--- Log opened Wed Nov 11 00:00:13 2020
01:32 -!- reallll is now known as belcher
07:43 < andytoshi> musing about what the API for "streaming bulletproofs" should be
07:44 < andytoshi> i'd like to be able to produce uncompressed BPs (the list of scalars, before going through the log-size EC-heavy compression phase) in a way that a hww can take each scalar (or pair of scalars or whatever makes sense)
07:44 < andytoshi> and dump it over USB/to disk/whatever
07:44 < andytoshi> and then forget about it. so it never has to have the whole proof in memory
07:45 < andytoshi> is there an idiomatic way to do this in C
08:17 < andytoshi> hmm maybe i can encapsulate the whole proof in an "engine" similar to what we do with hashes
08:21 < real_or_random> andytoshi: so who is streaming and who's receiving here?
09:21 < andytoshi> real_or_random: oh a high level? the hww is streaming and the host is receiving
10:11 < real_or_random> something like a socket, just with special purpose?
10:11 < real_or_random> or maybe your question is about something different, not sure
10:16 < sipa> andytoshi: what context is this? proving or verifying?
10:17 < sipa> conceptually i'd say have a state type like the sha256 hashers, with update functions and a finalize function
10:17 < sipa> but i don't know what you're actually talking about
10:32 < real_or_random> +1
10:33 < ja> sipa: i saw you have been playing with haskell. i made a musig haskell ffi, but of course it is insecure because it cannot guarantee that the intermediate state is not reused (the state is just a regular haskell value). i was thinking of using the linear typing in ghc 9 but another alternative may be Control.Monad.ST. do you have an opinion?
10:35 < sipa> ja: haha, i haven't touched anything haskell in a very long time (since 2011 or so...)
10:35 < sipa> i vaguely remember what the ST monad is
10:36 < ja> all right.. i think maybe i will just offer both. then it won't require ghc 9. there are a lot of different styles of writing haskell
10:36 < real_or_random> provably correct SIMD chacha20 https://github.com/project-everest/hacl-star/blob/master/dist/c89-compatible/Hacl_Chacha20_Vec256.c
10:39 < real_or_random> they also have this https://github.com/project-everest/hacl-star/blob/master/dist/c89-compatible/sha256-x86_64-linux.S
10:43 < sipa> real_or_random: bitcoin core also has a SHA-NI based sha256 implementation
10:43 < real_or_random> yep I'm aware
10:43 < sipa> but i assume this one is proven correct?
10:44 < real_or_random> yes indeed
10:44 < real_or_random> I could imagine this one is faster by e.g. 5 instructions but I'm somewhat hesitant to start this discussion :D
10:45 < real_or_random> I meant cycles.
10:46 < sipa> probably; the bitcoin core one is written using intrinsics instead of directly in assembly
10:46 < sipa> which means register allocation etc is still up to the compiler
10:47 < real_or_random> well that doesn't mean it's faster
10:48 < sipa> register allocation tends to be something that hand-written assembly can be better at than compilers... but of course that doesn't mean that's the case here
10:49 < sipa> in the other direction, intrinsics mean you don't have a function call overhead at the C/asm boundary, but that's probably negligible even compared to other gains
10:54 < ja> real_or_random: there is also one in Simplicity, i think? with verification in Coq instead of F*
10:54 < real_or_random> their poster says they're still 3% to 9% slower compared to hand-optimized assembly
10:54 < real_or_random> depending on the algorithm
10:55 < real_or_random> but yeah, that's a pretty good number then given that their thing just outputs the assembly for a number of platforms and different SIMD widths etc.
