2016-08-08.log

--- Log opened Mon Aug 08 00:00:19 2016
03:24 <Taek> One-time costs can sort of be reasoned about as the ultimate extension of the hardware vs operation cost structure
03:25 <Taek> Quantum hashing for example poses a risk, because if one company puts down (in stealth mode) hundreds of millions in R&D over the course of like 5 years, and then they release an ASIC, they've got a full monopoly on hashing until some other group can slug through the same up-front cost
03:25 <Taek> and the first-to-market will have that X years of dominant income that nobody else will ever have, their amortization will perpetually be ahead
03:26 <Taek> granted, I think it's pretty safe to say that if someone like BitFury were to announce a monopoly-grade ASIC, Bitcoin would threaten with a hardfork, and follow through if the tech was not made accessible to everyone
04:59 <waxwing> trying to grok MW, seems like sender will have to send blinding factors and amount, and then receiver can construct and attach kG signature, so it's kind of very weakly interactive? there aren't really round trips are there?
04:59 <waxwing> 0.5 RT?
05:01 <Taek> That's also what I understood. Perhaps not technically interactive, but the receiver does need to be performing some action
05:01 <Taek> receiver could theoretically be offline though: email
05:02 <Taek> I guess there's a kind of bonus. The sender can redact the send if the receiver never collects
05:02 <waxwing> right, it's certainly not nothing, if that's a correct characterisation.
05:02 <Taek> so, you'd never send money to a mis-typed address, because the receiver would never collect
08:11 <kanzure> http://diyhpl.us/wiki/transcripts/mimblewimble-podcast/
08:19 <domwoe_> awesome kanzure!
08:30 <bsm117532> Nice, thanks kanzure!
09:13 <kanzure> .title https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2016-August/012948.html
09:13 <yoleaux> [bitcoin-dev] Hiding entire content of on-chain transactions
09:15 <kanzure> https://bitcointalk.org/index.php?topic=1574508.0
09:17 <maaku> aka colored coins
09:19 <kanzure> why is this claiming that you can't do OP_RETURN taint analysis?
10:19 <andytoshi> waxwing: yes, 0.5 RT between sender and receiver
10:27 <waxwing> andytoshi: so your (k+k') trick, i have trouble understanding, is the idea that k' is publicly known?
10:30 <waxwing> oh i think i get it from reading the copied chat log
10:33 <andytoshi> waxwing: the idea is that after merging, only (k + k') is publicly known
10:34 <andytoshi> but i'm thinking now that maybe both k and k' should be kept around while the transactions are in transit, so that when people try to merge overlapping transactions they're able to cancel out the intersection
10:34 <andytoshi> this exposes the original transactions to monitors
10:35 <andytoshi> to avoid this, you'd have to send your tx to at most one aggregation service (hopefully there'd be several) .. and this service could even interact with you to merge the kG values as well
10:37 <waxwing> i'm lost at why (k+k') is public; i thought the idea was to publish kG and k' ?
10:37 <waxwing> then the network can sum the k'Gs and add it in
10:38 <andytoshi> waxwing: oh sorry, i'm overloading notation
10:42 <andytoshi> waxwing: lemme restart from your first question :)
10:42 <andytoshi> yes. k' is publicly known
10:42 <andytoshi> then if you have a second transaction with k2G and k2'
10:43 <andytoshi> you can combine the transaction and you have kG, k2G, (k' + k2')
10:43 <waxwing> right
10:43 <andytoshi> and the latter -sum- is the only thing that's publicly known, and given only this, you can't know k' or k2', and you therefore can't discern the original transaction boundaries
10:44 <waxwing> i see, like hiding in the addition, so that's why you're talking about "aggregation service"
10:45 <andytoshi> yeah
10:46 <andytoshi> so the problem (and also a problem with OWAS like what the first anonymous guy did) is if i have transactions A, B, C and you have transactions A, B, D and we both give these to a miner
10:46 <andytoshi> the miner is sorta screwed, he can't combine these, he has to pick one
10:46 <andytoshi> but if everyone avoided doing the summing (and privacy conscious people -only- used a service that privately did the summing before broadcasting anything at all), you could avoid this
10:46 <andytoshi> at the cost of privacy, ofc
10:48 <waxwing> i guess there's no way to throw other nums basepoints at this since the whole point is that all the k-s are supposed to be in the same summation set.
10:49 <waxwing> proslogion was just reminding me about proof of discrete log equivalence, hmm
10:51 <andytoshi> i've thought about this a bit but i haven't come up with anything
11:10 <maaku> https://eprint.iacr.org/2015/1028.pdf
11:19 <@gmaxwell> maaku: these schemes for incremental hashing do not support efficient membership proofs, right?
11:22 <bsm117532> I'm not aware of one that does, I've also looked into this. I'd also like to find one that was constant size.
11:28 <bsm117532> I've been wondering if there's an information-theoretic argument that an incremental hash function must be log(n) in terms of the number of stored elements, as this seems to be the case in the paper maaku linked.
