--- Log opened Tue Mar 26 00:00:07 2013
00:22 < jrmithdobbs> gmaxwell: ugh
00:47 < warren> I don't know anyone that uses NetBSD.
00:49 < gmaxwell> I have, but only on VAX. :P
00:51 < warren> heh.... "Thanks To ========= Thor Lancelot Simon for causing, finding and fixing the bug and helping with this advisory."
01:07 < gmaxwell> Has anyone given thought to what the Ultimate sighash types would look like?
01:15 < jgarzik> Ultimate?
01:35 < gmaxwell> Is there some simple(?) set of sighash features that actually captures all the sighash types we might wish for?
01:35 < gmaxwell> what we have now is clearly not ultimate since it's easy to come up with cases they miss in practice.
01:45 < jrmithdobbs> warren: lots of random embedded shit you'll never think of do
01:46 < jrmithdobbs> gmaxwell: i think it really needs to be revisited as to whether specifying the hash/curve as part of the address might not be desirable
01:46 < jrmithdobbs> gmaxwell: as it relates to sighash, i'm not sure, i know it does but i'm rusty on the script ops
01:47 < jrmithdobbs> there's been too much random "we know this is good" shit being broken, at least academically, recently =/
01:47 < gmaxwell> jrmithdobbs: you just use different address types for that.
01:48 < gmaxwell> Or really, P2SH and done.
01:48 < gmaxwell> I'm really not expecting much in the way of curve specific ECDSA attacks that don't undermine the whole thing.
01:48 < jrmithdobbs> gmaxwell: ya but might it be worth extending the base ops to include some things besides ripemd and sha2 in the base ops?
01:49 < gmaxwell> yes, well, when SHA3 is really finally specced we'll add that at least, I imagine.
01:49 < jrmithdobbs> that's the only related thing i've spent much time thinking about really
01:50 < jrmithdobbs> :P
01:51 < jrmithdobbs> funny, seeing as i distinctly remember lamenting how i didn't think it was necessary at a point in the not-so-distant past
01:52 < gmaxwell> jrmithdobbs: the sighash types are pretty much entirely about which parts of the transaction get masked out when you sign.
01:55 < jrmithdobbs> oh those, just re-looked over the contracts stuff
01:56 < jrmithdobbs> all/none/single are the current ones?
01:58 < gmaxwell> and the anyone can pay modifier.
01:58 < jrmithdobbs> that covers everything I can think of / care about (contracts and escrow)
01:58 < jrmithdobbs> right right
02:00 < warren> jrmithdobbs: does that random embedded shit have any entropy source at all?
02:00 < gmaxwell> jrmithdobbs: oh no way.. say for example that you and 10 friends want to collaborate to raise a 50 BTC bounty. For that what you want is a txn with an ANYONECANPAY and an output that pays 50 BTC that everyone signs, but then also a bunch of change outputs signed only by the person providing their inputs.
02:00 < jrmithdobbs> warren: some of it, yes
02:00 < jrmithdobbs> gmaxwell: i always forget change
02:01 < gmaxwell> there are a bunch of examples where change gets in the way.
02:01 < jrmithdobbs> gmaxwell: i thought it was enough to cover multi-party escrow, but ya, you're right =/
02:02 < jrmithdobbs> to be perfectly blunt, though
02:02 < jrmithdobbs> would it really be such an imposition to have to pre-prep those inputs?
02:02 < gmaxwell> well you go from 1 txn to 21 txn in that case.
02:02 < jrmithdobbs> they're uncommon enough specialized txns that you're going to have an hour or so notice beforehand usually
02:02 < gmaxwell> er 11 (I said 10 friends)
02:03 < jrmithdobbs> ya but 20 of those txns are very simple and easy to verify and already pass isStandard()
02:03 < warren> If one of those 10 gets hit by a bus, all that money is gone?
02:03 < gmaxwell> huh. no. 0_o why would you think that?
