wumpus changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<shen_noe>
what if we change this to check that the blinding factors don't add exactly to zero, but rather the sum of inputs and outputs commitments leaves zG
<shen_noe>
so sum of input commitments - output commitments is a commitment to zero
<shen_noe>
secret key only known to the sender
<shen_noe>
now, take a ring signature over C_1, ..., C_s, ..., C_n where C_i are possible input commitments taken ad-hoc from blockchain
<shen_noe>
C_s being the one belonging to signature
<shen_noe>
actually a ring sig over C_1 - outputs, ..., C_s - outputs, ..., C_n - outputs
<shen_noe>
so sender can prove that 1/n of these is a commitment to zero
<shen_noe>
(the LLW ring sigs are nice for this purpose)
<shen_noe>
after this, proceed as in normal CT (proving outputs are commitments to positive values), using Borromean sigs if that helps, etc
<shen_noe>
thoughts?
<shen_noe>
*C_s being the one belonging to the "signer"
<andytoshi>
shen_noe: i'm not quite sure what you gain here .. you need that every `inputs - outputs` is zero, so proving that 1/n of them are seems like it'd just be wasteful
<MRL-Relay>
[shen] andytoshi, I want to prove that 1/n of inputs - outputs is a commitment to zero
<MRL-Relay>
[shen] to not reveal which input index belongs to me
<andytoshi>
oh, i see 1/n of inputs
<andytoshi>
i guess, you are combining this with monero's usual ringsigs..
<shen_noe>
yeah, or the LLW that you guys used (which are more efficient)
<andytoshi>
and what it gets you is that you can ring-sign with arbitrary input sets, and not care about their sizes
<shen_noe>
and hide amounts better than currently
<andytoshi>
yeah, the exact scheme is not so important, what i'm trying to get is the high-level .. you have (a) a ringsignature over several inputs which proves you own one of them, (b) a "ring-CT proof" that one of these inputs is the right size
<shen_noe>
yeah
<andytoshi>
so, you need to link these two signatures somehow to make sure the input you're spending and the input whose value you're using are the same one
<andytoshi>
but i'd guess this is easy once you write out the algebra
<andytoshi>
but off the top of my head i'm not certain how
<andytoshi>
or maybe the original ring signature is not important actually..
<shen_noe>
so you need to link the two sigs: I think you can include all the original C_in's so a verifier can recreate the original sig themselves
<shen_noe>
(maybe?)
<andytoshi>
you use the delta from 0 in the `input - outputs` as your verification key
<shen_noe>
yeah
<andytoshi>
then if you are able to prove that `input - outputs == 0` this also proves you own the input
<andytoshi>
(i think)
<shen_noe>
so in language of CT paper, (x+z)G + aH = y1G + b1H + y2G + b2H
<shen_noe>
where x+z = y1+y2
<shen_noe>
and a = b1+b2
<andytoshi>
yeah
<shen_noe>
then z is sk
<andytoshi>
yeah
<andytoshi>
so, let's think how this would work for a one-input-one-output tx, with a ringsize of one
<andytoshi>
so there is no ring sig magic here, i'm just trying to figure out when/how the pubkey is determined
<andytoshi>
with the current CT setup you've got something like an output value of `rG + vH` where r is secret and v is the hidden value
<shen_noe>
ok, so above equation I guess becomes (x+z)G + aH = xG + aH
<andytoshi>
yeah, sure, let's use your notation
<andytoshi>
the output is (x + z)G + aH? z is the key, a is the value, what is x?
<shen_noe>
x + z = y is constructed as an equation of blinding factors
<shen_noe>
oh no y
<andytoshi>
ok i think you don't need both x and z
<andytoshi>
oh, no, you do, cuz you have to reveal zG at some point here
<andytoshi>
which if z was the only blinding factor, would reveal a
<andytoshi>
so my question is: what is the output? a value commitment (x + z)G + aH as well as a verification key zG?