12:38 <Taek> I've thought some about the monitor issue with regards to OWAS/JoinMarket/MW/etc, and perhaps you could do some peer assignment
12:39 <Taek> meaning, you have some method for selecting peers each block that are in charge of merging everything
12:39 <Taek> you let those peers access (as little as possible) the de-anonymizing data, and then rely on them to merge everything into one giant transaction without sharing the data
12:40 <Taek> maybe you also slip them a little something in transaction fees
12:40 <Taek> sometimes monitors/enemies *will* end up as the selected peer / one of the selected peers
12:40 <Taek> but this is still better than situations where the monitor gets to view most everything all of the time
12:40 <Taek> and, a lot of forensics really relies on being able to see multiple steps
12:41 <Taek> if a monitor is only able to view the transaction history every other block, it's more likely that they will have critical gaps which prevent them from doing full de-anonymization
12:43 <Taek> The method for selecting peers would need some Sybil resistance, and given the miner centralization I would not use PoW to determine who to choose as the de-anonymizer
12:44 <Taek> plus you'd have to accept a DoS vulnerability, as occasionally peers may refuse to participate without you realizing that you should move on to the next peer
12:45 <Taek> Maybe you could employ some sort of WoT technique. You ~approx trust the 8 peers you are connected to, so you sign off on their uptime/reliability. Every node does this, so you can form an approximate graph of the network based on peer uptime
12:45 <Taek> you can ignore any weightings over N hops, perhaps 2.
12:46 <Taek> This gives you *some* resistance to Sybil attacks. Then you have some technique for using the peer id (either a pubkey or an ip address) and the hash of the most recent block for determining which has the highest score
12:47 <Taek> If your pool is 8^3 large, and most of those nodes have high uptime, there's a good chance that a large number of other nodes are sending the winner transactions as well
12:47 <Taek> (*handwave*)
12:48 <Taek> Then you still need the winning nodes to have a way to talk to each other and combine transactions, but at that point the anonymity set is greatly improved
12:49 <instagibbs> Trusted mixers will most likely work fine, imo.
12:50 <waxwing> like Bitcoin VPNs? :)
12:50 <instagibbs> Guard Nodes, but for aggregating transactions
12:50 <instagibbs> Run them over Tor, on a hardened HSM
12:51 * instagibbs handwaves
12:52 <instagibbs> Any wallets with co-signing services already get a bunch of protection, and why wouldn't each service gossip to each other first before releasing batches, etc.
13:05 <Taek> Would be interesting to have something like guard node HSMs that get distributed by a company like Blockstream, where the HSM public key is signed by multiple members of the ecosystem
13:05 <Taek> then all transactions get encrypted such that only the HSM can decrypt them
13:08 <kanzure> you mean PKI things?
13:08 <kanzure> er, CA things
13:09 <Taek> similar, except that the CA in this case is authenticating an HSM instead of a tls key
13:12 <andytoshi> neat, so the idea is that encrypted transactions go out, the HSMs are the only ones that can decode these, and they only output merged transactions
13:13 <Taek> yeah. With the idea being that an adversary with an HSM is not going to be able to use it to figure out what the decrypted inputs are
13:13 <Taek> I'm not sure how hard it is to pull the key out of an HSM
13:13 <andytoshi> for a proper HSM you need an electron microscope and you need to know how to disassemble it without it triggering key erasure
13:16 <andytoshi> you could also do this in a way that you can detect if an HSM has not included your transaction (and won't), then you can encrypt to another HSM without worrying about causing conflicts
13:16 <kanzure> i wonder if you could make it so that for transaction merging you could split it among multiple machines without any machine seeing the pre-merged transaction itself
13:17 <kanzure> er, see the entire pre-merged transactions
13:17 <Taek> oh hmm. So you give an output to 1 machine, another output to another, input to another, etc, and then when they all combine they get the right answer?
13:18 <Taek> seems easy to DoS though, just make a transaction that's missing an output
13:18 <kanzure> like all denial-of-service problems this one can be solved by requiring a fee
13:25 <nickler> There's probably no need to trust the HSM. There are lots of protocols that prevent revealing input/output relationships to the centralized mixer like coinshuffle++ or tumblebit. With mimblewimble they can probably be simplified.
13:26 <waxwing> good point, but coinshuffle++ has a fair amount of interactivity right (dc-net)
13:29 <instagibbs> reintroducing interactivity makes baby Voldemort cry
13:29 <waxwing> just thinking, why not have a ring signature over multiple kG values?
13:31 <kanzure> instagibbs: some forms of interactivity are tolerable, like in p2p transactions before broadcast, might not be end of world
13:44 <nsh> andytoshi, would it be possible to create a MW-merged transaction of [some subset of] existing alpha-CT blockchain retrospectively?
13:48 <andytoshi> nsh: nope, unfortunately, because the existing alpha-CT chain uses scriptsigs for authentication
13:50 * nsh nods
14:40 <nsh> as a node syncing with MW, i construct eventually from honest nodes a chain that has all explicit inputs, a current UTXO set in the form of Pedersen commitments, with merkle proofs that each commitment reallocated r-values representing spending authority in such a way that ownership of spendable r-values derive ultimately from explicit inputs through a series of steps [of indeterminate number] keeping total value invariant?
14:40 <nsh> and i settle upon this chain because it has the longest PoW still?
14:41 <nsh> the k-values i get with the latest block allow me to prove that the commitments sum to zero and there is a non-inflationary history from genesis
14:42 <nsh> but i am agnostic of the possible histories in terms of ownership [re]allocation and output age
14:43 <nsh> however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output
14:43 <nsh> is that roughly accurate, andytoshi?
