13:01:07 | rajaniemi.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged at http://download.wpsoftware.net/bitcoin/wizards/. For questions about the logs talk to andytoshi. |
13:45:12 | andytoshi: | https://crypto.stackexchange.com/questions/18091/is-there-any-true-anonymous-cryptocurrencies was just posted, i'm going to reply with a massive wizardly summary |
13:45:50 | andytoshi: | there has been a reply about darkcoin/anoncoin, i don't know a thing about those so if somebody wants to comment on their 'anonymity' that would be useful.. |
13:47:16 | gmaxwell: | darkcoin has a closed source coinjoiny server that has spent most of the time not working at all, I don't know if it works at the moment. |
13:48:18 | andytoshi: | yeah, i have a quick dismissal that says that at the bottom of my thing. if that's all we know that's cool |
13:48:20 | wumpus: | anoncoin can run over I2P in addition to tor, I don't think it has any additional anonymity features in the chain |
13:49:35 | andytoshi: | :s why wouldn't they just make some bitcoin I2P bridges? |
13:51:20 | gmaxwell: | because ... ALTCOIN. |
13:53:53 | nsh: | exploring the search-space of possibly-non-gimmicky alternations is not necessarily something to turn ones nose up at |
13:54:08 | nsh: | *alterations |
13:54:23 | nsh: | look forward to reading your answer, andytoshi |
13:56:41 | andytoshi: | nsh: ten more minutes, i'm summarizing ringsigs then i'll link to the wizard logs with gmaxwell's hash-based guy-fawkes-secure transaction merging thing and gmaxwell's and my output-value-obscuring thing |
13:56:54 | nsh: | +1 |
13:56:56 | andytoshi: | and i have to briefly talk about scalability and how there is probably a privacy/storage tradeoff |
13:57:28 | andytoshi: | (which currently everyone takes as "max privacy but somehow also everything in RAM!") |
13:57:41 | nsh: | right. i think, in general, it's important to get people used to thinking in terms of trade-offs, as there seems to be a common comprehensive pitfall of failing to see the costs incurred by privacy and other desired features |
13:57:55 | gmaxwell: | andytoshi: make sure to not forget boring things like coinjoin/coinswap in bitcoin. |
13:58:06 | nsh: | this leads to utopian aspirations... |
13:58:17 | andytoshi: | oh, yeah, i was forgetting those :P |
13:58:33 | gmaxwell: | andytoshi: also the BCN privacy isn't perfect... so you should mention some of the limitations there. |
13:59:21 | andytoshi: | yeah, i will |
13:59:31 | gmaxwell: | (e.g. your input is A you spend combined with A,B,C ... then later B and C each go off and spend them one at a time, and now you're retroactively deanonymized) |
13:59:50 | nsh: | oh, interesting |
14:00:39 | nsh: | anonymity loves company, and privacy etiquette |
14:01:05 | andytoshi: | yeah, that will bridge well into "we want tons of outputs with the same value" |
14:01:22 | andytoshi: | which leads nicely into our "every output has every value" trick |
14:11:25 | wumpus: | andytoshi: creating an altcoin just to add features to the client (which don't involve the chain) is indeed bullshit |
14:11:29 | andytoshi: | does BRS depend on pairing? |
14:11:42 | gmaxwell: | not at all. |
14:11:53 | gmaxwell: | it's a schnorr signature over a regular EC group. |
14:11:54 | andytoshi: | ok, just checking |
14:12:05 | andytoshi: | really? man, i should read the damn paper.. |
14:50:38 | andytoshi: | nsh: lol, it'll be like an hour.. i always underestimate writing times |
14:50:47 | andytoshi: | (which is good, because i would never start otherwise) |
14:52:40 | nshlike: | no hurry :) |
14:53:39 | gmaxwell: | andytoshi: feel free to pastebin your draft at some point. |
14:56:39 | andytoshi: | gmaxwell: http://0bin.net/paste/gmUhDbDRGqE1KyM0#CF299P3Mli334gjbbMlt0P-K1CTjiy7pXKRrkCga8vL haven't done (a) the coinjoin/coinswap stuff, which i'll put at the top, (b) the rest of the BRS stuff which is at the bottom |