02:03 < jrmithdobbs> warren: huh? no the final couldn't be created until the first 20 were done
02:04 < gmaxwell> s/20/10/ for consistency. :)
02:04 < jrmithdobbs> right ;p
02:05 < warren> ugh
02:05 < jrmithdobbs> gmaxwell: the complexity of handling the change and the infrequency of the use of that type of mechanism ... is it worth handling the change? the minor txn spam argument seems pretty flimsy framed in this way
02:07 < jrmithdobbs> i could be convinced it's worth it if you could maybe postulate on some reasons why the use of multi party escrow or extremely complex contracts would become the *norm* vs current simple addr txns
02:07 < gmaxwell> jrmithdobbs: Perhaps not. This is -wizards, I'm not talking about a practical short term change to the system.
02:08 < jrmithdobbs> and i can maybe come up with some devil's advocate ones ;)
02:08 < gmaxwell> Handling the change isn't the only gap in sighash types. They're just the one I was thinking about tonight.
02:08 < jrmithdobbs> oh i know i know
02:08 < jrmithdobbs> just talkin
02:09 < gmaxwell> Now I'm trying to remember what other cases were missing.
02:09 < jrmithdobbs> well it almost needs a _multi
02:09 < jrmithdobbs> so that one can sign more than just one part of nothing
02:10 < jrmithdobbs> but that gets hairy
02:10 < jrmithdobbs> err more than one part OR nothing
02:12 < gmaxwell> then there are things like partial constraints. sign output X but first normalize the value by min(value,1000000). "Output X must be at least 1 BTC".
02:13 < gmaxwell> arguably you can do many of the applications by just SIGHASH_ALL but you can't do anyone can pay in that case.
02:13 < gmaxwell> one possibility would be to have the scriptpubkey specify a masking script.
02:14 < gmaxwell> basically the only thing you sign is a script. And the script gets the whole txn pushed onto the stack and the signature is valid if the script returns true.
02:19 < jrmithdobbs> i dunno, i've been driving or flying for like 5 days straight now, i'm going to go sleep in my own damned bed finally ;p
02:21 < jrmithdobbs> actually
02:21 < jrmithdobbs> i think we're overthinking that
02:21 < jrmithdobbs> (not the sleep part, that's def happening in a bit, ha)
02:22 < jrmithdobbs> gmaxwell: i think all/one/none + anyone can pay *is* enough
02:22 < jrmithdobbs> gmaxwell: we're falling into that whole "one person/party == one key" mindset
02:22 < jrmithdobbs> if any party needs to sign multiple parts they use multiple keys
02:22 < jrmithdobbs> if proof someone is in control of said group of keys, that's trivial
02:23 < jrmithdobbs> if proof is desired*
02:23 < jrmithdobbs> but maybe i've been paying too much attention to zooko lately, ha ;p
02:24 < gmaxwell> uh. I think you should sleep, 'cause nothing I've said is at all one person = one key material. :P
02:24 < jrmithdobbs> no it's not
02:24 < gmaxwell> jrmithdobbs: he doesn't have you freebasing bacon grease does he? :P
02:24 < jrmithdobbs> but i'm saying the cases where being able to sign multiple but not all/none parts can be solved with multiple keys per party
02:25 < jrmithdobbs> but ya, i'm incoherent ;p
02:26 < gmaxwell> jrmithdobbs: that doesn't work so well if you want to have everyone sign output zero, and then each person sighash single the rest.
02:26 < jrmithdobbs> why not?
02:26 < jrmithdobbs> that just means you need to know how many keys per party and whether you want to bind their associations at the start
02:26 < jrmithdobbs> doesn't seem entirely out of the question
02:27 < gmaxwell> You're not making any sense to me.
02:28 < gmaxwell> Me and my N friends want to pay bob 50 BTC, and take our change. I don't even know N in advance. But I know I want bob paid, and I want my darn change back. Maybe I want to use N inputs too. in which case each of my N inputs wants bob and my change output to get paid.
02:29 < jrmithdobbs> i'll reread that in the morning/tomorrow and try and translate, i'm sure i'm saying what i think i am, just poorly :)
--- Log closed Wed Mar 27 00:00:08 2013