00:07:19paavo:paavo has left #bitcoin-wizards
03:27:53justanot1eruser:justanot1eruser is now known as justanotheruser
03:45:43andytoshi:Eliel_: if you grep for '
03:46:07andytoshi:'Since P is forced' you will find an easy argument for why only so many ghost outputs can be real
03:46:25andytoshi:in https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt that is
03:51:01gmaxwell:andytoshi: for our curve only about half of all x values are valid points.
03:53:06BlueMatt:andytoshi: you should put this on bitcoin.ninja or similar so that we move wizarding things to a central repo
03:53:07andytoshi:kk i'll change "can be as simple as" to "might be as simple as" ;)
03:53:24andytoshi:gmaxwell: unless you can think of another one-liner as an example for COERCE?
03:53:24gmaxwell:the 'easier' way to do this is to just pick some strongly nothing up my sleeve point X, and then compute X*H()...
03:53:35andytoshi:ah, that's nicer, thx
03:53:39andytoshi:and it's group agnostic
03:54:07andytoshi:BlueMatt: will do. what do i need to do?
03:54:11gmaxwell:though the sqrt() testing loop for the point may be computationally cheaper.
03:54:15andytoshi:ah, go there and click the link..
03:54:27BlueMatt:andytoshi: there's a github link on the site, just modify the html there
03:56:35andytoshi:BlueMatt: done
03:57:16andytoshi:gmaxwell: yeah, i can think of some schemes where you iterate H until you get a correct x value or something, but what i want for the paper is just a quick example function
03:57:31andytoshi:so i can say "you don't need to use EC math or bizarre crypto assumptions to do this"
03:57:41andytoshi:complex EC math*
03:59:03andytoshi:oh, X*H() is not easily invertible, my "proof" wants COERCE to be invertible..
04:01:04gmaxwell:The simplicity of COERCE was why I didn't mention that before.
04:01:34gmaxwell:(I haven't thought too hard about X*H() it was just the most obvious thing to do where COERCE was non-trivial)
04:06:46andytoshi:i would like there to be an easy invertible thing that always works.. it's such a minor point, i feel like it should have a "minor" solution :)
04:07:12andytoshi:we could say, if x is not a valid coordinate, too bad, choose a new n value :P then for any n only half the outputs would be available to you
04:08:28andytoshi:oh, no, for each n it'd be all or nothing..
04:10:19andytoshi:we could say, unlike zerocash with only one output size, we support a random half of all possible output sizes :)
04:10:48gmaxwell:I don't think it's unfair to have a COERCE. It's possible for some curves.
08:22:36fanquake:fanquake has left #bitcoin-wizards
09:11:46wallet42:wallet42 is now known as Guest91669
09:11:46wallet421:wallet421 is now known as wallet42
09:46:20dansmith_btc:andytoshi, this brs scheme in your link - are you describing how it is implemented in bytecoin already or are you suggesting how bitcoin could take advantage of it?
09:51:39nshlike:part descriptive, part speculative
09:56:19nshlike:ahhaa
09:56:22nshlike:--
09:56:23nshlike:Chris Grayling was prevented from turning legal aid into “an instrument of discrimination” today, after three judges found his reforms to be unlawful.
09:56:27nshlike:-- http://kittysjones.wordpress.com/2014/07/16/devastating-blow-to-grayling-as-judges-halt-his-legal-aid-reform/
10:05:11nshlike:(sorry, wrong channel)
11:24:47Eliel_:nshlike: it's most definitely not implemented anywhere yet.
11:29:18nshlike:*nods*
11:32:32gmaxwell:dansmith_btc: it's not descriptive of what bytecoin does, it's an improvement over what bytecoin does.
12:41:04Eliel_:andytoshi, gmaxwell: Is there a reason to allow transaction creator to choose V? Couldn't it just be fixed and thus save a couple of bytes per transaction since it doesn't need to be specified?
12:42:55gmaxwell:huh?! V is the value of the output. You need to specify how much you're paying someone.
