--- Day changed Tue Jun 06 2017
02:27 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 255 seconds]
09:16 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has joined #secp256k1
11:31 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Remote host closed the connection]
13:08 < arubi> not sure where to post this, but since andytoshi's sighacker was posted here, might be on topic? say a new checksig op is defined that acts both as a checksig and also asserts some nonce given an input and a hash of the pubkey (sighash v2?), maybe double spending could be punished by exploiting "commitment re-use"? reference: https://github.com/fivepiece/sigcracker
13:21 -!- instagibbs [~instagibb@pool-100-15-117-236.washdc.fios.verizon.net] has quit [Ping timeout: 268 seconds]
13:26 -!- instagibbs [~instagibb@pool-100-15-117-236.washdc.fios.verizon.net] has joined #secp256k1
13:48 < gmaxwell> arubi: oh, without creating nonce reuse? I don't think you need to do anything so elaborate.
13:49 < gmaxwell> I wrote a spec for elements a while back to do probabilistic payments that worked something like this:
13:50 < arubi> actually my thinking was asserting nonce reuse, but go on
13:51 < gmaxwell> well if you want to do that, just make the txout commit to the nonce, and use substr to check it. Then the nonce is forced.
13:51 < gmaxwell> Problem: I can craft a payment such that you provide a hash preimage, and then I sign and then only if the committed value is near enough to my signature in order to pay with some probability. But what stops a single probabilistic payer from paying many people at once with the same coin?
13:52 -!- instagibbs [~instagibb@pool-100-15-117-236.washdc.fios.verizon.net] has quit [Quit: ZNC 1.6.3+deb1 - http://znc.in]
13:53 < gmaxwell> So I propose that the payer create a bond output which they can recover after some date (e.g. three months from now)-- Or someone else can recover if they show two signatures with a particular key where the first 32 bits are the same and the next 128 bits are different.
13:54 < gmaxwell> Then when you want to make a prob payment, the payer shows you his bond and makes a signature of the current block height and the 128 bit ID. Then the payee shares that signature with one or more doublespend servers.
13:55 < arubi> oh that's very cool :)
13:56 < arubi> right, I can see how this is better in "containing" the double spend so an honest one can go through anyway
13:56 < arubi> "eventually" rather
13:57 < gmaxwell> so then they get one spend at each height, and if they doublespend they'll get caught and lose their bond.
13:57 < gmaxwell> and all it needs is checksigfromstack and substr. (which elements has)
13:57 < gmaxwell> and the meeting place servers which are trivial.
13:58 < gmaxwell> and they're allowed to doublespend just not too often which is exactly what you want for probabilistic payment.
14:00 < arubi> do you think this can be ported to mainnet using current op_checksig?
14:00 < arubi> so, two checksigs, one is ALL and the other is some anyonecanpay|single at index 9
14:00 < arubi> er, index 0
14:01 -!- instagibbs [~instagibb@pool-100-15-117-236.washdc.fios.verizon.net] has joined #secp256k1
14:01 < arubi> yea, not single. anyonecanpay|none
14:01 < arubi> alongside a normal checksig ALL
14:03 -!- instagibbs [~instagibb@pool-100-15-117-236.washdc.fios.verizon.net] has quit [Client Quit]
14:04 < arubi> I'll probably need to refine what I'm trying to describe here, if it's even possible at all and I'm not ignoring anything. you sign up yourself to a script that would do that, maybe you want to prove some payee that you're not going to double spend
14:04 -!- instagibbs [~instagibb@pool-100-15-117-236.washdc.fios.verizon.net] has joined #secp256k1
14:05 < gmaxwell> I don't know how to port it to mainnet, but the elements script enhancements are more or less trivial and I hope that when we do a new script version that supports multischnorr we'll pick up most of the things in elements.
14:05 < arubi> yea good point. it's not too far off really
14:07 < arubi> it's pretty cool that you can prove proximity of the keys like that, I'll try that next heh
16:35 -!- echonaut [~echonaut@46.101.192.134] has quit [Remote host closed the connection]
16:35 -!- echonaut [~echonaut@46.101.192.134] has joined #secp256k1
17:49 -!- jtimon [~quassel@117.29.134.37.dynamic.jazztel.es] has quit [Ping timeout: 240 seconds]
18:13 -!- echonaut [~echonaut@46.101.192.134] has quit [Remote host closed the connection]
18:13 -!- echonaut1 [~echonaut@46.101.192.134] has joined #secp256k1
23:56 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1