--- Day changed Sat Oct 28 2017
00:08 < waxwing> proslogion, maybe arubi could give a good answer; he continued to investigate that a lot
00:57 -!- zxccxz_ [4f7c1260@gateway/web/freenode/ip.79.124.18.96] has quit [Ping timeout: 260 seconds]
00:57 -!- xcvvcxvcx [53e42f33@gateway/web/freenode/ip.83.228.47.51] has quit [Ping timeout: 260 seconds]
01:21 -!- coins123 [~coins123@37.176.24.41] has joined #joinmarket
01:21 -!- coins123 [~coins123@37.176.24.41] has quit [Changing host]
01:21 -!- coins123 [~coins123@unaffiliated/coins123] has joined #joinmarket
01:24 < arubi> I began writing an answer but I see that there's a lot to tell. I'll paste it soon :)
01:29 < proslogion> arubi, :)
01:55 < arubi> okay here we go. it's gonna be a wall of text
01:56 < arubi> The idea was\is to create encumbrance on specific parts of the transaction using a pre-signed signature, and incorporate it into a scriptpubkey so that when you pay to that script, you assert that your funds can only be spent in a specific way.
01:56 < arubi> The way to authorize such a script would be to run pubkey recovery on the signature in the script + the agreed upon sighash.
01:56 < arubi> With this pubkey + sig pair, if you could place them both in a scriptpubkey and pay to it, you would know for a fact that any funds could only be redeemed to the pre-specified transaction template.
01:56 < arubi> Using op_codeseparator in the correct places, you can actually make the checksig operation skip serializing the recovered pubkey, which is the only thing that can't sign itself. with a "mock" txid in the input (txid is a chosen value) utxo with such a script and a pre-determined template, this actually works.
01:56 < arubi> The major block was the fact that with any bitcoin spend, you always sign the previous transaction's txid in the input. This means that even when using code separators to remove the scriptpubkey from sighash, you would still be signing its data which stays embedded in the txid. This breaks crypto unfortunately (and why this only works with a mock txid).
01:56 < arubi> The next tweak was to try and leverage anyonecanpay|single, if you place the utxo with this script in such an index that the sighash is "bugged" to become the sighash "one", then you don't break crypto, but you've lost all security as sighash no longer commits to the tx template.
01:56 < arubi> It became apparent that in order to do something like this, creating encumbrance for outputs (really it's just called a covenant), you need to have some sort of sighash scheme that doesn't commit to the previous txid while still committing to the other things like outputs and amounts.
01:56 < arubi> Around v0.13.1, a bip114 proposal was made with a new sighash scheme that could do just that (and more). You could set it up so you don't have to commit to a prev txid, but it came with a new block which was that it always copied the pubkey that is used in checksig into the sighash. This creates the same problem like the txid being present in sighash, so again it was not useful.
01:56 < arubi> Recently a new version of bip114 was put forward, and this time commitment to the pubkey in sighash is not a part of it. It also defines two new opcodes called PUSHTXDATA which actually places elements from the transaction onto the stack, and a CHECKSIGFROMSTACK which is kinda like a detached checksig over arbitrary data. These two together with the new rules enable output encumbrance and covenants in full.
01:56 < arubi> The block for now is that bip114 is not soft forked into bitcoin yet :)
02:06 < adlai> waxwing: a.uc-l.o doesn't have quite enough "nines" to be a reliable blog link... i'm not sure it even has a single one :P
02:07 * adlai is but a guest on that server; it goes down for maintenance without his approval, crashes due to yoloy dev-on-production, etc
02:15 < proslogion> arubi, thanks, the new proposal was the one from mark right
02:15 < arubi> no that's a different one. the one I'm talking about is from jl2012
02:17 < arubi> it does have some type of checksigfromstack it seems, which actually might be enough for very crude covenants. the beauty is combining it with pushtxdata so a script is executed on *this transaction rather than parameters embedded in the scriptpubkey
02:18 < arubi> this is a cache of all bip114 related stuff https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2017-September/014963.html
02:35 < waxwing> arubi, just reach out to craig. he'll show you how to do it.
02:35 < arubi> lol, it's probably "coming soon to bch" right? nchain just needs to finish up getting all its patents
02:36 < waxwing> adlai, ok, i see. it'd be interesting to aggregate the data somehow. i'm (probably) going to try and gather some data with blocksci, but they haven't bothered to update for segwit according to their github issues, not exactly promising.
02:36 < waxwing> still it seems to be a very serious effort, one way or another.
