--- Day changed Wed Apr 25 2018
01:47 < adlai> waxwing: actually it seems that mars is in the house of belcher, or however the straylodgers call it... someone is running an aggressive disk padding service in the pits.
02:12 -!- lnostdal [~lnostdal@77.70.119.51] has quit [Ping timeout: 256 seconds]
02:38 -!- lnostdal [~lnostdal@77.70.119.51] has joined #joinmarket
03:02 -!- kcud_dab is now known as bad_duck
03:26 -!- iinaj [sid110431@gateway/web/irccloud.com/x-cqoxbvtcsvwnmeyc] has quit []
03:26 -!- iinaj [sid110431@gateway/web/irccloud.com/x-ctkoxrayogkzqjbk] has joined #joinmarket
04:31 -!- lnostdal [~lnostdal@77.70.119.51] has quit [Ping timeout: 240 seconds]
04:36 -!- lnostdal [~lnostdal@77.70.119.51] has joined #joinmarket
04:53 -!- trotski2000 [sid206086@gateway/web/irccloud.com/x-urkfweimcaubqhig] has quit []
04:53 -!- trotski2000 [sid206086@gateway/web/irccloud.com/x-spzilbshlmftjunn] has joined #joinmarket
05:26 -!- Lightsword [~Lightswor@107.170.253.193] has joined #joinmarket
07:14 -!- Althea74Kreiger [~Althea74K@ns334669.ip-5-196-64.eu] has joined #joinmarket
07:28 < waxwing> adlai, you mean spamming messages that are not JM type, i take it? don't *think* i saw it my end, not being in the pit directly.
07:43 < waxwing> although i saw a lot of disconnections i think, that might be related
08:02 -!- Netsplit over, joins: Sentineo, instagibbs, M1, @ChanServ
08:03 -!- Netsplit over, joins: Lightsword
08:04 -!- Althea74Kreiger [~Althea74K@ns334669.ip-5-196-64.eu] has quit [Ping timeout: 260 seconds]
08:04 -!- Netsplit over, joins: StopAndDecrypt, dx25, adlai
08:05 -!- trotski2000 [sid206086@gateway/web/irccloud.com/x-spzilbshlmftjunn] has quit [Changing host]
08:05 -!- trotski2000 [sid206086@unaffiliated/trotski2000] has joined #joinmarket
08:05 -!- trotski2000 [sid206086@unaffiliated/trotski2000] has quit [Changing host]
08:05 -!- trotski2000 [sid206086@gateway/web/irccloud.com/x-spzilbshlmftjunn] has joined #joinmarket
08:16 -!- Julianne90Bayer [~Julianne9@ns334669.ip-5-196-64.eu] has joined #joinmarket
08:17 -!- arubi [~ese168@gateway/tor-sasl/ese168] has joined #joinmarket
08:29 -!- StopAndDecrypt [~StopAndDe@unaffiliated/stopanddecrypt] has quit []
08:29 -!- StopAndDecrypt [~StopAndDe@unaffiliated/stopanddecrypt] has joined #joinmarket
08:56 -!- lnostdal [~lnostdal@77.70.119.51] has quit [Excess Flood]
08:57 -!- lnostdal [~lnostdal@77.70.119.51] has joined #joinmarket
08:57 -!- Giszmo [~leo@pc-37-38-86-200.cm.vtr.net] has joined #joinmarket
09:10 -!- Xeha [~Xeha@unaffiliated/k1773r] has joined #joinmarket
10:44 < arubi> just brainstorming here, no concrete proposal. re. #693, afaict we want to forbid running multiple yigens off of the same wallet. a (pub)key in a (canonical) jm wallet lives in a non-hardened HD path. I'm wondering if it's possible to ask a maker to show us a path from their proposed pubkey for a join to some parent pubkey without disclosing the actual key (but keep the HD quality intact), so if a seconf maker has to prove the same and
10:44 < arubi> they're using the same wallet, then the taker could figure out that these two proposed pubkeys share the same parent
10:45 < arubi> s/seconf/second/
11:16 < arubi> actually, while formulating a question to #-wizards, I realize that even if this is all possible to do securely (the true pubkeys end up being revealed in the case of an honest prover), eventually some hardened parent is reached and afaict I can't prove anything to you past that point without revealing secret data. so a dishonest prover could just set up all their accounts in such a way that the segregation is done in a hardened level of the
11:16 < arubi> path and the taker would never be able to know. I'm wondering if the HD scheme could be changed to something else than bip32 that somehow does support this kind of proof..