14:45 <nsh> as far as i'm concerned the genesis could have been followed by a single block that merged all the transactions, but i know the extent of history still from block height [assuming things about block discovery time distribution] and i know something about the complexity of the transaction graph from the merkle proofs and cumulative k-values?
14:46 <nsh> [as far as i'm concerned regarding non-inflation and non-theft]
14:47 <proslogion> it's perhaps trivial, that if everyone using mimblewimble signs with the same nonce, then all k_n*G signatures can be aggregated into one
14:47 <proslogion> which of course has serious problems
14:50 <cjd> oh cool mw conversation :D
14:51 <bsm117532> How do forks work with MW? Does one choose to keep a (sub)set of past blocks, and then discard them when you're reasonably sure that a reorg can't happen? Is there a danger that history is lost and a reorg can't be performed?
14:51 <cjd> bsm117532: AFAICT you can basically just scrap everything and revalidate from zero if there is a reorg
14:52 <cjd> 22:40 < nsh> and i settle upon this chain because it has the longest PoW still?  <-- yes
14:53 <cjd> 22:43 < nsh> however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output  <-- no because the transaction outputs are unglued from the inputs and unglued from the block, all you know is that they're valid
14:54 <cjd> I am speaking from what I understand, I might also be very wrong
14:54 <sipa> cjd: if you have 'merged' multiple blocks together, you don't have the ability to only validate part of it
14:54 <sipa> you could download it again from the network of course, assuming someone kept the non-merged blocks
14:55 <cjd> You have only outputs in memory and you just reorg the header chain then add everything up, no?
14:55 <sipa> but you don't know the outputs that were spent by the blocks that are reorged
14:56 <nsh> i think if you store your receipt rangeproof and blinding value, then you can prove afterwards that you participated in a transaction by signing the blinding value and showing that it rewinds the proof
14:56 <cjd> ahh indeed so when you reorg you both add and remove utxos
14:56 <nsh> but this still depends on some nodes storing more than is required for consensus
14:56 <nsh> i think
14:56 <sipa> i expect that every node will just not merge the blocks at the tip
14:57 <sipa> everyone will keep some range of blocks unmerged, to deal with reorgs
14:57 <@gmaxwell> Assuming you only care about MW-security you can just sync the new header chain and then do set reconciliation to change to the new utxo set.
14:57 <cjd> ^^this
14:57 <@gmaxwell> Then you don't even need to deal with reorgs.
14:57 <sipa> what is MW security?
14:57 <@gmaxwell> (By MW security I mean the anti-inflation and anti-theft properties of MW, rather than, say, script validation)
14:58 <nsh> ( Simple Multi-Party Set Reconciliation [with invertible bloom look-up tables] -- http://arxiv.org/abs/1311.2037 )
14:59 <cjd> So I also have a concern with the proposal, can't Eve just create a spend transaction for money that's not hers but then add an output for which she does not know the key and plow a little bit of money into the ground ? It seems to me that outputs must sign themselves...
14:59 <@gmaxwell> I'm pretty disenchanted by iblt. The constant factors kill its performance. But whatever, there are other approaches to set reconciliation.
14:59 <@gmaxwell> cjd: eve cannot produce a rangeproof for a junk output.
14:59 <nsh> this might be more suited: https://www.ics.uci.edu/~eppstein/pubs/EppGooUye-SIGCOMM-11.pdf
15:00 <cjd> ahh I see, I had imagined it without the rangeproof since it seems not required
15:00 <nsh> i don't think you can prove you transacted without saving the range-proof
15:00 <nsh> but i could be wrong
15:00 <cjd> ehhh hang on a sec
15:00 <cjd> you range proof vG but you still can add arbitrary rH
15:00 <nsh> (you can prove by letting people spend your currently-spendable outputs but that's less fun)
15:00 <@gmaxwell> nsh: this is what I like: https://www.cs.bu.edu/~reyzin/code/fuzzy.html
15:01 <cjd> you don't know r so you make up a number to balance the budget...
