00:27:22roidster:roidster is now known as Guest16109
04:19:09mike4:mike4 is now known as c--O-O
14:54:14tt_away:tt_away is now known as tacotime_
17:44:58nsh:vertcoin is planning to "implement zerocoin"
17:45:07nsh:i am trying to figure out what that actually means, if it means anything
17:45:53nsh:s/zerocoin/zerocash/ per http://www.reddit.com/r/vertcoin/comments/1xcnne/i_am_the_developer_of_vertcoin_here_to_explain_to/cfa6fcc
17:46:14nsh:we're still waiting on the specification of zerocash though, aren't we?
18:09:35andytoshi:idk what zerocash is supposed to be, but the other comments on that reddit link suggest this guy has no idea what he's talking about
18:10:10sipa:zerocash == zerocoin altcoin, no?
18:14:26gmaxwell:zerocash is what the new design based on the GGPR ZKP instead of the RSA accumulator is called.
18:15:23gmaxwell:(in particualr, it deserves the 'cash' name because its truly an anonymous ecash— the coins can spend their entire lives anonymous, including merging, splitting, and having arbritary value)
18:16:39sipa:what complexities for spending/verifying does it have?
18:16:49andytoshi:somebody posted on bct a transcription of a matt green talk about it. http://0bin.net/paste/pJZ1Pk0qajZCxoYe#n+S+MhRf12Ru3EbBSPwNp542Nz+1JU/3L467AktQIu4=
18:17:00andytoshi:(i moved it from pastebin to 0bin because pastebin was blocking my tor exit)
18:17:38andytoshi:i'm only partway through it, it doesn't look nearly technical enough to answer any of our questions..
18:21:36gmaxwell:sipa: it's the GGPR based ZKP meaning that the verifying complexity is very low... on the order of ~8 related pairing operations to verify a proof. a couple ms per transaction *(subject to some limitations, only being able to do 2 inputs/2 outputs at a time, just due to using a single canned program to verify)
18:22:02gmaxwell:proving (spending) is substantially more complex but they were talking about numbers in the 30 seconds range, so not completely unreasonable.
18:22:26sipa:that comes close to being practical indeed
18:22:36andytoshi:does it still have the crs problems?
18:22:51gmaxwell:Yep... the system needs a trusted initilization.
18:24:00gmaxwell:Coins in the system are just H(pubkey||H(value||nonce)) (or equal).. like the hash of a UTXO entry with a nonce.
18:25:15gmaxwell:To spend a coin you verify a proof that the coin you're spending is in a coins tree, and reveal its pubkey; You also provide the new coins you are creating (just their hashes), and verify that the values add up. You do this all under the ZKP system.
18:26:02gmaxwell:So under the ZKP you run a bunch of hash operations to verify the hash tree, verify the outputs, and two additions and three comparisons or something like that; so no much is done under the zkp.
18:26:32gmaxwell:The blockchain then adds the pubkey you spend to a search tree of coins that have been spent already, so you can't spend it again.
18:26:49andytoshi:ok, nice. i guess that's what matt green means when he talks about "optimizing these proofs", just minimizing the amount that he actually has to zkp
18:26:55gmaxwell:pubkey is used to sign the transaction, etc.
18:27:45gmaxwell:well not just that, they've apparently implemented sha256 directly, by hand, as an arithemetic circuit over whatever field this thing is using (some 200 bit prime field)... in order to make the hash function proving as fast as possible.
18:28:20gmaxwell:it's a quite simple system, similar to petertodds MMR thinking; but you do the operations under ZKP.
18:28:31gmaxwell:(which makes it private, and also makes the proofs quite compact)
18:29:08gmaxwell:there is actually a bunch of yet unsolved implementation complexity remaining in turning it into a real system.
18:29:32sipa:define "quite compact" ?
18:30:00gmaxwell:For example, if I pay you a zerocash coin— how the @#@$# do you know I did? I have to give you the nonce/value... or you have to given me the nonce/value so I can watch for it. Or we need a private messageing channel of some kind.
18:30:48sipa:that's not really a problem, i think
18:31:00sipa:just make it payment-protocol-only
18:32:44gmaxwell:sipa: 230 bytes for 80 bit security IIRC, I think 128 bit security makes them about 320 bytes. (this is just the proof, you'd also need to enumerate the pubkeys in use and the new coins you're creating— of course.
18:34:08gmaxwell:make 288 for 128. They're 8 G1 field elements and 1 G2 field element, they used a specially constructed curve where the G2 elements have a compact representation (instead of being 3000 bits long as is typical for pairing crypto G2 elements).
18:34:51andytoshi:this is in the GGPR12 paper? ben-sasson cites a GGPR13 paper, is that the same one?
18:36:53gmaxwell:andytoshi: well the original GGPR paper was a 2012 one, but it's been enhanced a number of times.
18:37:12gmaxwell:the later papers make it more efficient but fundimentally the same.
18:37:28andytoshi:ok, i'm sure i can track it down. i'm paper-backlogged at least 2 months right now anway
18:38:28gmaxwell:I call the approach 'quadratic span/arithemetic circuts proven by verifying encrypted polynomial evaluation via pairing crypto with CRS keys' GGPR12 ... the paper is not super transparent in any case.