10:58 < sipa> real_or_random: core also has a 2-way SHA-NI implementation (which interleaves two SHA256 transforms on two different states)... turns out that's faster than doing them sequentially
10:58 < real_or_random> https://eprint.iacr.org/2020/572.pdf see table 2
12:02 < andytoshi> sipa: real_or_random: i'm talking about bulletproof proving on a low-memory device
12:03 < andytoshi> i think (though i haven't started cutting code) that i can do this with almost no aux memory, so the proof itself would wind up taking up the bulk of my memory budget
12:04 < andytoshi> well, maybe not "almost no" memory, but an appreciably smaller amount of memory than the proof would take
12:04 < andytoshi> so i'd like an API in secp-zkp that could be used on a hww, such that the proving code produces the proof in chunks
12:04 < andytoshi> and these chunks can be sent over USB and then their memory can be reused
13:37 -!- Netsplit *.net <-> *.split quits: dr_orlovsky
13:37 -!- Netsplit over, joins: dr_orlovsky
13:40 -!- Netsplit *.net <-> *.split quits: ariard, user___
13:40 -!- Netsplit *.net <-> *.split quits: belcher
13:41 -!- Netsplit over, joins: user___, ariard, belcher
13:41 -!- Netsplit *.net <-> *.split quits: wxss, andytoshi, ja, queip
13:42 -!- Netsplit over, joins: andytoshi, wxss, ja
13:43 -!- Netsplit *.net <-> *.split quits: sipa
13:44 -!- meshcollider [meshcollid@gateway/shell/ircnow/x-lesqambwizyhgzeh] has quit [Ping timeout: 264 seconds]
13:45 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-vkxamqyuloefpaxf] has quit [Ping timeout: 264 seconds]
13:45 -!- Netsplit over, joins: sipa
13:45 -!- meshcollider [meshcollid@gateway/shell/ircnow/x-vmynyavngcrbrncl] has joined #secp256k1
13:46 -!- queip [~queip@unaffiliated/rezurus] has joined #secp256k1
13:46 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-rzimnonivggyksik] has joined #secp256k1
13:46 -!- Netsplit *.net <-> *.split quits: dkrm, fanquake, lightningbot, sanket1729_, robot-dreams, Cory, meshcollider, TD-Linux, stackingcore21, niftynei, (+37 more, use /NETSPLIT to show all of them)
13:47 -!- Netsplit over, joins: elichai2, meshcollider, andytoshi, belcher, dr_orlovsky, jonatack, midnight, RubenSomsen, robot-dreams, felixweis (+35 more)
13:48 -!- Netsplit *.net <-> *.split quits: fjahr, digi_james, dkrm
13:50 -!- Cory [~Cory@unaffiliated/cory] has joined #secp256k1
13:50 -!- sanket1729_ [~sanket172@ec2-100-24-255-95.compute-1.amazonaws.com] has joined #secp256k1
13:51 -!- fjahr [sid374480@gateway/web/irccloud.com/x-idmozsqtyjsaymjn] has joined #secp256k1
13:51 -!- digi_james [sid281632@gateway/web/irccloud.com/x-jxyqlpnraydxvprs] has joined #secp256k1
13:51 -!- dkrm [~dkrm@2001:41d0:8:3f7b::1] has joined #secp256k1
13:51 -!- Netsplit *.net <-> *.split quits: Apocalyptic, jonatack, ensign
13:51 -!- Netsplit *.net <-> *.split quits: niftynei
13:53 -!- Netsplit over, joins: niftynei, jonatack, Apocalyptic, ensign
13:53 -!- Netsplit *.net <-> *.split quits: kcalvinalvin, jnewbery, Fredia1, aj
13:54 -!- Netsplit *.net <-> *.split quits: kallewoof, real_or_random, RubenSomsen, harding, wallet42__, michaelfolkson, windsok
13:54 -!- Netsplit over, joins: aj, kcalvinalvin, jnewbery, Fredia1
13:54 -!- Netsplit *.net <-> *.split quits: dongcarl, nsh, TD-Linux, nickler
13:54 -!- Netsplit over, joins: RubenSomsen, michaelfolkson, windsok, harding, kallewoof, real_or_random, wallet42__
13:55 -!- Netsplit over, joins: nickler, dongcarl, TD-Linux, nsh
13:55 -!- dongcarl [~dongcarl@unaffiliated/dongcarl] has quit [Max SendQ exceeded]
13:55 -!- nsh [~lol@wikipedia/nsh] has quit [Max SendQ exceeded]
13:55 -!- dongcarl1 [~dongcarl@unaffiliated/dongcarl] has joined #secp256k1
13:58 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-rzimnonivggyksik] has quit [Ping timeout: 244 seconds]
13:58 -!- nsh [~lol@wikipedia/nsh] has joined #secp256k1
14:01 -!- elichai2 [sid212594@gateway/web/irccloud.com/x-rbfbgiogvwgpuexh] has joined #secp256k1
16:44 < andytoshi> lol i think i might need zero state. i can just have the user pass an index of which part of the proof they want to get
16:45 < andytoshi> there are four EC points in an uncompressed bulletproof, which i'm tempted to make x-only by grinding some blinding factors til they always have even y
16:45 < andytoshi> but unfortunately that would break rewinding
16:48 < andytoshi> also. after working with yannick i kinda wish we could go back and rewrite the BPs paper. it's really hard to get from the contents of the paper to a NIZK, you have to find all the P→V lines (which are not highlighted in any way) in the interactive protocol, which is interleaved with algebraic derivations and exposition
16:49 < andytoshi> i guess, in this "i wish i could go back" hypothetical i also wish i was involved in any way with writing the paper :P
16:53 -!- queip [~queip@unaffiliated/rezurus] has quit [Ping timeout: 240 seconds]
18:51 -!- queip [~queip@unaffiliated/rezurus] has joined #secp256k1
19:54 -!- belcher_ [~belcher@unaffiliated/belcher] has joined #secp256k1
19:56 -!- belcher [~belcher@unaffiliated/belcher] has quit [Ping timeout: 272 seconds]
23:44 -!- queip [~queip@unaffiliated/rezurus] has quit [Ping timeout: 246 seconds]
23:49 -!- queip [~queip@unaffiliated/rezurus] has joined #secp256k1
--- Log closed Thu Nov 12 00:00:14 2020