sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
d_t has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
son0p has quit [Read error: Connection reset by peer]
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
meshcollider has quit [Quit: Connection closed for inactivity]
knifeofpi has quit [Client Quit]
SopaXorzTaker has joined #bitcoin-wizards
dx25 has quit [Remote host closed the connection]
Guyver2 has joined #bitcoin-wizards
priidu has joined #bitcoin-wizards
d_t has quit [Ping timeout: 248 seconds]
str4d has joined #bitcoin-wizards
priidu has quit [Remote host closed the connection]
meshcollider has joined #bitcoin-wizards
son0p has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
son0p has quit [Read error: No route to host]
son0p has joined #bitcoin-wizards
intcat has quit [Remote host closed the connection]
dnaleor has joined #bitcoin-wizards
intcat has joined #bitcoin-wizards
shesek has quit [Quit: Leaving]
SopaXorzTaker has quit [Read error: Connection reset by peer]
SopaXorzTaker has joined #bitcoin-wizards
itsme__ has joined #bitcoin-wizards
itsme__ has quit [Quit: My Mac Pro has gone to sleep. ZZZzzz…]
AmbientID has joined #bitcoin-wizards
Yogh has quit [Ping timeout: 248 seconds]
AaronvanW has quit [Remote host closed the connection]
Emcy has joined #bitcoin-wizards
Emcy_ has quit [Ping timeout: 264 seconds]
AaronvanW has joined #bitcoin-wizards
dx25 has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
Chris_Stewart_5 has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 240 seconds]
meshcollider has quit [Quit: Connection closed for inactivity]
itsme__ has joined #bitcoin-wizards
nuncanada has joined #bitcoin-wizards
SopaXorzTaker has joined #bitcoin-wizards
cryptojanitor has joined #bitcoin-wizards
thrmo has joined #bitcoin-wizards
itsme__ has quit [Quit: My Mac Pro has gone to sleep. ZZZzzz…]
belcher has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 248 seconds]
<tromp>
is there a good writeup anywhere of the argument for coinbase maturity?
<tromp>
i guess it comes down to fungibility. freshly minted coins have higher rirsk of disappearing in reorg
itsme__ has joined #bitcoin-wizards
<tromp>
but so fresh outputs of recently confirmed txs
<belcher>
it may also help with incentives, as miners cant get paid unless more blocks keep being produced
dnaleor has quit [Quit: Leaving]
JackH has quit [Read error: Connection reset by peer]
JackH has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
daszorz has joined #bitcoin-wizards
adiabat has quit [Ping timeout: 252 seconds]
daszorz has quit [Ping timeout: 256 seconds]
daszorz has joined #bitcoin-wizards
daszorz has quit [Read error: Connection reset by peer]
daszorz has joined #bitcoin-wizards
daszorz has quit [Read error: Connection reset by peer]
dnaleor has joined #bitcoin-wizards
dnaleor has quit [Remote host closed the connection]
daszorz has joined #bitcoin-wizards
knifeofpi has joined #bitcoin-wizards
Giszmo has joined #bitcoin-wizards
knifeofpi has quit [Client Quit]
<tromp>
it seems an incentive to not follow the longest chain rule, if their coinbase is on a slightly shorter branch
<tromp>
but it's unlikely they could sell their coinbase before getting 6 confirmations anyway
<tromp>
and 6-deep reorgs are exceedingly rare
daszorz has quit [Read error: Connection reset by peer]
daszorz has joined #bitcoin-wizards
nuncanada has quit [Read error: Connection reset by peer]
Giszmo has quit [Read error: Connection reset by peer]
neha has quit [Quit: leaving]
arubi has joined #bitcoin-wizards
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
PaulTroon has joined #bitcoin-wizards
Murch has joined #bitcoin-wizards
<sipa>
tromp: the theory is that absent a double spending attempt, transactions that get reorged out in one chain will quickly make it into the other chain
<sipa>
tromp: while a coinbase cannot move
RubenSomsen has joined #bitcoin-wizards
d9b4bef9 has quit [Remote host closed the connection]
d9b4bef9 has joined #bitcoin-wizards
dougsland has joined #bitcoin-wizards
itsme___ has joined #bitcoin-wizards
itsme__ has quit [Ping timeout: 240 seconds]
Murch has quit [Quit: Snoozing.]
jb554 has joined #bitcoin-wizards
<waxwing>
typos in proofs aside, the rewrite of section 4 of the BPs paper is really helpful. if you found it difficult to comprehend before (like i did), try the new one.