15:01 <nsh> oh right, you can use another knapsack
15:01 <nsh> that's fine then
15:01 <nsh> gmaxwell, cool, ty
15:03 <cjd> hmm it seems that somehow you need to prove knowledge of v *and* r in order to not be making up magical numbers to balance the sum
15:07 <proslogion> that's what k*G is for
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 240 seconds]15:07
cjdmaybe I'm being silly here but this is my attack:  I make a transaction which pays out a zillion coins to myself and I tag on a little signature15:09
cjdI add up the outputs and subtract the inputs and the signature, ok problem it's not zero15:09
cjdnow I add a new output which pays 0.00001 and it pays it to a key which I don't have the private key but the public key is the sum of all the above plus the new output value  (times H) which I just added15:10
cjdpresto valid transaction15:10
cjdor not ?15:10
nshyou don't pay to keys in CT15:11
cjdCT ?15:11
nshconfidential transactions15:11
cjdok what do you call them? They're things which you point-multiply15:12
nshso inputs and outputs are points, you interactive create a commitment that proves the sum to zero15:12
nsh*interactively15:12
nsh*they15:12
cjdright, and I can make it zero by adding an arbitrary output which I cannot spend...15:13
nshso the recipient choses their outputs15:13
nshafter the sender has committed15:13
nshor pre-half-committed, i don't know15:14
cjdIf you don't make me prove knowledge of the private key somehow, I will always be able to balance anything to zero15:14
cjdby private key I mean "the value of r", in practice it is effectively a private key15:15
nshsure15:16
nshyou prove knowledge of the private keys for unspent outputs by committing to a blinding multiple of the H-generator that cancels out the amount multiple of the G generator15:16
nsh(you inherit this ability to match G and H multiples from when you were paid those outputs)15:17
cjdok you lost me, what exactly is it that the sender and recipient broadcast to the rest of the world ?      [ inputID, r*G, v*H, proof_v_is_in_range ] ?15:19
cjdthat and a signature across emptystring to prove knowledge of the difference ?15:20
cjdIf that's all you're sending then you're not proving knowledge of r and if I can put multiple outputs in a transaction then your protocol is going to be funny15:20
nshwell, in alpha's CT txs are broadcast more like bitcoin. in MW you'd broadcast the pederson commitment, the excess blinding value and the empty string signed with its discrete logarithm15:21
cjdI don't know CT at all, I only read MW15:21
cjdoh in leu of the range proof, you could make v be a 256 bit number where the lower 64 bits are the value and then sign v*H using v15:23
cjdthat's a proof of knowledge15:23
cjdand if r*G is signed with r then I can nolonger add silly crap to balance the sum15:23
-!- Guyver2 [~Guyver2@guyver2.xs4all.nl] has quit [Quit: :)]15:35
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has quit [Quit: Leaving]15:37
nshletting any of the v be chosen by either participant breaks the security model. v must be dictated by the prior inputs, the sender's precommitment and recipient's blinding factor choices for their outputs15:38
-!- Giszmo [~leo@ip5f5ac08d.dynamic.kabel-deutschland.de] has quit [Quit: Leaving.]15:40
cjdyeah I guess you're right15:43
cjdit sounded nice15:43
-!- mdavid6131 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]15:48
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards15:52
-!- Emcy_ [~MC@unaffiliated/mc1984] has quit [Ping timeout: 252 seconds]16:06
-!- Emcy [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards16:12
-!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has joined #bitcoin-wizards16:13
-!- zooko` [~user@c-73-14-173-69.hsd1.co.comcast.net] has quit [Ping timeout: 276 seconds]16:14
-!- proslogion [~proslogio@2.217.2.220] has quit [Ping timeout: 258 seconds]16:16
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]16:22
-!- renlord [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards16:26
-!- proslogion [~proslogio@130.159.234.219] has joined #bitcoin-wizards16:29
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards16:46
andytoshinsh: you can fix the age thing by means of having each block commit to the utxoset. but yep, that sounds right16:47
andytoshilol proslogion, if i know your nonce then i know your secret key16:47
andytoshicjd: the CT rangeproof forces you to know r16:50
cjdok thanks, I guessed that it must be such after thinking more, certainly such an elementry error would not go overlooked16:51
andytoshiyep. and you definitely can't sign the excess values with the r value from an output, that links all the outputs :)16:51
cjdSo my understanding is that MW requires these signatures of emptystring to persist forever, is this correct ?16:52
andytoshicjd: but even without that, observe that if every output has a rangeproof of being in [0, 2^64], you can't make outputs with negative values anyway16:52
andytoshicjd: correct16:52
cjdAhh no, I meant to sign the output itself using the output's r which would not link it to stuff but might reveal things16:52
andytoshiunless they can be aggregated somehow (if it used a pairing based curve this could be done)16:52
cjdOk I believe I have a solution16:52
andytoshicjd: ah, yeah, understood. that is not necessary, the rangeproof itself is effectively a signature with r16:53
cjdperfect16:53
