13:45:12andytoshi:https://crypto.stackexchange.com/questions/18091/is-there-any-true-anonymous-cryptocurrencies was just posted, i'm going to reply with a massive wizardly summary
13:45:50andytoshi:there has been a reply about darkcoin/anoncoin, i don't know a thing about those so if somebody wants to comment on their 'anonymity' that would be useful..
13:47:16gmaxwell:darkcoin has a closed source coinjoiny server that has spent most of the time not working at all, I don't know if it works at the moment.
13:48:18andytoshi:yeah, i have a quick dismissal that says that at the bottom of my thing. if that's all we know that's cool
13:48:20wumpus:anoncoin can run over I2P in addition to tor, I don't think it has any additional anonymity features in the chain
13:49:35andytoshi::s why wouldn't they just make some bitcoin I2P bridges?
13:51:20gmaxwell:because ... ALTCOIN.
13:53:53nsh:exploring the search-space of possibly-non-gimmicky alternations is not necessarily something to turn one's nose up at
13:54:23nsh:look forward to reading your answer, andytoshi
13:56:41andytoshi:nsh: ten more minutes, i'm summarizing ringsigs then i'll link to the wizard logs with gmaxwell's hash-based guy-fawkes-secure transaction merging thing and gmaxwell's and my output-value-obscuring thing
13:56:56andytoshi:and i have to briefly talk about scalability and how there is probably a privacy/storage tradeoff
13:57:28andytoshi:(which currently everyone takes as "max privacy but somehow also everything in RAM!")
13:57:41nsh:right. i think, in general, it's important to get people used to thinking in terms of trade-offs, as there seems to be a common comprehensive pitfall of failing to see the costs incurred by privacy and other desired features
13:57:55gmaxwell:andytoshi: make sure to not forget boring things like coinjoin/coinswap in bitcoin.
13:58:06nsh:this leads to utopian aspirations...
13:58:17andytoshi:oh, yeah, i was forgetting those :P
13:58:33gmaxwell:andytoshi: also the BCN privacy isn't perfect... so you should mention some of the limitations there.
13:59:21andytoshi:yeah, i will
13:59:31gmaxwell:(e.g. your input is A you spend combined with A,B,C ... then later B and C each go off and spend them one at a time, and now you're retroactively deanonymized)
13:59:50nsh:oh, interesting
14:00:39nsh:anonymity loves company, and privacy etiquette
14:01:05andytoshi:yeah, that will bridge well into "we want tons of outputs with the same value"
14:01:22andytoshi:which leads nicely into our "every output has every value" trick
14:11:25wumpus:andytoshi: creating an altcoin just to add features to the client (which don't involve the chain) is indeed bullshit
14:11:29andytoshi:does BRS depend on pairing?
14:11:42gmaxwell:not at all.
14:11:53gmaxwell:it's a schnorr signature over a regular EC group.
14:11:54andytoshi:ok, just checking
14:12:05andytoshi:really? man, i should read the damn paper..
14:50:38andytoshi:nsh: lol, it'll be like an hour.. i always underestimate writing times
14:50:47andytoshi:(which is good, because i would never start otherwise)
14:52:40nshlike:no hurry :)
14:53:39gmaxwell:andytoshi: feel free to pastebin your draft at some point.
14:56:39andytoshi:gmaxwell: http://0bin.net/paste/gmUhDbDRGqE1KyM0#CF299P3Mli334gjbbMlt0P-K1CTjiy7pXKRrkCga8vL haven't done (a) the coinjoin/coinswap stuff, which i'll put at the top, (b) the rest of the BRS stuff which is at the bottom
14:56:42jaromil:guys. i have a strangely appealing vision. this is kind of weird and this is the best place to do it
14:57:06jaromil:the vision is coming from jtimon PRs from pow2 and proof branches for POW modularization
14:57:25jaromil:i discouraged jorge to use polymorphism for N reasons and suggesting to use function pointers
14:57:50jaromil:now dealing with inline functions can be tricky, but zooming out to a good point we could keep serialization inlines
14:57:57andytoshi:also, do you have a better link to the OWAS paper? i have seen it linked exactly once in my logs and it is https://www.dropbox.com/s/nkh22cibel8stb4/horasyuanmouton.pdf and it's disabled now
14:58:03sipa:jaromil: #bitcoin-dev
14:58:09jaromil:yet, having function pointers for the POW stuff we can get to dlopen() pow dlos
14:58:13andytoshi:i can rehost it
14:58:15gmaxwell:andytoshi: that's all I've got. The author's name is an anagram.
14:58:20jaromil:sipa: not here?
14:58:30jaromil:isn't it too long term?
14:58:35andytoshi:ok, if he's hiding then i'll just rehost it, he can't sue if he's a shadow
14:58:59gmaxwell:oh the link is broken too. interesting.
