2016-08-08.log

--- Log opened Mon Aug 08 00:00:19 2016
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]		00:03
-!- BashCo [~BashCo@unaffiliated/bashco] has joined #bitcoin-wizards		00:09
-!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]		00:23
-!- da2ce7_mobile [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]		00:23
-!- laurentmt [~Thunderbi@80.215.138.34] has joined #bitcoin-wizards		00:28
-!- da2ce7_mobile [~da2ce7@opentransactions/dev/da2ce7] has joined #bitcoin-wizards		00:31
-!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has joined #bitcoin-wizards		00:33
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		00:34
-!- JackH [~Jack@79-73-188-45.dynamic.dsl.as9105.com] has joined #bitcoin-wizards		00:35
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 265 seconds]		00:38
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards		00:41
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		00:42
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 258 seconds]		00:47
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 250 seconds]		00:50
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards		00:50
-!- da2ce7_mobile [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]		00:54
-!- FNinTak [~jonhbit@tsarviajado.media.mit.edu] has quit [Quit: Leaving]		00:56
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 258 seconds]		00:57
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards		00:57
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		00:59
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]		01:04
-!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has quit [Quit: ZNC - http://znc.in]		01:05
-!- da2ce7 [~da2ce7@opentransactions/dev/da2ce7] has joined #bitcoin-wizards		01:14
-!- arowser [~quassel@106.120.101.38] has quit [Quit: No Ping reply in 180 seconds.]		01:17
-!- arowser [~quassel@106.120.101.38] has joined #bitcoin-wizards		01:18
-!- pro [~pro@unaffiliated/pro] has joined #bitcoin-wizards		01:33
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has quit [Ping timeout: 258 seconds]		01:53
-!- TheSeven [~quassel@rockbox/developer/TheSeven] has joined #bitcoin-wizards		01:57
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 276 seconds]		02:08
-!- Giszmo [~leo@ip5f5ac08d.dynamic.kabel-deutschland.de] has joined #bitcoin-wizards		02:18
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Quit: :)]		02:22
-!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has quit [Excess Flood]		02:28
-!- jonasschnelli [~jonasschn@unaffiliated/jonasschnelli] has joined #bitcoin-wizards		02:29
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		02:42
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards		02:42
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has joined #bitcoin-wizards		02:46
-!- toktok [~tim@37.139.12.32] has joined #bitcoin-wizards		02:46
-!- Jaamg [jhpiloma@brute.org.aalto.fi] has quit [Remote host closed the connection]		03:01
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		03:01
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]		03:06
-!- aalex [~aalex@64.187.177.58] has quit [Ping timeout: 244 seconds]		03:14
-!- aalex [~aalex@64.187.177.58] has joined #bitcoin-wizards		03:15
-!- edvorg [~edvorg@14.169.57.10] has joined #bitcoin-wizards		03:20
Taek	One-time costs can sort of be reasoned about as the ultimate extension of the hardware vs operation cost structure	03:24
Taek	Quantum hashing for example poses a risk, because if one company puts down (in stealth mode) hundreds of millions in R&D over the course of like 5 years, and then they release an ASIC, they've got a full monopoly on hashing until some other group can slug through the same up-front cost	03:25
Taek	and the first-to-market will have that X years of dominant income that nobody else will ever have, their amortization will perpetually be ahead	03:25
-!- toktok [~tim@37.139.12.32] has quit [Quit: leaving]		03:26
Taek	granted, I think it's pretty safe to say that if someone like BitFury were to announce a monopoly-grade ASIC, Bitcoin would threaten with a hardfork, and follow through if the tech was not made accessible to everyone	03:26
-!- rubensayshi [~ruben@82.201.93.169] has joined #bitcoin-wizards		03:36
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards		03:41
-!- thesnark [~mike@unaffiliated/thesnark] has joined #bitcoin-wizards		04:01
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		04:02
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 264 seconds]		04:02
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 240 seconds]		04:06
-!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has joined #bitcoin-wizards		04:16
-!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has quit [Remote host closed the connection]		04:26
-!- chjj [~chjj@unaffiliated/chjj] has quit [Ping timeout: 244 seconds]		04:40
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 276 seconds]		04:41
-!- stonecoldpat [~a9380004@janus-nat-128-240-225-56.ncl.ac.uk] has quit [Read error: Connection reset by peer]		04:54
-!- chjj [~chjj@unaffiliated/chjj] has joined #bitcoin-wizards		04:54
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		04:57
waxwing	trying to grok MW, seems like sender will have to send blinding factors and amount, and then receiver can construct and attach kG signature, so it's kind of very weakly interactive? there aren't really round trips are there?	04:59
waxwing	0.5 RT?	04:59
-!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has joined #bitcoin-wizards		05:00
Taek	That's also what I understood. Perhaps not technically interactive, but the reciever does need to be performing some action	05:01
Taek	receiver could theoretically be offline though: email	05:01
Taek	I guess there's a kind of bonus. The sender can redact the send if the receiver never collects	05:02
waxwing	right, it's certainly not nothing, if that's a correct characterisation.	05:02
Taek	so, you'd never send money to a mis-typed address, because the receiver would never collect	05:02
-!- dEBRUYNE_ [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards		05:02
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Ping timeout: 250 seconds]		05:04
-!- malte [Qcpr92R2DN@alkaid.uberspace.de] has quit [Max SendQ exceeded]		05:09
-!- malte [2MBzcfp3WB@alkaid.uberspace.de] has joined #bitcoin-wizards		05:10
-!- edvorg [~edvorg@14.169.57.10] has quit [Remote host closed the connection]		05:13
-!- edvorg [~edvorg@14.169.57.10] has joined #bitcoin-wizards		05:16
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has joined #bitcoin-wizards		05:27
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 276 seconds]		05:29
-!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has quit [Remote host closed the connection]		05:47
-!- byteflame [~byteflame@70-89-65-45-little-rock-ar.hfc.comcastbusiness.net] has joined #bitcoin-wizards		05:47
-!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has joined #bitcoin-wizards		05:47
-!- domwoe [~domwoe@209-6-39-253.c3-0.smr-ubr2.sbo-smr.ma.cable.rcn.com] has quit [Ping timeout: 244 seconds]		05:52