cjdSuppose I make a payment to you and so I pass you the sum of inputs and outputs for you to add in your output, then you and I both bcast the transaction incomplete with the sum of all of our input and output private values and the remaining value (fee)16:54
cjdthe miner is a participant in the transaction, he adds another output to take the fee and thus he is the one who makes the signature on emptystring16:54
<cjd> but then he can produce only one per block  16:54
<cjd> am I talking shit?  16:54
<andytoshi> cjd: he can put as many outputs as he likes. he's gotta add another k*G value to be sure that nobody else can know this output's key  16:55
<andytoshi> and he can do a single output for every transaction that he's received  16:55
<cjd> right  16:56
<cjd> and if I am not mistaken, he needs only one signature to balance the entire block  16:56
<andytoshi> yep  16:56
-!- JackH [~Jack@79-73-188-45.dynamic.dsl.as9105.com] has quit [Ping timeout: 252 seconds]  16:57
<proslogion> andytoshi: sorry, only meant the pubkey of the nonce  16:57
<andytoshi> proslogion: ah, yes, though this requires interaction  16:57
<proslogion> true  16:57
<cjd> furthermore, as a matter of protocol, we can require that he rebalances out that signature in order to spend the fee money  16:57
-!- rhett [~rhett@c-73-223-86-218.hsd1.ca.comcast.net] has joined #bitcoin-wizards  16:57
<cjd> but if we are paying 64 bytes per block, we have already made a breakthrough  16:58
<cjd> Now, can we make this post-quantum ? :)  16:58
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]  17:00
<cjd> or wait, do we even need to add the signature at all? can we not just make that value become one of the outputs for the miner ?  17:00
-!- rhett [~rhett@c-73-223-86-218.hsd1.ca.comcast.net] has quit [Client Quit]  17:00
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards  17:01
<cjd> assuming the miner pays out to at least 2 outputs and he knows the sum of secrets, he can make the first value be secret and the second value is what is needed to balance the numbers, he will need to be sure to store this secret key to disk as soon as he mines the block  17:01
<cjd> but being a miner he should be capable of handling that  17:01
<andytoshi> cjd: the sum of secrets is sufficient knowledge to spend both outputs at once  17:02
<andytoshi> so if the rest of the block was created by one person, and the miner does not add a kG, his money can be stolen by that person  17:02
<cjd> argh right :)  3  17:02
<andytoshi> yup :(  17:02
<andytoshi> i had a similar scheme before MW came out that made exactly this mistake  17:02
<cjd> requiring the miner to produce 3 outputs is not a serious harm though  17:02
-!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has joined #bitcoin-wizards  17:03
<cjd> now what about post-quantum? have you looked at it at all ?  17:03
<andytoshi> cjd: 3 outputs doesn't help, one output plus an extra kG value is sufficient  17:05
<andytoshi> as far as post-quantum, oleganza tells me he has a scheme for making CT quantum-safe, but i don't know any details yet  17:05
<andytoshi> and i haven't thought at all about how that would affect mimblewimble  17:06
<cjd> ok if you find pedersen type stuff that runs post-quantum, please ping me  17:06
<andytoshi> probably mimblewimble would be screwed, because "quantum safe" simply means that inflation remains impossible  17:06
-!- proslogion [~proslogio@130.159.234.219] has quit [Ping timeout: 260 seconds]  17:06
-!- Emcy_ [~MC@unaffiliated/mc1984] has joined #bitcoin-wizards  17:06
<andytoshi> it does -not- mean that the commitments stay hidden  17:06
<andytoshi> i will absolutely. this interests me as well  17:06
<andytoshi> i might hafta go back to school and talk to the lattice people, i'm sure something similar can be done..  17:07
<cjd> right  17:07
<cjd> lattice or polynomials  17:07
<andytoshi> maybe even LWE  17:08
<cjd> I got really excited by HElib which does homomorphic and is thought by some people to be post-quantum but alas it does not have communitive behavior  17:08
<cjd> but I got to brush up on C++ and have fun with polynomials  17:08
<andytoshi> use rust ;)  17:09
<cjd> no, you have to write things in other languages so you can *rewrite* them in rust  17:09
-!- Emcy [~MC@unaffiliated/mc1984] has quit [Ping timeout: 276 seconds]  17:10
<cjd> (it's a meme, rust community people are constantly asking for everything to be rewritten in rust)  17:10
<andytoshi> oh, ofc, otherwise you'll never be able to rewrite everything in rust  17:10
<andytoshi> yep :P  17:10
<cjd> ok I see the problem re sum of secrets  17:10
<cjd> I'm annoyed that there is no solution and you have to sum entries for each block but dammit, 64 bytes per block is not bad  17:11
<andytoshi> welll, with a pairing-friendly curve you can aggregate all the kG values and their signatures  17:11
-!- Sleepnbum [Sleepnbum@72.67.47.196] has quit [Ping timeout: 250 seconds]  17:12
<cjd> I'd rather KISS because I want everything to run twice, once over a curve and second time using something post-quantum  17:12
<cjd> if we're going to do another blockchain, IMO it's mandatory  17:12
<@gmaxwell> it appears to be currently impossible to construct schemes like this that are usefully 'post-quantum'.  17:14
-!- dEBRUYNE [~dEBRUYNE@unaffiliated/debruyne] has quit [Quit: Leaving]  17:14
<@gmaxwell> The kind of homomorphism that makes this work is also what makes discrete log easy on quantum computers.  17:14
