00:43:03kanzure:andytoshi: are there any proposals floating around for security-conscious integrated circuit manufacturing?
00:43:33kanzure:andytoshi: for example, circuit-level obfuscation that, when modified by the manufacturer, becomes obvious during program execution
00:44:02kanzure:or, circuit obfuscation that would take some amount of comptuational time to figure out here to hide the dopant trojans
00:44:06kanzure:*computational
00:44:12gmaxwell:so there are some papers where they can use precise timing to get high confidence that the circut is what you think it is... but these are still defeated by dopant flaws.
00:44:55gmaxwell:I've been thinking it would be interesting to use uniform combitoric logic (e.g. a FPGA) and then randomize the circuit you load... but kinda crazy power and space overhead.
00:45:00kanzure:dopant flaws require knowledge about where to insert the flaws, right?
00:45:14gmaxwell:right.
00:45:30andytoshi:kanzure: i don't know a think about it, in general "obfuscation" is synonymous with "secret crypto that is never published" tho :(
00:45:39kanzure:there might be generic dopant flaws that could be applied even in arbitrary circuits, but i'm at a loss for what to do about this
00:46:00kanzure:*generically-useful dopant flaws
00:46:11andytoshi:oh, i see, you are concerned about the designer being tricked by the mfg
00:46:22andytoshi:i was thinking, both are trying to prevent the user from modifying things
00:46:33kanzure:who is the user :)
00:47:18gmaxwell:kanzure: presumably my fpga notion could be narrowed to just have enough generality to implement a large number of possible circuits but not all...
00:47:19kanzure:i guess you could know about the class of generic dopant flaws, and attempt to test for that with precise timing tests
00:50:17kanzure:gmaxwell: so the worry is that the fpga manufacturer anticipated some of the circuits you would be loading up?
00:51:18gmaxwell:well the tradeoff is "use a FPGA" is probably sufficient unless the fpga maker knew your scheme in advance (e.g. and could reconize and replace your circuits in the loader)
00:51:35gmaxwell:but an FPGA is a rather extremely inefficient way to implement something.
00:52:16kanzure:well, inefficient solutions can be better than no solution heh
00:52:25gmaxwell:well if that works for you.
00:54:19gmaxwell:(esp since randomizing the circuit will have some large overhead too, at a minimum it will make the routing topology ugly)
00:55:15kanzure:"Obfusflow [Chakraborty and Bhunia, 2008] (and related follow-up work [Chakraborty and Bhunia, 2009]) is a method for preventing IP piracy. The general idea is to embed an authorization code in the hardware that can be turned on to convert the hardware from obfuscated mode — wherein functionality is broken — to normal mode. In order to get correct operation, the taped-out chip has to match a stored (on-chip) sequence of codes. If that ...
00:55:17gmaxwell:in any case, if your circuit is both randomized and uses voting, I think you can be very confident that no dopant flaws could be used.. though loader mischif would be harder.
00:55:21kanzure:... cannot be done, the behavior of the chip is essentially random, rendering it useless. The trade-off in this solution is area vs. anti-piracy (or anti-reverse-engineering) assurance because of the relatively high on-chip memory overheads"
00:55:54kanzure:(the anti-ip-piracy motivation is a little annoying, but i think their goals are the same)
00:56:45gmaxwell:(same kind of argument for anti-dopant would apply as does for the 'moonmathless ZKP' thing I posted)
01:01:45kanzure:is that voting between multiple implementations?
01:03:17kanzure:oh i forgot about http://diyhpl.us/~bryan/papers2/paperbot/Reversing%20Stealthy%20Dopant-Level%20Circuits.pdf
01:03:44kanzure:("use scanning electron microscopy and focused ion beams to get images of contact layers")
01:04:05kanzure:but that destroys the sample..
01:07:43gmaxwell:kanzure: the idea is that if you have a bag of circuits, and then you (unknown to the attacker) pool them randomly and then verify all the members of the pool disagree, it becomes very hard to make it such that a whole pool will be consistently wrong without having some partially wrong pools
02:47:57sipa:gmaxwell: have nodes for up to 5 or 6, for m-of-n with m>0 and n>6, and for "reference other node"
02:48:19sipa:gmaxwell: i have an encoding in mind
03:20:54NikolaiToryzin_:NikolaiToryzin_ is now known as NikolaiToryzin
03:33:50NikolaiToryzin:NikolaiToryzin is now known as AlexWagner
06:03:52_0meta:_0meta has left #bitcoin-wizards
08:04:31gmaxwell:sipa: how are you thinking of describing the fan-in. E.g. when you have a node with 5 or 6 inputs, ? .. hm. do you describe it backwards? e.g. a single bit out and a node that produces it, then just describe the input for every contributor?
