<amiller>
it's now safe to outsource your snark proofs to k/n servers
<amiller>
they can produce snark proofs for you without actually having to know your secrets (unless more than k of them collude or whatever)
<fluffypony>
ooooh I like this
<amiller>
and it doesn't require a change to the underlying pinocchio protocol so even if they all cheat, then your secrets are stolen but at least the rest of whatever system relies on the snark proofs (e.g. zerocash) isn't compromised
<fluffypony>
yeah
priidu has quit [Ping timeout: 258 seconds]
oleganza has joined #bitcoin-wizards
priidu has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
nivah has joined #bitcoin-wizards
NewLiberty has quit [Ping timeout: 252 seconds]
spinza has quit [Excess Flood]
spinza has joined #bitcoin-wizards
<gmaxwell>
amiller: not compatible with the latest SNARK papers that use the recursive construction to get perfectly linear scaling, alas.
GGuyZ has joined #bitcoin-wizards
GGuyZ has quit [Client Quit]
rubensayshi has quit [Remote host closed the connection]
<Luke-Jr>
amiller: is there a library that can be used for this purpose yet? ie, something I can throw in BFGMiner
<Luke-Jr>
ie, something that doesn't require the executor to compile and run potentially malicious code
frankenmint has joined #bitcoin-wizards
oleganza has quit [Quit: oleganza]
belcher has joined #bitcoin-wizards
damethos has quit [Quit: Bye]
damethos has joined #bitcoin-wizards
shesek has joined #bitcoin-wizards
hashtag has quit [Ping timeout: 258 seconds]
shen_noe has quit [Ping timeout: 265 seconds]
shen_noe has joined #bitcoin-wizards
gill3s has joined #bitcoin-wizards
antanst has quit [Quit: Leaving.]
Guyver2 has quit [Remote host closed the connection]
gill3s has quit [Client Quit]
gill3s has joined #bitcoin-wizards
zooko has quit [Remote host closed the connection]
damethos has quit [Remote host closed the connection]
<andytoshi>
the argument was that you can't get rid of trusted setup for all systems (in particular this timelock scheme that i hand-wavily defined using obfuscation)
<andytoshi>
but it doesn't argue that the obfuscation primitive itself requires a trusted setup
<andytoshi>
(i feel like i did argue this somewhere, but didn't write it up, and don't recall how it went .. maybe i told it to gmaxwell here or offline and he remembers enough to prompt me?)
<gmaxwell>
I think you did.
dc17523be3 has quit [Ping timeout: 265 seconds]
dc17523be3 has joined #bitcoin-wizards
<andytoshi>
i have argued that both obfuscation and snarks require multilinear maps, and that one went "matiyasevich's theorem says the computable subsets of ℕ are exactly the diophantine ones, therefore 'cryptographically secure general computation' is as hard as 'simultaneously cryptographically secure ring operations' for any definition of 'cryptographically secure'"
<andytoshi>
but i am optimistic (though not very) that there will be some breakthrough in lattice crypto that allows efficient oblivious multiplication and addition without the trusted setup that graded encoding schemes need (graded encoding schemes are used in place of multilinear maps since there are no candidates for "pure" multilinear maps)
Mably has quit [Ping timeout: 244 seconds]
felipelalli has quit [Quit: felipelalli]
felipelalli has joined #bitcoin-wizards
sparetire_ has joined #bitcoin-wizards
shen_noe has quit [Quit: quitquitquit]
shen_noe has joined #bitcoin-wizards
shen_noe has quit [Client Quit]
Quanttek has quit [Ping timeout: 272 seconds]
Guest2268 has quit [Remote host closed the connection]
gill3s has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
dEBRUYNE__ is now known as dEBRUYNE
HostFat has joined #bitcoin-wizards
hashtag has joined #bitcoin-wizards
kmels has quit [Ping timeout: 265 seconds]
PRab_ has joined #bitcoin-wizards
PRab has quit [Ping timeout: 265 seconds]
PRab_ is now known as PRab
hearn has joined #bitcoin-wizards
adlai has quit [Quit: Quit message adspace for sale! half price! offers by PM only]
felipelalli has quit [Ping timeout: 252 seconds]
frankenmint has quit [Remote host closed the connection]
<amiller>
gmaxwell, actually i don't see any obstacle to using it recursively
o84wb76g has joined #bitcoin-wizards
jae has joined #bitcoin-wizards
o84wb76g has joined #bitcoin-wizards
jae is now known as Guest3385
go1111111 has joined #bitcoin-wizards
yr4xd7cfy has quit [Ping timeout: 258 seconds]
<gmaxwell>
amiller: you fully serialize.
<gmaxwell>
amiller: e.g. yea, sure you could distribute each step but then you need a full RTT per machine instruction and a full resharing and such, and so what did the delegation accomplish?
<amiller>
i dunno, at the output of one round of this, each server gets a secret share of the resulting proof
<amiller>
so i don't see why you can't use those shares of the resulting proof as an input to a subsequent round, which involves computing on that proof
c0rw|away is now known as c0rw|zZz
<gmaxwell>
you can but that doesn't sound useful as the users will end up having to do a communication round trip and resharing for every single tinyram instruction.
<amiller>
i don't see where the users round trip came in
temujin has quit [Ping timeout: 246 seconds]
<amiller>
the user just provides some initial secret shares of the input, that's all
<amiller>
the servers can compute function after function after function, each time receiving shares of the output
<amiller>
the user doesn't even have to be there in the first place
<amiller>
the user could distribute the shares of the private key to the servers at the very beginning
<amiller>
and if k/n of the servers want to do something, anything, with that key, they can do so
<gmaxwell>
not seeing how this works, the recursive function requires you verify a completed proof (with a different group) inside a proof. You can't verify a share. You can't update the hashtree over memory with just shares.
<gmaxwell>
I'm sure (due to the existence of MPC generally) that it's fundamentally possible, but I don't see how the efficient trick there would work.
<amiller>
it's totally possible i'm misinterpreting some limitation of this, i'm not reading it at any close level at this point...
<amiller>
i think you could update the hashtree over the memory using just the shares using generic MPC
<amiller>
and that's fine, generic MPC isn't perfect but it's within the range of powerful servers
<gmaxwell>
It's not clear to me that it's actually "within the range of powerful servers", at least for actively secure MPC.
<amiller>
you only need to use the 'efficient trick' to operate on the snarks
<amiller>
anyway i don't think it's necessary to bring hashtrees into this either, i think i like geppetto's approach better (but i also want to stay out of the 'snark wars' as much as possible)
frankenmint has quit [Remote host closed the connection]
frankenmint has joined #bitcoin-wizards
moa has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
d1ggy_ has quit [Quit: Leaving]
a5m0_ is now known as a5m0
DougieBot5000 has joined #bitcoin-wizards
gill3s has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
dEBRUYNE has quit [Read error: Connection reset by peer]
TheSeven has quit [Ping timeout: 245 seconds]
TheSeven has joined #bitcoin-wizards
hearn has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
gill3s has joined #bitcoin-wizards
o84wb76g has quit [Ping timeout: 256 seconds]
antgreen` has joined #bitcoin-wizards
antgreen has quit [Ping timeout: 264 seconds]
StephenM347 has quit []
frankenmint has quit [Remote host closed the connection]