sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
rockhouse has quit [Read error: Connection reset by peer]
rockhouse has joined #bitcoin-wizards
enemabandit has quit [Ping timeout: 245 seconds]
kallewoof has quit [Read error: Connection reset by peer]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 246 seconds]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 268 seconds]
fkinglag has quit [Read error: Connection reset by peer]
fkinglag has joined #bitcoin-wizards
comedy has quit [Quit: comedy]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 245 seconds]
DeanGuss has joined #bitcoin-wizards
jtimon has quit [Ping timeout: 246 seconds]
TheoStorm has quit [Quit: Leaving]
drexl has quit [Quit: drexl]
Belkaar has quit [Read error: Connection reset by peer]
tromp has joined #bitcoin-wizards
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Belkaar has joined #bitcoin-wizards
tromp has quit [Ping timeout: 246 seconds]
Emcy has quit [Ping timeout: 244 seconds]
Emcy has joined #bitcoin-wizards
mappum_ has joined #bitcoin-wizards
DeanGuss has quit [Remote host closed the connection]
DeanGuss has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 245 seconds]
tromp has joined #bitcoin-wizards
DarkNetizen has joined #bitcoin-wizards
tromp has quit [Ping timeout: 244 seconds]
DarkNetizen has quit [Quit: leaving]
DarkNetizen has joined #bitcoin-wizards
DarkNetizen has quit [Client Quit]
DarkNetizen has joined #bitcoin-wizards
<mappum_>
would a variant of Schnorr work if you reused the nonce but multiplied it by some deterministic, publicly derivable scalar for each signature?
<sipa>
no, that will instantly leak your private key
<mappum_>
this might be impossible, but i'm trying to find a scheme where R can be publicly derived based on the message. seems easy to do interactively, e.g. the signer picks a random nonce k and reveals kG for each signature they will make, but is it possible to do with only picking one k at key generation time?
_whitelogger has joined #bitcoin-wizards
<mappum_>
sipa: btw for my first message, i mean the scalar is different for each signature
<gmaxwell>
No, doing that instantly reveals the key.
<gmaxwell>
Yes, thats clear, and it instantly reveals the keys.
<sipa>
mappum_: it doesn't matter that the nonce is different
<gmaxwell>
if there is any known relationship between the nonces, you leak the key.
<sipa>
the nonce needs to be completely unpredictable to the attacker
<gmaxwell>
take your signatures, and write them out --- k_n G = s_n G + e_n xG and if your system of equations doesn't have more unknown variables than distinct equations, it's solvable and you can find the key(s).
<sipa>
even a slight bias favoring some nonces over others may be enough to leak your keys
<gmaxwell>
Even partial knowledge of the Ks, like knowing that they're all 160 bit numbers, is enough to break the security.
<mappum_>
interesting, thanks. so there's no way to deterministically derive k' from k, while allowing people to publicly derive k'G from kG?
<gmaxwell>
There are plenty of ways but they're inherently insecure. Only linear operations allow you to modify both k and kG. And if the k in two distinct signatures are related via any known linear relation, then you can write one in terms of the other, and solve the linear system.
<sipa>
no, there are ways to do it deterministically, but it certainly won't result in an observable relation between the public nonces
<gmaxwell>
You can do "Generate N values in advance, and then use them to generate up to N secure nonces later.".. but that also isn't terribly useful.
<mappum_>
@gmaxwell i was afraid that would be the best way to do it
<mappum_>
it might still be ok for my application
<mappum_>
someone on the bitcoin-dev mailing list got my hopes up, saying "One possibility is to derive `R` using standard hierarchical derivation." but I couldn't figure it out
<sipa>
nope, that definitely doesn't work
<mappum_>
this paper from May 2017 (https://eprint.iacr.org/2017/394) mentions a scheme where public keys include a precommitment to R in the output to prevent double-spends, since double-spends would then reveal the private key. this can be used to increase confidence in unconfirmed txs
<mappum_>
is there some reason this hasn't been discussed more by the core devs?
<gmaxwell>
it's an old idea called a single show signature, you can see conversations about them back in 2013 in here.
<gmaxwell>
They're exceptionally fragile (like .. revise your fees? oops lost your coins), and don't actually prevent theft-- since they just cause coin loss.
<gmaxwell>
also, specific to that paper, they're using opcodes that don't exist in bitcoin. (OP_AND)
<mappum_>
right, i would have thought it would end up as its own opcode where the public key was concatenated with R, and the signature was just s
<gmaxwell>
seems pointless.
<gmaxwell>
(I mean there is no reason to add special functionality which is otherwise covered by boring usage of OP_CAT, just to cover a single specialized use case which has ambiguous utility)
<mappum_>
makes sense. well i'm trying to do bitcoin proof-of-stake where block signers (similar to the Liquid strong federation) can have outputs stolen from them if they sign multiple blocks at the same height since their private key can be derived, but the best I have right now is the one-precommitted-R-per-block design
<mappum_>
then i was going to see if i could combine a scheme for that with MuSig, but now i see i'm out of my element here
<gmaxwell>
Why does that even incentivize them to behave? they can just steal their own outputs first?
<mappum_>
not necessarily, their chances of stealing it are based on their bitcoin hashpower
<gmaxwell>
Aside from that sort of thing, what you probably want is a CHECKSIGFROMSTACK (like in liquid) and then you could actually check for two distinct signatures and don't need any wonky R fragility thing.
<mappum_>
the outputs are stolen on the mainchain
<mappum_>
interesting, guess i didn't see liquid mention that opcode, what's your confidence interval on that being enforced by a majority of the bitcoin hashrate in the next 2 years?