14:59:10gmaxwell:andytoshi: I have it.
14:59:13gmaxwell:if you don't.
14:59:17andytoshi:i've got it
14:59:27gmaxwell:should probably add it to bitcoin.ninja
14:59:37andytoshi:download dated jan 6... jeez, and i still haven't read it
15:00:20gmaxwell:if you just want to see the math— https://bitcointalk.org/index.php?topic=290971.msg3140972#msg3140972
15:02:04andytoshi:thx, i've linked both in my writeup now. (not that anyone will follow these, it's as an aside /after/ heey, we can do this with hashes)
15:10:31jaromil:so yea i was spacing out too much but well this chan is better sipa
15:10:55jaromil:after this i think that: function pointers are not needed. I'm curious about your template approach
15:11:11jaromil:i don't understand it well yet
15:11:37andytoshi:jaromil: C++ is solved as far as it can be solved, so it is not appropriate for this research channel. certainly programming techniques are OT here
15:12:23jaromil:andytoshi: i am not sure you understood what we are talking about?
15:12:32jaromil:broke up conversation from #bitcoin-dev
15:12:42sipa:this channels isn't really about how to use templates in C++ :)
15:13:24jaromil:anyway 17:05 template class ValidationState { class CBlockHeader { POW pow; ...}; }
15:13:46jaromil:i'm wondering how to go next after PR #4377
15:14:19sipa:i don't think any of those approaches will be accepted in bitcoind
15:14:31jaromil:I've discouraged jtimon from going into #4506
15:14:42jaromil:not even #4377?
15:14:59jaromil:then after that i've wondered about function pointers, now I'm dropping the idea for good
15:15:09sipa:yeah 4377 seems fine
15:15:20jaromil:and thinking #4377 should be enough for everything
15:15:53jaromil:but well i'll try to understand your template POW approach above (not lack of template knowledge, but of bitcoind architecture in this case)
15:16:23jaromil:oh. ok. looking better, i get it
15:16:32jaromil:so you want to create a new ValidationState class?
15:16:45sipa:or Validator or Blockchain or whatever
15:17:15gmaxwell:andytoshi: you might want to have some more clarity as to why the BRS approach isn't perfect anonymity.
15:17:16sipa:which paves the way for modifying parts of the logic (more general than PoW)
15:17:26sipa:anyway, all of that seems offtopic here too
15:18:47andytoshi:gmaxwell: i have "the anonymity set is only as large as you make it, probably just two or three potential keys per signature", and ""your anonymity can be compromised after the fact by others in your anonymity set" and "you need all potential inputs to have same (or similar) value"
15:21:12gmaxwell:andytoshi: indeed. Probably just add "This means that while it is not trivially linkable but an attacker with good analysis tools can potentially learn a lot compared to a system that operates in zero knowledge"
15:22:55andytoshi:This provides good anonymity, but even with the improvements listed presently, this is not a zero-knowledge scheme. This means that linkability is confounded but an adversary with good analysis tools will certainly be able to glean a non-zero amount of information.
15:23:41andytoshi:maybe i should add (literally infinity times as much as zero!) :)
15:24:57andytoshi:http://0bin.net/paste/psOHPEAQHfU5FCmk#jJNbjxeFbOo-oo9Jp7tsXSOQ/fc9fZKMel5p+MbF34u done except for coinjoin/coinswap
15:32:18andytoshi:can i recommend darkwallet for coinjoin?
15:36:34gmaxwell:andytoshi: I've still ( :( ) not used it but I believe it's the best thing available for general users right now.
15:38:13andytoshi:ok, i'll recommend but not link it.. the link is not working from my tor exit anyway
15:40:05andytoshi:final draft (added coinjoin/coinswap to the top) http://0bin.net/paste/kiWPaxPtsctGP+t1#XboNzGCG9FsSjEObuCrs5NWbhen7UocSzWbHZrfxW6I
15:40:48andytoshi:i'm gonna wait to see if the question is booted off of crypto.SE before posted. i didn't realize, i thought it was on bitcoin.SE ...
15:43:04gmaxwell:andytoshi: your answer kind of redeems it.
15:43:17gmaxwell:perhaps you'd want to include some more crypto background though. :(
15:43:26gmaxwell:(and maybe a remark that it should be on bitcoin.se)
15:44:54andytoshi:hmm, i will go through and link every italicized term to wikipedia...that is all the background i have the energy to provide :)
15:45:48gmaxwell:andytoshi: you or I need to write up how the output obfuscation works in a bit of detail, Adam was asking about it and I realized I couldn't even really point to the irc log because you'd have to read the whole conversation to get it.