14:56:42 | jaromil: | guys. i have a strangely appealing vision. this is kind of weird and this is the best place to do it |
14:57:06 | jaromil: | the vision is coming from jtimon PRs from pow2 and proof branches for POW modularization |
14:57:25 | jaromil: | i discouraged jorge to use polymorphism for N reasons and suggesting to use function pointers |
14:57:50 | jaromil: | now dealing with inline functions can be tricky, but zooming out to a good point we could keep serialization inlines |
14:57:57 | andytoshi: | also, do you have a better link to the OWAS paper? i have seen it linked exactly once in my logs and it is https://www.dropbox.com/s/nkh22cibel8stb4/horasyuanmouton.pdf and it's disabled now |
14:58:03 | sipa: | jaromil: #bitcoin-dev |
14:58:09 | jaromil: | yet, having function pointers for the POW stuff we can get to dlopen() pow dlos |
14:58:12 | jaromil: | ops |
14:58:13 | andytoshi: | i can rehost it |
14:58:15 | gmaxwell: | andytoshi: that's all I've got. The author's name is an anagram. |
14:58:20 | jaromil: | sipa: not here? |
14:58:30 | jaromil: | isn't it too long term? |
14:58:32 | jaromil: | ok |
14:58:35 | andytoshi: | ok, if he's hiding then i'll just rehost it, he can't sue if he's a shadow |
14:58:59 | gmaxwell: | oh the link is broken too. interesting. |
14:59:10 | gmaxwell: | andytoshi: I have it. |
14:59:13 | gmaxwell: | if you don't. |
14:59:17 | andytoshi: | i've got it |
14:59:27 | gmaxwell: | should probably add it to bitcoin.ninja |
14:59:37 | andytoshi: | download dated jan 6... jeez, and i still haven't read it |
14:59:55 | andytoshi: | https://download.wpsoftware.net/bitcoin/wizardry/horasyuanmouton-owas.pdf |
15:00:20 | gmaxwell: | if you just want to see the math— https://bitcointalk.org/index.php?topic=290971.msg3140972#msg3140972 |
15:02:04 | andytoshi: | thx, i've linked both in my writeup now. (not that anyone will follow these, it's as an aside /after/ heey, we can do this with hashes) |
15:10:15 | jaromil: | ok |
15:10:31 | jaromil: | so yea i was spacing out too much but well this chan is better sipa |
15:10:55 | jaromil: | after this i think that: function pointers are not needed. I'm curious about your template approach |
15:11:11 | jaromil: | i don't understand it well yet |
15:11:37 | andytoshi: | jaromil: C++ is solved as far as it can be solved, so it is not appropriate for this research channel. certainly programming techniques are OT here |
15:12:23 | jaromil: | andytoshi: i am not sure you understood what we are talking about? |
15:12:32 | jaromil: | broke up conversation from #bitcoin-dev |
15:12:42 | sipa: | this channel isn't really about how to use templates in C++ :) |
15:13:24 | jaromil: | anyway 17:05 template class ValidationState { class CBlockHeader { POW pow; ...}; } |
15:13:46 | jaromil: | i'm wondering how to go next after PR #4377 |
15:14:19 | sipa: | i don't think any of those approaches will be accepted in bitcoind |
15:14:31 | jaromil: | I've discouraged jtimon from going into #4506 |
15:14:42 | jaromil: | not even #4377? |
15:14:59 | jaromil: | then after that i've wondered about function pointers, now I'm dropping the idea for good |
15:15:09 | sipa: | yeah 4377 seems fine |
15:15:20 | jaromil: | and thinking #4377 should be enough for everything |
15:15:53 | jaromil: | but well i'll try to understand your template POW approach above (not lack of template knowledge, but of bitcoind architecture in this case) |
15:16:23 | jaromil: | oh. ok. looking better, i get it |
15:16:32 | jaromil: | so you want to create a new ValidationState class? |
15:16:45 | sipa: | or Validator or Blockchain or whatever |
15:16:48 | jaromil: | yep |
15:17:15 | gmaxwell: | andytoshi: you might want to have some more clarity as to why the BRS approach isn't perfect anonymity. |
15:17:16 | sipa: | which paves the way for modifying parts of the logic (more general than PoW) |