08:05:17wolfe.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:05:17wolfe.freenode.net:Users on #bitcoin-wizards: andy-logbot cbeams arowser Starduster damethos AaronvanW comboy p15 irc88__ Happzz todaystomorrow x48 Dr-G2 pen jtimon copumpkin justanotheruser EasyAt fanquake wumpus coinheavy eristisk [7] [d__d] AlexWagner mortale hashtag emsid jgarzik nsh jaekwon dgenr8 K1773R devrandom Graftec koshii tromp__ jchp spinza waxwing coryfields xmj melvster go1111111 michagogo hollandais Guest36626 arubi _2539 postpre SDCDev altoz zenojis shesek mappum warren
08:05:17wolfe.freenode.net:Users on #bitcoin-wizards: jrayhawk jbenet LaptopZZ optimator_ pi07r Meeh Hunger-- Eliel poggy_ Luke-Jr Emcy_ Guest94465 kanzure danneu catcow TD-Linux Guest50253 helo smooth otoburb gwillen ryan-c nickler_ mmozeiko roasbeef pajarillo sl01 Keefe Dyaheon Grishnakh HaltingState rs0_ Gnosis nuke1989 ahmed_ZzZz wiretapped Muis artifexd Logicwax puszl nanotube espes__ andytoshi samson_ gavinandresen mkarrer rfreeman_w so zibbo lnovy dansmith_btc epscy tacotime LarsLarsen
08:05:18wolfe.freenode.net:Users on #bitcoin-wizards: OneFixt Fistful_of_coins BlueMatt Sangheili tromp wizkid057 a5m0 digitalmagus8 iddo starsoccer midnightmagic Adohgg berndj gribble Graet kinlo [Derek] pigeons BrainOverfl0w lianj_ Apocalyptic Iriez mr_burdell fluffypony bbrittain SomeoneWeird forrestv Anduck amiller Nightwolf Krellan BigBitz [\\\] Taek42 asoltys @ChanServ phedny petertodd burcin lechuga_ abc56889 Alanius Guest47516 throughnothing CodeShark harrow DoctorBTC gmaxwell
08:05:18wolfe.freenode.net:Users on #bitcoin-wizards: phantomcircuit HM crescendo nsh- bobke sipa
08:08:16sipa:gmaxwell: basically, yes
08:08:57gmaxwell:k. Sorry I didn't see how you were going to do it until the "hm" then it made sense to me. :)
08:09:06sipa:one way is having sort of an SSA form, where you give a list of expressions, and you're able to refer back to particular previous verious
08:09:10sipa:*variables
08:09:48sipa:i'm not sure that those very compact boolean networks are a good idea, anymore, though
08:10:04sipa:because they're very hard to introspect (... by a covenant, for example)
08:10:29sipa:i think you want to be able to enforce "the output script there has to enforce this property"
08:11:33gmaxwell:You can always require someone not use a feature though, so that wouldn't be the argument I'd use against them.
08:11:55sipa:fair point
08:12:55sipa:so, what i was thinking about (and it seems like it may be reasonable up to 5 inputs), is having nodes that not only encode the n-ary boolean function, but also its inputs
08:13:13sipa:and each input is allowed to be "true", "false" or "omitted"
08:14:47gmaxwell:I'd imagine the main point against them would be complexity vs space savings. Though if there is a simple tableish implementation of them the complexity may not be so bad... but the amount of space they can save over the worst case graph with just the and,or basis is bounded. (and even moreso with thresholds in the basis, since thresholds have bad depth as plain circuits over and,or)
08:14:56gmaxwell:sipa: what exactly is the implication of each of those states?
08:15:39sipa:the trues need to satisfy the predicate
08:15:56sipa:false or omitted are not evaluated
08:16:24sipa:for each omitted, there is a merkle hash
08:16:33sipa:for each true or false, there is a subexpression
08:16:43gmaxwell:oh and false would just be because its input is smaller than the hash that would replace it?
08:16:46sipa:yup
08:17:06sipa:which, together with deduplication, may be meaningful
08:17:34gmaxwell:hm, you mean refering to that subexpression elsewhere?