18:39:56gmaxwell:sipa: if you're interested in performance, this paper http://eprint.iacr.org/2013/879.pdf has a ton of performance info. It's talking about vntinyram which is an implementation of a general purpose computer as the circuit being verified (instead of something specialized like a bunch of hash operations). The proving times are irrelevant to zerocash, but the verifying times should be exactly the same— since its the same verification.
18:41:42gmaxwell:(the advantage of verifying a general purpose computer is that the program is an input, so you can use a single circuit for all tasks, and thus only have to do the CRS thing once.... also branchy programs are much more efficiently implemented that way than as a direct circuit. Alas, a bunch of hash operations is not very efficient to implement that way— a hand coded circuit for the hash is like 1000x less complex to prove than one ...
18:41:42gmaxwell:... running in tinyram)
18:42:45andytoshi:have you read the tinyram paper? do you get the impression that we could build it from the paper even tho they have not released source?
18:44:10andytoshi:i think we could make a modified tinyram which had hash opcodes which baked to handwritten circuits.
18:45:37nsh:i think handwritten circuits might break the verification model, unless you can prove them independently
18:45:52nsh:should be surmountable at least
18:46:42andytoshi:but this crs stuff really kills me. matt green says several times in this talk "we just need to find somebody we trust", but ofc that person also needs to be willing to be tortured to death because everybody knows he has money-printing keying material
18:47:24sipa:andytoshi: it's probably easier to find someone who agrees to be just killed (instead of being potentially tortured to death)
18:48:33c0rw1n:find someone who's currently dying and release the public hashes when they're dead?
18:48:49c0rw1n:maybe someone who's already signed up for euthanasia
18:49:21nsh:it's not a question of brain-forgetting. it's a question of definitely destroying the digital traces
18:49:33nsh:it could be ceremonialized
18:49:42c0rw1n:"dead brainwallet" sounds secure enough to me
18:50:53andytoshi:anyway all the best to this altcoin fellow. he will run into some pretty thorny problems but hopefully we can learn something from it
18:52:01nsh:* nsh nods
18:55:09andytoshi:while we are talking about snarking coins tho, last we talked about a snarkcoin it was suggested to snark-prove VALID(old chainstate, new chainstate, chainstate diff, [zk] transactions). there is redundancy there b/c the diff + old chainstate implies the new chainstate
18:55:32andytoshi:... gmaxwell said, while we're being redundant also snark-prove the chainstate at blockheight/2
18:55:44andytoshi:then a new user can validate back to the genesis in logarithmic time
18:56:06andytoshi:this also has the neat effect of encouraging all miners to be archival nodes
18:57:11andytoshi:so two birds with one stone there. but i'm not clear on whether there are incentives then for miners to keep old blocks secret to try to exclude people from mining
18:57:49andytoshi:probably not, information wants to be free so you'd need 100% of the miners to collude to manage this.
19:05:24gmaxwell:well torturned isn't really quite the risk, since if the 'trusted' party destroys the secret data then there is no issue.
19:05:53gmaxwell:but you're talking about a key that yields unbounded undetectable inflation. How can you really trust that they deleted it?
19:06:00c0rw1n:point is the torturer might not believe that it's been destroyed, that's the risk for the secret holder
19:06:14nsh:first time a crypto problem has been solved by the creative application of an electromagnetic pulse weapon?
19:06:20nsh:that would be pretty fun
19:06:38nsh:you'd still have to get the CRS out though
19:07:08nsh:hard to isolate the system so that the CRS can emerge but no covert channels for the bad-data to escape
19:07:17c0rw1n:there will be some point where you need to trust something by fiat, no? you can't really be sure, say, the RNG hasn't been tampered with
19:07:46c0rw1n:or that there is no hidden copy of the secret
19:07:57sipa:have anyone who wants to have randonmess sent it
19:08:23sipa:make a giant document with a list of "name: " strings
19:09:25sipa:add a randomly generated (r,s) signature, deterministically from what goes before
19:09:45sipa:wait, just randomly i guess
19:10:04sipa:now have a trusted computer generate a private key to sign it using that signature (ecdsa self-signing feature)
19:10:33c0rw1n:^ how do you trust that computer for not having been tampered with?
19:11:16c0rw1n:(dat compiler attack in Reflections in trusting trust )
19:11:48sipa:depends on what you mean by tampering... if that includes a covert EM transmitter that sends the private key somewhere, sure
19:12:04c0rw1n:hey, they do exist :/
19:13:15c0rw1n:maybe put the computer in a faraday cage at the time it crunhes, then EMP blast it from the inside
19:14:02c0rw1n:won't prevent tampering with the computing/RNG/whatevr, but at least the secret would be safe
19:15:08c0rw1n:ooh maybe simpler with shamir secret sharing the key? so that no-one has it full
19:18:48gmaxwell:nsh: yea, I though an RF shielded bunker which you then explode would be fun.