<mappum_>
basically i'm trying to see what i can do with whatever will realistically get deployed for schnorr opcodes
<gmaxwell>
more likely than any specific machinery for a single show signature, at least.
<gmaxwell>
The fact that no one seemed to really care about trying anything out using that opcode in elements (other than roconnor's kinda crazy vault construction) doesn't really bode that well for its actual utility.
<gmaxwell>
in any case, there are probably other ways to do what you want that don't require any additions to bitcoin, but are just more complex outside of it.
<mappum_>
well if you have any hints on how then i'm all ears
<gmaxwell>
oh I see you were already thinking of using a single show signature to sign your blocks, then just allowing that to leak a key used in bitcoin. So you were already not assuming any changes.
<gmaxwell>
mappum_: you can, for example, staple to your blocks a zero knowledge proof that the k used in the block signature (with pubkey xG) is H(x||height).
<gmaxwell>
then no need to communicate the nonces in advance.
<gmaxwell>
but a duplicate signature at the same height will leak the key.
spinza has quit [Quit: Coyote finally caught up with me...]
<mappum_>
sounds like something i can't implement myself, but i guess now i'll try to read the bulletproofs whitepaper and see if i can get my brain closer to that
<mappum_>
until then i'll have a static set of validators/block signers
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 250 seconds]
spinza has joined #bitcoin-wizards
fabianfabian has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
jtimon has joined #bitcoin-wizards
elichai2 has joined #bitcoin-wizards
rh0nj has quit [Remote host closed the connection]
rh0nj has joined #bitcoin-wizards
tiagotrs has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
shesek has quit [Read error: Connection reset by peer]
_whitelogger has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
jkjk has quit [Quit: #bitcoin-research]
spinza has joined #bitcoin-wizards
jb55 has quit [Quit: WeeChat 2.3]
enemabandit has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
nephyrin has quit [Ping timeout: 240 seconds]
nephyrin has joined #bitcoin-wizards
cjd has quit [Ping timeout: 252 seconds]
cjd has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Livestradamus has quit [Quit: Livestradamus]
AaronvanW has quit [Remote host closed the connection]
Livestradamus has joined #bitcoin-wizards
son0p has joined #bitcoin-wizards
tombusby has quit [Remote host closed the connection]
tombusby has joined #bitcoin-wizards
recursive has quit [Ping timeout: 268 seconds]
recursive has joined #bitcoin-wizards
Amnesia has left #bitcoin-wizards [#bitcoin-wizards]
nephyrin has quit [Ping timeout: 250 seconds]
nephyrin has joined #bitcoin-wizards
recursive has quit [Read error: Connection reset by peer]
jkgfuk has joined #bitcoin-wizards
tiagotrs has quit [Ping timeout: 244 seconds]
epscy has quit [Ping timeout: 240 seconds]
tiagotrs has joined #bitcoin-wizards
tiagotrs has quit [Remote host closed the connection]
tiagotrs has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
<andytoshi>
mappum_: i think what you're describing is equivalent (or implies, at least) identity based encryption
<andytoshi>
IOW, it appears impossible without pairings :(
<waxwing>
there've been a few minor corrections as per pdf here: https://github.com/AdamISZ/from0k2bp (although download it; for some reason doesn't display correctly on github itself).
spinza has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
drexl has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
tombusby has quit [Remote host closed the connection]
tombusby has joined #bitcoin-wizards
epscy has joined #bitcoin-wizards
elichai2 has quit [Quit: Connection closed for inactivity]
belcher has quit [Quit: Leaving]
jkgfuk has quit [Ping timeout: 256 seconds]
DarkNetizen has quit [Ping timeout: 250 seconds]
DougieBot5000_ is now known as DougieBot5000
AaronvanW has joined #bitcoin-wizards
enemabandit has quit [Ping timeout: 250 seconds]
elichai2 has joined #bitcoin-wizards
sfhi has joined #bitcoin-wizards
merc1er has joined #bitcoin-wizards
merc1er has quit [Client Quit]
TheoStorm has joined #bitcoin-wizards
<waxwing>
i hope i'll be forgiven for whimsy in this rather serious channel :) the other day i was discussing with belcher that in a simulation, PoW might still convey its value, but then i contradicted myself thinking, hmm, what if in the simulation computers were programmed to lie about the outputs of hash functions. it's just occurred to me that that's exactly how ZK security proofs work :)
TheoStorm has quit [Ping timeout: 272 seconds]
<waxwing>
e.g. an Extractor controls the environment of a prover and makes up the output of a random oracle and "lies" about it.
* waxwing
wonders if it's possible to create a ZKP that we're living inside a simulation.
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Ping timeout: 272 seconds]
belcher has joined #bitcoin-wizards
<kanzure>
uh oh waxwing just proved himself out of existence
* kanzure
resets waxwing
enemabandit has joined #bitcoin-wizards
<waxwing>
as long as you don't apply the forking lemma to me and make multiple copies, we're fine.
sakalli_ has joined #bitcoin-wizards
<kanzure>
as long as you don't apply the forking lemma to me and make multiple copies, we're fine.
sakalli_ has quit [Client Quit]
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 246 seconds]
Aaronvan_ has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
AaronvanW has quit [Remote host closed the connection]
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]
AaronvanW has quit [Remote host closed the connection]
TheoStorm has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
<adlai>
[crypto]currencies are much more effective as tools for coordinating/optimizing your simulation if they actually work as advertised
spinza has quit [Quit: Coyote finally caught up with me...]
<adlai>
obviously nothing precludes the operation of a "pointless" simulation, other than power bills; and then you're back to PoW, one level higher on the simulation stack.