--- Log opened Fri Nov 26 00:00:43 2021
02:00 < meshcollider> Oh, are you adding a checksum to the master secret and then a separate checksum to each share?
04:02 < roconnor> meshcollider: yes, if all your shares have a valid linear checksum (e.g. BCH code) then your secret will also have a valid checksum, and vice versa.
04:44 < meshcollider> Oh wow, you're right! That's so cool
04:51 < roconnor> If you want to label your shares with a constant value, an identifier, so that you don't mix shares belonging to different secrets, then the secret will have the same constant identifier (and vice versa).
04:51 < roconnor> *label your shares with a constant prefix.
04:54 < meshcollider> Yeah that is a lot clearer than the checksum part, because you'd just interpolate a horizontal line on those characters
05:03 < roconnor> lastly, if you are familiar with SSS, then each share has a distinct index and the secret is "placed" at a special index (typically 0). You can add a label for each share with its index, and the secret will end up being labeled with the special index (and vice versa).
05:04 < roconnor> The reasoning is similar, except that instead of interpolating a horizontal line you are interpolating a diagonal line.
05:34 < meshcollider> Here's the code I was playing around with today if anyone else wants to do the same: https://gist.github.com/meshcollider/7ce80cd61e0e502d521b0a555bd4a9d0
05:34 < meshcollider> roconnor: right, this is very nice
05:37 < roconnor> meshcollider: https://github.com/roconnor-blockstream/SSS32/blob/ms32/MasterSeed32.md#recovering-master-seed has some python code, for comparison.
05:37 < meshcollider> roconnor: I couldn't quite follow your ms32_interpolate function in your BIP draft on the ms32 branch. What is special about s[5] in defining w (where did the 5 come from)?
05:38 < roconnor> 5 comes from the data part specification in https://github.com/roconnor-blockstream/SSS32/blob/ms32/MasterSeed32.md#ms32
05:38 < roconnor> [0] is the threshold parameter
05:38 < roconnor> [1:4] is the identifier
05:38 < roconnor> [5] is the share index
05:39 < roconnor> [6:-13] is the share data
05:39 < roconnor> [-13:-1] is the checksum.
05:39 < roconnor> ... assuming I haven't made any off by one errors.
05:40 < meshcollider> Oh, I see! Makes sense, I just couldn't reverse engineer it from the code
05:41 < roconnor> [6:-14] is the share data ?
05:41 < roconnor> I don't know. Whatever.
05:43 < meshcollider> Yep I think [6:-14] is correct if you have 13 checksum elements
05:43 < meshcollider> [-13:] is valid, you don't need the -1
05:54 < meshcollider> roconnor: the thing that initially tripped me up was that I was thinking about just splitting a (secret ++ checksum) into n shares naively (with a random degree-(t-1) polynomial). But after realising you choose t-1 shares also with checksums and THEN interpolate them to derive the rest of the shares, it made a lot more sense.
05:55 < roconnor> Seems my document could be more clearly written.
05:55 < meshcollider> It was actually what clarified it for me, I was confused when reading this chat :p
05:58 < roconnor> oh. That makes me feel better.
06:00 < meshcollider> Is this commutativity between SSS and affine checksum known in the academic literature?
06:03 < roconnor> In a certain sense, it is probably too trivial to bother with from an academic perspective. The proof is like half a page or less.
