--- Day changed Fri Aug 02 2019
00:01 -!- Comstock [Comstock@gateway/vpn/privateinternetaccess/comstock] has joined #joinmarket
01:11 < waxwing> belcher_, argh they still didn't upload my message to the mailing list.
01:11 < waxwing> so i guess now everyone believes it's a categorical fact that joinmarket can be sybilled entirely for $32K
01:33 -!- Zenton [~user@unaffiliated/vicenteh] has joined #joinmarket
02:24 < belcher_> :(
02:25 -!- belcher [~belcher@unaffiliated/belcher] has joined #joinmarket
03:00 < waxwing> oh so i had an idea as i was going for a walk
03:01 < waxwing> how about this: remember ring signatures don't work on addresses, what about publishing pubkey and locktime on an anon bulletin board and then ring sig-ing over the set for a published value range
03:02 < waxwing> one nice thing is it could work for the idea of fidelity bonds in general, so it wouldn't be restricted necessarily to Joinmarket maker anon set.
03:02 < waxwing> if there were other uses for fidelity bonds or whatnot.
03:02 < waxwing> also it's nice because everyone can independently verify the data in these lists, so the bulletin board is entirely untrusted. and you can use any ring sig tech you like, for example Schnorr AOS style would make sense I think.
03:02 < waxwing> belcher_, ^
03:05 < belcher> thats a good idea i think
03:06 < belcher> hold on, how would takers know the value of a maker's fidelity bond
03:07 < belcher> the proof would be that the maker has one bond, but i dont think it would reveal what is the corresponding bitcoin amount
03:08 < waxwing> belcher, 'over the published value range'
03:08 < waxwing> my idea is that you join a set like 0.1-0.2 or 1.0-2.0
03:09 < waxwing> i mean clearly it's imperfect, but i'd always imagined these ring sigs working like that. like if you wanted to brag how rich you are you'd sign over a ring/set that is 'rich' which might mean like 500-1000BTC or something.
03:09 < belcher> the effect then is that a sacrifice of 1.99 btc is worth the same as one of 1.1 btc
03:09 < waxwing> too small a range or too large a range can both be problems of course.
03:09 < belcher> it could work perhaps
03:10 < waxwing> yes you'd expect people to cluster near the lower end, i don't actually know what's optimal
03:10 < belcher> yes, choosing the ranges is a tradeoff between anonymity and divisibility
03:10 < waxwing> my gut feel is small ranges like that'd be best - 0.1 to 0.2 and 1.0 to 2.0 and 10.0 to 20.0
03:11 < belcher> maybe choose the ranges based on how many other TXOs are in that range
03:11 < belcher> choose the range so you have 20 other coins within i
03:11 < waxwing> related question is what's the "right" way for the user to pay in. they can't really coinjoin in , as these utxos are distinguishable.
03:11 < waxwing> well these sets have to be of fidelity bonds only right, because these utxos are distinguishable.
03:12 < belcher> yes, only of fidelity bonds
03:14 < waxwing> i'll write it out in a couple of paragraphs in a gist to get comments i guess.
03:14 < waxwing> unless you have any other immediate thoughts.
03:17 < belcher> if multiple proofs for the same TXO use different ranges then by overlapping you could find which is the real TXO
03:17 < belcher> so proofs should always use the same ranges i think
03:17 < belcher> also, this scheme still reveals that those TXOs are something to do with joinmarket even if they dont reveal exactly which IRC nick owns them
03:18 < belcher> so i think you'd still have to mix before sending to an exchange in case they ask questions about joinmarket
03:29 < waxwing> i don't imagine you'd be using the same utxo for different ranges? the system would have to have pre-set globally agreed (not-contiguous) ranges.
03:30 < waxwing> re: reveal, yeah, but i think you're most of the way there already using CLTV.
03:30 < belcher> yes, it was in reference to my idea of "choose the range so that ~20 other TXOs are in the same range"
03:30 < waxwing> gotcha
03:34 < belcher> whats the threat model being solved with the ring sig? since if CLTV already marks it out as a joinmarket bond you still have to mix before using... the ringsig scheme stops the TXO being linked to your IRC nick, but an IRC nick is just random data that isnt linked to much else
03:36 < waxwing> yeah fair question. i was mostly trying to avoid long lasting identities.
03:37 < waxwing> it seems desirable that, as today, you can jump in and out without having a months long identity that someone can try to trace .. but admittedly this isn't really that clear.
03:38 < waxwing> one could just look at it as an attempt to strengthen, in general, the viability of a fidelity bond concept across a range of applications. because people will i think find it more compelling if it's not traceable across multiple usages.
03:38 < waxwing> like you could use the same bond for Joinmarket and System X, and it would defend against Sybil in both perhaps. Like a token, essentially, although a bit fudged.
03:39 < belcher> system x can be a coinswap implementation
03:39 < belcher> i think 12.5% of taker's choices should be makers with no bonds, so that people can still mix coins very slowly with yieldgenerator, and they would be essentially identityless
03:44 < waxwing> yeah. or just, different cost assessment and randomization.
03:44 < belcher> yep
03:44 < belcher> also if you want to be identityless you can be a taker
03:45 < waxwing> well i think everyone participating wants to be identityless it's just hard to get it perfect. it's not like i'm saying you couldn't do fidelity bonds without ring sigs, i just am thinking (maybe) it'll make the idea more attractive/workable.