02:59 -!- coins123 [~coins123@unaffiliated/coins123] has quit [Ping timeout: 258 seconds]
03:06 < proslogion> waxwing, can you do this: create a sighash_single tx under a schnorr signature aggregation scheme, sign your own input and output, then handicap your sig into an adaptor sig and publish it, then wait for other people to add their own inputs and outputs, and until you deem the tx satisfactory, you throw in the missing t to generate the aggregated sig and allow it to validate for everything and get mined
03:06 < proslogion> probably very stupid
03:07 < proslogion> hmmm, doesn't seem to help for anything
03:08 < proslogion> until everyone
03:08 < proslogion> until everyone's t values are sufficiently mixed beforehand as well
03:12 < waxwing> yes at first glance i can't see what it buys you. but it does sound like an interesting line of thinking.
03:12 < waxwing> i'm betting there's a lot of crazy/cool things that can be done with the adaptor signature concept
03:15 -!- takamatsu [~takamatsu@unaffiliated/takamatsu] has joined #joinmarket
03:18 < proslogion> what will happen if I create e from three pubkeys, and sign my m (my part of the sighash_single tx), but only, say, the holder of P2's privkey responds?
03:19 < proslogion> i.e, we have e=H(P1+P2+P3||R1+R2+R3||m), but only s1 and s2
03:19 < proslogion> seems that it could work as well
03:22 < arubi> what's the important of sighash single here?
03:22 < arubi> importance*
03:24 < proslogion> so the outputs don't have to be fixed, ideally, otherwise an initiator has to specify where other participants would want to send their coins
03:25 < proslogion> the goal is of cuz as little interaction as possible
03:26 < arubi> alright, and eventually the initiator signs all participants' inputs, or should they be able to add those on their own?
03:27 < proslogion> for sighash single, the answer seems to be everyone signs everyone's inputs, partially
03:28 < proslogion> well, no, just your own input and output, sorry
03:28 -!- zxccxz [4f7c1260@gateway/web/freenode/ip.79.124.18.96] has joined #joinmarket
03:28 < arubi> that would be anyonecanpay|single, where you sign your own input and the corresponding output index in the tx
03:29 < proslogion> correct, thanks for resolving the confusion :)
03:29 < arubi> also it's a bit different in segwit now, much more flexible
03:30 < arubi> before segwit, your acp|single would still commit to its index in the vin, so you had to have "that many" signers before you
03:30 < proslogion> :O
03:30 < arubi> with bip143, you don't commit to an input index in anyonecanpay, so acp|single becomes a signature for a 1->1 "lego block"
03:31 < arubi> these 1->1 signed acp|single can be added together and permuted, and still be valid. it's a very cool aggregation thing :)
03:33 < proslogion> hmmm, i seem to have made a stupid mistake, all the 1-1 pairs still need to be validated for the one aggregated sig
03:34 < proslogion> so the connection is still visible, you still know which input goes to which output
03:34 < proslogion> bleh
03:39 < proslogion> what does sighash_single without acp do then? Does it fix the input set?
03:40 < arubi> right
03:41 < arubi> so single,all,none are for manipulating which outputs are signed, and anyonecanpay is to flip "I'm signing all inputs" to "I'm just signing mine". it was kinda useless before segwit because of the input index commitment, but much more flexible now
03:44 < waxwing> not useless imo
03:44 < waxwing> if anything i think acp should be the default :)
03:45 < waxwing> if it sends the money where i want, what do i care if someone else adds more?
03:45 < arubi> well, just don't have them add more of your own to end up as fees :P
03:45 < proslogion> yeah, lack of segwit
03:45 < proslogion> satoshi sucks
03:45 < waxwing> i'm hoping they can't sign for my inputs though ?
03:46 < arubi> you would sign those independently, and they could be aggregated
03:46 < arubi> maybe it's still okay? hm
03:47 < waxwing> it seems clear, if i sign a certain input for a certain set of outputs, i'm authorising that. i'm not going to sign more for the same output set. perhaps in some weird scenario, but basically.
03:48 < arubi> ah well, I couldn't aggregate them even if I wanted to then
03:48 < arubi> because the aggregate will have a different set of outputs
03:49 < arubi> you can't have just anybody adding, you'll have to resign with each addition
03:49 < waxwing> i think acp default would be fine. maybe i missed something.
03:49 < proslogion> the phrase 'anyone can pay' sounds non-problematic at all at least :)
03:49 < arubi> yes, you can't lose from setting acp|all
03:50 < waxwing> py3.6 on ubuntu1604 is core dumping every time i exit() the interpreter. well that's crap.