<shen_noe>
output is yeah, yG + aH, where a is the sent amount, y is blinding factor
<andytoshi>
kk gotcha
<shen_noe>
so let's see (x + z)G + aH - yG + aH = zG
<shen_noe>
if z = y
<shen_noe>
and presumably you know log_G zG
<andytoshi>
if x = y you mean
<shen_noe>
since you made it
<shen_noe>
yes
<shen_noe>
(sorry been up late)
<andytoshi>
np
<shen_noe>
so if x = y, then (x + z)G + aH - yG - aH = zG
<shen_noe>
now, you know log_G zG, so you can make a signature from the above difference
<andytoshi>
yeah, understood
<andytoshi>
can you remind me what normally happens? basically z = 0 in that case
<shen_noe>
normally, z = 0, so it's more like xG + aH - yG - aH = 0 if x = y
<andytoshi>
oh, never mind, i'm being silly
<shen_noe>
the network verifies it's actually "is" zero
<shen_noe>
rather than commitment to zero
<andytoshi>
i was like "how do you prove you know the input" but that's not the commitment-proof's job in the original system
<shen_noe>
sure
<shen_noe>
:P
<andytoshi>
kk so now i need to think for a few mins about if you can game this somehow .. i guess not if zG is in the output and can't be changed
<shen_noe>
greatly appreciated
<andytoshi>
ok, so i think i can choose {z, zG} then spend any output like this by taking the input point and adding zG to it to get my output point
<andytoshi>
so i don't actually know x or a in this case
<shen_noe>
hmm, let's see how that would work
<shen_noe>
so C_in is chosen arbitrarily
<shen_noe>
you don't know C_in = xG + aH (you don't know x or a)
<shen_noe>
so zG + C_in - C_out = zG if C_in = C_out
<andytoshi>
(i'll let you work thru this, meanwhile i think i have a fix, tho it's a little bigger than a single sig)
<shen_noe>
is that what you mean?
<andytoshi>
yes
<shen_noe>
so basically you can send funds back to their outputs?
<shen_noe>
I mean inputs
<andytoshi>
hmmm, maybe that's all this would do..
<shen_noe>
it still might cause a problem somehow
<andytoshi>
is zG part of the output that's being spent? or is the idea is it's only computed as C_in - C_out?
<shen_noe>
so I'm thinking the input you know is xG + aH, then you decompose x into x = z + y
<shen_noe>
and then use y = sum outputs blinding factors
<shen_noe>
and z is sk
<andytoshi>
understood
<andytoshi>
my question is whether z is forced by the output that you're spending
<andytoshi>
i think the answer should be yes
<andytoshi>
like, what i'm saying is the output will be {C_in, zG}
<shen_noe>
it seems like it's forced not by output, but by the blinding factors you pick
<andytoshi>
ok, so the output is only C_in?
<shen_noe>
yeah C_in is something you've received from previous transaction
<andytoshi>
then i can choose C_in from an arbitrary output, choose z randomly, and produce a tx whose output is C_out = C_in + zG
<andytoshi>
now i know z and can sign anything with it
<andytoshi>
i think putting zG in the output fixes this
<shen_noe>
let's see
<shen_noe>
C_in = xG + aH, C_out = xG + aH + zG
<shen_noe>
then C_in - C_out = -zG
<andytoshi>
..right, and then i know -z and can sign for that
<shen_noe>
so you can find z, then you can send funds to C_in + zG
<shen_noe>
let's see
<shen_noe>
what about the range proof in this case?
<andytoshi>
there should've been a range proof attached to C_in right?
<andytoshi>
i just copy that
<shen_noe>
now it's a range proof for C_in + zG though
<andytoshi>
oh hmm
<shen_noe>
does it still work the same?
<shen_noe>
(this is extremely helpful btw thx)
<andytoshi>
one sec i gotta find the rangeproof writeup to remind myself
<shen_noe>
now take a ring sig over (C_1 - \sum outputs, ..., C_s - \sum outputs, ..., C_n - \sum outputs)
<shen_noe>
where s is secret index
<andytoshi>
shen_noe: i think 100% of CT was gmaxwell and adam3us, i had nothing to do with it
<shen_noe>
ahh i see, I saw your name on the Borromean paper
<gmaxwell>
shen_noe: adam proposed in his original thread showing knowledge of the discrete log of the blinding factor as a replacement for the normal signature (so long as you don't mind losing all the useful script properties)
<andytoshi>
yeah, i wrote the paper but all i invented was the time travel stuff
<andytoshi>
which was purely an explanatory device
<shen_noe>
gmaxwell, ahh nice
<shen_noe>
I've just seen your writeup of it actually
<gmaxwell>
shen_noe: but if I send you coins I also know your blinding factors, so the send is not a payment (as I can claw the funds back) unless we use an interactive protocol to have you generate the blinded coins.