Chris_Stewart_5 has quit [Ping timeout: 256 seconds]
ghost43 has quit [Remote host closed the connection]
<sipa>
tromp: i think 100 blocks wait is very much overkill, but the rationale for waiting before spending just-minted coins holds
nuncanada has joined #bitcoin-wizards
adiabat has joined #bitcoin-wizards
dcousens has quit [Ping timeout: 276 seconds]
dcousens has joined #bitcoin-wizards
RubenSomsen has quit [Ping timeout: 264 seconds]
knifeofpi has joined #bitcoin-wizards
knifeofpi has quit [Client Quit]
str4d has quit [Ping timeout: 256 seconds]
jephalien_ has joined #bitcoin-wizards
SopaXorzTaker has quit [Remote host closed the connection]
Chris_Stewart_5 has joined #bitcoin-wizards
d_t has joined #bitcoin-wizards
d_t has quit [Ping timeout: 248 seconds]
<tromp>
a question for rangeproof experts: if i know that some rangeproof is for an output r\*G+1\*H, could i change it to a rangeproof for r\*G+0\*H (not knowing r) ?
<waxwing>
you can't open a commitment to (a,b) to any different a',b' if the commitment is binding (which in that case it should be if you don't have the discrete log of H w.r.t. G
<waxwing>
although maybe i didn't understand the Q
<waxwing>
well, that's if you *do* know the values. if you don't even know the value r then you can't open it full stop, modified or otherwise.
dnaleor has joined #bitcoin-wizards
d_t has joined #bitcoin-wizards
<sipa>
tromp: a rangeproof for value 0 or 1 is just a ring signature for keys {commitment, commitment-H}
<sipa>
what you want to do is change the commitment by subtracting H from it, and then still have a rangeproof for it
<sipa>
generally i expect that the ring signature will sign the commitment, so that wouldn't be possible
<tromp>
yes, i worry about malleability of outputs, with either traditional or bulletproof rangeproofs
<tromp>
so for traditional rangeproof that amounts to changing a single ring sig
<tromp>
which should be impossible
<sipa>
right
<sipa>
if you're asking whether the existing rangeproof formulations allow this: no absolutely not
<sipa>
i thought you were asking if it would be possible to construct a rangeproof system for which this is possible
<tromp>
uh, no, just wanna make sure bulletproofs are immune to such malleability
laurentmt has joined #bitcoin-wizards
laurentmt has quit [Client Quit]
<waxwing>
the proofs are along the lines of "if you can open the commitment, you must be opening it to the commitment which represents the value, else you break the binding property of the (vector pedersen commitment)), i believe
<tromp>
this is not about opening the commitment, just about having the rangeproof validate
d_t has quit [Ping timeout: 256 seconds]
<sipa>
waxwing: i don't think that's technically in conflict with what tromp is asking
<sipa>
which is more a malleability like question
<waxwing>
well meh it's a bit more than that because you're proving that each bit is a bit by using the encoded-as-bits a_L but also a_R and proving they satisfy a_L - a_R = 1 and a_L hadamard a_R = 0
<waxwing>
(sorry started that before, not in response to last 2 messages :)
<waxwing>
isn't that the same issue though? you prove it has a structure of bits, and if you open those bits to anything other than the value (malleate?) you must have broken binding?
<sipa>
i may be missing something, but the original commitment is never opened
<waxwing>
hmm, ok, i'm talking about the proof (witness extractor)
<waxwing>
so yeah, i'm talking about "soundness". is there something subtle that that doesn't cover?
<sipa>
the question here is can you, based on a commitment, a proof, and the value it commits to (but not the blinding factor) construct a new commitment and proof for a different chosen value
<sipa>
i guess the answer is that the commitment doesn't care about values or blinding factors; they commit to the tuple of both
<andytoshi>
tromp: you definitely can't change the _value_, this would violate the zero-knowledge property because it'd reveal whether the value-offsetting thing you did pushed the value out of range or not
<andytoshi>
in both BPs and the old rangeproofs you also can't change the blinding factor
<sipa>
andytoshi: i'm not sure if it violates zero knowledge if the assumption is that you'd only be able to do this if you already know the value
<andytoshi>
ah yes, i think that's a loophole in my logic
<tromp>
right, sipa. i know i won't be able to do it in general. but maybe i cld just change value 1 to value 0
<andytoshi>
welll, no, you could guess the value
<sipa>
andytoshi: hmm!
