00:07:19 | paavo: | paavo has left #bitcoin-wizards |
03:27:53 | justanot1eruser: | justanot1eruser is now known as justanotheruser |
03:45:43 | andytoshi: | Eliel_: if you grep for ' |
03:46:07 | andytoshi: | 'Since P is forced' you will find an easy argument for why only so many ghost outputs can be real |
03:46:25 | andytoshi: | in https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt that is |
03:51:01 | gmaxwell: | andytoshi: for our curve only about half of all x values are valid points. |
03:53:06 | BlueMatt: | andytoshi: you should put this on bitcoin.ninja or similar so that we move wizarding things to a central repo |
03:53:07 | andytoshi: | kk i'll change "can be as simple as" to "might be as simple as" ;) |
03:53:24 | andytoshi: | gmaxwell: unless you can think of another one-liner as an example for COERCE? |
03:53:24 | gmaxwell: | the 'easier' way to do this is to just pick some strongly nothing up my sleeve point X, and then compute X*H()... |
03:53:35 | andytoshi: | ah, that's nicer, thx |
03:53:39 | andytoshi: | and it's group agnostic |
03:54:07 | andytoshi: | BlueMatt: will do. what do i need to do? |
03:54:11 | gmaxwell: | though the sqrt() testing loop for the point may be computationally cheaper. |
03:54:15 | andytoshi: | ah, go there and click the link.. |
03:53:24 | BlueMatt: | andytoshi: there's a github link on the site, just modify the html there |
03:56:35 | andytoshi: | BlueMatt: done |
03:57:16 | andytoshi: | gmaxwell: yeah, i can think of some schemes where you iterate H until you get a correct x value or something, but what i want for the paper is just a quick example function |
03:57:31 | andytoshi: | so i can say "you don't need to use EC math or bizarre crypto assumptions to do this" |
03:57:41 | andytoshi: | complex EC math* |
03:59:03 | andytoshi: | oh, X*H() is not easily invertible, my "proof" wants COERCE to be invertible.. |
04:01:04 | gmaxwell: | The simplicity of COERCE was why I didn't mention that before. |
04:01:34 | gmaxwell: | (I haven't thought too hard about X*H() it was just the most obvious thing to do where COERCE was non-trivial) |
04:06:46 | andytoshi: | i would like there to be an easy invertible thing that always works.. it's such a minor point, i feel like it should have a "minor" solution :) |
04:07:12 | andytoshi: | we could say, if x is not a valid coordinate, too bad, choose a new n value :P then for any n only half the outputs would be available to you |
04:08:28 | andytoshi: | oh, no, for each n it'd be all or nothing.. |
04:10:19 | andytoshi: | we could say, unlike zerocash with only one output size, we support a random half of all possible output sizes :) |
04:10:48 | gmaxwell: | I don't think it's unfair to have a COERCE. It's possible for some curves. |
08:22:36 | fanquake: | fanquake has left #bitcoin-wizards |
09:11:46 | wallet42: | wallet42 is now known as Guest91669 |
09:11:46 | wallet421: | wallet421 is now known as wallet42 |
09:46:20 | dansmith_btc: | andytoshi, this brs scheme in your link - are you describing how it is implemented in bytecoin already or are you suggesting how bitcoin could take advantage of it? |
09:51:39 | nshlike: | part descriptive, part speculative |
09:56:19 | nshlike: | ahhaa |
09:56:22 | nshlike: | -- |
09:56:23 | nshlike: | Chris Grayling was prevented from turning legal aid into “an instrument of discrimination” today, after three judges found his reforms to be unlawful. |
09:56:27 | nshlike: | -- http://kittysjones.wordpress.com/2014/07/16/devastating-blow-to-grayling-as-judges-halt-his-legal-aid-reform/ |
10:05:11 | nshlike: | (sorry, wrong channel) |
11:24:47 | Eliel_: | nshlike: it's most definitely not implemented anywhere yet. |
11:29:18 | nshlike: | *nods* |
11:32:32 | gmaxwell: | dansmith_btc: it's not descriptive of what bytecoin does, it's an improvement over what bytecoin does. |
12:41:04 | Eliel_: | andytoshi, gmaxwell: Is there a reason to allow transaction creator to choose V? Couldn't it just be fixed and thus save a couple of bytes per transaction since it doesn't need to be specified? |
12:42:55 | gmaxwell: | huh?! V is the value of the output. You need to specify how much you're paying someone. |
12:44:55 | Eliel_: | ... it looked like just a limit for the total sums of the ghost outputs to me... |
12:47:03 | gmaxwell: | Eliel_: It's the total amount actually output (as opposed to fake outputted via the ghost outputs, which has a total of ≈ V^2) |
