sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
Avelino has quit []
fluffypony has joined #bitcoin-wizards
rlaager1 has joined #bitcoin-wizards
sipa has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 252 seconds]
tromp has quit [Remote host closed the connection]
rafalcpp has quit [Excess Flood]
rafalcpp has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
Dean_Guss has quit [Ping timeout: 256 seconds]
tromp has quit [Ping timeout: 252 seconds]
Guest44098 has quit []
beaups1 has joined #bitcoin-wizards
setpill has joined #bitcoin-wizards
uiuc-slack has quit [Remote host closed the connection]
jb55 has quit [Ping timeout: 252 seconds]
uiuc-slack has joined #bitcoin-wizards
elichai2 has joined #bitcoin-wizards
midnightmagic has quit [Ping timeout: 264 seconds]
jb55 has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
shesek has quit [Ping timeout: 258 seconds]
AaronvanW has quit []
AaronvanW has joined #bitcoin-wizards
belcher has joined #bitcoin-wizards
shesek has joined #bitcoin-wizards
shesek has quit [Changing host]
shesek has joined #bitcoin-wizards
midnightmagic has joined #bitcoin-wizards
Deinogalerix21 has joined #bitcoin-wizards
jtimon has quit [Ping timeout: 250 seconds]
Deinogalerix21 has quit [Quit: WeeChat 2.4]
spinza has quit [Quit: Coyote finally caught up with me...]
queip has quit [Ping timeout: 244 seconds]
rafalcpp has quit [Ping timeout: 245 seconds]
rafalcpp has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
spinza has joined #bitcoin-wizards
queip has joined #bitcoin-wizards
arubi has quit [Remote host closed the connection]
arubi has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
jimmyrizzle has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 268 seconds]
beaups1 has quit []
jtimon has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 255 seconds]
jimmyrizzle has left #bitcoin-wizards [#bitcoin-wizards]
IGHOR has joined #bitcoin-wizards
Chris_Stewart_5 has joined #bitcoin-wizards
Iriez has quit [Remote host closed the connection]
laptop500 has joined #bitcoin-wizards
Iriez has joined #bitcoin-wizards
<ariard>
Hi, I read some time ago here about a secondary p2p stack, something likely based on PIR; does anyone have more links/pointers on this?
davterra has quit [Quit: Leaving]
justanotheruser has quit [Quit: WeeChat 2.4]
Aaronvan_ has joined #bitcoin-wizards
pinheadmz has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 246 seconds]
Barras2 has joined #bitcoin-wizards
setpill has quit [Quit: o/]
Barras2 has quit []
AimHere1 has joined #bitcoin-wizards
jamesob has quit [Ping timeout: 264 seconds]
jamesob has joined #bitcoin-wizards
drexl has joined #bitcoin-wizards
jimmyrizzle has joined #bitcoin-wizards
jimmyrizzle has left #bitcoin-wizards [#bitcoin-wizards]
_Sam-- has quit [Disconnected by services]
spinza has quit [Quit: Coyote finally caught up with me...]
spinza has joined #bitcoin-wizards
TheoStorm has quit [Quit: Leaving]
jtimon has quit [Ping timeout: 250 seconds]
Emcy has quit [Remote host closed the connection]
_whitelogger has joined #bitcoin-wizards
Emcy has joined #bitcoin-wizards
enemabandit has quit [Ping timeout: 246 seconds]
davterra has joined #bitcoin-wizards
TheoStorm has joined #bitcoin-wizards
nkohen has joined #bitcoin-wizards
<nkohen>
Are there any nice, non-interactive, proposed solutions out there for MultiSignature in the general m-of-n case that are better than just doing mCn MuSig leaves on a MAST?
TheoStorm has quit [Quit: Leaving]
jtimon has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 244 seconds]
<sipa>
nkohen: with interactive setup, sure
assaf has quit [Ping timeout: 245 seconds]
<nkohen>
could you link me to an example? much appreciated :)
Guyver2 has joined #bitcoin-wizards
<sipa>
nkohen: not so much an example, but the term you're looking for is threshold signatures
<sipa>
you're asking for non-interactive, what does that mean?
<sipa>
generally all efficient threshold schemes have some interaction at setup
licnep has joined #bitcoin-wizards
<sipa>
and musig has interaction at signing time (but not at setup time)
jimmyrizzle has joined #bitcoin-wizards
Dean_Guss has joined #bitcoin-wizards
<nkohen>
I guess I meant by non-interactive something equivalent to using a MAST with mCn MuSig leaves, where, as long as you know everyone's public keys, you can construct the entire transaction without interaction, and the only interaction necessary to spend is m-1 of your n-1 peers telling you their partial signature
<nkohen>
I see now that MuSig actually requires more interaction than just that
jimmyrizzle has quit [Ping timeout: 246 seconds]
<sipa>
musig has 3 interaction rounds at signing time
<sipa>
though there are pairing based signature schemes without interaction rounds in the same use case
Chris_Stewart_5 has joined #bitcoin-wizards
DougieBot5000 has quit [Ping timeout: 245 seconds]
DougieBot5000 has joined #bitcoin-wizards
<nkohen>
I guess what I'm really looking for is a scheme where spending looks like a simple, single-key spend (like MuSig) but where what is actually happening is m-of-n multisignature (i.e. if m of the n participants collaborate, they can sign for the aggregate public key)
<nkohen>
And where there isn't any visible (to the chain) interaction like in graftroot
AimHere1 has quit []
<sipa>
nkohen: without interaction at setup time that will be hard
Gaz has joined #bitcoin-wizards
<nkohen>
In that case do you know of any scheme with relatively little interaction during setup?