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		05:57
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		06:02
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]		06:07
-!- laurentmt [~Thunderbi@80.215.138.34] has quit [Ping timeout: 240 seconds]		06:17
-!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has joined #bitcoin-wizards		06:27
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 276 seconds]		06:31
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		06:35
-!- dEBRUYNE_ is now known as dEBRUYNE		06:37
-!- laurentmt [~Thunderbi@80.215.234.129] has joined #bitcoin-wizards		06:53
-!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has joined #bitcoin-wizards		06:57
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards		06:57
-!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 250 seconds]		07:01
-!- Tiraspoll is now known as Tiraspollll		07:23
-!- stonecoldpat [~a9380004@janus-nat-128-240-225-56.ncl.ac.uk] has joined #bitcoin-wizards		07:27
-!- MoALTz [~no@78-11-183-124.static.ip.netia.com.pl] has joined #bitcoin-wizards		07:46
-!- Emcy [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards		07:48
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		07:54
-!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has joined #bitcoin-wizards		07:54
-!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has quit [Remote host closed the connection]		08:02
-!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has joined #bitcoin-wizards		08:02
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		08:03
-!- domwoe_ [~domwoe@dhcp-18-189-35-89.dyn.mit.edu] has joined #bitcoin-wizards		08:05
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 276 seconds]		08:06
-!- domwoe [~domwoe@dhcp-18-189-35-89.dyn.MIT.EDU] has quit [Ping timeout: 276 seconds]		08:07
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 258 seconds]		08:08
kanzure	http://diyhpl.us/wiki/transcripts/mimblewimble-podcast/	08:11
-!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 240 seconds]		08:12
-!- Noldorin [~noldorin@unaffiliated/noldorin] has joined #bitcoin-wizards		08:15
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]		08:16
-!- BashCo [~BashCo@unaffiliated/bashco] has quit [Remote host closed the connection]		08:18
domwoe_	awesome kanzure!	08:19
-!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has joined #bitcoin-wizards		08:28
-!- Ylbam [uid99779@gateway/web/irccloud.com/x-eoeeyhtxichmgjyj] has joined #bitcoin-wizards		08:30
bsm117532	Nice, thanks kanzure!	08:30
-!- bildramer [~bildramer@ppp-94-67-116-162.home.otenet.gr] has quit [Ping timeout: 244 seconds]		08:30
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		08:36
-!- BashCo [~BashCo@unaffiliated/bashco] has joined #bitcoin-wizards		08:38
-!- laurentmt [~Thunderbi@80.215.234.129] has quit [Quit: laurentmt]		08:45
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 244 seconds]		08:45
-!- rubensayshi [~ruben@82.201.93.169] has quit [Remote host closed the connection]		08:47
-!- zooko [~user@c-73-217-16-2.hsd1.co.comcast.net] has joined #bitcoin-wizards		08:50
-!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards		08:55
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		08:58
-!- Sleepnbum [Sleepnbum@72.67.47.196] has joined #bitcoin-wizards		09:02
kanzure	.title https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-August/012948.html	09:13
yoleaux	[bitcoin-dev] Hiding entire content of on-chain transactions	09:13
-!- domwoe_ [~domwoe@dhcp-18-189-35-89.dyn.mit.edu] has quit [Remote host closed the connection]		09:14
kanzure	https://bitcointalk.org/index.php?topic=1574508.0	09:15
maaku	aka colored coins	09:17
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 276 seconds]		09:18
-!- dEBRUYNE_ [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards		09:18
kanzure	why is this claiming that you can't do OP_RETURN taint analysis?	09:19
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Ping timeout: 265 seconds]		09:21
-!- domwoe [~domwoe@dhcp-18-189-27-226.dyn.MIT.EDU] has joined #bitcoin-wizards		09:33
-!- domwoe [~domwoe@dhcp-18-189-27-226.dyn.MIT.EDU] has quit [Client Quit]		09:33
-!- dEBRUYNE_ is now known as dEBRUYNE		09:37
-!- Greybits [~Greybits@unaffiliated/greybits] has quit [Ping timeout: 244 seconds]		09:43
-!- jaekwon [~jaekwon@2601:645:c001:263a:cd83:70eb:992c:718c] has joined #bitcoin-wizards		09:56
-!- N0S4A2 [~weechat@174.127.172.104] has joined #bitcoin-wizards		10:03
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		10:04
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 265 seconds]		10:09
andytoshi	waxwing: yes, 0.5 RT between sender and receiver	10:19
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		10:25
-!- edvorg [~edvorg@14.169.57.10] has quit [Ping timeout: 244 seconds]		10:27
waxwing	andytoshi: so your (k+k') trick, i have trouble understanding, is the idea that k' is publically known?	10:27
waxwing	oh i think i get it from reading the copied chat log	10:30
andytoshi	waxwing: the idea is that after merging, only (k + k') is publicly known	10:33
andytoshi	but i'm thinking now that maybe all both of k, k' should be kept around while the transactions are in transit, so that when people try to merge overlapping transactions they're able to cancel out the intersection	10:34
-!- pro [~pro@unaffiliated/pro] has quit [Ping timeout: 264 seconds]		10:34
andytoshi	this exposes the original transactions to monitors	10:34
-!- pro [~pro@unaffiliated/pro] has joined #bitcoin-wizards		10:34
andytoshi	to avoid this, you'd have to send your tx to at most one aggregation service (hopefully there'd be several) .. and this service could even interact with you to merge the kG values as well	10:35
waxwing	i'm lost at why (k+k') is public; i thought the idea was to publish kG and k' ?	10:37
waxwing	then the network can sum the k'Gs and add it in	10:37
andytoshi	waxwing: oh sorry, i'm overloading notation	10:38
-!- execute [~execute@52.68.0.151] has quit [Ping timeout: 244 seconds]		10:40
andytoshi	waxwing: lemme restart from your first question :)	10:42
andytoshi	yes. k' is publicly known	10:42
andytoshi	then if you have a second transaction with k2G and k2'	10:42
andytoshi	you can combine the transaction and you have kG, k2G, (k' + k2')	10:43
waxwing	right	10:43
andytoshi	and the latter -sum- is the only thing that's publicly known, and given only this, you can't know k' or k2', and you therefore can't discern the original transaciton boundaries	10:43
waxwing	i see, like hiding in the addition, so that's why you're talking about "aggregation service"	10:44
andytoshi	yeah	10:45
-!- Ylbam [uid99779@gateway/web/irccloud.com/x-eoeeyhtxichmgjyj] has quit [Quit: Connection closed for inactivity]		10:45
andytoshi	so the problem (and also a problem with OWAS like what the first anonymous guy did) is if i have transactions A, B, C and you have transactions A, B, D and we both give these to a miner	10:46
andytoshi	the miner is sorta screwed, he can't combine these, he has to pick one	10:46