19:19:04nsh:indeed :)
19:19:30gmaxwell:But even for that you'd want to implement the thing under multiparty computation and have the bunker just be one part of it— due to it being basically impossible to avoid having a leak of some kind.
19:19:55nsh:right, forgetting-in-depth
19:20:48gmaxwell:doing it via MPC is I think still just pure theory wank. it would be a much harder computation than has ever been done in any kind of mpc.
19:20:56gmaxwell:The proving keys are rather enormous too.
19:21:15gmaxwell:(like hundreds of megabytes) (these are keys you only need for signing, and they're universal for the system)
19:21:42c0rw1n:wow we need to upgrad the internet then
19:21:50gmaxwell:what? why?
19:22:00c0rw1n:connections throughput
19:22:05gmaxwell:for what?
19:22:09nsh:this would be a one-time thing not requiring networking necessary
19:22:17c0rw1n:keys that take up hundredes of megs?
19:22:35c0rw1n:(gah catastrophic amont of typos)
19:22:35gmaxwell:::sigh:: you've misunderstood, darnit, and I tried to hard to be clear above.
19:22:36nsh:c0rw1n, still in the context of initiating the common-reference-string of a zerocash-like system
19:23:02gmaxwell:They're just an initilization parameter of the system. They're the same for everyone. It's just additional size for wallet software.
19:23:12nsh:(a forget-then-forget action, heh...)
19:23:19c0rw1n:ok ok, i got it
19:23:38c0rw1n:(i'm not smart enough to talk here dammit, why do i keep doing that)
19:23:42gmaxwell:But it contributes to making it infeasable to use MPC to compute the initilization because just a lot (in MPC terms) of data is involved.
19:24:04nsh:what affects the scaling of the keys most?
19:24:30gmaxwell:c0rw1n: psh. Nah, if I were really excillently explaining it, it would be clear to even an idiot... and I doubt you're an idiot in any case. :)
19:24:44gmaxwell:nsh: proving key scales with the size of the circuit being proven.
19:25:33nsh:is there a determinate lower bound for CRS length/complexity?
19:25:38gmaxwell:verifying key is a constant size, about 2kb (+/- depending on what precomputation you do to speed up verifying). Proofs are a constant size (couple hundred bytes).
19:26:22gmaxwell:nsh: the proving keys are basically two (IIRC) field elements per arithemetic gate in the circuit or something like that.
19:26:57nsh:so for zerocash it's bounded by the minimum length of the accumulator functions?
19:27:12nsh:(which i guess are still subject to some improvement?)
19:27:26nsh:s/length of/length of circuits for/
19:27:30gmaxwell:Right, which is bounded by how big the hashfunction is in the arithemetic circuit representation, and also by how deep a hash tree you need to prove.
19:28:21gmaxwell:e.g. the 2 in 2 out circuit you'd normally need for spending verifies membership two 64 deep hashtrees (the two inputs), plus a couple hashes to verify the outputs.
19:28:54nsh:does that mean that a zerocash initialization has an implicit 'lifespan' in terms of the tree depth, or can that be prevented from growing indefinitely through use?
19:28:57gmaxwell:I suggested they consider reducing the depth to 33 or something like that and then providing the upper parts of the tree publically, this would reduce the anonymity set size to one in 8 billion coins, but would make the proving a lot faster.
19:29:09nsh:ah, right, it bounds the total coins
19:29:26nsh:(not transactions)
19:29:37gmaxwell:nsh: kinda. though they reason that 2^64 is close enough to infinite. I had suggested instead that they just support having more tree outside of the proof, that removes the limit and potentially lets the proof be smaller.
19:29:48nsh:* nsh nods
19:29:56gmaxwell:(mildly inflating the proof sizes)
19:30:15c0rw1n:* c0rw1n goes learn moar math
19:30:31nsh:i wonder if matt can get funding to have students simulate all these tweak ramifications
19:30:46nsh:(or another academic)
19:31:01gmaxwell:Mozilla is funding him on some other stuff.
19:31:24nsh:* nsh nods
19:33:20gmaxwell:the having part of the tree outside of the proof also fits nicely with petertodd's thoughts on spending old coins just requiring longer signatures for the MMR stuf.
19:34:06nsh:is that thinking explained on the list or a thread somewhere?
19:40:52gmaxwell:I wrote up some summary of it someplace.
19:42:28nsh:ah, lemme know if it turns up. got plenty to read in the meantime :)
20:27:06rdymac_:rdymac_ is now known as rdymac
21:08:47tromp:tromp has left #bitcoin-wizards
22:19:04nsh:* nsh pokes justanotheruser's client until it stops that
22:41:18tacotime_:Are multisig addresses just hashes of the concatenation of the public keys of potential signatories?
22:48:37sipa:there are no 'multisig addresses'
22:48:54sipa:there are P2SH addresses, which are the hash of a subscript
22:49:16sipa:if that subscript is something that enforces signatures from multiple keys, it's a multisig destination
22:49:25sipa:but you can't tell from just the address
22:49:30sipa:(nor should you)
22:55:52tacotime_:I see. So the subscript itself specifies that it requires multiple public keys signing in order to conduct a transaction.