08:04 < andytoshi> might be able to get it into a practice-oriented CS conference
08:04 < andytoshi> but IMO the bitcoin BIP repo is probably the most appropriate venue for "publication"
09:57 < andytoshi> every so often i intend to set up a blockstream tech report repo, which issues DOI numbers etc., but it's a fair bit of annoying/fiddly work. we recently hired a research communicator though so maybe once we're through the huge backlog of poorly-communicated material we could look at resurrecting that idea
11:01 < andytoshi> roconnor: regarding generation of shares for 3-of-n and higher, i think i've convinced myself that the most sensible thing is to make the user compute the k initial terms of the lagrange equation then add them together using the addition volvelle
11:02 < andytoshi> for 2-of-n you were able to do this trick where you just created 31 tables (or 31 volvelles) to save the user the addition step, but this doesn't generalize in a "nice" way
11:03 < andytoshi> so .. for example your "generate share C" volvelle computes p(s) * (C - A)/(S - A) + p(a) * (C - S) / (A - S), where all values are fixed except for p(s) and p(a) which the user is expected to generate
11:03 < andytoshi> and the number C is "fixed" by the user's choice of this volvelle
11:05 < andytoshi> I instead propose that for share x, the user points the volvelle to x on a "Contribution from share S" volvelle, looks up p(s) and gets p(s) * (C-A)/(S-A)
11:05 < andytoshi> then similarly points the volvelle to x on a "Contribution from share A" volvelle, looks up p(a) and gets p(a) * (C-S)/(A-S)
11:05 < andytoshi> and then adds these two results together
11:06 < andytoshi> this is more work for the user **but** it requires only 2 volvelles, not 31, and it generalizes easily to k-of-n (where it will require k volvelles rather than 2)
11:08 < andytoshi> roconnor: then for recovery, i am kinda stuck. trying to come up with a solution that (a) does not involve a combinatorially-sized "recovery table", (b) does not involve giving the user a general-purpose "multiplication volvelle" and making them go through involved linear algebra steps in a particular order
11:08 < andytoshi> ideally i'd come up with a scheme where the user does some magic with 2 shares at a time then adds the results together
11:16 < andytoshi> roconnor: for 2-of-n i do think it's reasonable to keep your existing tables, since you can fit them 4-to-a-page and as you observe they let you quickly generate multiple consecutive shares "in parallel" by reading consecutive columns
11:58 < roconnor> andytoshi: the recovery disc is a multiplication disc.
11:59 < roconnor> If you want to add up shares to create new 2-of-n shares, you should make a table like the recovery table.
12:01 < roconnor> you just need to have a table that maps new share index X |-> (X-A)/(S-A) , (X-S)/(A-S) or whatever.
12:01 < roconnor> where those ratios are printed in the greek alphabet.
12:05 < sipa> roconnor: found my bug; there are indeed 930 distinct generators which correspond to degree=13 distance=9 length=93 BCH codes over GF(32)
12:05 < sipa> the previous list was a strict subset
12:07 < roconnor> oh that is good to hear.
12:07 < roconnor> Can you paste the full list when you get a chance.
12:07 < sipa> https://0bin.net/paste/lSlJ1JPQ#gh7jkuj4sRw4yCoQWQFg+9vdZsprnn60bd4YYVImDla
12:07 < sipa> the format is different, but perhaps easier to work with?
12:07 < sipa> happy to convert
12:09 < roconnor> are gen and bch_gen always equal?
12:10 < sipa> yes
12:10 < roconnor> Actually I'd kinda like the other format in addition.
12:11 < sipa> in this list, at least (my code automatically adds all factors to extend the degree to the requested one, if the BCH generator's degree is below)
12:14 < sipa> old format: https://0bin.net/paste/LxPLiLY7#T3K9JiXvwM4apq+JoItPEIq1m-CJTCKrgPs1aVg/yn3
12:25 < roconnor> sipa: are all equivalence classes of size 10?
12:26 < sipa> indeed
12:26 < roconnor> I notice there are exactly 10 results that have triplet coefficients
12:26 < roconnor> which appear to be split into 5 that are reverses of the other 5.
12:27 < sipa> there are two transformations which don't change error detection properties (assuming error classes which affect all symbols equally)
12:27 < sipa> * reversing the order of coefficients of the generator (and then making it monic again)
12:27 < sipa> * squaring all coefficients
12:27 < sipa> the latter is the frobenius endomorphism, and it has order 5 for GF(32)
12:28 < sipa> the former obviously has order 2, except for palindromic generators, where it has order 1
12:29 < roconnor> does the squaring thing have something to do with characteristic 2?
12:29 < sipa> yes
12:30 < sipa> frobenius endomorphism maps finite fields of characteristic c to themselves, by raising every element to the cth power
12:31 < sipa> and given that it preserves addition and multiplication, it preserves polynomials
12:32 < sipa> so squaring all coefficients is equivalent to having the code work on the square roots of the errors (which, if they are uniform, doesn't change anything)
12:40 < andytoshi> 19:59 < roconnor> If you want to add up shares to create new 2-of-n shares, you should make a table like the recovery table.
