sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
tromp has quit [Remote host closed the connection]
Zenton has quit [Ping timeout: 246 seconds]
TheoStorm has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
Intensity has quit [Ping timeout: 240 seconds]
Dizzle has quit [Ping timeout: 252 seconds]
JackH has quit [Ping timeout: 245 seconds]
Aaronvan_ has joined #bitcoin-wizards
Aaronvan_ has quit [Client Quit]
AaronvanW has quit [Ping timeout: 245 seconds]
elichai2 has quit [Quit: Connection closed for inactivity]
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 245 seconds]
Belkaar has quit [Read error: Connection reset by peer]
Belkaar has joined #bitcoin-wizards
Belkaar has quit [Changing host]
Belkaar has joined #bitcoin-wizards
mryandao_ is now known as mryandao
DeanGuss has joined #bitcoin-wizards
bildramer has quit [Remote host closed the connection]
bildramer has joined #bitcoin-wizards
bildramer1 has joined #bitcoin-wizards
bildramer has quit [Ping timeout: 252 seconds]
d_t has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
spinza has joined #bitcoin-wizards
pinheadmz has quit [Quit: pinheadmz]
pinheadmz has joined #bitcoin-wizards
pinheadmz has quit [Quit: pinheadmz]
<kallewoof>
gmaxwell: would be nifty to have a .conf formatted banlist so i could just wget it and "includeconf=banlist.conf"
DeanGuss has quit [Quit: Leaving]
<sipa>
kallewoof: can you put bans in config?
<kallewoof>
I assumed you could, but now I'm not sure
<sipa>
it certainly seems like a useful feature!
<gmaxwell>
I don't think there is any way to do that right now.
<luke-jr>
well, you still need to fetch the file, and at that point you could just use RPC.. using the conf file would require a restart
scoobybejesus has quit [Ping timeout: 264 seconds]
scoobybejesus has joined #bitcoin-wizards
_whitelogger has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 246 seconds]
JackH has joined #bitcoin-wizards
enemabandit has joined #bitcoin-wizards
jungly has joined #bitcoin-wizards
yokwe__ has quit [Ping timeout: 264 seconds]
yokwe__ has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
Zenton has joined #bitcoin-wizards
setpill has joined #bitcoin-wizards
DeanGuss has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]
TheoStorm has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
mryandao has quit [Remote host closed the connection]
AaronvanW has joined #bitcoin-wizards
mryandao has joined #bitcoin-wizards
Aaronvan_ has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 255 seconds]
DeanGuss has quit [Remote host closed the connection]
DeanGuss has joined #bitcoin-wizards
AaronvanW has joined #bitcoin-wizards
Aaronvan_ has quit [Ping timeout: 244 seconds]
gie_ is now known as gie
shesek has quit [Quit: Leaving]
belcher has joined #bitcoin-wizards
rafalcpp has quit [Remote host closed the connection]
setpill has quit [Quit: o/]
rafalcpp has joined #bitcoin-wizards
son0p_ has joined #bitcoin-wizards
d_t has quit [Ping timeout: 244 seconds]
son0p_ has quit [Remote host closed the connection]
pinheadmz has joined #bitcoin-wizards
rh0nj has quit [Remote host closed the connection]
<adiabat>
(Fraud Proofs: Maximising Light Client Security and Scaling Blockchains with Dishonest Majorities)
<adiabat>
I remember people having problems with it, if anyone has pointers to what those were, or maybe even just IRC logs that'd be a good place for me to start
<belcher>
adiabat the channel logs are in the topic
<adiabat>
ah! so they are :)
<adiabat>
(had to scroll to see that :)
<sarang>
Here's a question I've been thinking about regarding Bulletproofs' MPC construction... suppose you want to take part in an MPC but that any other player could be malicious
<sarang>
In each round of the MPC, the other players (if they don't precommit to their proof shares) could modify their shares relative to yours; you then use them to compute supposed aggregate F-S challenges
<sarang>
I can't identify a way that the other players could conspire to practically leak information about your (honest) values, but I wonder if it's possible to construct a simulator to show that provable zk is still possible (I think not)
<sarang>
(we could also assume that the other players can't convince you to rewind)
<gmaxwell>
the bullet proof is still ZK without being compacted.
<sarang>
Honest-verifier ZK...
<sarang>
But each aggregate F-S challenge is a hash of the sum of all the players' partial proof elements
<gmaxwell>
Yep. I get what you're saying.
<gmaxwell>
I think I would reflexively add a precommitment or delinearization there, but I'm not sure if it actually breaks it.
<sarang>
I'm quite sure that precommitment to proof shares makes everything a-ok, but it doubles the rounds
<sarang>
I wonder if you can get away with avoiding precommitment, using straight-up sums (as listed in the protocol), and still be confident of ZK
<andytoshi>
you could get away if you generated all your randomness deterministically and provided a zkp proving that you'd done so
<andytoshi>
you need to be bold in zkps. If you find your protocol doesn't work and think to turn back, don't!, the correct answer is to just add even more ZKPs
<andytoshi>
;)
<sarang>
lol
<sarang>
It is unfortunate for CoinJoin-style applications that the 3-round version assumes honest-but-curious adversaries only, which seems like a non-starter as a trust model
son0p_ has joined #bitcoin-wizards
Zenton has joined #bitcoin-wizards
Dyaheon has quit [Ping timeout: 250 seconds]
Dyaheon has joined #bitcoin-wizards
<gmaxwell>
sarang: huh, for coinjoins if someone jams the protocol, everyone is forced to open their commitments, and anyone who fails to do so (or whose opening was bogus) is kicked out.
