00:22:33 andytoshi: gmaxwell: right now in bytecoin you can't have arbitrary scripts because ringsigs are too fundamental to the tx construction..
00:22:53 andytoshi: does your script-deniability scheme (can't think of a good name) fix this?
00:23:54 andytoshi: no, i guess not... the actual contents of the script will not have any anonymity set to them
00:27:03 andytoshi: otoh cryptonote does have a tiny accumulator-based script which you can use for multisig (basically, it counts valid signatures). i wonder what the satisfiability requirements for those are..
00:28:38 gmaxwell: andytoshi: what's in the paper is a very limited scheme (that is sadly confused and misses the point of things, e.g. it thinks you can replace hashlocked transactions with a KDF, totally breaking the possibility of atomic cross-chain swaps), and use of that scheme basically breaks all the anonymity properties.
00:29:09 andytoshi: ah, i had remembered the anonymity being totally broken but not the details of how
00:29:13 gmaxwell: What I propose partially recovers them since every txin could potentially be a txin for some fancy script.
00:30:11 andytoshi: and i haven't looked too deeply into cross-chain swaps, that was gonna be a first application of wizards-wallet and then i decided to rewrite a coinjoin server first
00:31:28 gmaxwell: andytoshi: basically they say if you want to 'puzzle' lock a transaction just use a kdf and sign like normal with that key as a required signature. Of course, I am slapping my forehead because the whole goal in an atomic swap is to _not_ be zero knowledge. You want to make publication of one signature enable the other.
00:33:50 andytoshi: KDF on what? you have to expose the puzzle solution as well as a signature with a key derived from it?
00:34:05 andytoshi: that's not ZK
00:34:44 gmaxwell: andytoshi: no, as in you don't expose the puzzle solution, you use it as a private key.
00:35:28 gmaxwell: They thought the purpose of hash locking was because bitcoin's authors were too stupid to know that you could convert an arbitrary string into a DSA private key.
00:36:06 andytoshi: if you use the solution as a private key, how can anyone verify that it's a solution?
00:36:20 gmaxwell: by comparison with the public key.
00:36:22 andytoshi: you have to know the solution when creating the output?
00:36:31 gmaxwell: yes, you do for a hash lock too
00:36:49 andytoshi: ok, sorry, when you were talking about 'puzzles' i thought you meant like PT's preimage challenges
00:37:02 andytoshi: i gotcha now
00:37:13 fanquake: fanquake has left #bitcoin-wizards
00:37:15 gmaxwell: "I want to pay to someone who knows the name of my dog, which hash sha1 631388fa042cfc8ec603b004a54eaeb34996f2ec" which is completely moronic
00:37:28 gmaxwell: I guess this is some of the problems that are created when things are explained with toy examples.
00:38:41 gmaxwell: since someone would see that example and just say "okay, well replace to 'KDF*G's out to pubkey 02xxx'" which is fine and all, but not actually what hashlocking is useful for.
00:38:53 andytoshi: yeah, for the toy example using the dog's name as a key would actually be better
00:39:19 gmaxwell: yep... and people were doing that in bitcoin before a hash locked txn ever showed up in the blockchain.
00:42:28 andytoshi: ok, so i was thinking about M-of-N specifically, can we construct a multisig script
00:43:16 andytoshi: where you can appear to satisfy the script, you can treat any output as a M-of-N output (for your specific M, N)
00:43:57 andytoshi: ..i should just read their scheme again, it's like one paragraph long..
00:45:33 gmaxwell: andytoshi: I'd be somewhat surprised if there isn't just a way to threshold compute these signatures.
00:45:42 gmaxwell: (for the M of N case)
00:45:51 gmaxwell: obviously the first thing to try would be 2 of 2.
00:46:22 andytoshi: yeah, i'm meaning to do this but i keep using all my good brain cycles chasing rust bugs
00:47:01 andytoshi: so i was hoping i could do something stupid and just stick the breaks-anonymity bytecoin multisig scheme into your script-deniability scheme and get something workable out
00:55:20 andytoshi: specifically, their scheme wrecks anonymity by making you specify the keys to participate in the multisig. but we could maybe put a list of keys inside the hash, and construct it somehow so that only one set of keys actually has corresponding privkeys
00:56:33 gmaxwell: andytoshi: I think you're overcomplexifying things.
00:57:19 andytoshi: yeah, i think you're right, i don't see how this gets past my high-level problems i talked about the other night
00:57:50 gmaxwell: Hello network, I want to spend script 2/3{a,b,c} which I prove is the script for a coin on the network by proving knowledge of private key X, such that X is committed to by one of {Q+script,W+script,Y+script}
00:57:53 andytoshi: i.e. either your script proves some knowledge -or- it can be "satisfied" in a weak way that'll let it participate in an anonymity set for a third party
00:58:03 andytoshi: can't have both
00:58:40 gmaxwell: then you provide signatures Ring_Q,W,Y and conventional A,B
00:59:19 gmaxwell: and this proves that one of Q,W,Y was a commitment to the 2/3{a,b,c} script, but doesn't tell you which one.