11:17 < arubi> basically, the issue of "utxos belonging to the same wallet" and "pubkeys belonging to the same wallet" seem interchangeable to me, so that's what got me wondering
11:19 < arubi> interchangeable - with two "unrelated" pubkeys belonging to the same wallet being the stronger of the two
11:34 < waxwing> hmm, so you want a proof (ideally zero knowledge) that a pair of keys (perhaps a set) share the same root.
11:36 < waxwing> yeah my first instinct on that would be a bip32 like scheme would maybe not be possible without revealing info (or even worse, secrets), but perhaps some whacky alternate pure-EC derivation scheme it might be possible.
11:36 < waxwing> but having it not be a complete security fail is probably a challenge :)
11:38 < waxwing> but to make it address the 693 problem, even assuming such a thing were possible, seems like a tall order indeed. if it's just 'well all my keys are in this set' that's not enough to stop someone using subsets as separate wallets.
11:38 < waxwing> err .. or something. damn, that's confusing.
11:40 < arubi> right, some canonical path has to be established without letting the maker just partition keys across derivation paths
11:42 -!- player1 [~player1@ip5b40631b.dynamic.kabel-deutschland.de] has joined #joinmarket
11:44 < waxwing> there's a difference between an algo that "proves key X is a member of wallet W" and "proves key X1 is in the same wallet as key X2". you're talking about the latter, but it would tend not to be enough to achieve the goal, for the reason just mentioned.
11:45 < waxwing> the former has the problem that it's basically fingerprinting makers (even ignoring the problem that it can't be done with bip32 hardened as you mentioned)
11:48 < arubi> it only fingerprints them if the proving algo always takes the same input though right? in my mind the algo takes ephemeral inputs but given X1 and X2 from different proofs, a taker can figure out they belong to the same W
11:48 < waxwing> that's the latter of the two options right
11:49 < arubi> ah, that's what I initially wanted to achieve
11:49 < waxwing> i was saying the *former* suffered from fingerprinting, not the latter
11:49 < arubi> I see what you mean now
11:50 < arubi> so prove that X is in W is one thing, and "figure out" that X1 and X2 are both in W is different
11:50 < waxwing> but hmm. if such a fantastic beast did exist, i'm slightly optimistic that it could solve 693. kinda. keep changing my mind :)
11:50 < waxwing> yeah the idea being that in the latter, you wouldn't necessarily be able to identify W across different requests.
11:51 < waxwing> although hmm over time you connect them/cluster them just like with utxos :)
11:53 < arubi> if the proof is specific to "this" cj, maybe it's non-transferable? although yea, nothing keeps you from learning and keeping past proofs
11:53 < arubi> wish I knew "more math" to be useful heh :)
11:53 < waxwing> if you have a key P and you tweak with k, so the new key Q is P+kG, then revealing k proves that P and Q are connected and under your control (if you can sign for P and Q).
11:56 < arubi> right, initially I wanted to avoid the tweak being a scalar at all. the same relation can be proved by signing for both P (which you eventually do) and a public tweak kG without giving away k itself
11:56 < waxwing> ah. if I have two pubkeys P, Q, then if i can sign for the pubkey (Q-P) it proves I know *both* privkeys in zk (zkpop). true or false?
11:56 < waxwing> oh i see you said something similar :)
11:56 < arubi> :)
11:57 < waxwing> problem is this kind of positive proof is not quite what we want, we want negative proofs.
11:57 < waxwing> we need alice to prove she's not bob, so to speak
11:58 < arubi> ah, exactly,
11:58 < arubi> I wonder if by "trying" to prove that you're not using signatures, then being caught, that your privkeys become known to the taker
12:01 < arubi> signatures like sign-to-contract come to mind, where a public tweak is given but trying to sign twice for the same contract with different sigs gives away the private key
12:02 < arubi> using the same public tweak that is, but if the "punisher" can figure out a scalar value between two seemingly unrelated pub tweaks, then they can compromise.. I think, long since I looked at it closely
12:03 < waxwing> how does that work? can you remember the equations/details?
12:03 < waxwing> sign to contract means put the hash of the contract as a tweak to the nonce point right? so R is R + H(contract) or something?
12:03 < waxwing> actually somebody did (finally) write this up a bit recently, i'll see if i can find it
12:04 < arubi> I have this: https://github.com/fivepiece/btc-bash-ng/blob/master/bc/ecdsa/contract_hash.bc
12:06 < waxwing> yeah it's basically what i said according to this at least: https://blog.eternitywall.com/2018/04/13/sign-to-contract/
12:06 < waxwing> well R + H(R||C) not just R+H(C)
12:07 < arubi> oh that looks like a nice writeup
12:08 < waxwing> yup, especially nice because it exists :) S2C and P2C were those annoying things everybody talks about and you can't remember how they work :)
12:08 < arubi> haha yea, I'm still vague on p2c
12:10 < player1> hey guys, I am just getting started with joinmarket, heard a lot of good things
12:10 < player1> is it okay if my copy of bitcoin is running with txindex enabled?