15:17:26 | sipa: | anyway, all of that seems offtopic here too |
15:18:47 | andytoshi: | gmaxwell: i have "the anonymity set is only as large as you make it, probably just two or three potential keys per signature", and ""your anonymity can be compromised after the fact by others in your anonymity set" and "you need all potential inputs to have same (or similar) value" |
15:21:12 | gmaxwell: | andytoshi: indeed. Probably just add "This means that while it is not trivially linkable but an attacker with good analysis tools can potentially learn a lot compared to a system that operates in zero knowledge" |
15:22:55 | andytoshi: | This provides good anonymity, but even with the improvements listed presently, this is not a zero-knowledge scheme. This means that linkability is confounded but an adversary with good analysis tools will certainly be able to glean a non-zero amount of information. |
15:22:59 | andytoshi: | /quote |
15:23:41 | andytoshi: | maybe i should add (literally infinity times as much as zero!) :) |
15:24:57 | andytoshi: | http://0bin.net/paste/psOHPEAQHfU5FCmk#jJNbjxeFbOo-oo9Jp7tsXSOQ/fc9fZKMel5p+MbF34u done except for coinjoin/coinswap |
15:32:18 | andytoshi: | can i recommend darkwallet for coinjoin? |
15:36:34 | gmaxwell: | andytoshi: I've still ( :( ) not used it but I believe it's the best thing available for general users right now. |
15:38:13 | andytoshi: | ok, i'll recommend but not link it.. the link is not working from my tor exit anyway |
15:40:05 | andytoshi: | final draft (added coinjoin/coinswap to the top) http://0bin.net/paste/kiWPaxPtsctGP+t1#XboNzGCG9FsSjEObuCrs5NWbhen7UocSzWbHZrfxW6I |
15:40:48 | andytoshi: | i'm gonna wait to see if the question is booted off of crypto.SE before posting. i didn't realize, i thought it was on bitcoin.SE ... |
15:43:04 | gmaxwell: | andytoshi: your answer kind of redeems it. |
15:43:17 | gmaxwell: | perhaps you'd want to include some more crypto background though. :( |
15:43:26 | gmaxwell: | (and maybe a remark that it should be on bitcoin.se) |
15:44:54 | andytoshi: | hmm, i will go through and link every italicized term to wikipedia...that is all the background i have the energy to provide :) |
15:45:48 | gmaxwell: | andytoshi: you or I need to write up how the output obfuscation works in a bit of detail, Adam was asking about it and I realized I couldn't even really point to the irc log because you'd have to read the whole conversation to get it. |
15:46:17 | andytoshi: | yeah, i agree, i've been frustrated by that too |
15:46:42 | andytoshi: | it's really simple and really cool, i think i can do it today.. |
15:47:28 | andytoshi: | ugh, i hate the wiki page on CRS, i have never been able to find a good link for that. i had to read several academic papers to infer what is meant by it.. |
15:47:41 | gmaxwell: | yea. isn't that awesome? |
15:48:01 | andytoshi: | and nobody even says outright what it means in real life |
15:48:14 | andytoshi: | just "in the common reference string model... here is the common reference string ...." |
15:48:19 | nsh: | the tao that can be spoken... |
15:49:22 | nsh: | "However, ZeroCash's trusted setup is orders of magnitude more complex than any other MPC that has ever been done. And the most efficient MPC schemes known depend on a trusted-setup as well, so we haven't gained anything." <-- mathematics is deliciously kafkaesque sometimes |
15:53:19 | andytoshi: | ok, posted https://crypto.stackexchange.com/questions/18091/is-there-any-true-anonymous-cryptocurrencies/18096#18096 |
15:53:48 | ryan-c: | sipa: the scheme i was fiddling with signed hashed data, i just didn't think about it enough for also using that hash for something else |
15:53:53 | andytoshi: | oh, i should stick adam's name on the list of people i discussed with, since he did the HE-value thing and the other guy cited adam.. |
15:54:58 | nsh: | probably stupid question, but how are cryptonote's ring-sig key-images safe from malleability? |
