06:17:35 | cookie: | are there any zero knowledge zk snarks systems in existence? |
06:18:27 | sipa: | zkzk snarks? :p |
06:22:48 | gmaxwell: | I heard they use them for ATM machines. |
06:23:52 | sipa: | the SMS short message system uses them afaik |
06:24:15 | gmaxwell: | cookie: There is libsnark, but I'm guessing this isn't likely to be useful to you if you didn't already know about it. |
06:24:28 | cookie: | lol sipa |
06:25:02 | cookie: | no i meant projects using it already |
06:27:30 | cookie: | i've been wondering for a while if proof of funds scheme could be replaced by a zkp |
06:27:52 | cookie: | for an hour to be exact lol. |
06:28:13 | gmaxwell: | I've described pretty extensively in here before what's required. |
06:28:19 | gmaxwell: | go check the logs. |
06:28:23 | cookie: | ah crap |
06:28:26 | cookie: | how do i do that? |
06:28:41 | gmaxwell: | wget and grep? http://download.wpsoftware.net/bitcoin/wizards/ |
06:28:46 | kanzure: | http://google.com/search?q=site:http://download.wpsoftware.net/bitcoin/wizards/+gmaxwell+zkp+something |
06:29:18 | cookie: | gmaxwell what do you think about Peter Todd's proof of funds? |
06:29:36 | gmaxwell: | I think you've made me sad and I'm going to go away now. |
06:29:36 | gmaxwell: | gmaxwell has left #bitcoin-wizards |
06:29:58 | cookie: | =( |
06:34:56 | cookie: | kanzure: thanks, so many logs. |
06:50:03 | gmaxwell: | jgarzik: I've got another application for moxie box— verifying the code is constant time. |
06:50:37 | gmaxwell: | e.g. CI tests on libsecp256k1 could do this. |
07:14:01 | gandalfthegrey: | fly you fools |
07:25:46 | Luke-Jr: | gmaxwell: intentionally not letting him actually fly? :p |
07:25:54 | Luke-Jr: | oh, he left on his own |
08:05:16 | barjavel.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged at http://download.wpsoftware.net/bitcoin/wizards/. For questions about the logs talk to andytoshi. |
08:09:02 | BlueMatt: | I think you've made me sad and I'm going to go away now. <-- can we get this in a topic somewhere? |
08:09:22 | BlueMatt: | "dont make gamxwell sad, dont ask noob questions" |
08:26:09 | sipa: | i wonder how he feels about typo's in his nickname |
08:44:49 | Luke-Jr: | IMO that was a case for +q <.< |
12:17:51 | jgarzik: | gmaxwell, RE constant time... I had an interesting thought related to that and crypto-accelerators. |
12:18:11 | jgarzik: | gmaxwell, right now, without accel, things are slower but CPU accounting is accurate. |
12:18:40 | jgarzik: | gmaxwell, with accel, you jump out of the simulator to run OpenSSL code, making CPU budget accounting much, much more difficult. |
12:21:54 | gmaxwell: | jgarzik: indeed, my thinking was that part of the accelerator definition would be the number of 'cycles' they take. |
12:22:28 | gmaxwell: | and have that just be part of the system definition or 'accelerator version' definition. |
12:23:24 | gmaxwell: | and care should be taken to budget for their worst case. (easy for most direct crypto primitives, harder for— say— a bignum accelerator set) |
12:27:50 | jgarzik: | gmaxwell, Indeed. I was planning on going dumb, initially: "if (crypto accel) cpu_cycles += 10000;" (ie. treat a crypto instruction as taking 10,000 cpu cycles) Not the best logic, but it gives a very rough approximation for moxiebox. |
12:29:52 | jgarzik: | gmaxwell, Including bitcoin transaction and script verf in the moxiebox runtime lib should be easy, too. Obviously, you have to provide the full transaction inputs of the TX being verf'd, since there is no I/O, there is no blockchain or other data to query. |
12:30:03 | gmaxwell: | yea, can be tuned later. I imagine that adjusting for real costs will find they're not all that high. |
12:30:48 | gmaxwell: | e.g. so if a busyloop of accele-sha256 and moxie-sha256 are compared I bet the cost of an accele-sha256 is only a fairly small number of cycles. |
12:31:19 | jgarzik: | agreed |
12:31:25 | jgarzik: | I just worry about algorithmic attacks |
