--- Day changed Tue Dec 05 2017
04:24 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has joined #secp256k1     
07:08 -!- cloudcell [~cloudcell@81.23.9.160] has joined #secp256k1     
07:08 -!- cloudcell [~cloudcell@81.23.9.160] has quit [Remote host closed the connection]     
07:10 -!- jtimon [~quassel@164.31.134.37.dynamic.jazztel.es] has joined #secp256k1     
07:33 -!- cloudcell [~cloudcell@81.23.9.160] has joined #secp256k1     
07:33 -!- cloudcell is now known as Guest12026     
08:43 -!- Guest12026 [~cloudcell@81.23.9.160] has quit [Read error: Connection reset by peer]     
10:07 -!- hdevalence [~hdevalenc@199-188-193-243.PUBLIC.monkeybrains.net] has joined #secp256k1     
10:38 -!- SopaXorzTaker [~SopaXorzT@unaffiliated/sopaxorztaker] has quit [Remote host closed the connection]     
13:05 -!- hdevalence [~hdevalenc@199-188-193-243.PUBLIC.monkeybrains.net] has quit [Ping timeout: 255 seconds]     
14:31 -!- arubi [~ese168@gateway/tor-sasl/ese168] has quit [Ping timeout: 248 seconds]     
14:35 -!- arubi [~ese168@gateway/tor-sasl/ese168] has joined #secp256k1     
14:55 -!- arubi [~ese168@gateway/tor-sasl/ese168] has quit [Ping timeout: 248 seconds]     
14:56 -!- arubi [~ese168@gateway/tor-sasl/ese168] has joined #secp256k1     
17:59 -!- jtimon [~quassel@164.31.134.37.dynamic.jazztel.es] has quit [Ping timeout: 240 seconds]     
18:46 < andytoshi> had a call with benedikt today. he suggested a scheme for "small assets" where you increase the size of `l` and `r` by the total number of assets (bulletproofs are log-sized in this size) .. so basically zero space increase, a constant verify-time increase. no need for asset tags. (the scheme we talked about on the call had a lot of hand-waving in it but we think we can flesh out the details). you
18:46 < andytoshi> can also support multiple assets in one output but there are tradeoffs here (you multiply the verification time by the # of assets and add log(# assets) size to your proofs)
18:47 < andytoshi> re "big assets", issued assets, that situation is harder. no clear replacement for the ASPs. benedikt observes that we need to be very careful with these blinded asset tags because if multiple tags represent the same asset, that's a discrete log relation that a prover knows which is potentially sufficient to break the proof
18:48 < andytoshi> having said that i'm pretty sure we can use my original proposal to split `t` into multiple parts so a linear 32-byte hit for each asset, essentially we make all of our polynomials multivariate
18:48 < andytoshi> benedikt suggests that by using the bootle matrix trick we can reduce this linearity to square root. haven't worked out the details yet
18:49 < andytoshi> i want to spend some time exploring the design space here. maybe ASPs are a bad fit for bulletproofs but there is something else with equivalent privacy that is more reasonable
19:17 < sipa> so small assets is effectively similar to the idea we had before CA
19:17 < sipa> where the total number of assets needs to be known and bounded
19:18 < andytoshi> yes     
19:21 < andytoshi> "small assets"/"big assets" are terms we've used since the beginning, as have the potential tradeoffs for small assets that i described
19:22 < andytoshi> but nobody cares about small assets for liquid/elements, so we never explored this
23:33 -!- jtimon [~quassel@164.31.134.37.dynamic.jazztel.es] has joined #secp256k1