<gmaxwell>
(and their range proofs, etc)
<andytoshi>
oh, i see it now, yeah, you can't hide z from the payee without interaction .. dammit
<shen_noe>
oh i see... hmm yes sender would know the receivers blinding factors obviously
<gmaxwell>
so it didn't really seem like a big gain, also since the rangeproofs can often be omitted.
<andytoshi>
well, the gain was really for monero, so you could ringsign over inputs of varying values
<shen_noe>
the reason I was considering this, is if you modify for CryptoNote, then you need some way to hide the input index
<shen_noe>
yeah
<gmaxwell>
Adam actually had a proposal for a ringsig version, but I'm not sure if it was complete or correct.
<shen_noe>
would love to see that.. hmm
<shen_noe>
do you remember how many steps in the interactive protocol?
<gmaxwell>
I think the ringsig is not very exciting though since coinjoin works so well with the CT approach... and the ringsig has other costs.
<shen_noe>
i.e. most sigma protocols (3 steps) can be made non-interactive
<andytoshi>
shen_noe: it won't be a sigma protocol, here both parties need knowledge of secret data
<gmaxwell>
shen_noe: it requires interaction because the receiver needs to have a secret.
<shen_noe>
yeah, it was more of a thought exercise, since the size with ring sigs included makes it fairly large
<shen_noe>
I see, so something like receiver passing you their blinding factor
<gmaxwell>
shen_noe: they can't do that or you can spend their coins. Rather the receiver has to create two outputs and their range proofs and tell you their blinding factor sum and value sum.
<shen_noe>
I wonder if you could "key-image" outputs
<shen_noe>
and then since change-addresses are one-time keys...
<gmaxwell>
then you can create a transaction which includes their outputs where only you know the discrete log of the sum of the blinding factors.
<andytoshi>
shen_noe: yeah, the LWW paper has a really generic way of making key images, you just have another generator H, then the key image of xG is xH, and you provide a proof-of-equal-discrete-logs
<andytoshi>
or ring-proof-of-equal-discrete-logs or whatever
<shen_noe>
andytoshi, I'll have to read that more carefully
<gmaxwell>
(but then you get into problems where you have to prohibit spending those two coins in the same transaction and other stupidity.)
<shen_noe>
so.. maybe it would work, with some caveats on how you spend coins..
<CodeShark>
are many of the insights in partially homomorphic crypto using the discrete log problem applicable to lattice-based crypto?
<gmaxwell>
and interaction on send.
<shen_noe>
like all outputs are otk's by force, and can be spent once
<andytoshi>
CodeShark: i don't -think- so
<andytoshi>
CodeShark: lattice crypto is about having a secret basis in which matrices can be efficiently manipulated in sorta ad-hoc ways, i'm not aware of something similar to this "have two generators so given aG + bH nobody can know its discrete log"
<gmaxwell>
shen_noe: double spending is not an issue there; the problem is the symmetry of the receiver's and the sender's knowledge. It can be broken, with a cost, but the benefit is pretty small.