12:52:13 | Eliel_: | am I missing something? It seems to me that only one single (n,i) choice is a real output. However, it also seems to me that there's only one option that doesn't throw a portion of that value out. |
12:55:23 | Eliel_: | and if people elect to use that option, the privacy gains are lost |
13:03:47 | gmaxwell: | Eliel_: Yes, you're missing at least one thing. |
13:05:31 | gmaxwell: | Eliel_: a single n is valid, all i ∈ [1 .. ceil(V/n)] for that n are valid. |
13:08:23 | gmaxwell: | because we know the discrete log of G the various i private keys are just your private key plus i. |
14:08:43 | Eliel_: | Ah, yes, that's what I was missing. |
15:09:42 | lclc_lclc: | lclc_lclc is now known as lclc |
16:35:01 | jgarzik: | jgarzik is now known as home_jg |
17:03:36 | wallet421: | wallet421 is now known as wallet42 |
17:44:27 | jgarzik: | amiller, gmaxwell, adam3us: I'm poking around with side chains putting 80-byte block header in OP_RETURN txout, in main chain. is there any clever way to get side chain miners to use the networks "only 1 of N transactions spending input ABCD is valid" property? ie. get all side chain miners to build upon their idea of the latest block, perhaps by all spending the same input (somehow). |
18:53:20 | petertodd: | jgarzik: be really easy to do as a covenant if the scripting system didn't suck |
18:54:27 | petertodd: | jgarzik: magic output can only be spent if tx contains magic output code... however you have the data-loss attack, which can get your system permanently stuck if you aren't careful - in general you need to ask what's the motivation for publishing your sidechain data? |
20:12:40 | home_jg: | home_jg is now known as jgarzik |
22:58:09 | gmaxwell: | andytoshi: perhaps you should solicit people to mine irc logs and the forums to add citations to some of your papers where these arguments have been presented elsewhere. |
22:58:24 | gmaxwell: | e.g. a separate class of citations for informal 'industry' discussion. |
23:00:03 | coinheavy_: | I am interested in contributing to that effort |
23:00:09 | coinheavy_: | How might I help? |
23:01:35 | andytoshi: | coinheavy_: collecting links where ideas were first discussed would be great. probably submitting them to bitcoin.ninja as pull request would be great |
23:02:03 | gmaxwell: | hm. a discussion index, perhaps? |
23:02:11 | gmaxwell: | iwilcox might have some interest in contributing to that. |
23:02:19 | andytoshi: | there are a few academic things i'm missing, like impossibility of distributed consensus, but mainly i'm looking for bitcointalk links |
23:02:28 | andytoshi: | i think |
23:03:15 | coinheavy_: | sounds like something I could do. If there are any specific topics you would like mined, please feel free to email them to admin@coinheavy.com |
23:03:27 | gmaxwell: | (might want to pull him in here) |
23:03:55 | coinheavy_: | I can start by looking for the first occurrence of bitcointalk links and manually checking the context of each, tagging the relevant sections with topics and such. |
23:04:17 | HM: | if you're doing (a[i] * K) mod P where K is a constant and P is a prime |
23:04:23 | HM: | and a[i] is a big ass array |
23:04:30 | HM: | are there any optimisations you can make? |
23:05:19 | opencryptoreview: | what is this channel about then? all I see is what it's not about. |
23:05:49 | andytoshi: | lol. it's about research in the bitcoin space |
23:06:12 | opencryptoreview: | haha, I guess I should have known about it then |
23:06:15 | andytoshi: | cryptography, data structures, blockchains, contracts |
23:06:31 | opencryptoreview: | I actually made something called opensciencereview.com |
23:06:45 | opencryptoreview: | which was aimed at any pre-print or published article |
23:06:56 | opencryptoreview: | but it didn't fly, maybe it was too general |
23:07:03 | andytoshi: | it's a tough balancing act, we try not to advertise this space too loudly because it's fairly low-volume. but we miss people that way :/ |
23:07:33 | opencryptoreview: | I'm hoping that targeting a smaller community leads to more interest. I'm also interested to learn more about crypto at the same time |
23:07:35 | coinheavy_: | I mention it to competent researchers I meet in person at conferences and meetups but that’s about it. |