12:44:55Eliel_:... it looked like just a limit for the total sums of the ghost outputs to me...
12:47:03gmaxwell:Eliel_: It's the total amount actually output (as opposed to fake outputted via the ghost outputs, which has a total of ≈ V^2)
12:52:13Eliel_:am I missing something? It seems to me that only one single (n,i) choice is a real output. However, it also seems to me that there's only one option that doesn't throw a portion of that value out.
12:55:23Eliel_:and if people elect to use that option, the privacy gains are lost
13:03:47gmaxwell:Eliel_: Yes, you're missing at least one thing.
13:05:31gmaxwell:Eliel_: a single n is valid, all i ∈ [1 .. ceil(V/n)] for that n are valid.
13:08:23gmaxwell:because we know the discrete log of G the various i private keys are just your private key plus i.
14:08:43Eliel_:Ah, yes, that's what I was missing.
15:09:42lclc_lclc:lclc_lclc is now known as lclc
16:35:01jgarzik:jgarzik is now known as home_jg
17:03:36wallet421:wallet421 is now known as wallet42
17:44:27jgarzik:amiller, gmaxwell, adam3us: I'm poking around with side chains putting 80-byte block header in OP_RETURN txout, in main chain. is there any clever way to get side chain miners to use the network's "only 1 of N transactions spending input ABCD is valid" property? ie. get all side chain miners to build upon their idea of the latest block, perhaps by all spending the same input (somehow).
18:53:20petertodd:jgarzik: be really easy to do as a covenant if the scripting system didn't suck
18:54:27petertodd:jgarzik: magic output can only be spent if tx contains magic output code... however you have the data-loss attack, which can get your system permanently stuck if you aren't careful - in general you need to ask what's the motivation for publishing your sidechain data?
20:12:40home_jg:home_jg is now known as jgarzik
22:58:09gmaxwell:andytoshi: perhaps you should solicit people to mine irc logs and the forums to add citations to some of your papers where these arguments have been presented elsewhere.
22:58:24gmaxwell:e.g. a separate class of citations for informal 'industry' discussion.
23:00:03coinheavy_:I am interested in contributing to that effort
23:00:09coinheavy_:How might I help?
23:01:35andytoshi:coinheavy_: collecting links where ideas were first discussed would be great. probably submitting them to bitcoin.ninja as pull request would be great
23:02:03gmaxwell:hm. a discussion index, perhaps?
23:02:11gmaxwell:iwilcox might have some interest in contributing to that.
23:02:19andytoshi:there are a few academic things i'm missing, like impossibility of distributed consensus, but mainly i'm looking for bitcointalk links
23:02:28andytoshi:i think
23:03:15coinheavy_:sounds like something I could do. If there are any specific topics you would like mined, please feel free to email them to admin@coinheavy.com
23:03:27gmaxwell:(might want to pull him in here)
23:03:55coinheavy_:I can start by looking for the first occurrence of bitcointalk links and manually checking the context of each, tagging the relevant sections with topics and such.
23:04:17HM:if you're doing (a[i] * K) mod P where K is a constant and P is a prime
23:04:23HM:and a[i] is a big ass array
23:04:30HM:are there any optimisations you can make?
23:05:19opencryptoreview:what is this channel about then? all I see is what it's not about.
23:05:49andytoshi:lol. it's about research in the bitcoin space
23:06:12opencryptoreview:haha, I guess I should have known about it then
23:06:15andytoshi:cryptography, data structures, blockchains, contracts
23:06:31opencryptoreview:I actually made something called opensciencereview.com
23:06:45opencryptoreview:which was aimed at any pre-print or published article
23:06:56opencryptoreview:but it didn't fly, maybe it was too general
23:07:03andytoshi:it's a tough balancing act, we try not to advertise this space too loudly because it's fairly low-volume. but we miss people that way :/
23:07:33opencryptoreview:I'm hoping that targeting a smaller community leads to more interest. I'm also interested to learn more about crypto at the same time
23:07:35coinheavy_:I mention it to competent researchers I meet in person at conferences and meetups but that’s about it.