<CodeShark>
my understanding (which admittedly isn't as good as I would like) is that lattice based homomorphic encryption is based on ideals
<CodeShark>
as in ideals of rings
<shen_noe>
gmaxwell, right, I was momentarily confused - so makes the transaction with the coins first wins
<CodeShark>
but I really need to read up more :p
<andytoshi>
CodeShark: oh, i'm only dimly aware of that side of the literature
<andytoshi>
if you have any intuitions they probably trump mine
* CodeShark
pulls out his old algebraic geometry texts :)
<shen_noe>
so maybe it would need a "coins" received function where receiver scans blockchain and when they find their coins, send it to a new address.. I'm not sure what that implies
<shen_noe>
andytoshi thx for feedback
<andytoshi>
np shen_noe
<andytoshi>
but i think now the complexity is not worth it
<andytoshi>
interaction is pretty much a dealbreaker
<shen_noe>
yeah: there is a much simpler method (but not as good) which already works in monero actually
<shen_noe>
just split up your amount into like n = n_1 + n_2 + ... + n_m
<shen_noe>
and the cardinality of possibilities is 2^m
<shen_noe>
(since one-time keys for change addresses and receive addresses)
<shen_noe>
although I think you could get away with not full interaction: receiver only interacts by scanning blockchain and "accepting" their transaction
<shen_noe>
by sending it to a new address they control
<shen_noe>
with new blinding factors
<andytoshi>
i see what you're saying, yeah, that works
<shen_noe>
so it's open to chargebacks until the receiver decides they want it
<andytoshi>
i think
<shen_noe>
and (unless other problems) it costs an additional transaction fee
<shen_noe>
in any case, gotta run
shen_noe has quit [Quit: quitquitquit]
<CodeShark>
so you can compress many levels of sha256 into a single proof whose size does not depend on the number of levels in a tree?
<CodeShark>
oh very cool
<CodeShark>
so it's an optimized "gadget" within an NP-complete language
<Luke-Jr>
hm! is it possible, I wonder, to design a PoW that *must* be performed in a SNARK? <.<
<CodeShark>
creating the proof is expensive - but in principle verification could be made much simpler than just brute force hashing
<CodeShark>
that's why the NP-complete part :p
<Luke-Jr>
right, I'm wondering this as a way to prevent block withholding on even p2pool
<CodeShark>
substitute "in practice" for "in principle" :)
<gmaxwell>
Luke-Jr: you've asked this before. The answer is no.
<Luke-Jr>
:|
<gmaxwell>
CodeShark: yes, you can, so long as you're willing to take on a whole host of new strong cryptographic assumptions; and a long (like 30 seconds to minutes) proving time. And verification that runs on the order of 200 proofs per second.
<CodeShark>
it's based on paired crypto?
<gmaxwell>
_pairing_ crypto; though it has many more assumptions than just the hardness of discrete logs in bilinear groups and the normal stuff for most pairing crypto.
<CodeShark>
pairing crypto, yes. that's what I meant :)
<gmaxwell>
(I'm not dissing the approach I think it's just important to keep in mind Magic's Price)
<CodeShark>
are the other assumptions largely surrounding statistical vs. computational zero knowledge?
<gmaxwell>
no, absolutely not.
<CodeShark>
so all these approaches don't assume anything more than computational zk, right?
<gmaxwell>
(well the non-falsifiable one is)
<CodeShark>
or specifically, this library
<gmaxwell>
CodeShark: the ZK in this is perfect. The soundness is computational.
<CodeShark>
ok, got it
<gmaxwell>
No succinct proof system for general NP can have better than computational security in any case (owing to a counting argument).
<gmaxwell>
(er better than computational security for soundness)
<CodeShark>
right...
<gmaxwell>
but I'm not talking just about the hardness, I mean there are new strong assumptions; e.g. that certain functions cannot be efficiently computed; for which no proof currently exists that reduces them to an existing prior known strong assumption. (like the hardness of the computational discrete log problem in a bilinear group). They sound plausible and fortunately it's an interesting enough area that people are actually working on breaking them and such.
<CodeShark>
so what are the other big assumptions with bilinear group stuff?
<CodeShark>
besides difficulty of discrete log, of course
<CodeShark>
oh, hmm
<CodeShark>
nvm, I was late on the keyboard :p
<gmaxwell>
The papers go over them, though unless you're a current postdoc in that subfield you'll probably (like me) mostly just shrug at them. :)
<CodeShark>
this whole zkSNARK thing does seem too good to be true...so yeah, there's a price for that magic
<gmaxwell>
CodeShark: one of them is that it has trusted setup.
<CodeShark>
is there no known way around that still?
<gmaxwell>
There are proposals to potentially use multiparty computation for it, so the trusted setup gets some threshold security.
<gmaxwell>
People are also working on other schemes for NP proofs with a totally different cryptographic basis which won't have that problem; but their proofs will be less efficient.
<CodeShark>
less efficient for the prover? the verifier? or both?