15:55:01 | ryan-c: | andytoshi: your markdown seems to have gone slightly awry - the coinswap link near the beginning didn't work right |
15:55:21 | nsh: | there's definitely only one possible key-image for any equivalent transaction set? |
15:55:27 | andytoshi: | oh, thx ryan-c |
15:55:59 | andytoshi: | nsh: only one key-image per signing key |
15:56:11 | andytoshi: | it doesn't matter what set the key is in |
15:56:36 | nsh: | * nsh thinks harder |
15:57:08 | andytoshi: | so if i have the privkey to pubkey A, and i try to make signatures with anonsets { A, B, C } and { A, D, E } |
15:57:30 | andytoshi: | if try to use A's privkey twice, i'll get the same key image out and people will detect it |
15:57:42 | andytoshi: | even though they can't tell which of A, B, C i'm using the privkey to |
15:57:51 | nsh: | ah okay, i see the conservation now |
16:06:37 | nsh: | "This means that linkability is confounded but an adversary with good analysis tools will certainly be able to glean a non-zero (literally, infinity times as much as zero) amount of information." it's not clear to me that infinite time zero has much of literal meaning :) |
16:06:46 | nsh: | *infinity times |
16:06:50 | nsh: | +a |
16:07:20 | gmaxwell: | well it's not technically infinite since zk is still no anonymity set larger than all the users... but I forgave that as color. :) |
16:08:15 | nsh: | i guess there's a potentially-unbounded number of spherical users |
16:08:51 | helo: | heh |
16:13:53 | nsh: | "This can be fixed by allowing outputs of any size in the anonymity set, and taking the minimum size to be the spend amount. But then given a ring signature across several outputs' keys, people will know that the output with smallest size will be the "real" one. This is because each output can only be spent once, so if you mix it with smaller outputs, you are basically shrinking it to the size of those outputs since the network will only recognize the smaller value." |
16:14:23 | nsh: | this is maybe neat in that it allows people to pay for extra anonymity. or maybe that isn't neat. |
16:14:49 | gmaxwell: | nsh: it was my observation that it was neat. |
16:14:55 | nsh: | * nsh nods |
16:15:41 | nsh: | great write-up andytoshi; thanks |
16:19:24 | nsh: | which paper is good to read on guy-fawkes signature protocol? "Anderson, R., Bergadano, F., Crispo, B., Lee, J.H., Manifavas, C., Needham, R.: A new family of authentication protocols. ACM SIGOPS Operating Systems Review 32(4), 9–20 (1998)" ? |
16:21:22 | gmaxwell: | well what I proposed is not guy-fawkes but is the idea of guy-fawkes for anonymity. |
16:21:42 | nsh: | ah ok |
16:22:27 | gmaxwell: | guy-fawkes-miners. The idea is that miners mine "I know input satisfying this case but I'm not publishing it" and if the miners cheat the users are watching and saying "NO! you lie, here is proof!" — in doing so they lose their anonymity but prevent theft by the miner. |
16:35:38 | Luke-Jr: | meh, so my registrar made a total screwup of preregistrations and I basically didn't get any of them |
16:36:13 | Luke-Jr: | hopefully they weren't squatted |
20:28:45 | justanot1eruser: | Regarding nothing at stake: If some stakecoin became the world currency, then everyone with any money or stake in the economy would have stake in the PoScoin succeeding. This seems like it would make it very hard to find people who are willing to sell you "used stake" so you can perform a nothing at stake attack. To my understanding, you would only need to get as much used stake from a time period as the collective forg |
20:30:54 | justanot1eruser: | I'm wondering how hard that would be to do |
20:45:37 | justanotheruser: | I got cut off: ...you would only need to get as much used stake from a time period as the collective forgers had at that specific time period. This is probably hard to do, but it only has to be done once. |