<gmaxwell>
nkohen: your question is underspecified. What the heck does "relatively little interaction" mean? m-of-n can be done with two rounds in setup.
<gmaxwell>
nkohen: You MuSig-adjust the keys, then do a verifiable secret sharing.
Dean_Guss has quit [Ping timeout: 256 seconds]
<nkohen>
gmaxwell: Is there a write-up someplace describing that process in detail?
<sipa>
nkohen: papers :)
<sipa>
(and there is a pretty big difference between "this is easy in theory, this paper shows it!" and "there is a well-reviewed production ready library that makes this kind of thing safe to do")
<nkohen>
My favorite :) I'm not seeing threshold signatures described in the original MuSig paper, is there a nice one you can think of?
<gmaxwell>
No writeup is going to do much towards helping to produce a safely usable implementation though.
<nkohen>
Noted, I'll leave implementation to the experts :)
<gmaxwell>
in any case, if {A, B, C} are 2-of-3 secret shares of key K, then if you sign with A and B and then interpolate the signatures exactly as you would interpolate A, B to get K, you get a signature with K.
<gmaxwell>
so really the thing to read about is secret sharing, and then "now do the same thing but with signatures".
<gmaxwell>
The verifiable part is just needed at setup time so that a troublemaker can't jam the process and make themselves necessary to the signing.
elichai2 has quit [Quit: Connection closed for inactivity]
<ghost43>
say I have n xpubs and want to create an n-of-n multisig HD wallet. can I use musig and taproot to spend my UTXOs in p2pk-like spends? can I restore this wallet just from the n xpubs (and a synced full node)? skimming the paper, it seems the random-gen part is after the aggregate pubkey generation (which is crucial, as otherwise you would need additional state to find your UTXOs; you could not just restore from xpubs)
<sipa>
ghost43: yes
<sipa>
the only difference is that the signing process is more complicated (you need interaction rounds between the n signers)
jimmyrizzle has joined #bitcoin-wizards
<ghost43>
yes, I got that part
<sipa>
but on chain you end up with something that looks like just a pubkey in the sPK, and a signature in the spend
<nkohen>
gmaxwell: thanks!
<ghost43>
great! very cool. for some reason I thought the aggregate pubkey would be random
<sipa>
ghost43: n-of-n MuSig and Taproot are all non-interactive at setup time
<sipa>
if you want k-of-n using threshold schemes, this is no longer true (but if you use a merkle tree where every leaf is a k-of-k MuSig combination it still works)
<Chris_Stewart_5>
Interesting, so you enumerate all possible valid spends in the tree at construction time?
<sipa>
yes
<gmaxwell>
it's not the most efficient construction, but it is accountable.
<Chris_Stewart_5>
I guess the next logical question is consensus rule proposals for limiting that... but maybe it is a bit early in the day to bikeshed ;)
<gmaxwell>
Chris_Stewart_5: huh? for limiting it??!
<sipa>
why do you need to limit it?
<sipa>
it's expensive on the signer's part
<sipa>
validation is trivial
<Chris_Stewart_5>
ah -- because we are aggregating everything?
<sipa>
at validation time you see a couple hashes for a merkle branch, and a key, and a signature to check against the key
<gmaxwell>
no because hash trees have log() verification costs.
<gmaxwell>
so even a tree with a billion leaves is only 30 hashes.
<Chris_Stewart_5>
yes, I guess I was envisioning something similar to OP_CHECKMULTISIG currently, where there is that linear scaling, but if all of this is taken care of during construction that isn't a problem
<sipa>
right
rusty has joined #bitcoin-wizards
<Chris_Stewart_5>
ugh, I was going to try avoiding getting distracted by reading your BIP sipa but I just can't resist now! Be back in a few hours :-)
<nsh>
'We introduce a new form of encryption that we name matchmaking encryption (ME). Using ME, sender S and receiver R (each with its own attributes) can both specify policies the other party must satisfy in order for the message to be revealed. The main security guarantee is that of privacy-preserving policy matching: During decryption nothing is leaked beyond the fact that a match occurred/did not occur.'
ddustin has quit [Remote host closed the connection]
<yoleaux>
Cryptographic breakthrough allows using handshake-style encryption for time-delayed communications - Help Net Security
ddustin has joined #bitcoin-wizards
<nsh>
'Crucially, matchmaking encryption does away with the need for real-time interactions, allowing messages to be sent on a “dead drop” basis and read at a later date.'
ddustin has quit [Remote host closed the connection]
ddustin has joined #bitcoin-wizards
<nsh>
(unclear as yet whether this can be leveraged directly to ameliorate interaction requirements for MAST/Taproot/MuSig applications)
ddustin has quit [Remote host closed the connection]
ddustin has joined #bitcoin-wizards
ddustin has quit [Ping timeout: 246 seconds]
Aaronvan_ is now known as AaronvanW
Emcy has quit [Remote host closed the connection]
Emcy has joined #bitcoin-wizards
Zenton has quit [Ping timeout: 246 seconds]
<real_or_random>
paper intro: "In ME, a trusted authority generates encryption and decryption keys associated, respectively, to attributes of the sender
<real_or_random>
and the receiver."
spinza has quit [Quit: Coyote finally caught up with me...]
tromp has quit [Remote host closed the connection]
spinza has joined #bitcoin-wizards
justanotheruser has joined #bitcoin-wizards
gie__ has quit [Remote host closed the connection]
gie__ has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
spinza has quit [Quit: Coyote finally caught up with me...]