18:15:29justanotheruser:Can I please get a reference for peercoin having a stake grinding attack done against it?
18:16:51tacotime:https://bitcointalk.org/index.php?topic=131940.0
18:20:43justanotheruser:tacotime: thanks
20:33:33andytoshi:gmaxwell: regarding dummy outputs to disguise values, we can actually make every uniform output distribution possible. that is, an output of size N might appear as N 1-satoshi outputs, N/2 2-satoshi outputs, N/3 3-satoshi outputs, etc (with the final output being a remainder in all cases)
20:33:37andytoshi:gmaxwell: just have the payment be labelled with pubkey P. then to spend the ith output of size N, you use the key iG + H(nothing-up-my-sleeve||N), where nothing-up-my-sleeve is a chain parameter and H is SHA256d coerced to an EC point
20:33:43andytoshi:an attacker can only know the corresponding privkey for a single N (an attacker who can find two privkeys given at most q queries to the random oracle, can be used to solve DL with loss 1/q^2), so this does not invite double-spending
20:33:49andytoshi:but when spending an input of size M, you can put literally any output of total size ≥ M into the anonymity set
20:36:09andytoshi:just by using the every-output-has-size-M choice of distribution
20:36:48gmaxwell:\O/ I understand and agree. Hurrah. Every output is plausibly spendable with all sizes smaller than it, in a way that doesn't burn coins.
20:37:03gmaxwell:Though some sizes are more plausible than others. :P
20:37:37gmaxwell:e.g. "You didn't really take that coin as 1e6 one satoshi outputs"
20:39:30andytoshi:yeah, people would need to be a bit smart about their claimed output distributions (i'm not sure it's feasible or desirable to randomize them as we did when we were considering only finitely many possible distributions)
20:41:18gmaxwell:well you could impose differential transaction fees on the claimed coins in a mixin input, so it would make sense to create outputs that agree with that fee distribution.
20:41:52gmaxwell:E.g. if it's cheapest to spend a 1 btc input that has been split 4 ways, you'll be more likely to make yours that way, instead of making it just a single output.
20:42:16gmaxwell:and this function could depend on the state of the network at the time the output is created.
23:29:23Emcy:-NickServ- Last failed attempt from: Emcy!~Emcy@h-140-31.a336.priv.bahnhof.se on Jun 27 17:17:53 2014.
23:29:37Emcy:let it be known in case i appear to turn up in a bitcoin channel scamming one day