18:15:29 | justanotheruser: | Can I please get a reference for peercoin having a stake grinding attack done against it? |
18:16:51 | tacotime: | https://bitcointalk.org/index.php?topic=131940.0 |
18:20:43 | justanotheruser: | tacotime: thanks |
20:33:33 | andytoshi: | gmaxwell: regarding dummy outputs to disguise values, we can actually make every uniform output distribution possible. that is, an output of size N might appear as N 1-satoshi outputs, N/2 2-satoshi outputs, N/3 3-satoshi outputs, etc (with the final output being a remainder in all cases) |
20:33:37 | andytoshi: | gmaxwell: just have the payment be labelled with pubkey P. then to spend the ith output of size N, you use the key iG + H(nothing-up-my-sleeve||N), where nothing-up-my-sleeve is a chain parameter and H is SHA256d coerced to an EC point |
20:33:43 | andytoshi: | an attacker can only know the corresponding privkey for a single N (an attacker who can find two privkeys given at most q queries to the random oracle, can be used to solve DL with loss 1/q^2), so this does not invite double-spending |
20:33:49 | andytoshi: | but when spending an input of size M, you can put literally any output of total size ≥ M into the anonymity set |
20:36:09 | andytoshi: | just by using the every-output-has-size-M choice of distribution |
20:36:48 | gmaxwell: | \O/ I understand and agree. Hurrah. Every output is plausibly spendable with all sizes smaller than it, in a way that doesn't burn coins. |
20:37:03 | gmaxwell: | Though some sizes are more plausible than others. :P |
20:37:37 | gmaxwell: | e.g. "You didn't really take that coin as 1e6 one satoshi outputs" |
20:39:30 | andytoshi: | yeah, people would need to be a bit smart about their claimed output distributions (i'm not sure it's feasible or desirable to randomize them as we did when we were considering only finitely many possible distributions) |
20:41:18 | gmaxwell: | well you could impose differential transaction fees on the claimed coins in a mixin input, so it would make sense to create outputs that agree with that fee distribution. |
20:41:52 | gmaxwell: | E.g. if it's cheapest to spend a 1 btc input that has been split 4 ways, you'll be more likely to make yours that way, instead of making it just a single output. |
20:42:16 | gmaxwell: | and this function could depend on the state of the network at the time the output is created. |
23:29:23 | Emcy: | -NickServ- Last failed attempt from: Emcy!~Emcy@h-140-31.a336.priv.bahnhof.se on Jun 27 17:17:53 2014. |
23:29:37 | Emcy: | let it be known in case i appear to turn up in a bitcoin channel scamming one day |