andytoshi	but if everyone avoided doing the summing (and privacy conscious people -only- used a service that privately did the summing before broadcasting anything at all), you could avoid this	10:46
andytoshi	at the cost of privacy, ofc	10:46
waxwing	i guess there's no way to throw other nums basepoints at this since the whole point is that all the k-s are supposed to be in the same summation set.	10:48
waxwing	proslogion was just reminding me about proof of discrete log equivalence, hmm	10:49
-!- jannes [~jannes@178.132.211.90] has quit [Quit: Leaving]		10:50
andytoshi	i've thought about this a bit but i haven't come up with anything	10:51
-!- proslogion [~proslogio@130.159.61.235] has joined #bitcoin-wizards		10:53
-!- pro [~pro@unaffiliated/pro] has quit [Quit: Leaving]		10:55
-!- pro [~pro@unaffiliated/pro] has joined #bitcoin-wizards		10:56
-!- zooko [~user@c-73-217-16-2.hsd1.co.comcast.net] has quit [Ping timeout: 264 seconds]		11:05
-!- N0S4A2 [~weechat@174.127.172.104] has quit [Quit: WeeChat 1.5]		11:09
maaku	https://eprint.iacr.org/2015/1028.pdf	11:10
-!- mdavid6131 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards		11:13
-!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Ping timeout: 265 seconds]		11:15
@gmaxwell	maaku: these schemes for incremental hashing do not support efficient membership proofs, right?	11:19
-!- jaekwon [~jaekwon@2601:645:c001:263a:cd83:70eb:992c:718c] has quit [Remote host closed the connection]		11:20
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		11:22
bsm117532	I'm not aware of one that does, I've also looked into this. I'd also like to find one that was constant size.	11:22
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 260 seconds]		11:24
-!- maaku [~quassel@173-228-107-141.dsl.static.fusionbroadband.com] has left #bitcoin-wizards ["http://quassel-irc.org - Chat comfortably. Anywhere."]		11:25
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 250 seconds]		11:26
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Ping timeout: 265 seconds]		11:28
bsm117532	I've been wondering if there's an information-theoretic argument that an incremental hash function must be log(n) in terms of the number of stored elements, as this seems to be the case in the paper maaku linked.	11:28
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has joined #bitcoin-wizards		11:29
-!- mn3monic_ [~guido@176.9.68.68] has joined #bitcoin-wizards		11:50
-!- o3u [o3u@unaffiliated/o3u] has joined #bitcoin-wizards		11:50
-!- so_ [~so@unaffiliated/so] has joined #bitcoin-wizards		11:50
-!- livegnik_ [~livegnik@bnw.7c0.nl] has joined #bitcoin-wizards		11:50
-!- Netsplit .net <-> .split quits: BonyM, mn3monic, Fistful_of_Coins, luke-jr, so, livegnik, RedEmerald, Guyver2, mr_burdell		11:50
-!- Netsplit over, joins: mr_burdell		11:50
-!- Netsplit over, joins: RedEmerald		11:50
-!- Netsplit over, joins: luke-jr		11:51
-!- BonyM1 [~BonyM-I@ua-83-227-211-4.cust.bredbandsbolaget.se] has joined #bitcoin-wizards		11:52
-!- qpm [~qpm@unaffiliated/midnightmagic/bot/qpm] has quit [Ping timeout: 240 seconds]		11:52
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has joined #bitcoin-wizards		11:53
-!- qpm [~qpm@unaffiliated/midnightmagic/bot/qpm] has joined #bitcoin-wizards		11:54
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		12:05
-!- proslogion [~proslogio@130.159.61.235] has quit [Ping timeout: 240 seconds]		12:08
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 250 seconds]		12:09
-!- bildramer [~bildramer@80.106.204.148] has joined #bitcoin-wizards		12:17
-!- bildramer [~bildramer@80.106.204.148] has quit [Read error: Connection reset by peer]		12:20
-!- bildramer [~bildramer@80.106.204.148] has joined #bitcoin-wizards		12:29
Taek	I've thought some about the monitor issue with regards to OWAS/JoinMarket/MW/etc, and perhaps you could do some peer assignment	12:38
Taek	meaning, you have some method for selecting peers each block that are in charge of merging everything	12:39
Taek	you let those peers access (as little as possible) the de-anonymizing data, and then rely on them to merge everything into one giant transaction without sharing the data	12:39
Taek	maybe you also slip them a little something in transaction fees	12:40
Taek	sometimes monitors/enemies will end up as the selected peer / one of the selected peers	12:40
Taek	but this is still better than situations where the monitor gets to view most everything all of the time	12:40
Taek	and, a lot of forensics really relies on being able to see multiple steps	12:40
Taek	if a monitor is only able to view the transaction history every other block, it's more likely that they will have critical gaps which prevent them from doing full de-anonymization	12:41
Taek	The method for selecting peers would need some Sybil resistence, and given the miner centralization I would not use PoW to determine who to choose as the de-anonymizer	12:43
Taek	plus you'd have to accept a DoS vulnerability, as occasionally peers may refuse to participate without you realizing that you should move on to the next peer	12:44
Taek	Maybe you could employ some sort of WoT technique. You ~approx trust the 8 peers you are connected to, so you sign off on their uptime/reliability. Every node does this, so you can form an approximate graph of the network based on peer uptime	12:45
Taek	you can ignore any weightings over N hops, perhaps 2.	12:45
Taek	This gives you some resistance to Sybil attacks. Then you have some technique for using the peer id (either a pubkey or an ip address) and the hash of the most recent block for determining which has the highest score	12:46
Taek	If your pool is 8^3 large, and most of those nodes have high uptime, there's a good chance that a large number of other nodes are sending the winner transactions as well	12:47
Taek	(handwave)	12:47
Taek	Then you still need the winning nodes to have a way to talk to eachother and combine transactions, but at that point the anonymity set is greatly improved	12:48
instagibbs	Trusted mixers will most likely work fine, imo.	12:49
waxwing	like Bitcoin VPNs? :)	12:50
instagibbs	Guard Nodes, but for aggregating transactions	12:50
instagibbs	Run them over Tor, on a hardened HSM	12:50
* instagibbs handwaves		12:51
instagibbs	Any wallets with co-signing services already get a bunch of protection, and why wouldn't each service gossip to each other first before releasing batches, etc.	12:52
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		12:55
-!- MoALTz [~no@78-11-183-124.static.ip.netia.com.pl] has quit [Quit: Leaving]		13:00
Taek	Would be interesting to have something like guard node HSMs that get distributed by a company like Blockstream, where the HSM public key is signed by multiple members of the ecosystem	13:05
Taek	then all transactions get encrypted such that only the HSM can decrypt them	13:05
kanzure	you mean PKI things?	13:08
kanzure	er, CA things	13:08
Taek	similar, except that the CA in this case is authenticating an HSM instead of a tls key	13:09
andytoshi	neat, so the idea is that encrypted transactions go out, the HSMs are the only ones that can decode these, and they only output merged transactions	13:12