12:40 < andytoshi> "add up shares to create 2-of-n shares" veeeery interesting
12:41 < andytoshi> it would be a bunch of work, but reasonably simple/repetitive work, with smallish tables, to just enable users to convert k-of-n shares to k-1 of n shares
12:44 < andytoshi> i'll spend some time thinking if i can do this
13:16 < roconnor> andytoshi: I'm just saying what you said.
13:17 < roconnor> [14:05] and then adds these two results together
13:17 < roconnor> The recovery process is essentially the same as creating new shares.
13:17 < roconnor> Just different multipliers.
13:19 < andytoshi> roconnor: i think "then you add the results together" is pretty different from "the results themselves are 'shares' from a lower-degree polynomial" :)
13:19 < andytoshi> and re "recovery is essentially the same as creating shares" ... yes, with the huge difference that during the creation process we can assume that the user has specifically the S and A shares
13:19 < andytoshi> but during recovery the user may have any of the n-choose-2 possible shares
13:20 < andytoshi> hence the recovery table and the (in my view) biggest difficulty in scaling to higher k
13:30 < roconnor> all I mean by "add up shares to create new 2-of-n shares" was " and then adds these two results together"
13:30 < roconnor> All I'm saying is that to do your scheme you should use the recovery disc and a table rather than 2 new discs.
13:32 < andytoshi> you mean, i should use the recovery disc and a table for share creation?
13:32 < andytoshi> The problem is that the table would have n-choose-k entries in it
13:35 < roconnor> For share generation if the initial shares are at S, A C D ... then for each k there is only a 1-d table mapping from new share index to coefficients for S A C D ...
13:40 < andytoshi> ah! i get it, once i've fixed k and my share index (or rather, looked them up in a reasonably-sized table), there is a fixed symbol i can turn the recovery disk to
13:41 < andytoshi> and then it will be equal to one of the new volvelles that i was proposing
13:42 < roconnor> yep.
13:42 < roconnor> I still don't have a good answer for k-of-n recovery.
13:43 < roconnor> I haven't thought about it recently. As you note, it is at least going to be possible to just do all the algebra by hand with these discs.
13:43 < andytoshi> yeah.
13:45 < andytoshi> the right solution might be to just print the giant table for 2-of-n and 3-of-n ... nobody sane is going to increase k past 3
13:45 < andytoshi> but it would be elegant if we could support arbitrary k
13:45 < andytoshi> especially given that we can do share *generation* with no new volvelles!
14:19 < roconnor> this late binding in postscript is driving me up the wall.
14:20 < andytoshi> lol, gotta remember to write `bind` before `def` everywhere
14:20 < andytoshi> (i have been really bad about that actually)
14:21 < roconnor> I don't know I've used bind and it does nothing.
14:22 < roconnor> Clearly I shouldn't be using higher order functions.
14:22 < roconnor> but it is so nice to say, write these letters and then draw a box around each letter in the following way.
14:23 < andytoshi> i'm a little surprised that bind doesn't do what you need, my impression was that it basically turned all your symbols into fixed values
14:23 < andytoshi> whereas by default it basically gives you monkeypatching on steroids where you can redefine the internals of functions before calling them
14:25 < roconnor> That's what everything I read indicates.
14:25 < roconnor> But I'm starting to think it maybe only applies to builtin functions or something.
14:25 < andytoshi> ok. i've only read stuff, i haven't actually tried it :)
14:25 < roconnor> I've never gotten bind to do anything meaningful.
14:26 < roconnor> certainly binding variables would have been a useful thing.
14:27 < andytoshi> it may be some sort of deep/shallow copy thing
14:27 < andytoshi> where you are "binding" a variable to a fixed memory location but then you can still modify the data at that location
14:27 * andytoshi just speculating
14:28 < roconnor> I've added some tiny numbers to the checksum worksheet.
14:29 < roconnor> I still kinda want to add notches every 4 letters.
14:29 < roconnor> actually I still need to stick that ms1 out front.
14:29 < roconnor> ugh which means my numbers are wrong.
14:29 < roconnor> okay I can fix that.