15:46:17andytoshi:yeah, i agree, i've been frustrated by that too
15:46:42andytoshi:it's really simple and really cool, i think i can do it today..
15:47:28andytoshi:ugh, i hate the wiki page on CRS, i have never been able to find a good link for that. i had to read several academic papers to infer what is meant by it..
15:47:41gmaxwell:yea. isn't that awesome?
15:48:01andytoshi:and nobody even says outright what it means in real life
15:48:14andytoshi:just "in the common reference string model... here is the common reference string ...."
15:48:19nsh:the tao that can be spoken...
15:49:22nsh:"However, ZeroCash's trusted setup is orders of magnitude more complex than any other MPC that has ever been done. And the most efficient MPC schemes known depend on a trusted-setup as well, so we haven't gained anything." <-- mathematics is deliciously kafkaesque sometimes
15:53:19andytoshi:ok, posted https://crypto.stackexchange.com/questions/18091/is-there-any-true-anonymous-cryptocurrencies/18096#18096
15:53:48ryan-c:sipa: the scheme i was fiddling with signed hashed data, i just didn't think about it enough for also using that hash for something else
15:53:53andytoshi:oh, i should stick adam's name on the list of people i discussed with, since he did the HE-value thing and the other guy cited adam..
15:54:58nsh:probably stupid question, but how are cryptonote's ring-sig key-images safe from malleability?
15:55:01ryan-c:andytoshi: your markdown seems to have gone slightly awry - the coinswap link near the beginning didn't work right
15:55:21nsh:there's definitely only one possible key-image for any equivalent transaction set?
15:55:27andytoshi:oh, thx ryan-c
15:55:59andytoshi:nsh: only one key-image per signing key
15:56:11andytoshi:it doesn't matter what set the key is in
15:56:36nsh:* nsh thinks harder
15:57:08andytoshi:so if i have the privkey to pubkey A, and i try to make signatures with anonsets { A, B, C } and { A, D, E }
15:57:30andytoshi:if i try to use A's privkey twice, i'll get the same key image out and people will detect it
15:57:42andytoshi:even though they can't tell which of A, B, C i'm using the privkey to
15:57:51nsh:ah okay, i see the conservation now
16:06:37nsh:"This means that linkability is confounded but an adversary with good analysis tools will certainly be able to glean a non-zero (literally, infinity times as much as zero) amount of information." it's not clear to me that infinite time zero has much of literal meaning :)
16:06:46nsh:*infinity times
16:07:20gmaxwell:well it's not technically infinite since zk is still no anonymity set larger than all the users... but I forgave that as color. :)
16:08:15nsh:i guess there's a potentially-unbounded number of spherical users
16:13:53nsh:"This can be fixed by allowing outputs of any size in the anonymity set, and taking the minimum size to be the spend amount. But then given a ring signature across several outputs' keys, people will know that the output with smallest size will be the "real" one. This is because each output can only be spent once, so if you mix it with smaller outputs, you are basically shrinking it to the size of those outputs since the network will only recognize the smaller value."
16:14:23nsh:this is maybe neat in that it allows people to pay for extra anonymity. or maybe that isn't neat.
16:14:49gmaxwell:nsh: it was my observation that it was neat.
16:14:55nsh:* nsh nods
16:15:41nsh:great write-up andytoshi; thanks
16:19:24nsh:which paper is good to read on guy-fawkes signature protocol? "Anderson, R., Bergadano, F., Crispo, B., Lee, J.H., Manifavas, C., Needham, R.: A new family of authentication protocols. ACM SIGOPS Operating Systems Review 32(4), 9–20 (1998)" ?
16:21:22gmaxwell:well what I proposed is not guy-fawkes but is the idea of guy-fawkes for anonymity.
16:21:42nsh:ah ok
16:22:27gmaxwell:guy-fawkes-miners. The idea is that miners mine "I know input satisfying this case but I'm not publishing it" and if the miners cheat the users are watching and saying "NO! you lie, here is proof!" — in doing so they lose their anonymity but prevent theft by the miner.
16:35:38Luke-Jr:meh, so my registrar made a total screwup of preregistrations and I basically didn't get any of them
16:36:13Luke-Jr:hopefully they weren't squatted
20:28:45justanot1eruser:Regarding nothing at stake: If some stakecoin became the world currency, then everyone with any money or stake in the economy would have stake in the PoScoin succeeding. This seems like it would make it very hard to find people who are willing to sell you "used stake" so you can perform a nothing at stake attack. To my understanding, you would only need to get as much used stake from a time period as the collective forg
20:30:54justanot1eruser:I'm wondering how hard that would be to do
20:45:37justanotheruser:I got cut off: ...you would only need to get as much used stake from a time period as the collective forgers had at that specific time period. This is probably hard to do, but it only has to be done once.