03:50 < arubi> you'd be vulnerable to malleability though :P
03:50 < waxwing> yes
03:51 < proslogion> so anyway, it sounds like, two people can each sign a tx with two same inputs but one different output and aggregate the sigs under sighash_single
03:52 < arubi> no because then the size of vin is smaller than the size of vout. one of the sigs will not sign its output index, instead will sign 0x0000...000
03:53 < arubi> s/will sign/will be validated against/
03:53 < arubi> or "one" pre-segwit
03:53 < arubi> ah wait that's the other way around, the same inputs?
03:53 < proslogion> yeah
03:54 < arubi> so the second output index isn't protected by sighash
04:19 -!- Giszmo [~leo@pc-204-28-214-201.cm.vtr.net] has quit [Quit: Leaving.]
04:59 -!- quitobro [~quitobro@pool-108-41-0-186.nycmny.fios.verizon.net] has joined #joinmarket
05:04 -!- quitobro [~quitobro@pool-108-41-0-186.nycmny.fios.verizon.net] has quit [Ping timeout: 248 seconds]
05:10 -!- quitobro [~quitobro@gateway/vpn/privateinternetaccess/quitobro] has joined #joinmarket
05:17 -!- Giszmo [~leo@pc-204-28-214-201.cm.vtr.net] has joined #joinmarket
06:20 -!- quitobro [~quitobro@gateway/vpn/privateinternetaccess/quitobro] has quit [Quit: quitobro]
06:23 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Ping timeout: 258 seconds]
06:30 -!- coins123 [~coins123@unaffiliated/coins123] has joined #joinmarket
07:52 -!- MaxSan [~user@213.152.162.84] has joined #joinmarket
08:06 -!- coins123 [~coins123@unaffiliated/coins123] has quit [Remote host closed the connection]
08:07 -!- technonerd [~techno@unaffiliated/technonerd] has quit [Quit: WeeChat 1.9.1]
08:21 -!- coins123 [~coins123@unaffiliated/coins123] has joined #joinmarket
09:17 -!- coins123 [~coins123@unaffiliated/coins123] has quit []
09:17 -!- zxccxz [4f7c1260@gateway/web/freenode/ip.79.124.18.96] has quit [Quit: Page closed]
09:23 -!- MaxSan [~user@213.152.162.84] has quit [Ping timeout: 240 seconds]
10:05 -!- puddinpop [~puddinpop@unaffiliated/puddinpop] has quit [Ping timeout: 252 seconds]
10:50 -!- puddinpop [~puddinpop@unaffiliated/puddinpop] has joined #joinmarket
10:54 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #joinmarket
11:04 -!- zxccxz [4f7c1260@gateway/web/freenode/ip.79.124.18.96] has joined #joinmarket
11:16 -!- technonerd [~techno@gateway/tor-sasl/technonerd] has joined #joinmarket
12:07 -!- zxccxz [4f7c1260@gateway/web/freenode/ip.79.124.18.96] has quit [Quit: Page closed]
13:25 -!- MaxSan [~user@213.152.162.84] has joined #joinmarket
14:09 -!- delinquentme [~delinquen@108-235-112-153.lightspeed.sntcca.sbcglobal.net] has joined #joinmarket
15:02 -!- zxccxz [4f7c1260@gateway/web/freenode/ip.79.124.18.96] has joined #joinmarket
15:22 -!- berndj-blackout [~berndj@mail.azna.co.za] has joined #joinmarket
15:23 -!- berndj [~berndj@mail.azna.co.za] has quit [Ping timeout: 240 seconds]
15:24 -!- berndj-blackout is now known as berndj
15:28 < delinquentme> i need persistent channel logging =/
17:00 < delinquentme> any ideas on the fees :DDD???
17:01 < delinquentme> well see if I make any progress
17:05 -!- Giszmo [~leo@pc-204-28-214-201.cm.vtr.net] has quit [Quit: Leaving.]
17:08 -!- Giszmo [~leo@pc-204-28-214-201.cm.vtr.net] has joined #joinmarket
17:56 -!- quitobro [~quitobro@pool-108-41-0-186.nycmny.fios.verizon.net] has joined #joinmarket
18:16 < delinquentme> Or should I not be asking about what the fees are...
19:16 -!- delinquentme [~delinquen@108-235-112-153.lightspeed.sntcca.sbcglobal.net] has quit [Quit: Leaving]
20:53 -!- quitobro [~quitobro@pool-108-41-0-186.nycmny.fios.verizon.net] has quit [Quit: quitobro]
23:50 -!- MaxSan [~user@213.152.162.84] has quit [Ping timeout: 240 seconds]