15:01 < andytoshi> i think, my project of "reducing the degree" of shares, as an intermediate recovery step, is not going to work. at least not without operating on 3+ shares at once
15:03 < roconnor> Really?
15:04 < roconnor> Bezier curves work that way.
15:04 < andytoshi> bezier curves don't have a single polynomial equation that describes them though do they?
15:04 < roconnor> they do, they are simple polynomials.
15:04 < andytoshi> oh, lemme read up on them then
15:05 < roconnor> they use the bernstein basis instead of the lagrange basis.
15:05 < roconnor> They interpolate in a similar way, except they don't pass through the control points.
15:05 < roconnor> but maybe if you do a change of basis.
15:06 < roconnor> and then you can do a bunch of repeated, bezier-like linear interpolation
15:06 < roconnor> and get the result.
15:06 < roconnor> maybe.
15:06 < roconnor> That's a lot of hand waving.
15:09 < andytoshi> sure, but it's a helpful direction. i was trying to find such a basis on my own, but these polynomials quickly start to look messy and there aren't a lot of forced moves
15:16 < roconnor> https://en.wikipedia.org/wiki/De_Casteljau%27s_algorithm
15:19 < roconnor> I don't know. Even if this method was helpful, converting to a Bernstein basis probably involves at least as much work as hand calculating the required coefficients.
15:21 < andytoshi> Yeah, I think so -- and converting bases requires using all the shares at once typically (i.e. the coefficients you are multiplying by are a linear combination of all the share values)
15:21 < andytoshi> which either means unreasonably large tables or quadratic-many volvelle uses
15:21 < roconnor> I suppose we could store the shares in a bernstein basis instead of a "lagrange" basis. That is a scary idea.
15:21 < andytoshi> and i can directly do the lagrange interpolation with quadratically many volvellings
15:22 < roconnor> that probably has bad consequences. The position of the control point would depend on the threshold.
15:22 < andytoshi> lol, that is a scary idea. i guess there's no reason that it shouldn't work .. although we should be careful that these basis polynomials make sense in characteristic 2
15:22 < roconnor> so you couldn't add more shares "for free" like you expect.
15:49 < andytoshi> shitty
15:50 < andytoshi> i'm also not sure how easy share creation would be
15:50 < andytoshi> if we were going to switch bases at all i think the easiest basis for recovery would be the 1,x,x^2,... basis :)
15:51 < andytoshi> in any case ... stealing random polynomial tricks from that wikipedia page did not get me anywhere on recovery
15:51 < andytoshi> i think my next approach will be to start from the manual lagrange polynomial computation and try to "jet out" steps with volvelles and see if i can reduce the asymptotic time
15:56 < andytoshi> ah i guess it's gonna be quadratic no matter what .. if i try to produce entire lagrange basis polynomials in one shot, i run into a problem because there are combinatorially many of them
15:56 < andytoshi> but if i compute them, that's gonna require O(k) multiplications
15:56 < andytoshi> and I'm gonna need to add O(k) of them together
15:57 < andytoshi> But ... I can do it entirely with a 32x32 lookup table and the existing add/mult volvelles
15:58 < andytoshi> roconnor: how do you feel about replacing the symbols on the recovery wheel with normal bech32 symbols, and renaming it Multiplication?
