/store/home/irc-logger/logs/irc.freenode.net:6667/bitcoinwizards/2014-07-30.txt

00:22:33	andytoshi:	gmaxwell: right now in bytecoin you can't have arbitrary scripts because ringsigs are too fundamental to the tx construction..
00:22:53	andytoshi:	does your script-deniability scheme (can't think of a good name) fix this?
00:23:54	andytoshi:	no, i guess not... the actual contents of the script will not have any anonymity set to them
00:27:03	andytoshi:	otoh cryptonote does have a tiny accumulator-based script which you can use for multisig (basically, it counts valid signatures). i wonder what the satisfiability requirements for those are..
00:28:38	gmaxwell:	andytoshi: whats in the paper is a very limited scheme (that is sadly confused and misses the point of things, e.g. it thinks you can replace hashlocked transactions with a KDF, totally breaking the possibility of atomic cross-chain swaps), and use of that scheme basically breaks all the anonymity properties.
00:29:09	andytoshi:	ah, i had remembered the anonymity being totally broken but not the details of how
00:29:13	gmaxwell:	What I propose partically recovers them since every txin could potentially be be a txin for some fancy script.
00:30:11	andytoshi:	and i haven't looked too deeply into cross-chain swaps, that was gonna be a first application of wizards-wallet and then i decided to rewrite a coinjoin server first
00:31:28	gmaxwell:	andytoshi: basically they say if you want to 'puzzle' lock a transaction just use a kdf and sign like normal with that key as a required signature. Of course, I am slapping my forehead because the whole goal in an atomic swap is to _not_ be zero knoweldge— you want to make publication of one signature enable the other.
00:33:50	andytoshi:	KDF on what? you have to expose the puzzle solution as well as a signature with a key derived from it?
00:34:05	andytoshi:	that's not ZK
00:34:44	gmaxwell:	andytoshi: no, as in you don't expose the puzzle solution, you use it as a private key.
00:35:28	gmaxwell:	They thought the purpose of hash locking was because bitcoin's authors were too stupid to know that you could convert an abritrary string into a DSA private key.
00:36:06	andytoshi:	if you use the solution as a private key, how can anyone verify that it's a solution?
00:36:20	gmaxwell:	by comparison with the public key.
00:36:22	andytoshi:	you have to know the solution when creating the ouutput?
00:36:31	gmaxwell:	yes, you do for a hash lock too
00:36:49	andytoshi:	ok, sorry, when you were talking about 'puzzles' i thought you meant like PT's preimage challenges
00:37:02	andytoshi:	i gotcha now
00:37:13	fanquake:	fanquake has left #bitcoin-wizards
00:37:15	gmaxwell:	"I want to pay to someone who knows the name of my dog, which hash sha1 631388fa042cfc8ec603b004a54eaeb34996f2ec" which is completely moronic
00:37:28	gmaxwell:	I guess this is some of the problems that are created when things are explained with toy examples.
00:38:41	gmaxwell:	since someone would see that example and just say "okay, well replace to 'KDF*G's out to pubkey 02xxx'" which is fine and all, but not actually what hashlocking is useful for.
00:38:53	andytoshi:	yeah, for the toy example using the dog's name as a key would actually be better
00:39:19	gmaxwell:	yep... and people were doing that in bitcoin before a hash locked txn ever showed up in the blockchain.
00:42:28	andytoshi:	ok, so i was thinking about M-of-N specifically, can we construct a multisig scripts
00:43:16	andytoshi:	where you can appear to satisfy the script, you can treat any output as a M-of-N output (for your specific M, N)
00:43:57	andytoshi:	..i should just read their scheme again, it's like one paragraph long..
00:45:33	gmaxwell:	andytoshi: I'm be somewhat surprised if there isn't just a way to threshold compute these signatures.
00:45:42	gmaxwell:	(for the M of N case)
00:45:51	gmaxwell:	obviously the first thing to try would be 2 of 2.
00:46:22	andytoshi:	yeah, i'm meaning to do this but i keep using all my good brain cycles chasing rust bugs
00:47:01	andytoshi:	so i was hoping i could do something stupid and just stick the breaks-anonymity bytecoin multisig scheme into your script-deniability scheme and get something workable out
00:55:20	andytoshi:	specifically, their scheme wrecks anonymity by making you specify the keys to participate in the multisig. but we could maybe put a list of keys inside the hash, and construct it somehow so that only one set of keys actually has corresponding privkeys
00:56:33	gmaxwell:	andytoshi: I think you're overcomplexifying things.
00:57:19	andytoshi:	yeah, i think you're right, i don't see how this gets past my high-level problems i talked about the other night
00:57:50	gmaxwell:	Hello network, I want to spend script 2/3{a,b,c} which I prove is the script for a coin on the network by proving knoweldge of private key X, such that X is committed to by one of {Q+script,W+script,Y+script}
00:57:53	andytoshi:	i.e. either your script proves some knowledge -or- it can be "satisfied" in a weak way that'll let it participate in an anonymity set for a third party
00:58:03	andytoshi:	can't have both
00:58:40	gmaxwell:	then you provide signatures Ring_Q,W,Y and conventual A,B
00:59:19	gmaxwell:	and this proves that one of Q,W,Y was a commitment to the 2/3{a,b,c} script, but doesn't tell you which one.