12:31:51 | gmaxwell: | sha256 and the ecdsa operations have clearly defined upper bounds at least. |
12:31:58 | jgarzik: | ie. budget A cycles, but sneaky person figures out how to make an algorithm behave wildly different from your guess |
12:32:01 | jgarzik: | yes |
12:32:06 | gmaxwell: | (well sha256 is ~constant) |
12:33:22 | gmaxwell: | jgarzik: yea, wrt transaction and script this is partly why I think the C ports of bitcoin-qt code are interesting. :) |
12:34:01 | jgarzik: | it seems easy to abuse a bignum implementation, if bignum accel primitives are exported. MUCH less so for aes, sha256, ... |
12:34:26 | jgarzik: | well, s/easy/more difficult to account/ |
12:34:35 | jgarzik: | well, s/easy to abuse/more difficult to account/ |
12:34:38 | gmaxwell: | yea, a generic bignum is trivially abusable if great care isn't taken to confine it. |
12:36:43 | jgarzik: | Related: For sha256 accel, I was going to add number-of-rounds as an input. Makes implementing double-sha256 easy, but provides interesting properties if the round count is simply a variable. |
12:36:59 | jgarzik: | AES functions in some C libs take a round count, so why count start doing it with hashes too. |
12:37:13 | jgarzik: | sigh. *so why not start.... |
12:37:19 | jgarzik: | * jgarzik goes to look for coffee (Pepsi) |
12:37:33 | gmaxwell: | because sha256 isn't just a set of rounds, there is message expansion and the length adding and such? |
12:37:52 | gmaxwell: | (though you could have a sha256 round function call, and have the caller implement the complete function) |
12:38:09 | jgarzik: | gmaxwell, I view it as a tail call or extra finalization step |
12:38:50 | gmaxwell: | though the accelerator can be faster for long messages if you just pass in a pointer to the whole message and a length, as there are techniques to accelerate when working on multiple blocks at once (see the avx2 sha512 in the linux kernel) |
12:40:18 | gmaxwell: | (meh, you've written a miner, no need for me to lecture you on what sha256 looks like!) |
12:41:19 | gmaxwell: | w.r.t. round function, see the intel instruction set for broadwell. |
12:42:04 | gmaxwell: | but I suspect something exposed as a round function won't be able to get within a factor of 3 of the speed of one that has 'hash this stuff' interface. |
12:44:54 | jgarzik: | gmaxwell, nod there are two levels. The existing cpu instructions, such as Intel's, tend to implement "the meat", ie. hash or crypto one block BLOCK_SIZE block of [AES | SHA256] but leave the setup and finalize to non-accel code. I think there is sufficient utility in a higher level doit(data,len,rounds) |
12:45:08 | jgarzik: | so, implement both |
12:45:47 | jgarzik: | metaphorically, implement SHA256() and SHA256_Update() in accelerated code. |
13:26:41 | jgarzik: | As this is also appropriate -wizards material, here is mmx-test.c: https://gist.github.com/jgarzik/2e2c4373b88d90ee4859 |
13:26:57 | jgarzik: | C (w/ inline asm) for storing uint256's in registers, rather than RAM. |
14:53:46 | andytoshi: | judging from the abstract, no content but probably very silly: http://arxiv.org/abs/1408.2824 |
14:56:40 | nsh: | raises more kookery flags than biting satire flags, sadly |
15:03:06 | jgarzik: | It's not just cryptographic.... it's cryptocubic! |
15:03:52 | gmaxwell: | Not temporal cubic? |
15:04:03 | gmaxwell: | (http://www.timecube.com/) |
15:04:54 | wumpus: | cryptocubists are just repressed temporal cubists |
15:08:31 | nsh: | we joke, but at some point someone will or already has contrasted the development of the aperspectival vantage in cubism with the elaboration of systems of decentralised consensuation |
15:08:37 | nsh: | or words like that |
15:08:53 | nsh: | Cubism and Relativity -- http://www.jstor.org/discover/10.2307/774982?uid=3738032&uid=2&uid=4&sid=21104055796361 |
15:48:01 | andytoshi: | do sidechains require sidechain validators to also be bitcoin validators? is there any clever way around this? |
15:48:53 | Luke-Jr: | andytoshi: they don't. |