16:02 < andytoshi> It definitely seems like it could increase the chance for user confusion .. the symbols were nice because they forced you to do things in the correct order
16:08 < andytoshi> We could also just provide a top wheel that has the symbols on it, which you could combine with the recovery bottom wheel. then for "normal" 2-of-n or 3-of-n users they can just look up their recovery symbols from the table, and only 4+-of-n users would need this extra multiplication disc to build their symbols
16:11 < andytoshi> I think I like that. It means that, during recovery, there is basically only one way for users to use the volvelles. Similarly during share creation, if we use the recovery disk, there is only one way to use them
16:11 < andytoshi> or at least, a greatly reduced set of possibilities
16:12 < andytoshi> otherwise users have a pile of random-looking bech32 characters, some of which are data, some of which are indices, some of which are intermediates ... and they have to correctly funnel them through a long series of arbitrary-looking steps
16:13 < andytoshi> So my proposal is:
16:13 < andytoshi> 1. Rename "Recovery" to "Recovery/Creation"
16:13 < andytoshi> 2. Replace the "Create Share C"/"Create Share D" instructions with a table mapping (k, share index) -> symbol and instructions for using the recovery/creation wheel to make shares
16:14 < andytoshi> 2a. Leave the 2-of-n tables in place (except transpose them, as i think you intend to do, so that consecutive share characters appear below each other rather than next to each other). Describe this as an alternate scheme which is simpler and faster, but only supports 2-of-n and is less fun
16:15 < andytoshi> 3. Add a recovery table for 3-of-n. Clean up the recovery table for 2-of-n
16:16 < andytoshi> 4. At the end of the booklet, provide instructions for doing 4-of-n using a bonus "symbol multiplication wheel" and a table mapping (x,y) -> (S+y)/(x+y) which will let them build their own "recovery symbols" i.e. lagrange basis polynomials
16:16 < andytoshi> and I guess, in the "(k, share index)->symbol" table from step (2), warn that recovery for k=4+ will involve extra steps and is only recommended if you know what you're doing
16:16 < andytoshi> fin
16:37 < roconnor> sounds reasonable.
16:38 < roconnor> what is 32 choose 3?
16:38 < roconnor> 4960
16:38 < roconnor> not so bad.
16:48 < andytoshi> I think we only need 31 choose 3, which is the same order of magnitude
16:49 < andytoshi> since S is not an allowable share
17:50 < roconnor> Right. 4495
19:32 < roconnor> I kinda think 94.3 is a slightly better magic angle than 94.
19:33 < roconnor> but maybe not worth changing.
19:34 < roconnor> I've been thinking that angles of the form 11.25*(i +/- phi) are good angles.
19:35 < roconnor> I bring this up because I was trying to eliminate 2 items from the recovery wheel to make spin around 30 entries.
19:36 < roconnor> but the top disc cover is at a bad angle for that.
19:36 < roconnor> (PS, a good angle for both 30 and 32 is 139.35 ;)
19:37 < roconnor> anyhow I think I'll just keep two "dummy" entries in the recovery disc.
19:57 -!- CrashTestDummy2 [~CrashTest@ool-ad02813b.dyn.optonline.net] has joined #bitcoin-wizards 19:59 -!- CrashTestDummy [~CrashTest@ool-ad02813b.dyn.optonline.net] has quit [Ping timeout: 245 seconds] 20:25 -!- AaronvanW [~AaronvanW@190.53.113.19] has joined #bitcoin-wizards 20:57 -!- AaronvanW [~AaronvanW@190.53.113.19] has quit [Ping timeout: 245 seconds] 21:09 -!- jtrag [~jtrag@user/jtrag] has quit [Remote host closed the connection] 21:10 -!- jtrag [~jtrag@user/jtrag] has joined #bitcoin-wizards 21:21 -!- jtrag [~jtrag@user/jtrag] has quit [Remote host closed the connection] 21:22 -!- jtrag [~jtrag@user/jtrag] has joined #bitcoin-wizards 21:37 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has quit [Remote host closed the connection] 21:37 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has joined #bitcoin-wizards 21:37 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has quit [Client Quit] 21:39 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has joined #bitcoin-wizards 21:40 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has quit [Client Quit] 21:41 -!- kexkey [~kexkey@static-198-54-132-133.cust.tzulo.com] has quit [Quit: kexkey] 21:42 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has joined #bitcoin-wizards 21:43 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has quit [Client Quit] 21:45 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has joined #bitcoin-wizards 21:48 -!- AaronvanW [~AaronvanW@190.53.113.19] has joined #bitcoin-wizards 21:51 -!- kexkey [~kexkey@static-198-54-132-133.cust.tzulo.com] has joined #bitcoin-wizards 22:22 -!- AaronvanW [~AaronvanW@190.53.113.19] has quit [Ping timeout: 268 seconds] 22:26 -!- tromp [~textual@dhcp-077-249-230-040.chello.nl] has joined #bitcoin-wizards 22:37 -!- tromp [~textual@dhcp-077-249-230-040.chello.nl] has quit [Quit: My iMac has 