03:47 < belcher> its interesting comparing PoW and fidelity bonds both as solutions to sybil attacks... they both require a sacrifice to create an identity but PoW immediately throws away that identity while fidelity bonds dont (i dont have a point here im just thinking generally aloud)
03:49 < belcher> using coin age as a way to create fidelity bonds would be a way to avoid having CLTV mark the coin
03:50 < belcher> although an exchanges chain analysis company could scrape the fidelity bond message board and from that figure out your TXO is suspicious even if theres no CLTV involved, so you'd still need to mix
03:51 < waxwing> sorry i wasn't keeping up with the coin age discussion yet, but yeah, that's relevant
03:54 < belcher> tl;dr using CLTV a sacrifice of future time-value, coin age is a sacrifice of past time-value... both can be valid methods, coin age requires less miner fees because you dont have to make a transaction every 6-12 months
03:55 < waxwing> hmm right. as we use currently on taker side. (if crudely).
03:55 < belcher> for podle commitments you mean? yes a little bit like that
03:56 < waxwing> well yes, not the same mechanics of course but using the same principle to achieve some scarcity
03:56 < belcher> yes
03:56 < belcher> the maths for CLTV and coin age should be the same, so a hypothetical sybil attacker still needs to burn or lock up lots of coins
03:58 < belcher> but in terms of anonymity you'd still need to mix before spending (but if you hodl forever you dont need to mix :p)
04:03 < waxwing> hang on, i'm being dumb. ring sigs per se don't work; they don't provide uniqueness, so a Sybiller could provide multiple sigs on the same utxo without you knowing.
04:03 < waxwing> you have to use the LSAG type design that Monero uses.
04:03 < waxwing> you have a 'key image' which will always be the same from the same signer.
04:03 < waxwing> i really need to think this through a bit more lol
04:10 < waxwing> belcher, forgetting ring sig for a moment, how *exactly* did you envision the mechanism of publishing the bond working, in Joinmarket?
04:14 < belcher> as well as saying !swabsoffer/!swreloffer, makers can also say !bond which has parameters of the proof (signature, locktime, outpoint, etc)
04:14 < belcher> then on the taker side each offer may have an associated bond value
04:16 < belcher> note that its backward compatible, a maker might never say !bond (because they dont have a bond or they never updated to the new software) and takers can still understand the protocol and might still choose them for coinjoins
04:17 < belcher> waxwing ^
04:20 < waxwing> yeah, i think that fits, thanks
04:44 -!- takamatsu is now known as mauro|call
07:00 -!- viasil [~viasil@95.174.67.204] has quit [Ping timeout: 246 seconds]
07:06 -!- viasil [~viasil@95.174.67.204] has joined #joinmarket
08:01 < waxwing> hmm it's linear in the anon set. which wouldn't be a problem but yuck if needs to be constantly posted.
08:20 < belcher> what is linear?
08:48 < waxwing> ring sigs like this. in particular LSAG.
08:48 < waxwing> i've finished writing something up i'll post it on wizards. it's only fairly vague, but still.
09:02 < waxwing> anyway all that crypto shenanigans aside, the backwards in time vs forwards in time discussion is interesting, i'll think about that more.
09:12 < belcher> iv read your writings on that gist
09:15 < belcher> its a document about the things we talked about here earlier but in more detail, so i have nothing much more to add
09:23 < belcher> i realize the ranges have to involve the timelock too
09:24 < belcher> because the timelock time is involved in the calculation of the bond value... so perhaps the ranges should be in btc^2 bond value rather than just btc
09:25 < belcher> thats a small detail though and an easy change to make
09:56 -!- emzy_ [~quassel@raspberry.emzy.de] has quit [Changing host]
09:56 -!- emzy_ [~quassel@unaffiliated/emzy] has joined #joinmarket
10:00 -!- Comstock [Comstock@gateway/vpn/privateinternetaccess/comstock] has quit [Remote host closed the connection]
10:18 -!- Zenton [~user@unaffiliated/vicenteh] has quit [Ping timeout: 248 seconds]
11:18 -!- reallll [~belcher@unaffiliated/belcher] has joined #joinmarket
11:21 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 258 seconds]
12:20 -!- Zenton [~user@unaffiliated/vicenteh] has joined #joinmarket
12:51 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Excess Flood]
12:52 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #joinmarket
12:55 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has quit [Excess Flood]
12:56 -!- luke-jr [~luke-jr@unaffiliated/luke-jr] has joined #joinmarket
13:24 -!- reallll is now known as belcher
14:24 < qubenix> joinmarket was discussed on the latest Tales From the Crypt: https://overcast.fm/+KiHp3KIAo
17:38 -!- AgoraRelay [~jmrelayfn@p5DE4AAF8.dip0.t-ipconnect.de] has quit [Ping timeout: 258 seconds]
17:40 -!- CgRelayBot [~CgRelayBo@p5DE4AAF8.dip0.t-ipconnect.de] has quit [Ping timeout: 268 seconds]
17:50 -!- AgoraRelay [~jmrelayfn@p54866101.dip0.t-ipconnect.de] has joined #joinmarket
17:52 -!- CgRelayBot [~CgRelayBo@p54866101.dip0.t-ipconnect.de] has joined #joinmarket