Taek	yeah. With the idea being that an adversary with an HSM is not going to be able to use it to figure out what the decrypted inputs are	13:13
Taek	I'm not sure how hard it is to pull the key out of an HSM	13:13
andytoshi	for a proper HSM you need an electron microscope and you need to know how to dissemble it without it triggering key erasure	13:13
andytoshi	you could also do this in a way that you can detect if an HSM has not included your transaction (and won't), then you can encrypt to another HSM without worrying about causing conflicts	13:16
kanzure	i wonder if you could make it so that for transaction merging you could split it among multiple machines without any machine seeing the pre-merged transaction itself	13:16
kanzure	er, see the entire pre-merged transactions	13:17
Taek	oh hmm. So you give an output to 1 machine, another output to another, input to another, etc, and then when they all combine they get the right answer?	13:17
Taek	seems easy to DoS though, just make a transaction that's missing an output	13:18
kanzure	like all denial-of-service problems this one can be solved by requiring a fee	13:18
-!- marcinja [~marcinja@dhcp-18-111-88-96.dyn.mit.edu] has joined #bitcoin-wizards		13:23
nickler	There's probably no need to trust the HSM. There are lots of protocols that prevent revealing input/output relationships the the centralized mixer like coinshuffle++ or tumblebit. With mimblewimble they can probably be simplified.	13:25
waxwing	good point, but coinshuffle++ has a fair amount of interactivity right (dc-net)	13:26
-!- zooko [~user@73.95.139.83] has joined #bitcoin-wizards		13:27
instagibbs	reintroducing interactivity makes baby Voldemort cry	13:29
waxwing	just thinking, why not have a ring signature over multiple kG values?	13:29
kanzure	instagibbs: some forms of interactivity are tolerable, like in p2p transactions before broadcast, might not be end of world	13:31
-!- zooko` [~user@c-73-14-173-69.hsd1.co.comcast.net] has joined #bitcoin-wizards		13:39
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has quit [Quit: Leaving]		13:40
-!- zooko [~user@73.95.139.83] has quit [Ping timeout: 265 seconds]		13:40
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards		13:43
nsh	andytoshi, would it be possible to create a MW-merged transaction of [some subset of] existing alpha-CT blockchain retrospectively?	13:44
-!- dgenr8 [~dgenr8@unaffiliated/dgenr8] has quit [Ping timeout: 240 seconds]		13:46
-!- contrapumpkin is now known as copumpkin		13:47
andytoshi	nsh: nope, unfortunately, becuase the exsting alpha-CT chain uses scriptsigs for authentication	13:48
* nsh nods		13:50
-!- LeMiner2 [LeMiner@unaffiliated/leminer] has quit [Read error: Connection reset by peer]		13:55
-!- LeMiner2 [LeMiner@5ED1AFBF.cm-7-2c.dynamic.ziggo.nl] has joined #bitcoin-wizards		13:55
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has joined #bitcoin-wizards		14:00
-!- dgenr8 [~dgenr8@unaffiliated/dgenr8] has joined #bitcoin-wizards		14:02
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		14:05
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]		14:08
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 276 seconds]		14:10
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		14:24
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		14:26
-!- byteflame [~byteflame@70-89-65-45-little-rock-ar.hfc.comcastbusiness.net] has quit [Ping timeout: 260 seconds]		14:27
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]		14:30
-!- bildramer [~bildramer@80.106.204.148] has quit [Ping timeout: 276 seconds]		14:31
-!- marcinja [~marcinja@dhcp-18-111-88-96.dyn.mit.edu] has quit [Remote host closed the connection]		14:35
-!- bildramer [~bildramer@ppp-94-67-125-5.home.otenet.gr] has joined #bitcoin-wizards		14:35
nsh	as a node syncing with MW, i construct eventually from honest nodes a chain that has all explicit inputs, a current UTXOset in the form of pederson commitments, with merkle proofs that each commitment reallocated r-values representing spending authority in such a way that ownership of spendable r-values derive ultimately from explicit inputs through a series of steps [of indeterminate number] keepin	14:40
nsh	g total value invariant?	14:40
nsh	and i settle upon this chain because it has the longest PoW still?	14:40
nsh	the k-values i get with the latest block allow me to prove that the commitments sum to zero and there is a non-inflationary history from genesis	14:41
nsh	but i am aghostic of the possible histories in terms of ownership [re]allocation and output age	14:42
nsh	however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output	14:43
nsh	is that roughly accurate, andytoshi?	14:43
nsh	as far as i'm concerned the genesis could have been followed by a single block that merged all the transactions, but i know the extent of history still from block height [assuming things about block discovery time distribution] and i know something about the complexity of the transaction graph from the merkle proofs and cumulative k-values?	14:45
nsh	[as far as i'm concerned regarding non-inflation and non-theft]	14:46
-!- proslogion [~proslogio@2.217.2.220] has joined #bitcoin-wizards		14:46
proslogion	it's perhaps trivial, that if everyone using mimblewimble signs with the same nonce, then all k_n*G signatures can be aggregated into one	14:47
proslogion	which of course has serious problems	14:47
cjd	oh cool mw conversaion :D	14:50
bsm117532	How do forks work with MW? Does one choose to keep a (sub)set of past blocks, and then discard them when you're reasonably sure that a reorg can't happen? Is there a danger that history is lost and a reorg can't be performed?	14:51
cjd	bsm117532: AFAICT you can basically just scrap everything and revalidate from zero if there is a reorg	14:51
cjd	22:40 < nsh> and i settle upon this chain because it has the longest PoW still? <-- yes	14:52
cjd	22:43 < nsh> however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output <-- no because the transaction outputs are unglued from the inputs and unglued from the block, all you know is that they're valid	14:53
-!- Emcy_ [~MC@cpc3-swan1-0-0-cust1003.7-3.cable.virginm.net] has joined #bitcoin-wizards		14:53
-!- Emcy_ [~MC@cpc3-swan1-0-0-cust1003.7-3.cable.virginm.net] has quit [Changing host]		14:53
-!- Emcy_ [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards		14:53
cjd	I am speaking from what I understand, I might also be very wrong	14:54
sipa	cjd: if you have 'merged' multiple blocks together, you don't have the ability to only validate part of it	14:54
sipa	you could download it again from the network of course, assuming someone kept the non-merged blocks	14:54
cjd	You have only outputs in memory and you just reorg the header chain then add everything up, no?	14:55
sipa	but you don't know the outputs that were spent by the blocks that are reorged	14:55
-!- Ylbam [uid99779@gateway/web/irccloud.com/x-egccbcfottwkanyi] has joined #bitcoin-wizards		14:56
nsh	i think if you store your receipt rangeproof and blinding value, then you can prove afterwards that you participated in a transaction by signing the blinding value and showing that it rewinds the proof	14:56