23:07:41andytoshi:your cryptocurrency site looks like the kind of thing i am looking for, i have a lot of papers and it's hard to get reviewers
23:08:05opencryptoreview:I think that posting papers won't be the problem
23:08:23opencryptoreview:as you say, getting people to spend their time providing reviews is the tough problem
23:08:43opencryptoreview:but it could be a space where it might happen
23:08:51opencryptoreview:that's my hope anyway
23:09:42andytoshi:well, if there is a single place to review stuff it might get used
23:09:50gmaxwell:HM: do you sum the results later?
23:10:03andytoshi:i think a lot of reviewing goes on in private correspondence now, and that is not so portable
23:10:41HM:gmaxwell, not exactly no http://codepad.org/Ywc2dDPe
23:10:45HM:gmaxwell, it's the inner loop
23:11:13HM:c[i] is effectively constant for the duration of the loops, but a[j] is reused
23:11:15opencryptoreview:yeah, I'm hoping for a few things. summaries for the lay person, questions that authors can answer that will appear in a public space and general criticism.
23:12:49andytoshi:yeah. so like, a few months ago oleganza posted a paper purporting to do blind ecdsa signatures. there were some serious limitations and in the end it wasn't so useful, but we talked about it for a long time and tried similar ideas for stuff, and some of the tools from that paper are in the back of my mind for when i think about ECDSA
23:13:04andytoshi:but i can't point to anywhere where i wrote this down publicly
23:13:18andytoshi:it is strewn across irc logs and some private emails between myself and oleganza. so that's no good
23:14:13opencryptoreview:Yeah, that's the main point of this site. I'm not sure how well it works for back and forth discussion though. I going for the see how it goes approach.
23:14:33opencryptoreview:It's really just a mod of a question and answer site like stack overflow
23:14:59opencryptoreview:*I'm going for*
23:15:32opencryptoreview:Well I'm glad to have said something in bitcoin-dev while you were watching!
23:15:43andytoshi::P yeah, lucky
23:40:37andytoshi:opencryptoreview: ok, i posted the PoS thing
23:41:04andytoshi:i see someone else has posted my asic-faq in the meantime
23:41:12opencryptoreview:andytoshi: thanks! yeah saw that too :)
23:41:34opencryptoreview:one thing that worries me is people posting without anyone adding commentary on the post
23:41:51opencryptoreview:the idea is to post a review on something that already exists
23:42:09andytoshi:yeah, i'll subscribe to the RSS feed and post reviews when i have time
23:42:20opencryptoreview:ok that will be great
23:42:24andytoshi:but i think initially you'll see an influx of links without much else, because there's so much out there
23:42:37opencryptoreview:is it your hope that people see your PoS post and comment themselves
23:42:38opencryptoreview:?
23:42:57andytoshi:yeah, for now at least i'm tired of talking about PoS :)
23:43:46opencryptoreview:ok, my initial plan was to delete posts that get 0 action after some time
23:44:05andytoshi:hmm, at least for now i recommend against that
23:44:10opencryptoreview:but maybe I won't have to do this if the ranking system works well
23:45:17opencryptoreview:maybe there will be lots of self posts, hoping to get commentary on their work and then maybe 10% of those get commentary and the others just don't
23:45:31opencryptoreview:but they are still there and still searchable for later
23:45:59andytoshi:yeah, i'd like them to be searchable
23:46:16opencryptoreview:ok, maybe I won't delete them if they get no comments after some time
23:46:24opencryptoreview:I guess it's less work for me too :)
23:46:28andytoshi:also, if i was worried that stuff would get deleted, i might rather post on bitcointalk..
23:47:55opencryptoreview:yeah, that's a point. I'll go and rewrite the faq a bit taking out the bits where I say I'll remove posts if they get no action.
23:49:18opencryptoreview:thanks for the feedback and the posts! I have to get to bed. 00:49 here. cheers.
23:49:26andytoshi:lol, alright goodnight