<cjd> that's... annoying  17:15
<sipa> there is not even an efficient equivalent to diffie-hellman exchange in PQC, right?  17:17
<@gmaxwell> sipa: depends on how you define efficient.  17:17
<@gmaxwell> The isogenies ladder thing is kind of efficient. I've linked to it in here before.  17:18
<cjd> This: https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange claims to be DH like  17:18
<@gmaxwell> that's what I'm referring to.  17:18
<sipa> oh, ok  17:18
<@gmaxwell> who knows if it's even classically secure...  17:19
* sipa hides in a superposition of corners  17:19
<cjd> But we need what is effectively homomorphic encryption but with communitivity  17:19
<@gmaxwell> probably only a few dozen people in the world really understand it at a level enough to begin to evaluate its security.  17:19
<cjd> IMO it's not harmful to roll out something without fully understanding it as long as you're backed up by well understood curves  17:20
<sipa> commutativity?  17:20
<sipa> or what is communitivity  17:20
<cjd> x + y == y + x  17:21
-!- Tiraspollll is now known as Tiraspolll  17:21
<sipa> yes, commuativity, not communitivity  17:21
<cjd> oh, I can't spell - as usual, sorry  17:21
<sipa> seems i can't either  17:21
<@gmaxwell> cjd: if you just define the requirement as have commuativity, then that alone is pretty much sufficient to make it insecure against quantum computers.  17:22
<cjd> I'm probably using the wrong word here, I mean that basically for any given plaintext there is a single ciphertext  17:22
<sipa> gmaxwell: did you copy paste my misspelling?  17:22
<cjd> yeah, that's annoying  17:22
<@gmaxwell> yes.  17:22
<@gmaxwell> I can't spell that word either, I was waiting for one of you to use it.  17:23
<cjd> btw is there any plan to add an opcode to do like NTRU or something ?  17:23
<@gmaxwell> ugh. no.  17:23
* andytoshi gets to use his math degree!  17:23
<andytoshi> "commutativity"  17:23
<@gmaxwell> There is a straightforward path to have PQ secure bitcoin-- use hash based signatures.  17:23
<cjd> ahh cool  17:23
<cjd> that would make a neat press release  17:24
<@gmaxwell> Virtually all other PQ signature schemes are a pile of hopes and handwaves and also slow enough to verify to be problematic.  17:24
<andytoshi> interestingly we can get a OWAS-like system that is also purely hash-based  17:24
<andytoshi> that gmaxwell wrote about a couple years ago .. lemme see if i can find it  17:24
<sipa> cjd: we even know how to introduce PQ crypto in such a way that the blockchain isn't burdened before EC actually becomes insecure  17:24
<kanzure> https://bitcointalk.org/index.php?topic=284194.0  17:24
<@gmaxwell> I implemented hash based signatures eons ago, but just didn't publish it because I didn't want to deal with it showing up in idiotic altcoins.  17:24
<andytoshi> https://download.wpsoftware.net/bitcoin/wizards/2014-06-22.html  17:24
<kanzure> https://bitcointalk.org/index.php?topic=47037.0  17:24
<cjd> haha  17:24
<sipa> cjd: by making all wallets use a 1-of-2 (EC or PQ) keys  17:25
<cjd> anything which is PQ should be 2 of 2  17:25
-!- Ylbam [uid99779@gateway/web/irccloud.com/x-egccbcfottwkanyi] has quit [Quit: Connection closed for inactivity]  17:25
<cjd> EC & PQ  17:25
<@gmaxwell> What sipa is referring to is a construction where you do a IF { AREWEPOSTQUANTUMYET_VERIFY standard checksig } ELSE { HASHBASED_PUBKEY }... and then after doomsday you just turn AREWEPOSTQUANTUMYET abort on execution.  17:26
<cjd> oh wait, this is hash based, so indeed it's really boring and you can trust it  17:26
<andytoshi> you could make it so that the 1-of-2 is softforkable into a 2-of-2  17:26
<andytoshi> oh greg beat me to it  17:26
<sipa> into a 1-of-1, really  17:26
<@gmaxwell> andytoshi: well I described it a bit differently. 1 of 2 into a 1 of 1. but same kind of thinking applies.  17:26
-!- justanotheruser [~Justan@unaffiliated/justanotheruser] has quit [Read error: Connection reset by peer]  17:26
<cjd> Personally I would want to have PQ addresses  17:27
<sipa> !hi5 gmaxwell  17:27
<gribble> Error: "hi5" is not a valid command.  17:27
<cjd> I mean we're not going to know when we're PQ, just the number of tin-hatters will grow slowly until it includes everyone  17:27
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards  17:28
<sipa> nah, i'm sure there will be quantum deniers  17:28
<cjd> :)  17:28
<@gmaxwell> the address reuse problem though is especially annoying with space efficient hash based signatures.  17:28
<cjd> oh right, there is a security issue using an addr after you spent from it, right ?  17:29
-!- justanotheruser [~Justan@unaffiliated/justanotheruser] has joined #bitcoin-wizards  17:30
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 276 seconds]  17:31
<cjd> In addition, our construction yields two more interesting features: 1) the ability to "convert" a Pedersen commitment into a lattice-based one  17:32
<cjd> http://eprint.iacr.org/2015/628/20150630:185350  17:32
<cjd> Have not read (flipped through) it yet  17:32
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards  17:33
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has joined #bitcoin-wizards  17:36
<Cloudflare> hi  17:36
<@gmaxwell> I haven't seen that paper, but I've seen one of the papers it references; and IIRC it only gave a PoK but does not have full additive homomorphism.  17:36
<cjd> ok that's no good, I'm trying to seek in on the spot where they make their promises now...  17:37