-!- Emcy [~MC@unaffiliated/mc1984] has quit [Ping timeout: 265 seconds]		14:56
cjd	ahh indeed so when you reorg you both add and remove utxos	14:56
nsh	but this still depends on some nodes storing more than is required for consensus	14:56
nsh	i think	14:56
sipa	i expect that every node will just not merge the blocks at the tip	14:56
sipa	everyone will keep some range of blocks unmerged, to deal with reorgs	14:57
@gmaxwell	Assuming you only care about MW-security you can just sync the new header chain and then do set reconciliation to change to the new utxo set.	14:57
cjd	^^this	14:57
@gmaxwell	Then you don't even need to deal with reorgs.	14:57
sipa	what is MW security?	14:57
@gmaxwell	(By MW security I mean the anti-inflation and anti-theft properties of MW, rather than, say, script validation)	14:57
nsh	( Simple Multi-Party Set Reconciliation [with invertable bloom look-up tables] -- http://arxiv.org/abs/1311.2037 )	14:58
cjd	So I also have a concern with the proposal, can't Eve just create a spend transaction for money that's not hers but then add an output for which she does not know the key and plow a little bit of money into the ground ? It seems to me that outputs must sign themselves...	14:59
@gmaxwell	I'm pretty disenchanted by iblt. The constant factors kill its performance. But whatever, there are other approaches to set reconciliation.	14:59
@gmaxwell	cjd: eve cannot produce a rangeproof for a junk output.	14:59
nsh	this might be more suited: https://www.ics.uci.edu/~eppstein/pubs/EppGooUye-SIGCOMM-11.pdf	14:59
cjd	ahh I see, I had imagined it without the rangeproof since it seems not required	15:00
nsh	i don't think you can prove you transacted without saving the range-proof	15:00
nsh	but i could be wrong	15:00
cjd	ehhh hang on a sec	15:00
cjd	you range proof vG but you still can add arbitrary rH	15:00
nsh	(you can prove by letting people spend your currently-spendable outputs but that's less fun)	15:00
@gmaxwell	nsh: this is what I like: https://www.cs.bu.edu/~reyzin/code/fuzzy.html	15:00
cjd	you don't know r so you make up a number to balance the budget...	15:01
nsh	oh right, you can use another knapsack	15:01
nsh	that's fine then	15:01
nsh	gmaxwell, cool, ty	15:01
cjd	hmm it seems that somehow you need to prove knowledge of v and r in order to not be making up magical numbers to balance the sum	15:03
proslogion	that's what k*G is for	15:07
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 240 seconds]		15:07
cjd	maybe I'm being silly here but this is my attack: I make a transaction which pays out a zillion coins to myself and I tag on a little signature	15:09
cjd	I add up the outputs and subtract the inputs and the signature, ok problem it's not zero	15:09
cjd	now I add a new output which pays 0.00001 and it pays it to a key which I don't have the private key but the public key is the sum of all the above plus the new output value (times H) which I just added	15:10
cjd	presto valid transaction	15:10
cjd	or not ?	15:10
nsh	you don't pay to keys in CT	15:11
cjd	CT ?	15:11
nsh	confidential transactions	15:11
cjd	ok what do you call them? They're things which you point-multiply	15:12
nsh	so inputs and outputs are points, you interactive create a commitment that proves the sum to zero	15:12
nsh	*interactively	15:12
nsh	*they	15:12
cjd	right, and I can make it zero by adding an arbitrary output which I cannot spend...	15:13
nsh	so the recipient choses their outputs	15:13
nsh	after the sender has committed	15:13
nsh	or pre-half-committed, i don't know	15:14
cjd	If you don't make me prove knowledge of the private key somehow, I will always be able to balance anything to zero	15:14
cjd	by private key I mean "the value of r", in practice it is effectively a private key	15:15
nsh	sure	15:16
nsh	you prove knowledge of the private keys for unspent outputs by committing to a blinding multiple of the H-generator that cancels out the amount multiple of the G generator	15:16
nsh	(you inherit this ability to match G and H multiples from when you were paid those outputs)	15:17
cjd	ok you lost me, what exactly is it that the sender and recipient broadcast to the rest of the world ? [ inputID, rG, vH, proof_v_is_in_range ] ?	15:19
cjd	that and a signature across emptystring to prove knowledge of the difference ?	15:20
cjd	If that's all you're sending then you're not proving knowledge of r and if I can put multiple outputs in a transaction then your protocol is going to be funny	15:20
nsh	well, in alpha's CT txs are broadcast more like bitcoin. in MW you'd broadcast the pederson commitment, the excess blinding value and the empty string signed with its discrete logarithm	15:21
cjd	I don't know CT at all, I only read MW	15:21
cjd	oh in leu of the range proof, you could make v be a 256 bit number where the lower 64 bits are the value and then sign v*H using v	15:23
cjd	that's a proof of knowledge	15:23
cjd	and if r*G is signed with r then I can nolonger add silly crap to balance the sum	15:23
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Quit: :)]		15:35
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has quit [Quit: Leaving]		15:37
nsh	letting any of the v be chosen by either participant breaks the security model. v must be dictated by the prior inputs, the sender's precommitment and recipient's blinding factor choices for their outputs	15:38
-!- Giszmo [~leo@ip5f5ac08d.dynamic.kabel-deutschland.de] has quit [Quit: Leaving.]		15:40
cjd	yeah I guess you're right	15:43
cjd	it sounded nice	15:43
-!- mdavid6131 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]		15:48
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		15:52
-!- Emcy_ [~MC@unaffiliated/mc1984] has quit [Ping timeout: 252 seconds]		16:06
-!- Emcy [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards		16:12
-!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards		16:13
-!- zooko` [~user@c-73-14-173-69.hsd1.co.comcast.net] has quit [Ping timeout: 276 seconds]		16:14
-!- proslogion [~proslogio@2.217.2.220] has quit [Ping timeout: 258 seconds]		16:16
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]		16:22
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		16:26
-!- proslogion [~proslogio@130.159.234.219] has joined #bitcoin-wizards		16:29
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		16:46
andytoshi	nsh: you can fix the age thing by means of having each block commit to the utxoset. but yep, that sounds right	16:47
andytoshi	lol proslogion, if i know your nonce then i know your secret key	16:47
andytoshi	cjd: the CT rangeproof forces you to know r	16:50
cjd	ok thanks, I guessed that it must be such after thinking more, certainly such an elementry error would not go overlooked	16:51
andytoshi	yep. and you definitely can't sign the excess values with the r value from an output, that links all the outputs :)	16:51
cjd	So my understanding is that MW requires these signatures of emptystring to persist forever, is this correct ?	16:52