<andytoshi>
and then you'd learn whether or not your guess was right by whether you could malleate the proof
<sipa>
especially if it's a small range
<sipa>
yup, i agree
<tromp>
ok, so all is good:-)
<andytoshi>
tromp: in general i see no logical reason why you shouldn't be able to malleate the blinding factor, or even malleate the proof independently of the commitment .. but in fact existing schemes also prevent this
<andytoshi>
yes :)
son0p has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 240 seconds]
<sipa>
andytoshi: actually, i still disagree
<sipa>
no, nevermind
<sipa>
you're right
<waxwing>
i don't understand why it's interesting if you know the value and can create a new commitment to a new value? if you don't know, and can use it to create a commitment to v+10 then i guess that's what you guys are talking about?
<sipa>
right, if the value offsetting thing you do also offsets the range, i guess there is nothing theoretical to prevent it
<andytoshi>
i suspect tromp is worried about theft attacks in MW .. and it is true that you need some sort of anti-malleability property to your rangeproofs if you want MW to work
<sipa>
you take a commitment to 0 or 1 - there is no reason why you shouldn't be allowed to turn it into a commitment to 10 or 11 with a rangeproof that it is 10 or 11
<waxwing>
ah .. offsets the range ...
<waxwing>
i wouldn't have thought that'd be possible, but interesting for sure :)
<andytoshi>
and i don't know exactly what this property is, but existing rangeproofs definitely have it because (a) they are proofs of knowledge and (b) they are totally non-malleable without knowing the blinding factor
Giszmo has joined #bitcoin-wizards
<waxwing>
how would a linear offset work? the existing setup requires that the bit or its complement (aL, aR) are zero. and the proof extracts a witness for that?
<andytoshi>
with BPs you can add an explicit offset f, then just add z^2*f*H to the verification equation
<andytoshi>
you're just changing the sum 2^i a_i = v thing by adding f to one side of it
<sipa>
you can do the same with traditional rangeproofs
<sipa>
just say that if you want to verify a commitment C, a proof P, and a range [A..B], you instead verify C-A*H with range [0..B-A]
<andytoshi>
yep. (and in elements we actually do, we enforce that 0-value outputs don't exist because they mess up issuance token reasoning)
<andytoshi>
right you can also do that, it's fully general for any kind of rangeproof
<sipa>
now the proof doesn't change if you change the offset
<waxwing>
yes it was more intuitive to me (anyway) that it makes sense for borromean style
<tromp>
yes, i was worried because MW would break with value-malleable rangeproofs
<andytoshi>
the borromean proofs sign the offset (i had to check the code to make sure)
<tromp>
if i'm receiving money and know the sender has change of 1, i could steal that into my output
<andytoshi>
yes, that is logically impossible for any zk rangeproof
Chris_Stewart_5 has joined #bitcoin-wizards
jb554 has joined #bitcoin-wizards
jb554 has quit [Ping timeout: 256 seconds]
Giszmo has quit [Ping timeout: 240 seconds]
meshcollider has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
spinza has joined #bitcoin-wizards
d_t has joined #bitcoin-wizards
d_t has quit [Ping timeout: 248 seconds]
daszorz has quit [Read error: Connection reset by peer]
luke-jr has quit [Read error: Connection reset by peer]
luke-jr has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 260 seconds]
grubles_ has quit [Quit: Leaving]
grubles has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
PaulTroon_ has joined #bitcoin-wizards
PaulTroon has quit [Ping timeout: 240 seconds]
AaronvanW has quit [Ping timeout: 256 seconds]
contrapumpkin has joined #bitcoin-wizards
harry_potter has joined #bitcoin-wizards
harry_potter is now known as PottyLarry
<PottyLarry>
Hello all, I'd like to get more involved in blockchain. I have time to give .. to learn and experience with software development
<PottyLarry>
If anybody needs any help with anything, I'm keen
<belcher>
wrong channel, please ask in #bitcoin instead
<PottyLarry>
I'd like to get involved with gringots