12:10 < arubi> it doesn't hurt
12:10 < player1> ok thanks
12:10 < arubi> yw
12:13 < waxwing> arubi, i don't quite get it; k is deterministic on m, if you sign again with the *same* contract, isn't everything the same?
12:13 < waxwing> what does "with different sigs" mean?
12:15 < arubi> two different signatures using the same k0, tweaked by two different tweaks, signing the same message
12:15 < waxwing> tweak = h(R||contract) ?
12:15 < arubi> both signed by the same privkey too
12:15 < arubi> yea, here the contract is different, but message is the same
12:16 < waxwing> ok. earlier you said "trying to sign twice for the same contract"
12:16 < arubi> you're right. s/same contract/same message/
12:16 < waxwing> different contract, same message then yes, i get it.
14:26 < belcher_> adlai: my joinmarket/logs/ dir is 225 MB and joinmarket-clientserver/.../logs is 400 MB
14:37 -!- belcher [~belcher@unaffiliated/belcher] has joined #joinmarket
15:03 < belcher> so on the issue #693 (many makers one wallet), did anyone see this comment of mine? https://github.com/JoinMarket-Org/joinmarket/issues/693#issuecomment-336749103
15:03 < belcher> we were talking about using podle commitments but i believe using sha256() as a commitment would work just as well
15:15 -!- viasil_ [~viasil@185.212.171.215] has joined #joinmarket
15:18 -!- viasil [~viasil@185.212.171.215] has quit [Ping timeout: 240 seconds]
16:25 -!- belcher [~belcher@unaffiliated/belcher] has quit [Quit: Leaving]
16:31 -!- lnostdal [~lnostdal@77.70.119.51] has quit [Ping timeout: 276 seconds]
16:43 -!- lnostdal [~lnostdal@85-118-79-125.mtel.net] has joined #joinmarket
16:49 -!- lnostdal [~lnostdal@85-118-79-125.mtel.net] has quit [Ping timeout: 265 seconds]
16:51 -!- viasil_ is now known as viasil
17:02 -!- lnostdal [~lnostdal@85-118-79-125.mtel.net] has joined #joinmarket
17:26 -!- lnostdal [~lnostdal@85-118-79-125.mtel.net] has quit [Ping timeout: 248 seconds]
17:39 -!- lnostdal [~lnostdal@85.118.83.239] has joined #joinmarket
17:47 -!- lnostdal [~lnostdal@85.118.83.239] has quit [Ping timeout: 248 seconds]
18:00 -!- lnostdal [~lnostdal@85-118-78-196.mtel.net] has joined #joinmarket
19:10 -!- emzy_ [~quassel@raspberry.emzy.de] has joined #joinmarket
19:11 -!- deafboy_ [quasselcor@cicolina.org] has joined #joinmarket
19:12 -!- core_ [~core@ilya.xxx] has joined #joinmarket
19:13 -!- core [~core@unaffiliated/core] has quit [Ping timeout: 256 seconds]
19:13 -!- deafboy [quasselcor@cicolina.org] has quit [Ping timeout: 256 seconds]
19:13 -!- emzy [~quassel@unaffiliated/emzy] has quit [Ping timeout: 256 seconds]
19:13 -!- core_ is now known as core
19:13 -!- core [~core@ilya.xxx] has quit [Changing host]
19:13 -!- core [~core@unaffiliated/core] has joined #joinmarket
20:11 -!- AgoraRelay [~jmrelayfn@p5DE4A385.dip0.t-ipconnect.de] has quit [Ping timeout: 255 seconds]
20:26 -!- AgoraRelay [~jmrelayfn@p5DE4A328.dip0.t-ipconnect.de] has joined #joinmarket
21:13 -!- lnostdal [~lnostdal@85-118-78-196.mtel.net] has quit [Ping timeout: 260 seconds]
21:14 -!- raedah [~x@184.75.223.211] has quit [Ping timeout: 240 seconds]
22:43 -!- lnostdal [~lnostdal@77.70.119.51] has joined #joinmarket
23:00 < arubi> hm but belcher doesn't this mean that a taker can just try "for utxo in utxo_set: sha256(utxo|my_nonce) =? maker_published_value" for everything they get to hear about from makers? the utxo set is still pretty small for such a search, but maybe I'm missing some other context so sorry if that's the case.
23:00 * arubi goes to boring day job
23:59 -!- xcvvcx [53e42f33@gateway/web/freenode/ip.83.228.47.51] has joined #joinmarket