andytoshi	cjd: but even without that, observe that if every output has a rangeproof of being in [0, 2^64], you can't make outputs with negative values anyway	16:52
andytoshi	cjd: correct	16:52
cjd	Ahh no, I meant to sign the output itself using the output's r which would not link it to stuff but might reveal things	16:52
andytoshi	unless they can be aggregated somehow (if it used a pairing based curve this could be done)	16:52
cjd	Ok I believe I have a solution	16:52
andytoshi	cjd: ah, yeah, understood. that is not necessary, the rangeproof itself is effectively a signature with r	16:53
cjd	perfect	16:53
cjd	Suppose I make a payment to you and so I pass you the sum of inputs and outputs for you to add in your output, then you and I both bcast the transaction incomplete with the sum of all of our input and output private values and the remaining value (fee)	16:54
cjd	the miner is a participant in the transaction, he adds another output to take the fee and thus he is the one who makes the signature on emptystring	16:54
cjd	but then he can produce only one per block	16:54
cjd	am I talking shit?	16:54
andytoshi	cjd: he can put as many outputs as he likes. he's gotta add another k*G value to be sure that nobody else can know this output's key	16:55
andytoshi	and he can do a single output for every transaction that he's received	16:55
cjd	right	16:56
cjd	and if I am not mistaken, he needs only one signature to balance the entire block	16:56
andytoshi	yep	16:56
-!- JackH [~Jack@79-73-188-45.dynamic.dsl.as9105.com] has quit [Ping timeout: 252 seconds]		16:57
proslogion	andytoshi: sorry, only meant the pubkey of the nonce	16:57
andytoshi	proslogion: ah, yes, though this requires interaction	16:57
proslogion	true	16:57
cjd	furthermore, we can as a matter of protocol, we can require that he rebalances out that signature in order to spend the fee money	16:57
-!- rhett [~rhett@c-73-223-86-218.hsd1.ca.comcast.net] has joined #bitcoin-wizards		16:57
cjd	but if we are paying 64 bytes per block, we have already made a breakthrough	16:58
cjd	Now, can we make this post-quantum ? :)	16:58
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]		17:00
cjd	or wait, do we even need to add the signature at all? can we not just make that value become one of the outputs for the miner ?	17:00
-!- rhett [~rhett@c-73-223-86-218.hsd1.ca.comcast.net] has quit [Client Quit]		17:00
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards		17:01
cjd	assuming the miner mines pays out to at least 2 outputs and he knows the sum of secrets, he can make the first value be secret and the second value is what is needed to balance the numbers, he will need to be sure to store this secret key to disk as soon as he mines the block	17:01
cjd	but being a miner he should be capable of handing that	17:01
andytoshi	cjd: the sum of secrets is sufficient knowledge to spend both outputs at once	17:02
andytoshi	so if the rest of the block was created by one person, and the miner does not add a kG, his money can be stolen by that person	17:02
cjd	argh right :) 3	17:02
andytoshi	yup :(	17:02
andytoshi	i had a similar scheme before MW came out that made exactly this mistake	17:02
cjd	requiring the miner to produce 3 outputs is not a serious harm though	17:02
-!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has joined #bitcoin-wizards		17:03
cjd	now what about post-quantum? have you looked at it at all ?	17:03
andytoshi	cjd: 3 outputs doesn't help, one output plus an extra kG value is sufficent	17:05
andytoshi	as far as post-quantum, oleganza tells me he has a scheme for making CT quantum-safe, but i don't know any details yet	17:05
andytoshi	and i haven't thought at all about how that would affect mimblewimble	17:06
cjd	ok if you find pederson type stuff that runs post-quantum, please ping me	17:06
andytoshi	probably mimblewimble would be screwed, because "quantum safe" simply means that inflation remains impossible	17:06
-!- proslogion [~proslogio@130.159.234.219] has quit [Ping timeout: 260 seconds]		17:06
-!- Emcy_ [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards		17:06
andytoshi	it does -not- mean that the commitments stay hidden	17:06
andytoshi	i will absolutely. this interests me as well	17:06
andytoshi	i might hafta go back to school and talk to the lattice people, i'm sure something similar can be done..	17:07
cjd	right	17:07
cjd	lattice or polynomials	17:07
andytoshi	maybe even LWE	17:08
cjd	I got really excited by HElib which does homomorphic and is thought by some people to be post-quantum but alas it does not have communitive behavior	17:08
cjd	but I got to brush up on C++ and have fun with polynomials	17:08
andytoshi	use rust ;)	17:09
cjd	no, you have to write things in other languages so you can rewrite them in rust	17:09
-!- Emcy [~MC@unaffiliated/mc1984] has quit [Ping timeout: 276 seconds]		17:10
cjd	(it's a meme, rust community people are constantly asking for everyhing to be rewritten in rust)	17:10
andytoshi	oh, ofc, otherwise you'll never be able to rewrite everything in rust	17:10
andytoshi	yep :P	17:10
cjd	ok I see the problem re sum of secrets	17:10
cjd	I'm annoyed that there is no solution and you have to sum entries for each block but dammit, 64 bytes per block is not bad	17:11
andytoshi	welll, with a pairing-friendly curve you can aggregate all the kG values and their signatures	17:11
-!- Sleepnbum [Sleepnbum@72.67.47.196] has quit [Ping timeout: 250 seconds]		17:12
cjd	I'd rather KISS because I want everything to run twice, once over a curve and second time using something post-quantum	17:12
cjd	if we're going to do another blockchain, IMO it's mandatory	17:12
@gmaxwell	it appears to be currently impossible to construct schemes like this that are usefully 'post-quantum'.	17:14
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Quit: Leaving]		17:14
@gmaxwell	The kind of homomorphism that makes this work is also what makes discrete log easy on quantum computers.	17:14
cjd	that's... annoying	17:15
sipa	there is not even an efficient equivalent to diffie-hellman exchange in PQC, right?	17:17
@gmaxwell	sipa: depends on how you define efficient.	17:17
@gmaxwell	The isogenies ladder thing is kind of efficient. I've linked to it in here before.	17:18
cjd	This: https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange claims to be DH like	17:18
@gmaxwell	thats what I'm referring to.	17:18
sipa	oh, ok	17:18
@gmaxwell	who knows if its even classically secure...	17:19
* sipa hides in a superposition of corners		17:19
cjd	But we need what is effectively homomorphic encryption but with communitivity	17:19
@gmaxwell	probably only a few dozen people in the world really understand it at a level enough to begin to evaluate its security.	17:19
cjd	IMO it's not harmful to roll out something without fully understanding it as long as you're backed up by well understood curves	17:20
sipa	commutativity?	17:20
sipa	or what is communitivity	17:20
cjd	x + y == y + x	17:21
-!- Tiraspollll is now known as Tiraspolll		17:21
sipa	yes, commuativity, not communitivity	17:21
cjd	oh, I can't spell - as usual, sorry	17:21
sipa	seems i can't either	17:21