23:07:41 | andytoshi: | your cryptocurrency site looks like the kind of thing i am looking for, i have a lot of papers and it's hard to get reviewers |
23:08:05 | opencryptoreview: | I think that posting papers won't be the problem |
23:08:23 | opencryptoreview: | as you say, getting people to spend their time providing reviews is the tough problem |
23:08:43 | opencryptoreview: | but it could be a space where it might happen |
23:08:51 | opencryptoreview: | that's my hope anyway |
23:09:42 | andytoshi: | well, if there is a single place to review stuff it might get used |
23:09:50 | gmaxwell: | HM: do you sum the results later? |
23:10:03 | andytoshi: | i think a lot of reviewing goes on in private correspondence now, and that is not so portable |
23:10:41 | HM: | gmaxwell, not exactly no http://codepad.org/Ywc2dDPe |
23:10:45 | HM: | gmaxwell, it's the inner loop |
23:11:13 | HM: | c[i] is effectively constant for the duration of the loops, but a[j] is reused |
23:11:15 | opencryptoreview: | yeah, I'm hoping for a few things. summaries for the lay person, questions that authors can answer that will appear in a public space and general criticism. |
23:12:49 | andytoshi: | yeah. so like, a few months ago oleganza posted a paper purporting to do blind ecdsa signatures. there were some serious limitations and in the end it wasn't so useful, but we talked about it for a long time and tried similar ideas for stuff, and some of the tools from that paper are in the back of my mind for when i think about ECDSA |
23:13:04 | andytoshi: | but i can't point to anywhere where i wrote this down publically |
23:13:18 | andytoshi: | it is strewn across irc logs and some private emails between myself and oleganza. so that's no good |
23:14:13 | opencryptoreview: | Yeah, that's the main point of this site. I'm not sure how well it works for back and forth discussion though. I going for the see how it goes approach. |
23:14:33 | opencryptoreview: | It's really just a mod of a question and answer site like stack overflow |
23:14:59 | opencryptoreview: | *I'm going for* |
23:15:32 | opencryptoreview: | Well I'm glad to have said something in bitcoin-dev while you were watching! |
23:15:43 | andytoshi: | :P yeah, lucky |
23:40:37 | andytoshi: | opencryptoreview: ok, i posted the PoS thing |
23:41:04 | andytoshi: | i see someone else has posted my asic-faq in the meantime |
23:41:12 | opencryptoreview: | andytoshi: thanks! yeah saw that too :) |
23:41:34 | opencryptoreview: | one thing that worries me is people posting without anyone adding commentary on the post |
23:41:51 | opencryptoreview: | the idea is to post a review on something that already exists |
23:42:09 | andytoshi: | yeah, i'll subscribe to the RSS feed and post reviews when i have time |
23:42:20 | opencryptoreview: | ok that will be great |
23:42:24 | andytoshi: | but i think initially you'll see an influx of links without much else, because there's so much out there |
23:42:37 | opencryptoreview: | is it your hope that people see your PoS post and comment themselves |
23:42:38 | opencryptoreview: | ? |
23:42:57 | andytoshi: | yeah, for now at least i'm tired of talking about PoS :) |
23:43:46 | opencryptoreview: | ok, my initial plan was to delete posts that get 0 action after some time |
23:44:05 | andytoshi: | hmm, at least for now i recommend against that |
23:44:10 | opencryptoreview: | but maybe I won't have to do this if the ranking system works well |
23:45:17 | opencryptoreview: | maybe there will be lots of self posts, hoping to get commentary on their work and then maybe 10% of those get commentary and the others just don't |
23:45:31 | opencryptoreview: | but they are still there and still searchable for later |
23:45:59 | andytoshi: | yeah, i'd like them to be searchable |
23:46:16 | opencryptoreview: | ok, maybe I won't delete them if they get no comments after some time |
23:46:24 | opencryptoreview: | I guess it's less work for me too :) |
23:46:28 | andytoshi: | also, if i was worried that stuff would get deleted, i might rather post on bitcointalk.. |
23:47:55 | opencryptoreview: | yeah, that's a point. I'll go and rewrite the faq a bit taking out the bits where I say I'll remove posts if they get no action. |
23:49:18 | opencryptoreview: | thanks for the feedback and the posts! I have to get to bed. 00:49 here. cheers. |
23:49:26 | andytoshi: | lol, alright goodnight |