-!- Sleepnbum [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards  17:37
<@gmaxwell> it's not difficult to make a plain pedersen like commitment unconditionally sound, (but not unconditionally private)-- an ElGamal ciphertext is an example of that.  17:37
<@gmaxwell> though it's easy to prove that something cannot be both unconditionally sound and unconditionally hiding, at least one of the two must be only a computational guarantee.  17:38
-!- renlord is now known as pocoyo  17:38
<cjd> if you can't add them up, what is the value over a concatenate-and-hash commitment ?  17:39
<Cloudflare> quit  17:40
<Cloudflare> this  17:40
<Cloudflare> channel  17:40
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]  17:40
<@gmaxwell> because their scheme is still unconditionally hiding.  17:41
-!- bumtime [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards  17:41
-!- Sleepnbum [~Sleepnbum@173.55.57.163] has quit [Ping timeout: 244 seconds]  17:41
<cjd> so basically they're rules-lawyering their paper into relevance :)  17:41
<andytoshi> this appears to be weakly additively homomorphic, if you add too many commitments together then it'll fail to be binding to the sum  17:42
<cjd> hmm interesting  17:42
<andytoshi> it's possible (though i'd have to run through their calcs precisely) that you can add two commitments together while retaining bindingness, without compromising security, and then do this "reblinding" thing  17:42
<cjd> right, the HElib does this  17:43
<cjd> they keep a noise parameter and you can reEncrypt to bring down the noise  17:43
<@gmaxwell> andytoshi: AFAICT though their reblinding requires you know the committed value.  17:43
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]  17:46
<andytoshi> maybe we don't need unblinding. if you say that within a single transaction everything has to add to a commitment to zero, maybe this forces the noise on all outputs to be small (but still hiding? i dunno)  17:47
<andytoshi> s/unblinding/reblinding/  17:47
<andytoshi> will need to look into SVP lattice ring signatures .. *handwave handwave* this almost looks like we can import your rangeproofs into this system, it's so pedersen-like  17:48
<andytoshi> but the security parameters in quantum crypto are weird. it's hard to say "x bits", you've got these radii and gaussian probabilities, i don't know how to think about them  17:49
<cjd> hmm  17:52
<cjd> I'm bad at math but I caught on to this HElib and I was playing with it, it allows you to encrypt a value with a public key and then add encrypted values  17:53
<cjd> and it's based on NTRU  17:53
-!- iwilcox [~iwilcox@unaffiliated/iwilcox] has quit [Remote host closed the connection]  17:54
<cjd> I can encrypt, add, decrypt but if I encrypt and add a set of polynomials which sum to zero, I do not get the same encrypted content as a plain 0 polynomial  17:55
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards  17:59
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has joined #bitcoin-wizards  18:12
-!- Cloudflare [~hmullerdo@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]  18:12
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has joined #bitcoin-wizards  18:15
<Cloudflare> yo  18:15
<Cloudflare> pocoyo: sup  18:15
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]  18:15
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has joined #bitcoin-wizards  18:19
-!- pro [~pro@unaffiliated/pro] has quit [Quit: Leaving]  18:20
-!- bumtime [~Sleepnbum@173.55.57.163] has quit [Ping timeout: 260 seconds]  18:23
<@gmaxwell> Cloudflare: http://i.stack.imgur.com/dzUaZ.png  18:23
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]  18:37
<Cloudflare> gmaxwell: hahaha  18:46
<Cloudflare> that's amazing  18:46
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 250 seconds]  18:49
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards  19:00
-!- mdavid613 [~Adium@cpe-172-251-161-231.socal.res.rr.com] has quit [Quit: Leaving.]  19:06
-!- cyphase [~cyphase@unaffiliated/cyphase] has quit [Ping timeout: 258 seconds]  19:06
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]  19:11
-!- cyphase_eviltwin [~cyphase@unaffiliated/cyphase] has joined #bitcoin-wizards  19:16
-!- Sleepnbum [~Sleepnbum@173.55.57.163] has joined #bitcoin-wizards  19:18
-!- jaekwon [~jaekwon@108-239-230-147.lightspeed.sntcca.sbcglobal.net] has quit [Remote host closed the connection]  19:21
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards  19:26
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Remote host closed the connection]  19:27
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards  19:27
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has joined #bitcoin-wizards  19:28
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 244 seconds]  19:32
-!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has quit [Remote host closed the connection]  19:33
-!- blockzombie [~blockzomb@eth59-167-133-100.static.internode.on.net] has joined #bitcoin-wizards  19:34
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards  19:44
-!- thesnark [~mike@unaffiliated/thesnark] has quit [Remote host closed the connection]  19:47
-!- jtimon [~quassel@55.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 258 seconds]  19:51
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]  20:04
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards  20:06