@gmaxwell	cjd: if you just define the requirement as have commuativity, then that alone is pretty much sufficient to make it insecure against quantum computers.	17:22
cjd	I'm probably using the wrong word here, I mean that basically for any given plaintext there is a single ciphertext	17:22
sipa	gmaxwell: did you copy paste my misspelling?	17:22
cjd	yeah, that's annoying	17:22
@gmaxwell	yes.	17:22
@gmaxwell	I can't spell that word either, I was waiting for one of you to use it.	17:23
cjd	btw is there any plan to add an opcode to do like NTRU or something ?	17:23
@gmaxwell	ugh. no.	17:23
* andytoshi gets to use his math degree!		17:23
andytoshi	"commutativity"	17:23
@gmaxwell	There is a straightforward path to have PQ secure bitcoin-- use hash based signatures.	17:23
cjd	ahh cool	17:23
cjd	that would make a neat press release	17:24
@gmaxwell	Virtually all other PQ signature schemes are a pile of hopes and handwaves and also slow enough to verify to be problematic.	17:24
andytoshi	interestingly we can get a OWAS-like system that is also purely hash-based	17:24
andytoshi	that gmaxwell wrote about a couple years ago .. lemme see if i can find it	17:24
sipa	cjd: we even know how to introduce PQ crypto in such a way that the blockchain isn't burdened before EC actually becomes insecure	17:24
kanzure	https://bitcointalk.org/index.php?topic=284194.0	17:24
@gmaxwell	I implemented hash based signatures eons ago, but just didn't publish it because I didn't want to deal with it showing up in idiotic altcoins.	17:24
andytoshi	https://download.wpsoftware.net/bitcoin/wizards/2014-06-22.html	17:24
kanzure	https://bitcointalk.org/index.php?topic=47037.0	17:24
cjd	haha	17:24
sipa	cjd: by making all wallets use a 1-of-2 (EC or PQ) keys	17:25
cjd	anything which is PQ should be 2 of 2	17:25
-!- Ylbam [uid99779@gateway/web/irccloud.com/x-egccbcfottwkanyi] has quit [Quit: Connection closed for inactivity]		17:25
cjd	EC & PQ	17:25
@gmaxwell	What sipa is referring to is a construction where you do a IF { AREWEPOSTQUANTUMYET_VERIFY standard checksig } ELSE { HASHBASED_PUBKEY }... and then after doomsday you just turn AREWEPOSTQUANTUMYET abort on execution.	17:26
cjd	oh wait, this is hash based, so indeed it's really boring and you can trust it	17:26
andytoshi	you could make it so that the 1-of-2 is softforkable into a 2-of-2	17:26
andytoshi	oh greg beat me to it	17:26
sipa	into a 1-of-1, really	17:26
@gmaxwell	andytoshi: well I described it a bit differently. 1 of 2 into a 1 of 1. but same kind of thinking aplies.	17:26
-!- justanotheruser [~Justan@unaffiliated/justanotheruser] has quit [Read error: Connection reset by peer]		17:26
cjd	Personally I would want to have PQ addresses	17:27
sipa	!hi5 gmaxwell	17:27
gribble	Error: "hi5" is not a valid command.	17:27
cjd	I mean we're not going to know when we're PQ, just the number of tin-hatters will grow slowly until it includes everyone	17:27
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		17:28
sipa	nah, i'm sure there will be quantum denyers	17:28
cjd	:)	17:28
@gmaxwell	the address reuse problem though is especially annoying with space efficient hash based signatures.	17:28
cjd	oh right, there is a security issue using an addr after you spent from it, right ?	17:29
-!- justanotheruser [~Justan@unaffiliated/justanotheruser] has joined #bitcoin-wizards		17:30
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 276 seconds]		17:31
cjd	In addition, our construction yields two more interesting features: 1) the ability to "convert" a Pedersen commitment into a lattice-based one	17:32
cjd	http://eprint.iacr.org/2015/628/20150630:185350	17:32
cjd	Have not read (flipped thorough) it yet	17:32
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		17:33
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has joined #bitcoin-wizards		17:36
Cloudflare	hi	17:36
@gmaxwell	I haven't seen that paper, but I've seen one of the papers it references; and IIRC it only gave a PoK but does not have full additive homorphism.	17:36
cjd	ok that's no good, I'm trying to seek in on the spot where they make their promises now...	17:37
-!- Sleepnbum [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards		17:37
@gmaxwell	it's not difficult to make a plain pedersen like commitment unconditionally sound, (but not unconditionally private)-- an elgammal ciphertext is an example of that.	17:37
@gmaxwell	though it's easy to prove that something cannot be both unconditionally sound and unconditionally hiding, at least one of the two must be only a computational guarentee.	17:38
-!- renlord is now known as pocoyo		17:38
cjd	if you can't add them up, what is the value over a concatinate-and-hash commitment ?	17:39
Cloudflare	quit	17:40
Cloudflare	this	17:40
Cloudflare	channel	17:40
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]		17:40
@gmaxwell	because their scheme is still unconditionally hiding.	17:41
-!- bumtime [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards		17:41
-!- Sleepnbum [~Sleepnbum@173.55.57.163] has quit [Ping timeout: 244 seconds]		17:41
cjd	so basically they're rules-lawyering their paper into relevance :)	17:41
andytoshi	this appears to be weakly additively homomorphic, if you add too many commitments together then it'll fail to be binding to the sum	17:42
cjd	hmm interesting	17:42
andytoshi	it's possible (though i'd have to run through their calcs precisely) that you can add two commitments together while retaining bindingness, without compromising security, and then do this "reblinding" thing	17:42
cjd	right, the HElib does this	17:43
cjd	they keep a noise parameter and you can reEncrypt to bring down the noise	17:43
@gmaxwell	andytoshi: AFAICT though their reblinding requires you know the commited value.	17:43
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]		17:46
andytoshi	maybe we don't need unblinding. if you say that within a single transaction everything has to add to a commitment to zero, maybe this forces the noise on all outputs to be small (but still hiding? i dunno)	17:47
andytoshi	s/unblinding/reblinding/	17:47
andytoshi	will need to look into SVP lattice ring signatures .. handwave handwave this almost looks like we can import your rangeproofs into this system, it's so pedersen-like	17:48
andytoshi	but the security parameters in quantum crypto are weird. it's hard to say "x bits", you've got these radii and gaussian probabilites, i don't know how to think about them	17:49
cjd	hmm	17:52
cjd	I'm bad at math but I caught on to this HElib and I was playing with it, it allows you to encrypt a value with a public key and then add encrypted values	17:53
cjd	and it's based on NTRU	17:53
-!- iwilcox [~iwilcox@unaffiliated/iwilcox] has quit [Remote host closed the connection]		17:54
cjd	I can encrypt, add, decrypt but if I encrypt and add a set of polynomials which sum to zero, I do not get the same encrypted content at a plain 0 polynomial	17:55
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		17:59
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has joined #bitcoin-wizards		18:12
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]		18:12