00:59:32	andytoshi:	yup
00:59:39	andytoshi:	yeah, i get that..
00:59:43	gmaxwell:	okay. whew.
01:00:42	andytoshi:	i was still thinking about letting people copy the script they way they can copy the value
01:01:03	andytoshi:	so that somebody using different i values but the same script doesn't prove that they're the same person
01:01:50	andytoshi:	but i continue to think that's impossible (no matter how badly you weaken the script)
01:12:00	andytoshi:	gmaxwell: i've updated https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt with a section to describe the anonymity hit from reusing {P, V, n} with different i... does this make sense to you?
01:12:53	andytoshi:	also, anyone who didn't understand the scheme from the start is welcome to chip in -- i'm trying to make this accessible :)
01:13:26	gmaxwell:	andytoshi: I think thats sensible, but perhaps not super clear.
01:13:40	andytoshi:	it's hard to describe, there are too many variables :/
01:14:52	andytoshi:	"this anonymity risk -- that real outputs share a property while ghost outputs do not -- will become more serious in the next section"
01:15:25	andytoshi:	if i add that, i think that'll summarize what the problem is
01:15:58	gmaxwell:	sounds good.
01:18:04	gmaxwell:	hah: https://www.nsa.gov/ redirects to http://www.nsa.gov/ subtle message?
01:18:30	sipa:	No 's' Anymore.
01:59:19	Emcy:	oh wow that recruitment video is real, its on nsa.gov domain
01:59:27	Emcy:	i thought it was a parody
02:00:08	Emcy:	that guy with the pink fringe that looks like a Hackers extra
02:00:10	Emcy:	wow
03:01:04	grubles:	Emcy, ???
08:40:37	randy-waterhouse:	http://beta.slashdot.org/story/205241
09:44:39	otoburb_:	otoburb_ is now known as Guest32810
09:53:10	Anduck_:	Anduck_ is now known as Anduck
10:00:14	Dr-G2:	Dr-G2 is now known as Dr-G
10:12:07	tobiaskim:	Quatloo-Trader API just upgraded with small fixes - lot of cool development in this - https://bitcointalk.org/index.php?topic=711966.0 - check out #QuatlooCoin where the trade-bot-developers hang out, they take community requests and implement them fast in this trade-app - perfect to trade your coins with automatic and you can make money with it while you are sleeping.
10:34:21	dansmith_btc2:	dansmith_btc2 is now known as dansmith_btc
11:11:26	Guyver2:	Guyver2 has left #bitcoin-wizards
11:21:47	dansmith3:	dansmith3 is now known as grandmaster2
11:38:18	atgreen:	jgarzik: gdb connectivity to moxiebox is starting to work
12:06:02	jgarzik:	atgreen, cool
12:06:42	jgarzik:	atgreen,
12:06:44	jgarzik:	=== configuring in build-gnulib (/home/jgarzik/local/build/gdb/build-gnulib)
12:06:46	jgarzik:	...
12:07:00	jgarzik:	checking whether makeinfo --split-size=5000000 supports @click... yes
12:07:00	jgarzik:	checking for default auto-load directory... $debugdir:$datadir/auto-load
12:07:01	jgarzik:	checking for default auto-load safe-path... $debugdir:$datadir/auto-load
12:07:01	jgarzik:	configure: error: configuration moxie-unknown-moxiebox is unsupported.
12:07:01	jgarzik:	make[1]: *** [configure-gdb] Error 1
12:07:11	jgarzik:	atgreen, Getting closer to building upstream binutils-gdb.git
12:07:26	jgarzik:	atgreen, config.sub seems to have landed in some places but not all?
12:36:11	Guest82968:	Guest82968 is now known as nimrods
13:54:43	tobiaskim:	All the cool kids trade Altcoins and Bitcoins with BOTS - now you can too - /join #quatloocoin to discover the community - and Download the Quatloo-Trader for Windows here: https://bitcointalk.org/index.php?topic=711966.0;all and connect it to Bittrex (Cryptsy, Mintpal, etc will be added one by one shortly) - The API is powered by 500 QuatlooCoin - so you need to get those here: https://bittrex.com/Market/Index?MarketName=BTC-Q
13:54:43	tobiaskim:	TL
13:58:19	sipa:	sipa has kicked tobiaskim from #bitcoin-wizards
15:35:22	petertod1:	kazure: best if yoi open issues for those things om github yourself; yes i am auditing counterparty
18:08:36	Guest24743:	Guest24743 is now known as smooth
18:11:17	zooko:	Dear #bitcoin-wizards: If you know Jon Matonis's email address, would you please private message it to me? Thanks.
18:37:13	Keefe_:	Keefe_ is now known as Keefe
19:43:24	gwollon:	gwollon is now known as gwillen
21:12:37	rdponticelli:	rdponticelli has left #bitcoin-wizards
22:00:09	andytoshi:	gmaxwell: i've updated https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt with a section on scripts, but i'm not happy with how wordy it is
22:47:23	jps_:	jps_ is now known as jps
22:48:46	fanquake:	fanquake has left #bitcoin-wizards