00:59:39 andytoshi: yeah, i get that..
00:59:43 gmaxwell: okay. whew.
01:00:42 andytoshi: i was still thinking about letting people copy the script the way they can copy the value
01:01:03 andytoshi: so that somebody using different i values but the same script doesn't prove that they're the same person
01:01:50 andytoshi: but i continue to think that's impossible (no matter how badly you weaken the script)
01:12:00 andytoshi: gmaxwell: i've updated https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt with a section to describe the anonymity hit from reusing {P, V, n} with different i... does this make sense to you?
01:12:53 andytoshi: also, anyone who didn't understand the scheme from the start is welcome to chip in -- i'm trying to make this accessible :)
01:13:26 gmaxwell: andytoshi: I think that's sensible, but perhaps not super clear.
01:13:40 andytoshi: it's hard to describe, there are too many variables :/
01:14:52 andytoshi: "this anonymity risk -- that real outputs share a property while ghost outputs do not -- will become more serious in the next section"
01:15:25 andytoshi: if i add that, i think that'll summarize what the problem is
01:15:58 gmaxwell: sounds good.
01:18:04 gmaxwell: hah: https://www.nsa.gov/ redirects to http://www.nsa.gov/ subtle message?
01:18:30 sipa: No 's' Anymore.
01:59:19 Emcy: oh wow that recruitment video is real, it's on nsa.gov domain
01:59:27 Emcy: i thought it was a parody
02:00:08 Emcy: that guy with the pink fringe that looks like a Hackers extra
03:01:04 grubles: Emcy, ???
09:44:39 otoburb_: otoburb_ is now known as Guest32810
09:53:10 Anduck_: Anduck_ is now known as Anduck
10:00:14 Dr-G2: Dr-G2 is now known as Dr-G
10:12:07 tobiaskim: Quatloo-Trader API just upgraded with small fixes - lot of cool development in this - https://bitcointalk.org/index.php?topic=711966.0 - check out #QuatlooCoin where the trade-bot-developers hang out, they take community requests and implement them fast in this trade-app - perfect to trade your coins with automatic and you can make money with it while you are sleeping.
10:34:21 dansmith_btc2: dansmith_btc2 is now known as dansmith_btc
11:11:26 Guyver2: Guyver2 has left #bitcoin-wizards
11:21:47 dansmith3: dansmith3 is now known as grandmaster2
11:38:18 atgreen: jgarzik: gdb connectivity to moxiebox is starting to work
12:06:02 jgarzik: atgreen, cool
12:06:44 jgarzik: === configuring in build-gnulib (/home/jgarzik/local/build/gdb/build-gnulib)
12:07:00 jgarzik: checking whether makeinfo --split-size=5000000 supports @click... yes
12:07:00 jgarzik: checking for default auto-load directory... $debugdir:$datadir/auto-load
12:07:01 jgarzik: checking for default auto-load safe-path... $debugdir:$datadir/auto-load
12:07:01 jgarzik: configure: error: configuration moxie-unknown-moxiebox is unsupported.
12:07:01 jgarzik: make[1]: *** [configure-gdb] Error 1
12:07:11 jgarzik: atgreen, Getting closer to building upstream binutils-gdb.git
12:07:26 jgarzik: atgreen, config.sub seems to have landed in some places but not all?
12:36:11 Guest82968: Guest82968 is now known as nimrods
13:54:43 tobiaskim: All the cool kids trade Altcoins and Bitcoins with BOTS - now you can too - /join #quatloocoin to discover the community - and Download the Quatloo-Trader for Windows here: https://bitcointalk.org/index.php?topic=711966.0;all and connect it to Bittrex (Cryptsy, Mintpal, etc will be added one by one shortly) - The API is powered by 500 QuatlooCoin - so you need to get those here: https://bittrex.com/Market/Index?MarketName=BTC-Q
13:58:19 sipa: sipa has kicked tobiaskim from #bitcoin-wizards
15:35:22 petertod1: kazure: best if you open issues for those things on github yourself; yes i am auditing counterparty
18:08:36 Guest24743: Guest24743 is now known as smooth
18:11:17 zooko: Dear #bitcoin-wizards: If you know Jon Matonis's email address, would you please private message it to me? Thanks.
18:37:13 Keefe_: Keefe_ is now known as Keefe
19:43:24 gwollon: gwollon is now known as gwillen
21:12:37 rdponticelli: rdponticelli has left #bitcoin-wizards
22:00:09 andytoshi: gmaxwell: i've updated https://download.wpsoftware.net/bitcoin/wizardry/brs-arbitrary-output-sizes.txt with a section on scripts, but i'm not happy with how wordy it is
22:47:23 jps_: jps_ is now known as jps
22:48:46 fanquake: fanquake has left #bitcoin-wizards