<gmaxwell>
and then you redo, with new addresses.
<sarang>
Sure, it works but I'd say fails the 3-round advertisement :)
<gmaxwell>
I don't think any protocol can do better there.
<gmaxwell>
If a protocol is actively secure but someone sends garbage, you still have to kick them out and restart.
<sarang>
I suppose it would be fine if it were still provably ZK in the face of maliciously-generated challenges
<sarang>
but otherwise it's really a 6-round protocol for trustless MPC operations
<real_or_random>
sarang by the way https://eprint.iacr.org/2014/764.pdf Theorem 1 shows that special HVZK => (malicious) witness-indistinguishable for (3-round) sigma protocols
<real_or_random>
but we have 5 rounds (can be generalized maybe?) and WI is not enough here
spinza has quit [Quit: Coyote finally caught up with me...]
<real_or_random>
at least WI is not enough *in general* to make confidential transactions work... I had a counter example somewhere
<sarang>
Hmm interesting
<sarang>
The practical requirement here is really that the adversary not have a statistical advantage in determining the Pedersen blinder, of course (amounts themselves being quite limited in practice)
DougieBot5000_ has joined #bitcoin-wizards
<real_or_random>
okay counter example why WI rangeproofs are not enough for CT: assume for simplicity we have a transaction with one input and one output (you don't need a range proof there but the example can be extended to larger transactions)
DougieBot5000 has quit [Ping timeout: 245 seconds]
son0p_ has quit [Quit: leaving]
<real_or_random>
input c1 = h^x2 * g^r2, output c2 = h^x2 * g^r2, and two rangeproofs. say the range proof is WI but additionally leaks s^r1 (and the second range proof leaks s^r2) for another generator s
<real_or_random>
(and yes, I use multiplicative notation :P)
<real_or_random>
no scratch that leakage... too stupid to read from my board
<real_or_random>
new attempt: input c1 = h^x2 * g^r2, output c2 = h^x2 * g^r2, and two rangeproofs. say the range proof with witness x,r is WI but additionally leaks f(x,r) = if |x| = 5 then s^r else random group element
spinza has joined #bitcoin-wizards
<real_or_random>
(that should be possible if the proof is WI)
<real_or_random>
now for CT you will reveal r1+r2 to open the sum commitment. and then everybody can check whether f(x1,r1)*f(x2,r2)=s^(r1+r2)
<real_or_random>
if so, then the transaction amount was 5
<real_or_random>
note that this counter example does not work if we prove in zero-knowledge that we know r1+r2 as the opening of the sum commitment to 0.
<sarang>
In our case that's what you do, though
<real_or_random>
in general, composing zero-knowledge proofs with other zero-knowledge proofs is fine. composing WI proofs with different WI proofs and other stuff can have weird interactions
<real_or_random>
yes indeed. maybe that's an interesting approach to look at
<real_or_random>
the problem is that multi-transaction CT is very difficult to formalize then. if everything is ZK, I'm somewhat more confident that there are no weird interactions
DougieBot5000_ is now known as DougieBot5000
<sarang>
The easy solution must be to construct a simulator in the face of adaptively-chosen challenges :D
<real_or_random>
yes the problem is that we don't even have a proof that the Schnorr identification protocol is zero-knowledge (against malicious verifiers)
<real_or_random>
it will be interesting to have a look at variants where the (malicious) verifier outputs x and the challenge is H(x) for a random oracle H. I don't think people considered this case so far
<sarang>
That is surprising
<sarang>
In the case of such an MPC that's the case you'd be in without precommitment
<real_or_random>
with H(x)? yes that's why I'm thinking about this case
<sarang>
other players send you A1, A2, ..., An and you include your own share A0 to form commitment H(A0 + A1 + ...)
<sarang>
righto
<sarang>
A malicious player could force the challenge to be H(x) for any desired x that it wishes
<sarang>
Is it really that different of a scenario (from a simulator perspective) than the adversary choosing whatever challenges it wants?
DeanGuss has quit [Ping timeout: 256 seconds]
jimmysong__ has joined #bitcoin-wizards
jimmysong_ has quit [Ping timeout: 244 seconds]
tombusby has quit [Ping timeout: 256 seconds]
tombusby has joined #bitcoin-wizards
<real_or_random>
maybe not
spinza has quit [Quit: Coyote finally caught up with me...]
<sarang>
I'd be very surprised if the H(x) approach leaked anything about the witness, but it seems like the element distribution would look the same in the attempt to construct a malicious-verifier simulator as the adversary-picks-the-challenge case
<sarang>
I'd be very curious to hear andytoshi's view since he was an author on the paper :D
IGHOR has quit [Read error: No route to host]
IGHOR has joined #bitcoin-wizards
IGHOR has quit [Ping timeout: 246 seconds]
IGHOR has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
Guyver2 has quit [Quit: Going offline, see ya! (www.adiirc.com)]