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has joined #bitcoin-wizards		18:15
Cloudflare	yo	18:15
Cloudflare	pocoyo: sup	18:15
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]		18:15
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards		18:19
-!- pro [~pro@unaffiliated/pro] has quit [Quit: Leaving]		18:20
-!- bumtime [~Sleepnbum@173.55.57.163] has quit [Ping timeout: 260 seconds]		18:23
@gmaxwell	Cloudflare: http://i.stack.imgur.com/dzUaZ.png	18:23
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]		18:37
Cloudflare	gmaxwell: hahaha	18:46
Cloudflare	that's amazing	18:46
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 250 seconds]		18:49
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		19:00
-!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]		19:06
-!- cyphase [~cyphase@unaffiliated/cyphase] has quit [Ping timeout: 258 seconds]		19:06
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]		19:11
-!- cyphase_eviltwin [~cyphase@unaffiliated/cyphase] has joined #bitcoin-wizards		19:16
-!- Sleepnbum [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards		19:18
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]		19:21
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards		19:26
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Remote host closed the connection]		19:27
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards		19:27
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards		19:28
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]		19:32
-!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has quit [Remote host closed the connection]		19:33
-!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has joined #bitcoin-wizards		19:34
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		19:44
-!- thesnark [~mike@unaffiliated/thesnark] has quit [Remote host closed the connection]		19:47
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 258 seconds]		19:51
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]		20:04
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		20:06
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]		20:09
-!- wetdinghy [~loltastic@99-8-65-117.lightspeed.davlca.sbcglobal.net] has joined #bitcoin-wizards		20:19
-!- rodarmor [rodarmor@2600:3c01::f03c:91ff:fe61:6c68] has joined #bitcoin-wizards		20:27
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		20:28
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		20:29
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]		20:33
-!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has quit [Ping timeout: 252 seconds]		20:33
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		20:36
-!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has joined #bitcoin-wizards		20:40
-!- rusty2 [~rusty@pdpc/supporter/bronze/rusty] has joined #bitcoin-wizards		20:44
-!- rusty2 is now known as rusty		20:46
-!- wetdinghy [~loltastic@99-8-65-117.lightspeed.davlca.sbcglobal.net] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]		20:46
-!- CrazyTruthYakDDS [uid67551@gateway/web/irccloud.com/x-pxbdahbgqyeqrbov] has joined #bitcoin-wizards		20:56
-!- r0ach [~r0ach@107-217-214-192.lightspeed.jcvlfl.sbcglobal.net] has quit []		21:04
-!- pompom [~pompom36@ctngya111073.ct.ftth.ppp.infoweb.ne.jp] has joined #bitcoin-wizards		21:11
-!- pompom [~pompom36@ctngya111073.ct.ftth.ppp.infoweb.ne.jp] has left #bitcoin-wizards ["Leaving"]		21:18
-!- iddo [~idddo@hyena.cs.cornell.edu] has quit [Changing host]		21:19
-!- iddo [~idddo@unaffiliated/iddo] has joined #bitcoin-wizards		21:19
-!- arowser [~quassel@106.120.101.38] has quit [Remote host closed the connection]		21:28
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 252 seconds]		21:33
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]		21:33
-!- arowser [~quassel@106.120.101.38] has joined #bitcoin-wizards		21:41
-!- cyphase_eviltwin is now known as cyphase		21:46
-!- Alopex [~bitcoin@cyber.dealing.ninja] has quit [Remote host closed the connection]		21:48
-!- contrapumpkin [~copumpkin@haskell/developer/copumpkin] has joined #bitcoin-wizards		21:49
-!- Alopex [~bitcoin@cyber.dealing.ninja] has joined #bitcoin-wizards		21:50
-!- copumpkin [~copumpkin@haskell/developer/copumpkin] has quit [Ping timeout: 258 seconds]		21:51
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Read error: Connection reset by peer]		22:12
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards		22:12
-!- asynk [~aknix@65.78.54.2] has joined #bitcoin-wizards		22:27
-!- pocoyo is now known as renlord		22:30
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards		22:30
-!- arowser_ [~quassel@106.120.101.38] has joined #bitcoin-wizards		22:32
-!- arowser_ [~quassel@106.120.101.38] has quit [Remote host closed the connection]		22:33
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		22:34
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 252 seconds]		22:38
-!- renlord is now known as pocoyo		22:42
-!- pocoyo is now known as mryandao		22:43
-!- mryandao is now known as help		22:43
-!- sdaftuar [~sdaftuar@unaffiliated/sdaftuar] has quit [Ping timeout: 258 seconds]		22:43
-!- help is now known as mryandao		22:43
-!- sdaftuar [~sdaftuar@unaffiliated/sdaftuar] has joined #bitcoin-wizards		22:45
-!- wumpus [~quassel@pdpc/supporter/professional/wumpus] has quit [Ping timeout: 264 seconds]		23:07
-!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 276 seconds]		23:08
-!- mryandao [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Read error: Connection reset by peer]		23:09
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has quit [Read error: Connection reset by peer]		23:09
-!- wumpus [~quassel@pdpc/supporter/professional/wumpus] has joined #bitcoin-wizards		23:11
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has joined #bitcoin-wizards		23:11
-!- CrazyTruthYakDDS [uid67551@gateway/web/irccloud.com/x-pxbdahbgqyeqrbov] has quit [Quit: Connection closed for inactivity]		23:11
-!- mryandao [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards		23:15
-!- jgarzik [~jgarzik@unaffiliated/jgarzik] has quit [Read error: Connection reset by peer]		23:23
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]		23:24
-!- jgarzik [~jgarzik@104-178-201-106.lightspeed.tukrga.sbcglobal.net] has joined #bitcoin-wizards		23:24
-!- jgarzik [~jgarzik@104-178-201-106.lightspeed.tukrga.sbcglobal.net] has quit [Changing host]		23:24
-!- jgarzik [~jgarzik@unaffiliated/jgarzik] has joined #bitcoin-wizards		23:24
-!- yoleaux [~yoleaux@xn--ht-1ia18f.nonceword.org] has quit [Ping timeout: 244 seconds]		23:26
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards		23:35
-!- jannes [~jannes@178.132.211.90] has joined #bitcoin-wizards		23:39
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 250 seconds]		23:39
-!- BashCo [~BashCo@unaffiliated/bashco] has quit [Remote host closed the connection]		23:47
-!- asynk is now known as wipogee		23:50
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards		23:59
--- Log closed Tue Aug 09 00:00:20 2016

Generated by irclog2html.py 2.15.0.dev0 by Marius Gedminas - find it at mg.pov.lt!