sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<roasbeef> waxwing: yeh we found that a bit weird as well..worst case seems to be that the ciphertext actually isn't well formed so you'd end up with a garbage encryption, but doesn't seem like you'd end up leaking your key in the worst case
<esotericnonsense> gmaxwell: er; so if I'm not interpreting this; idea; an empty block via consensus requires the next block to be kMAX_WEIGHT where k<1
<esotericnonsense> misinterpreting*
<aj> esotericnonsense: underweight, so if you have an x kiloweight block, the next block could be at most k*x (k>1), i think?
<esotericnonsense> the smaller block is less orphanable because it's smaller
<esotericnonsense> (it propagates faster)
<aj> hmm, k*x+a? x+a?
<esotericnonsense> so this only works if fee income is preferred to fast blocks
<esotericnonsense> and if fee income is preferred to fast blocks you don't get empty blocks anyway
<esotericnonsense> perhaps I'm confused
<esotericnonsense> basically I don't see why there would be a preference for mining on the chain fork that doesn't have the empty block because the existence of the empty block shows that it's not cared about anyway (unless we're just talking about the odd empty 1 in 100, then does it matter?)
<aj> esotericnonsense: miners might have different practices; if i mine an empty block because i don't care about fees, someone else might orphan me because they care more about fee income (they'd collect more fees in a larger block orphaning me)
<aj> s/practices/preferences/
<esotericnonsense> sure, that makes sense, but only in the case where there's two blocks at the same height and one is empty
<esotericnonsense> is that common?
<esotericnonsense> (could we also define most-work chain as same-height but not empty to combat that?)
<aj> esotericnonsense: that's the intended outcome of the change -- mine an empty block and someone else orphans you rather than building on top
<esotericnonsense> see last comment; if you add that it works, yeah (I'm not aware this is how it works)
<esotericnonsense> have to head out for a bit... jumped in whilst busy :P
<aj> have fun
<esotericnonsense> ah i see now. 'define most work chain' is arbitrary, miners that want that will just knock the empty block out to consider the more-full-at-same-height target instead and hopefully that's dominant behaviour and so it makes sense to orphan. yeah.
* esotericnonsense needs coffee.
<esotericnonsense> and the k*x solution you mentioned deals with the 'game empty blocks stuff by making a 3tx block instead, ohoho' stuff.
<esotericnonsense> nice.
<waxwing> roasbeef, so conner's code for this is coming out soon-ish iiuc? just coming back to these papers and in addition to the above confusion, i also don't understand how Boudot gets 225k bits for his proof size. I see 4 group elements/scalars of size 1024 per run and 2 of size 512bits, and 80 runs, that gives 409k bits
<waxwing> andytoshi, so still teasing us with the cross curve thing eh :)
<sipa> waxwing: "DLEQ"
<waxwing> yeah he told me as much in milan ... ages ago. just, don't make me actually try to think, please :)
<sipa> have the error (when represented as scalar) that is applied to the two adaptor signatures in the two sides be the same
<sipa> but instead of having that result in the same error in point form, these will be two points with equal DL
<sipa> so include a proof in the OOB communication that those two points have equal DL
<waxwing> hmm yes, i can see from a quick review that DLEQ seems to work fine for two different curves as long as i can pick a nonce k, and a private key x, that are in range of whatever the smaller group is.
<nsh> what's being discussed?
<waxwing> hmm stated like that it seems very simple (so your 't' is the same, as before in adaptor sig, but just T_1 and T_2 with DLEQ instead of T). probably there's more to it, though.
<waxwing> nsh, adaptor sigs with the two sides on different elliptic curves.
<nsh> ah, ty
<waxwing> obv example might be ed25519 and secp256k1
<nsh> is there a paper / post?
<waxwing> that was the source of my joke :) andytoshi was talking about this quite a while ago, i was just watching a talk in Scaling where he was mentioning to the speaker he hasn't published it yet (and thought that he had)
<waxwing> yes, that one. just a comment after the talk.