<gmaxwell>
Less space efficient. They may well be faster to verify.
<CodeShark>
by totally different cryptographic basis you're referring to something other than bilinear crypto or pairing crypto?
<gmaxwell>
right
<CodeShark>
but still using discrete log? or LWE or something else?
<gmaxwell>
No; likely using just random oracle assumptions.
<gmaxwell>
PCP theorem plus fiat shamir tell us that at least in principle there are efficient computationally sound, statistically private proof systems for NP; that have no strong assumptions except the RO used for the fiat shamir. Though making them practical is hard.
<gmaxwell>
(as the most direct routes require you to e.g. build a hashtree over a set of bits with substantially more entries than atoms in the universe)
<gmaxwell>
andytoshi: do you see any obvious way to do an _efficient_ proof of polysig equivalence. E.g. say there is a set of keys for a polysig, and some unknown permutation, and I want to prove to you that a given polysig series corresponds to that set without revealing the permutation?
<andytoshi>
gmaxwell: (a) no, and (b) i think this is pretty hard actually, adam and i ran repeatedly into a related problem (proving a sum of keys was actually computed using the keys, without eg adding r to one and -r to another) when we were trying to make constant-size ringsigs. i don't remember the details but it was related to permutations (since the real key had to occupy a specific "slot" or something like that which ofc should not be revealed) and we got nowhere
<andytoshi>
i'll think about how to do it in say linear time wrt the size of the permutation tho..
<andytoshi>
but what was killing us was not so much our efficiency requirements, it was that you can't do much of anything to aggregate keys except adding them together, and that loses a ton of information
<kanzure>
would there be any value in limiting the number of transactions in each block? rather than block size.
<kanzure>
or, in addition to block size.
<andytoshi>
kanzure: it'd encourage coinjoining
<kanzure>
awful!
<andytoshi>
lol
<maaku>
kanzure: value? yes it'd make the merkle trees smaller
<maaku>
but while it encourages coinjoining, it works against OWAS or some p2p market ideas
<nsh>
tends towards signer/coalition centralization
<nsh>
doubleplusungood
<nsh>
[even if there exist privacy-enhancing coalitions, you can bet dollars to donuts they will be sparse among the types of coalition that emerge when you incentivize them]
<kanzure>
is there a good reason we don't have a good aggregatable signature scheme yet
<kanzure>
i'm aware of the concept, but not of any specific bitcoin proposals
<maaku>
well it'd be a hard-fork change, so it hasn't got much attention
<kanzure>
this seems to be focused on anonymity
<maaku>
(but it's something you could do in a sidechain!)
<kanzure>
i'd be fine with an aggregate signature scheme that has no anonymity
<maaku>
kanzure: for what purpose then?
<kanzure>
abridging intermediate transaction history
<kanzure>
instead of dumping all transactions into a blockchain
<maaku>
kanzure: oh, well lightning
<maaku>
and micropayment hubs
<kanzure>
lightning is only a bi-directional channel
<kanzure>
i want to send 100k payments and have each of my 100k different receivers also send 10k payments, and none of the intermediate transactions should need to be on the blockchain itself
<kanzure>
and also, it would be nice if there could be arbitrarily-deep transaction chains that bridge the history of an even larger transaction chain
<maaku>
kanzure: lightning is much more than a bidirectional channel, which is why it needs so many changes
<maaku>
i'm not sure why you think you can't do that with micropayment channels
* nsh
listens attentively
<kanzure>
as you increase the number of people on each side of the channel, you increase the probability that one of them will want to throw the transaction into the blockchain to close the channel
<maaku>
so? it only affects their channel
<maaku>
it doesn't require anything else to hit the chain
<kanzure>
well, the other users have to reopen channels
<kanzure>
so....
<maaku>
no, channels are direct
<maaku>
if you close your channel with hub A, I don't have to close my channel with hub A
<maaku>
now you move an insane amount of money around in one direction at once, it is true you will saturate one direction of a channel
<kanzure>
closing a channel means putting a transaction on the blockchain....
<kanzure>
sigh
<maaku>
"well, the other users have to reopen channels" <-- this is incorrect
<kanzure>
i was talking about a single channel
<kanzure>
it's correct.
