has quit [Changing host]
21:19 -!- iddo [~idddo@unaffiliated/iddo] has joined #bitcoin-wizards
21:28 -!- arowser [~quassel@106.120.101.38] has quit [Remote host closed the connection]
21:33 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 252 seconds]
21:33 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]
21:41 -!- arowser [~quassel@106.120.101.38] has joined #bitcoin-wizards
21:46 -!- cyphase_eviltwin is now known as cyphase
21:48 -!- Alopex [~bitcoin@cyber.dealing.ninja] has quit [Remote host closed the connection]
21:49 -!- contrapumpkin [~copumpkin@haskell/developer/copumpkin] has joined #bitcoin-wizards
21:50 -!- Alopex [~bitcoin@cyber.dealing.ninja] has joined #bitcoin-wizards
21:51 -!- copumpkin [~copumpkin@haskell/developer/copumpkin] has quit [Ping timeout: 258 seconds]
22:12 -!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Read error: Connection reset by peer]
22:12 -!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards
22:27 -!- asynk [~aknix@65.78.54.2] has joined #bitcoin-wizards
22:30 -!- pocoyo is now known as renlord
22:30 -!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards
22:32 -!- arowser_ [~quassel@106.120.101.38] has joined #bitcoin-wizards
22:33 -!- arowser_ [~quassel@106.120.101.38] has quit [Remote host closed the connection]
22:34 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
22:38 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 252 seconds]
22:42 -!- renlord is now known as pocoyo
22:43 -!- pocoyo is now known as mryandao
22:43 -!- mryandao is now known as help
22:43 -!- sdaftuar [~sdaftuar@unaffiliated/sdaftuar] has quit [Ping timeout: 258 seconds]
22:43 -!- help is now known as mryandao
22:45 -!- sdaftuar [~sdaftuar@unaffiliated/sdaftuar] has joined #bitcoin-wizards
23:07 -!- wumpus [~quassel@pdpc/supporter/professional/wumpus] has quit [Ping timeout: 264 seconds]
23:08 -!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 276 seconds]
23:09 -!- mryandao [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Read error: Connection reset by peer]
23:09 -!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has quit [Read error: Connection reset by peer]
23:11 -!- wumpus [~quassel@pdpc/supporter/professional/wumpus] has joined #bitcoin-wizards
23:11 -!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has joined #bitcoin-wizards
23:11 -!- CrazyTruthYakDDS [uid67551@gateway/web/irccloud.com/x-pxbdahbgqyeqrbov] has quit [Quit: Connection closed for inactivity]
23:15 -!- mryandao [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards
23:23 -!- jgarzik [~jgarzik@unaffiliated/jgarzik] has quit [Read error: Connection reset by peer]
23:24 -!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]
23:24 -!- jgarzik [~jgarzik@104-178-201-106.lightspeed.tukrga.sbcglobal.net] has joined #bitcoin-wizards
23:24 -!- jgarzik [~jgarzik@104-178-201-106.lightspeed.tukrga.sbcglobal.net] has quit [Changing host]
23:24 -!- jgarzik [~jgarzik@unaffiliated/jgarzik] has joined #bitcoin-wizards
23:26 -!- yoleaux [~yoleaux@xn--ht-1ia18f.nonceword.org] has quit [Ping timeout: 244 seconds]
23:35 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards
23:39 -!- jannes [~jannes@178.132.211.90] has joined #bitcoin-wizards
23:39 -!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 250 seconds]
23:47 -!- BashCo [~BashCo@unaffiliated/bashco] has quit [Remote host closed the connection]
23:50 -!- asynk is now known as wipogee
23:59 -!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards
--- Log closed Tue Aug 09 00:00:20 2016