sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<adam3us>
so waxwing and i were talking about whether one can actually have both perfect binding & binding :)
<adam3us>
my argument was well, you could in theory prove the remaining coins have not inflated.
<adam3us>
with binding but the spent coins in this block with blinding proofs
<adam3us>
eg do a coinjoin like elgamal/borromean proof of coins spent in the block not overflowing
<waxwing>
binding and hiding :) (let's go with hiding rather than blinding because binding and blinding are .. indistinguishable :) )
<adam3us>
and per coin pedersen or bulletproof coins.
<adam3us>
ok. too much terminology. binding joint elgamal proof of joined coins in block
<adam3us>
and hiding proofs with pedersen or bulletproofs per coin.
<adam3us>
then post QC you don't have to take evasive action, even with sudden onset, the failure mode is the QC attacker learns the sum of the coins spent in a block only.
<adam3us>
and can not do hidden inflation. the elgamal proof would need to go in the block and be verified
<adam3us>
(i thought this up sometime last year, just was something related waxwing and i were chatting about at the lisbon conf?)
<waxwing>
yeah i have no idea about the feasibility of these kind of ideas really, but the hope would be to create a scenario where a break results *only* in loss of hiding for the aggregate of coins in a block say, no chance of hidden inflation (e.g. elgamal for aggregate), no chance of revelation of individual coins in individual txs.
<waxwing>
gonna try to read real_or_random's switch commitments paper again because it seems highly relevant :)
<adam3us>
it does imply coinjoin / key aggregation / mimblewimble like coordination.
<adam3us>
which is a bit of an inconvenience and question mark how well that works given the way people transact at present.
<adam3us>
also i'm not sure if you weren't careful that the multi-party part proofs might leak information. i guess ultimately you can do secure MPC but that's bandwidth expensive
<waxwing>
yes i'd guess a relative non-starter if there is no way to remove full interactive processing (like a coinjoin case).
<adam3us>
(leak info when attacked by a QC attacker)
<adam3us>
bitcoin kind of needs that for more coinjoins tho. but this would have a worse failure mode if you do not achieve full block aggregation
<waxwing>
yeah, true, there's a more positive way to look at it i guess
<adam3us>
anyway i'm not sure how practical but it's interesting to think about ways to have binding & hiding simultaneously in a restricted way, because conventional summary was they are fundamentally incompatible.
<waxwing>
yes i think logically incompatible in a single commitment, but wiggle room if you're prepared to commit to two different things as here :)
<adam3us>
waxwing: well, how about this: you know the sum of all other coins as every CT transaction must add.
<adam3us>
could you not single handedly prove an elgamal commitment (binding) that the sum of all other coins, plus your outputs = the sum of all coins with binding as that proof has a known answer that you don't care could be revealed by QC: the total number of mined coins
<adam3us>
(minus your inputs). and then prove with perfect hiding that your individual outputs don't wrap. if you could pull that off: QC poses no risk.
<waxwing>
'sum of all other coins' - you mean the fees right? everything else balances to zero. i mean, i'm assuming ins are CT and outs are CT. i guess it's more complicated in mixed case.
<adam3us>
you can correct for non CT stuff by just subtracting it (immature outputs, fees)
<adam3us>
before the proof part.
<adam3us>
waxwing: no i mean all CT encrypted coins in circulation minus all cleartext ones
<adam3us>
say you have two inputs B,C and spending them to D,E clear text fees F, now you make a hiding proof that B+C=D+E+F
<adam3us>
and A is sum of all other CT coins in the blockchain excluding B,C, A=sum(all)-B-C-T
<adam3us>
where T is sum of clear text coins
<adam3us>
now make a binding proof that A+B+C=sum(all)-T
<adam3us>
for sum(all)-T=xG+vH we know v because it's public, v=current coin issuance-t. (T=tG)
<waxwing>
yes; so is your idea, that just one person/entity needs to do this, say, per block?
<adam3us>
S=sum(all)-T, you don't know x from S=xG+vH as that info is spread across all users of CT
<adam3us>
i am thinking you do it per transaction yourself without joining at block-level
<adam3us>
so there are n+1 proofs for an n output transaction. n hiding proofs and one binding proof that the total coin supply is preserved
<waxwing>
(i think you meant T=tH btw)
<adam3us>
question is can you make that proof without knowing x