<maaku>
if you have 100k people receiving payments, and 15 of them decide to close their channel, 15 transactions hit the chain
<maaku>
i'm sorry, I'm just not seeing the issue. maybe I'm dense
* nsh
doubts there's a way to nontrivially improve on that
<nsh>
sorry, doubts there's a trivial way to improve on that
<kanzure>
so, that's unrelated to a single channel, i think
<maaku>
nsh: me being dense? probably. nootropics?
<kanzure>
the idea was to abridge transaction history, not "hope that they all collectively decide to close their channels after transacting in a way that happens to reduce the total number of transactions"
* nsh
is definitely the denser :)
<nsh>
kanzure, abridging without cooperation is... i don't want to say impossible
<maaku>
snarks
<nsh>
yeah, moonmathematical
<maaku>
otherwise... nothing i know
<kanzure>
i'd be okay with cooperation.
<nsh>
that's a nice compromise between possible and impossible :)
<nsh>
well, not closing your channel is cooperation
<maaku>
kanzure: well, an active fee market is also important
<kanzure>
no, snarks cooperation would probably involve stuff like "here, sign my fart"
<kanzure>
instead of just "plz don't close your channel"
<maaku>
kanzure: where I'm being dense is I don't understand the concern. closing a channel is not an externalized cost, due to fees
<maaku>
if you want to close your channel, fine. pay up
<maaku>
well, modulo all of bitcoin being an externalized cost to non-mining full nodes, etc. etc.
<kanzure>
so you believe that large quantities of transactions- perhaps billions- will have users that choose to use software that tries to find ways to close the channels in a way that minimizes the number of fees and number of transactions that get into the blockchain?
<nsh>
no, i imagine the people paying the users will be strongly incentivized to minimise the overhead for the recipients
<nsh>
and that will tend towards streamlining
<maaku>
kanzure: when transaction fees are $100/tx, yes
<andytoshi>
kanzure: OWAS is slow and depends on pairing. it hasn't been implemented 'til now because it'd be a controversial hardfork for bitcoin plus it'd have bad scaling consequences (why there has been no "pairing-crypto alt" idk, nobody here has done it because there are better uses of our time)
<andytoshi>
but given gmax's comments above about how OWAS interacts with CT, and adam's periodic musings on a "BDH-secure sidechain" (meaning one where pairing crypto's security assumptions are considered sufficient), i'm sure something will crop up in this area sooner or later..
<nsh>
well, i think once alpha proves the sidechains concept is feasible [assuming it does], then there might be a cambrian explosion
<nsh>
to put it in provocative hyperbolic terms, after my idiom
<maaku>
the only reason OWAS wasn't in alpha was because CT was easier to get out the door first
<maaku>
maybe-interesting observation : with onion routing of lightning payments you can have "hidden" payment addresses
<Luke-Jr>
can't you already? just payment protocol over tor
<nsh>
CT can easily allow for hidden payment addresses by using address-ratcheting [OTR-style] through the side-channel. doesn't deal with the first address issue though
<nsh>
(likewise OTR doesn't deal with identity/presence management)
orperelman has joined #bitcoin-wizards
p15x_ has quit [Read error: Connection reset by peer]
p15x has joined #bitcoin-wizards
superobserver has quit [Quit: Leaving]
arubi_ has joined #bitcoin-wizards
BigBitz has quit [Ping timeout: 252 seconds]
MoALTz has joined #bitcoin-wizards
orperelman has quit [Ping timeout: 252 seconds]
orperelman has joined #bitcoin-wizards
BigBitz has joined #bitcoin-wizards
kmels has joined #bitcoin-wizards
BigBitz has quit [Ping timeout: 250 seconds]
superobserver has joined #bitcoin-wizards
p15x_ has joined #bitcoin-wizards
p15x has quit [Ping timeout: 255 seconds]
superobserver has quit [Remote host closed the connection]
nuke1989 has quit [Remote host closed the connection]
superobserver has joined #bitcoin-wizards
BigBitz has joined #bitcoin-wizards
gill3s has quit [Quit: My Mac has gone to sleep. ZZZzzz…]
ThomasV has quit [Ping timeout: 264 seconds]
hashtag_ has joined #bitcoin-wizards
gill3s has joined #bitcoin-wizards
hashtag has quit [Ping timeout: 265 seconds]
jaekwon has joined #bitcoin-wizards
hashtag_ has quit [Read error: Connection reset by peer]
Xh1pher has quit [Read error: Connection reset by peer]
snthsnth has joined #bitcoin-wizards
jaekwon has quit [Ping timeout: 246 seconds]
Xh1pher has joined #bitcoin-wizards
hashtag has joined #bitcoin-wizards
unrealduck has joined #bitcoin-wizards
<Tiraspol>
Anyone here who can help me with some Java questions?