gone to sleep. ZZZzzz…] 22:49 -!- AaronvanW [~AaronvanW@190.53.113.19] has joined #bitcoin-wizards 22:51 < roconnor> andytoshi: It maybe because it is 2am here and I can't think straight, but I think I cracked k-of-n recovery. 22:51 < roconnor> First let's review 2-of-n recovery. 22:51 < roconnor> you have two shares. Let's call them share A and share Z. 22:52 < roconnor> Starting with share A 22:53 < roconnor> using a still to be made disc that implements the Recovery Table, you turn the dial to the *other* share Z. 22:54 < roconnor> look up A in that window to get the multiplier for the A share. Let's say the omega, ω multiplier comes out. 22:54 < roconnor> You use the recovery disc to multiply every entry from the A share by ω. 22:55 < roconnor> And get a share, let's call it A0. 22:55 < roconnor> Next you repeat the process to find the multiplier for the Z share. 22:55 < roconnor> you turn the dial to hte *other* share A. 22:56 < roconnor> lookup Z in that window to get the multiplier for the Z share. Let's say it is ξ. 22:57 < roconnor> Again use use the recovery disc to multiply very entry from the A share by ξ. 22:57 < roconnor> er you multiply every entry from the Z share by ξ. 22:58 < roconnor> And you get a share, let's call it Z0. 22:58 < roconnor> Now you add A0 to Z0 and you get your secret share. 22:58 < roconnor> Okay so here the plank for 3-of-n recovery. 22:58 < roconnor> *plan 22:58 < roconnor> Let's say we have shares A W and Z. 22:58 < roconnor> We start with share A. 22:59 < roconnor> using the same Recovery table we turn the dial to one of the other shares, say W. 22:59 < roconnor> look up its symbol and multiply the A share by that symbol to get A0 22:59 < roconnor> now we turn the dial to Z and again lookup the A entry 22:59 < roconnor> and we get a symbol. 23:00 < roconnor> We multiply the A0 share by this symbol to get an A1 share. 23:00 < roconnor> Next we move to the W share. 
23:00 < roconnor> turn the recovery table to the other share A, lookup the W entry's symbol. 23:00 < roconnor> multiply the W share by that symbol to get W0 23:01 < roconnor> turn the recovery table to the other share Z, lookup the W entry's symbol. 23:01 < roconnor> multiply the W0 share by that to get W1. 23:01 < roconnor> Repeat the process on the Z share to get Z0 and Z1. 23:01 < roconnor> Finally add up A1 W1 and Z1 to recover your secret share. 23:02 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has quit [Quit: ArchibaldTuttle] 23:03 < plank> not often i get highlighted here 23:04 -!- tromp [~textual@dhcp-077-249-230-040.chello.nl] has joined #bitcoin-wizards 23:04 < roconnor> Basically the recovery table contains the value of `(S - X)/(Y-X)` where X bottom disc dialed value and Y is the top disc value. 23:04 < roconnor> in symbol form. 23:05 < roconnor> plank: sorry for the typo. 23:05 < plank> lol no worries 23:07 < roconnor> andytoshi: that all said, having a giant 3-of-n table is still probably a good idea. It will cut the work in half. 23:07 < roconnor> for that common case. 23:11 < roconnor> Also, having a symbol to symbol multiplication disc would let you combine symbols, and reduce the amount of work you need to from quadratic in k to linear in k. 23:11 < roconnor> so we'll probably want to do that. 
23:21 -!- AaronvanW [~AaronvanW@190.53.113.19] has quit [Ping timeout: 268 seconds] 23:31 -!- ArchibaldTuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has joined #bitcoin-wizards 23:31 -!- ArchibaldTuttle is now known as atuttle 23:32 -!- atuttle [~Archibald@static-198-54-131-168.cust.tzulo.com] has quit [Client Quit] 23:33 -!- atuttle [~atuttle@static-198-54-131-168.cust.tzulo.com] has joined #bitcoin-wizards 23:36 -!- atuttle [~atuttle@static-198-54-131-168.cust.tzulo.com] has quit [Client Quit] 23:53 -!- jtrag [~jtrag@user/jtrag] has quit [Read error: Connection reset by peer] 23:54 -!- jtrag [~jtrag@user/jtrag] has joined #bitcoin-wizards --- Log closed Sat Nov 27 00:00:44 2021