<nsh> seems there was a draft last year but maybe not circulated
* nsh nods
<nsh> ty
<nsh> so proving DL equality maybe saves something relative to proving a more general statement because of equivalence class redundancy or whatever
<nsh> the sigma protocol for it here http://www.cs.au.dk/~ivan/Sigma.pdf looks pretty standard though
<nsh> so idunno, magic
<waxwing> i was vaguely mulling that topic (kinda) yesterday; think, like a canonical ZKP is basically "run a game and prove you know something clever by winning the game N times", but this is inefficient. whereas, Schnorr protocol is stupidly compact, why? i think because you're leveraging the structure of the group and proving something about an element
<nsh> exactly so i think
<waxwing> structure here basically means additive homomorphism, i guess
<waxwing> so DLEQ is nothing more than the schnorr protocol (just, another slight variant on it)
* nsh nods
<nsh> because of singularity/degeneracy with nilpotence / nilsummation it means you get a lot more from it than proof of a more fixed concrete relation
<nsh> or the universality of quantification is maximised to the group size. i don't know how a mathematician would put it most betterly
<waxwing> heh, me neither
<nsh> there was code in Feb but it's gone from: > https://github.com/dedis/crypto/blob/master/proof/dleq.go#L104
<waxwing> code for DLEQ? usually it's in the context of one curve though. i first looked at it described here: https://crypto.stackexchange.com/questions/15758/how-can-we-prove-that-two-discrete-logarithms-are-equal
<nsh> yeah that's just two generators in the same curve, sorry
<waxwing> but it's all over the literature, not sure who first wrote it down, but probably the 80s :)
* nsh nods
<waxwing> gmaxwell, showed me that ^ link, was a nice compact summary
<nsh> cool
<waxwing> exercise for the reader, prove knowledge soundness of the protocol in the case where you're on two different curves (does the proof carry over?)
<waxwing> hmm, but it's not technically a proof of knowledge, so there's that...
* nsh nods
<waxwing> test
<waxwing> now i think about it a bit more carefully, i don't actually understand how you build it: in the same-curve case, you just make a `s = k + ex` after having sent (interactive case) K_P, K_Q for the two claimed points P, Q against different generators G, J. but `s = k + ex` is calced mod the order of the curve.
<waxwing> if there are two curves with different orders, how would it work; send two different s values calced mod the two different orders?
<gmaxwell> waxwing: the curve being different order changes nothing
<gmaxwell> you choose s so it fits in both
<waxwing> gmaxwell, ah so you can just do s = k + ex and then mod for each curve afterwards when you do your verify step.
<gmaxwell> The signer can choose s to be less than the smaller of the two orders.
<waxwing> i don't get it :)
<waxwing> for context, say i'm the prover, i have points P, Q on different curves, claimed same privkey x, i send K_P, K_Q for same nonce k, receive e (or via F-S), then construct s = k + ex , but has to be mod order of either curve, or ...?
<gmaxwell> pick s to be the right size, derive k.
<waxwing> but isn't the whole point of the schnorr (identity protocol, sig) that you can't go in that backward direction?
<gmaxwell> oh dur. sorry just woke up. :P
<waxwing> no worries :) fwiw i saw a couple of threads discussing this e.g. https://crypto.stackexchange.com/a/60129/14985
<waxwing> maybe relevant, but maybe not exactly the same Q being asked/answered
<waxwing> earlier mentioned BCDG/Boudot thing: now I think it's ~ 327k bits: 2 initial commits each 1024, then *either* 1x512+2x1024 (1x512 because don't need to give w_2 as w_1 defines it), *or* 1x512 +1x1024 (you only give one (x+w, r+eta) pair if c=1). so 50% chance and average ends up with 327K bits for 80 runs.
<waxwing> can't get the 225K, kind of annoying.