--- Log opened Tue Jul 23 00:00:15 2013
02:42 * amiller grumbles
02:43 < amiller> i think the first rule of bitcoin is "no global identities"
22:14 < gmaxwell> http://www.tdp.cat/issues/tdp.a015a09.pdf
22:14 < gmaxwell> damnit I must be tired.
22:14 < gmaxwell> Can someone decode which properties they're actually achieving there?
23:30 < petertodd> "secure against semi-honest servers" <- you've got good reasons to wonder
23:37 < petertodd> yeah, I don't think it's interesting for us - seems to be an interactive protocol where the client gets a proof that c \in S without knowing S, but you still need that round trip
23:38 < petertodd> I think the advantage over a merkle tree is supposed to be that the underlying primitive can be a bloom filter, rather than a complete dataset like a merkle tree
23:40 < gmaxwell> https://news.ycombinator.com/item?id=6094383
23:40 < gmaxwell> there I tried to read it again and managed to uncross my eyes long enough to understand their first form.
23:41 < gmaxwell> it's relatively clever, at least less obviously horrible to some of the oblivious query stuff... but I can't think of anything we could use it for.
23:41 < petertodd> yeah, and that kinda makes sense, but what they are talking about appears to have to be an interactive protocol
23:41 < gmaxwell> petertodd: it is.
23:41 < gmaxwell> you can't query membership without asking the other side to blind sign for you.
23:41 < petertodd> right, which isn't much better than just a merkle tree
23:42 < gmaxwell> I can't think of anything we can use it for.
23:42 < petertodd> same
23:42 < gmaxwell> petertodd: well look at my example and tell me how a merkle tree would work there?
23:43 < petertodd> oh, wait, stupid, I missed the S doesn't know c part somehow...
23:43 < petertodd> yeah, it's useful in that case
23:43 < petertodd> hmm... how about querying the UTXO set without telling the server what you are querying?
23:45 < gmaxwell> what would you query it for?
23:45 < petertodd> check that a txout is in the set, and thus a transaction someone handed you is valid
23:46 < gmaxwell> so one problem is say you get a hit ... now you say, okay give me the full transaction.
23:46 < gmaxwell> oops the server says, nah that was a fake hit I don't have that txout.
23:47 < petertodd> I'm more thinking you have a contract with a third-party UTXO database provider, and you want to know if a customer's transaction is valid, and neither you nor the customer has a UTXO set (so the customer can't give you a UTXO proof directly)
23:48 < petertodd> Only really useful if you have a safe zero-conf system of course...
23:49 < petertodd> Though it'd be useful for checking fidelity bonds.
23:51 < gmaxwell> In general I could see how this would be useful for a very large database to prevent censorship.
23:51 < gmaxwell> though how do you not get them to censor in advance when constructing the filter. hm.
23:51 < petertodd> Selective censorship
23:51 < petertodd> (client selective)
23:51 < gmaxwell> ah right.
23:52 < petertodd> Given how dodgy anonymous com channels are, that's a really useful thing to be able to do.
--- Log closed Wed Jul 24 00:00:18 2013