15:48:54 | nsh: | how do you mean? |
15:49:15 | Luke-Jr: | andytoshi: they don't even need to be PoW-based |
15:50:26 | andytoshi: | Luke-Jr: they still need to be aware of transfers |
15:50:31 | andytoshi: | i don't see what PoW would have to do with it |
15:50:57 | andytoshi: | oh, i see, with a private chain you could just trust the chain signer |
15:51:00 | Luke-Jr: | andytoshi: transfers are just SPV validation, more or less |
15:52:13 | gmaxwell: | andytoshi: You can use the same mechenism in both directions, though you could get a stronger security argument if it was tightly coupled on one side. |
15:52:25 | gmaxwell: | mechanism* |
15:52:34 | andytoshi: | ok, sure |
15:52:41 | andytoshi: | i was hoping the answer wouldn't be so open-ended :) |
15:53:19 | andytoshi: | it is in some sense easier to do full validation when transferring into a sidechain, since there is one bitcoin and many sidechains (in the "bitcoin is the center of the universe" model) |
15:53:28 | gmaxwell: | I mean, I've mostly envisioned it as being tightly coupled on one side because why not, validating bitcoin is cheap and.. exactly. |
15:54:04 | gmaxwell: | the only case where I've really thought it interesting to do otherwise is when you're simultaneously 2-way pegging against multiple chains. |
15:55:38 | andytoshi: | ok, that's in line with what i was thinking |
16:20:47 | andytoshi: | tw |
16:49:49 | tromp__: | amazing what kind of garbage passes for whitepaper these days; https://www.dropbox.com/s/m5nop0ev0jn16t6/whitepaper.pdf |
16:55:28 | gmaxwell: | tromp__: pft. well it's not asking for money at least! |
16:56:02 | tacotime_: | haha. |
16:56:45 | tromp__: | someone used this for some scammy ipo: https://bitcointalk.org/index.php?topic=739018.0 |
17:00:46 | gmaxwell: | tromp__: ah. nevermind then! |
17:01:24 | tromp__: | i guess behind every crappy whitepaper there is a scammy coin |
17:01:31 | gmaxwell: | Or three. |
17:04:05 | hearn: | tromp__: lol |
17:04:24 | hearn: | "BitKey\texttrademark is an platform- and cryptocurrency-independent softwarepackage" |
17:04:27 | hearn: | looks legit |
17:04:56 | gmaxwell: | I giggled at the thought of emailing them to let them know that fraudulently claiming to have a registered mark is unlawful in the US. |
17:05:59 | gmaxwell: | "scamcoin foiled by lifebuoy soap poisoning" |
17:06:21 | justanotheruser: | gmaxwell: tms don't require registration |
17:07:04 | gmaxwell: | justanotheruser: they do— if you hold out that you have a _registered mark_ it's some administrative code violation, with no real consequence except gumming up your trademark enforcement. |
17:07:57 | justanotheruser: | gmaxwell: where do they have (R)? |
17:08:19 | gmaxwell: | (normally you need to use the circle-r mark to end up in that state, but if you had an intent of misleading people, e.g. here where it looks like they are just using it to create false authority, then you can still run afoul) |
17:09:21 | helo: | * helo ™ |
17:09:34 | tacotime_: | helo, take my money |
17:10:37 | gmaxwell: | I like that their whitepaper seems to be claiming that they've been NSA-inside enhanced via inclusion of secp256_r_1 |
17:12:04 | justanotheruser: | helo: when is your IPO? |
17:17:45 | gmaxwell: | going the route of dank and his failed personal singularity? https://bitcointalk.org/index.php?topic=93003.0 |
17:20:20 | justanotheruser: | "By the end of this year, 2012, I believe I will be a highly known guitarist/musician. This time frame may seem unrealistically short, for I have only started playing electric guitar towards the end of August, but recent realizations have led me to believe this is possible." |
17:20:26 | justanotheruser: | wat |
17:23:58 | tromp__: | it's like the Nigerian spam having red flags on purpose in order to target only the most gullible of ppl |
17:25:00 | gmaxwell: | serves a dual use, when it eventually doesn't pan out you think "I was an idiot, what did I expect? I better tell no one." |