-!- Chris_Stewart_5 [~Chris_Ste@unaffiliated/chris-stewart-5/x-3612383] has quit [Ping timeout: 258 seconds]  20:09
-!- wetdinghy [~loltastic@99-8-65-117.lightspeed.davlca.sbcglobal.net] has joined #bitcoin-wizards  20:19
-!- rodarmor [rodarmor@2600:3c01::f03c:91ff:fe61:6c68] has joined #bitcoin-wizards  20:27
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards  20:28
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards  20:29
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Ping timeout: 252 seconds]  20:33
-!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has quit [Ping timeout: 252 seconds]  20:33
-!- pocoyo [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards  20:36
-!- instagibbs [~instagibb@pool-100-15-118-244.washdc.fios.verizon.net] has joined #bitcoin-wizards  20:40
-!- rusty2 [~rusty@pdpc/supporter/bronze/rusty] has joined #bitcoin-wizards  20:44
-!- rusty2 is now known as rusty  20:46
-!- wetdinghy [~loltastic@99-8-65-117.lightspeed.davlca.sbcglobal.net] has quit [Quit: AndroIRC - Android IRC Client ( http://www.androirc.com )]  20:46
-!- CrazyTruthYakDDS [uid67551@gateway/web/irccloud.com/x-pxbdahbgqyeqrbov] has joined #bitcoin-wizards  20:56
-!- r0ach [~r0ach@107-217-214-192.lightspeed.jcvlfl.sbcglobal.net] has quit []  21:04
-!- pompom [~pompom36@ctngya111073.ct.ftth.ppp.infoweb.ne.jp] has joined #bitcoin-wizards  21:11
-!- pompom [~pompom36@ctngya111073.ct.ftth.ppp.infoweb.ne.jp] has left #bitcoin-wizards ["Leaving"]  21:18
-!- iddo [~idddo@hyena.cs.cornell.edu] has quit [Changing host]  21:19
-!- iddo [~idddo@unaffiliated/iddo] has joined #bitcoin-wizards  21:19
-!- arowser [~quassel@106.120.101.38] has quit [Remote host closed the connection]  21:28
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has quit [Ping timeout: 252 seconds]  21:33
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Remote host closed the connection]  21:33
-!- arowser [~quassel@106.120.101.38] has joined #bitcoin-wizards  21:41
-!- cyphase_eviltwin is now known as cyphase  21:46
-!- Alopex [~bitcoin@cyber.dealing.ninja] has quit [Remote host closed the connection]  21:48
-!- contrapumpkin [~copumpkin@haskell/developer/copumpkin] has joined #bitcoin-wizards  21:49
-!- Alopex [~bitcoin@cyber.dealing.ninja] has joined #bitcoin-wizards  21:50
-!- copumpkin [~copumpkin@haskell/developer/copumpkin] has quit [Ping timeout: 258 seconds]  21:51
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has quit [Read error: Connection reset by peer]  22:12
-!- jaekwon [~jaekwon@75-101-96-71.dsl.static.fusionbroadband.com] has joined #bitcoin-wizards  22:12
-!- asynk [~aknix@65.78.54.2] has joined #bitcoin-wizards  22:27
-!- pocoyo is now known as renlord  22:30
-!- ThomasV [~ThomasV@unaffiliated/thomasv] has joined #bitcoin-wizards  22:30
-!- arowser_ [~quassel@106.120.101.38] has joined #bitcoin-wizards  22:32
-!- arowser_ [~quassel@106.120.101.38] has quit [Remote host closed the connection]  22:33
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards  22:34
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 252 seconds]  22:38
-!- renlord is now known as pocoyo  22:42
-!- pocoyo is now known as mryandao  22:43
-!- mryandao is now known as help  22:43
-!- sdaftuar [~sdaftuar@unaffiliated/sdaftuar] has quit [Ping timeout: 258 seconds]  22:43
-!- help is now known as mryandao  22:43
-!- sdaftuar [~sdaftuar@unaffiliated/sdaftuar] has joined #bitcoin-wizards  22:45
-!- wumpus [~quassel@pdpc/supporter/professional/wumpus] has quit [Ping timeout: 264 seconds]  23:07
-!- AusteritySucks [~Austerity@unaffiliated/austeritysucks] has quit [Ping timeout: 276 seconds]  23:08
-!- mryandao [~renlord@14-203-125-246.static.tpgi.com.au] has quit [Read error: Connection reset by peer]  23:09
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has quit [Read error: Connection reset by peer]  23:09
-!- wumpus [~quassel@pdpc/supporter/professional/wumpus] has joined #bitcoin-wizards  23:11
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has joined #bitcoin-wizards  23:11
-!- CrazyTruthYakDDS [uid67551@gateway/web/irccloud.com/x-pxbdahbgqyeqrbov] has quit [Quit: Connection closed for inactivity]  23:11
-!- mryandao [~renlord@14-203-125-246.static.tpgi.com.au] has joined #bitcoin-wizards  23:15
-!- jgarzik [~jgarzik@unaffiliated/jgarzik] has quit [Read error: Connection reset by peer]  23:23
-!- Cloudflare [~cloudflar@unaffiliated/cloudflare] has quit [Quit: WeeChat 1.5]  23:24
-!- jgarzik [~jgarzik@104-178-201-106.lightspeed.tukrga.sbcglobal.net] has joined #bitcoin-wizards  23:24
-!- jgarzik [~jgarzik@104-178-201-106.lightspeed.tukrga.sbcglobal.net] has quit [Changing host]  23:24
-!- jgarzik [~jgarzik@unaffiliated/jgarzik] has joined #bitcoin-wizards  23:24
-!- yoleaux [~yoleaux@xn--ht-1ia18f.nonceword.org] has quit [Ping timeout: 244 seconds]  23:26
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has joined #bitcoin-wizards  23:35
-!- jannes [~jannes@178.132.211.90] has joined #bitcoin-wizards  23:39
-!- tromp [~tromp@ool-944bc34f.dyn.optonline.net] has quit [Ping timeout: 250 seconds]  23:39
-!- BashCo [~BashCo@unaffiliated/bashco] has quit [Remote host closed the connection]  23:47
-!- asynk is now known as wipogee  23:50
-!- dnaleor [~dnaleor@78-23-74-78.access.telenet.be] has joined #bitcoin-wizards  23:59
--- Log closed Tue Aug 09 00:00:20 2016

Generated by irclog2html.py 2.15.0.dev0 by Marius Gedminas - find it at mg.pov.lt!