sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<jmabsd>
Where in libsecp256k1 is the logic to validate a privkey?
<jmabsd>
secp256k1_ec_seckey_verify() obviously.
<gmaxwell>
there is almost but not quite nothing to validate about a private key.
<Blackwolfsa>
Is it possible to construct a bulletproof for a Pedersen commitment that was constructed out of more than one Pedersen commitment, all with valid bulletproofs, in effect hiding the other two commitments?
<Blackwolfsa>
I know that normally if you want to do that the bulletproof stops you from doing this, as you can lock up someone else's UTXO. I also know it's possible to construct a bulletproof for the Pedersen commitment (vH + (k1+k2)G) without any party knowing both k1 and k2 by sharing T1, T2 and tx.
<Blackwolfsa>
What in effect I want to know is this: you have two commitments, (v1H + k1G) and (v2H + k2G); can you let a trusted 3rd party create a new commitment ((v1+v2)H + (k1+k2)G) without any single party knowing v1, v2, k1 and k2?
<sipa>
Blackwolfsa: just adding the commitments will do that
<sipa>
pedersen commitments are linear in both the value and the blinding factor
<sipa>
no need for any bulletproof, or even a third oartt
<sipa>
*third party
<Blackwolfsa>
I want to have the trusted 3rd party add an additional blinding factor to the commitment
<Blackwolfsa>
So from the party of 3, they know their commitment is in there, but no one else does
<Blackwolfsa>
From a perspective of anyone else, they should just see a normal pedersen commitment with a bulletproof they can validate. They should not know it was combined
<sipa>
Blackwolfsa: so you have P1=(r1G+v1H) and P2=(r2G+v2H), and you want to compute P = (r1+r2+r3)G + (v1+v2)H, and prove P is a commitment to the sum of the values of P1 and P2, without knowing what those values are?
<Blackwolfsa>
yes
<sipa>
it'd be trivial in a bulletproof, but you can't construct one without knowing v1 and v2
<sipa>
oh; this is very easy
<sipa>
compute R3 = r3G, and give a Schnorr signature for R3 (which proves it's a straight known multiple of G)
<Blackwolfsa>
I am going by that this will be an interactive process and we can/have valid bulletproofs for P1 and P2
<sipa>
and then P = P1+P2+R
<gmaxwell>
sipa: that was also my thought but I was holding my tongue since I figured there must be something excluding doing the obvious thing...
<Blackwolfsa>
what will you submit to the baselayer then?
<sipa>
what does baselayer mean?
<Blackwolfsa>
sorry, typing faster than my thoughts can complete here.
<Blackwolfsa>
You need to submit this P3 with some bulletproof so that the verifier does not know it's a collection of commitments
<sipa>
a caveat here is that the verifier (the party checking the proof) needs to see P1 and P2; i don't think that can be avoided
<Blackwolfsa>
Yeah, that's something I am trying to avoid
<sipa>
i suspect that it's impossible, unless the prover knows v1/v2/r1/r2
<gmaxwell>
sipa: but verifying what.
<gmaxwell>
What are they verifying.
<sipa>
yeah... that's a good question :)
<gmaxwell>
are they verifying P3 is a sum of some specific P1 and P2? then them needing to see it is true by definition.
<sipa>
if the verifier doesn't know P1 and P2, there isn't much to prove
<gmaxwell>
Are they verifying that is a possible sum of some unspecified P1 and P2? that's tautologically true by virtue of the group behavior.
<Blackwolfsa>
They are verifying only wants to prove that P3 is valid and that the value inside P3 is greater than 0
<sipa>
ah!
<sipa>
that's something else
<gmaxwell>
All points are valid, so beyond just checking that it's actually a point the first half is automatically true.
<sipa>
i suspect that's not possible without knowing v1 and v2
<Blackwolfsa>
for more context I am looking into payment channels for mimblewimble
<sipa>
unless you're given proofs for P1 and P2, and then combine them using a recursive bulletproof
* sipa
hides
<gmaxwell>
sipa: sure it is.
<Blackwolfsa>
the idea being P3 should be a valid mw utxo
<sipa>
you can show that P3 is a reblinded sum of P1 and P2, if the verifier knows P1 and P2
<sipa>
or if you know the values/blinding factors of P1 and P2, you can just construct a new bulletproof for whatever the sum is
<gmaxwell>
You can also show P3 is in range by showing reblindings P1' and P2' are in range.
<sipa>
right, but not without knowing value/blindingfactor of P1 and P2
<gmaxwell>
a bulletproof can also be privately multiparty computed.
<Blackwolfsa>
so this is not at all possible without knowing P1 and P2
<sipa>
Blackwolfsa: perhaps if the prover is given some extra auxiliary data about P1 and P2... i'm not sure
<Blackwolfsa>
I am going by the assumption that P3 is constructed between the 3 parties privately (ie sharing some data) and then only submitting a final P3 and bulletproof together
<Blackwolfsa>
The only thing is no single party should know all the v's and r's
<Blackwolfsa>
If you create a bulletproof for (vH + (r1 + r2)G) you share the T1,T2,tx and neither know r1 and r2.
<clefru>
Blackwolfsa: I am sure that you have seen Dandelion transaction propagation in Mimblewimble blockchains, that claim to also mix with other transactions. I would assume that they would neat a mixing for the rangeproof parts as well. At least transaction mixing is claimed by beam-mw https://medium.com/beam-mw/about-dandelion-and-mimblewimble-e083597e0355
<clefru>
neat=need.
<clefru>
I guess that this just implements cut-through, not really an aggregation as you want it.
<Blackwolfsa>
Yeah dandelion doesn't do what I want.