prodatalab has quit [Ping timeout: 264 seconds]
hashtag has quit [Read error: Connection reset by peer]
hashtag has joined #bitcoin-wizards
prodatalab has joined #bitcoin-wizards
<fluffypony>
Tiraspol: ##java
ThomasV has joined #bitcoin-wizards
Xh1pher has quit [Read error: Connection reset by peer]
davi has quit [Ping timeout: 246 seconds]
hearn has joined #bitcoin-wizards
orperelman has quit [Ping timeout: 264 seconds]
snthsnth has quit [Ping timeout: 246 seconds]
hashtag has quit [Read error: Connection reset by peer]
hashtag has joined #bitcoin-wizards
hashtag has quit [Read error: Connection reset by peer]
Dr-G has joined #bitcoin-wizards
execut3 has quit [Ping timeout: 264 seconds]
Tiraspol has quit [Ping timeout: 246 seconds]
Tiraspol has joined #bitcoin-wizards
qawap has quit [Read error: Connection reset by peer]
Dr-G2 has quit [Ping timeout: 250 seconds]
Zooko-phone has joined #bitcoin-wizards
qawap has joined #bitcoin-wizards
qawap has quit [Changing host]
qawap has joined #bitcoin-wizards
execut3 has joined #bitcoin-wizards
mjerr has quit [Ping timeout: 252 seconds]
alferz has joined #bitcoin-wizards
p15x_ has quit [Max SendQ exceeded]
ThomasV has quit [Ping timeout: 264 seconds]
p15x has joined #bitcoin-wizards
hearn_ has joined #bitcoin-wizards
hearn has quit [Ping timeout: 265 seconds]
davi has joined #bitcoin-wizards
hearn has joined #bitcoin-wizards
hearn_ has quit [Ping timeout: 272 seconds]
moa has joined #bitcoin-wizards
goregrind has quit [Read error: Connection reset by peer]
sparetire_ has joined #bitcoin-wizards
c0rw|away is now known as c0rw1n
ThomasV has joined #bitcoin-wizards
goregrind has joined #bitcoin-wizards
unrealduck has quit [Ping timeout: 250 seconds]
Zooko-phone has quit [Ping timeout: 265 seconds]
prodatalab has quit [Ping timeout: 248 seconds]
ThomasV has quit [Ping timeout: 250 seconds]
p15x_ has joined #bitcoin-wizards
Quanttek has quit [Ping timeout: 272 seconds]
p15x has quit [Ping timeout: 276 seconds]
pavel_ has joined #bitcoin-wizards
paveljanik has quit [Ping timeout: 248 seconds]
jaekwon has joined #bitcoin-wizards
belcher has joined #bitcoin-wizards
jaekwon has quit [Remote host closed the connection]
p15x has joined #bitcoin-wizards
Mably has quit [Ping timeout: 276 seconds]
p15x_ has quit [Ping timeout: 276 seconds]
c0rw1n is now known as c0rw|zZz
Tebbo has joined #bitcoin-wizards
davi has quit [Ping timeout: 246 seconds]
jps has joined #bitcoin-wizards
drwin has quit [Remote host closed the connection]
drwin has joined #bitcoin-wizards
dEBRUYNE has quit [Ping timeout: 244 seconds]
hearn has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
isis has quit [Quit: she's probably out making total destroy on all of the things]
isis has joined #bitcoin-wizards
p15x has quit [Max SendQ exceeded]
p15x has joined #bitcoin-wizards
hashtag has joined #bitcoin-wizards
erasmospunk has quit [Remote host closed the connection]