08:17:58sipa:for example, a checksig with a particular key could be referenced twice in the graph
08:18:10sipa:you'd rather give the actual checksig, and refer to it twice
08:18:16sipa:than give the merkle hash for it twice
08:18:21gmaxwell:(otherwise I was about to suggest than perhaps the length encoding for that subexpression could actually force it it to be <= the size of the hash)
08:18:58sipa:it may be overkill though
08:19:23sipa:only having given/omitted for each of the input may be easier
08:19:38sipa:and actual evaluate it
08:20:00sipa:but allow a checksig and falsechecksig, the latter of which is not evaluated, but does provide a hash
08:21:16sipa:for a&(b|c), the observation is that there are only 4 meaningful inputs: (true,true,false), (true,true,omitted), (true,false,true), (true,omitted,true)
08:21:54sipa:while the generic case with given/omitted for each input has 8 combinations
08:22:17sipa:hmm
08:22:49gmaxwell:hm, well you could first select which of the sensible satisfactions you're using, and then code which of the omitted ones you're giving explicitly anyways.
08:23:24sipa:yeah, false/omitted is just one bit per non-required input
08:25:04gmaxwell:even that could be omitted in a sufficently complex encoding, e.g. explore all the true paths first. then resolve references, then fill in any remaining omitted branches which weren't backwards filled.
08:25:44sipa:?
08:27:15Happzz:you guys don't justify what we pay you.
08:27:19Happzz:* Happzz hides
08:29:07gmaxwell:sipa: you signal true/omitted. but only give data along the true paths. Some of the data on true paths is references to prior subexpressions, which may be omitted ones (uh, with a constrant to avoid cycles).
08:29:32gmaxwell:if it was a true reference to an omitted one, you provide the subexpression then.
08:29:39gmaxwell:at the end anything that is still omitted gets its hash provided.
08:29:58gmaxwell:so there is no false vs omitted signaling, and no subexpression or subexpression hash is repeated.
08:30:47gmaxwell:and the 'true' signaling can be restricted to necessary and sufficent. E.g. a&&(b||c) needs to only code one truth bit (if b or c is the true path)
08:31:13sipa:yes, that's what i mean
08:31:21sipa:the false/omitted thing is a bit of a distraction
08:31:54gmaxwell:I'm just saying that it needs no signaling if the coding of hashes is defered until the end.
08:31:56sipa:but in the larger cases, the number of meaningful independent ways to satisfy the predicates isn't too much
09:01:47Guest94465:Guest94465 is now known as UukGoblin
09:19:36fluffypony:t
10:22:29ahmed_ZzZz:ahmed_ZzZz is now known as ahmed_uni
11:06:35MRL-Relay:[davidlatapie] Why a relay? Can't they just get there?
11:06:46MRL-Relay:[davidlatapie] Not that I am against it, just wondering
11:15:28wumpus:what is this relay?
11:16:04fluffypony:wumpus: Monero Research Lab
11:16:25wumpus:aha
13:21:35Taek42:Do you think there would be use for a lightweight blockchain that's primary purpose was a ledger
13:21:46Taek42:for example, currnetly when I update my system I contact a centralized size
13:22:02Taek42:but what if instead, I looked at a blockchain to figure out what version is the latest released
13:22:14Taek42:and that blockchain came from the dev's address or whatever
13:22:32Taek42:***the update transaction
13:23:00andytoshi:this is what git does
13:23:37fluffypony:and, if critical, the alert system can be used to notify people that a mandatory update is available
13:24:07Taek42:oh hmmm. I've never used git beyond github
13:25:40stonecoldpat:taek42: would it be based on a pow? Or just a chain of signatures ?
13:26:16Taek42:stonecoldpat it would still be pow. The idea is just to have a decentralized way of knowing when versions were released and which is the most recent
13:26:49Taek42:from wikipedia: "no canonical copy of the codebase exists by default, only working copies"
13:27:43Taek42:so you could use something like a blockchain to signal 'canonical' copies without needing a centralized source. Although I guess you could also just have a file in your repo that does the same thing.
13:29:09stonecoldpat:taek42: a pow may be over the top ? and you probably dont trust the majority of the world - just a select few in that type of system? (if its referring to latest code etc), i don't know how git works myself, but just a blockchain that iteratively has people signing each block, giving their approval for that release, may be useful?
13:30:07stonecoldpat:obviously the block with the most signatures would be part of the chain
13:31:15Taek42:well the idea isn't that you'd use one blockchain per software project, instead you'd have a single blockchain that documents all software projects. So, instead of going to gentoo.org to find the latest versions of stuff, I would just check my local copy of the software blockchain.
13:32:38stonecoldpat:taek42: just depends on the incentive for people to do the pow really, you could easily build it into of bitcoin and take advantage of the pow available. Put the software hash / details inside OP_RETURN and sign it from a well-known pubkey
13:33:03stonecoldpat:then the chain of transactions would be your blockchain, in a way
14:00:34Eliel:stonecoldpat: pow is useful for making it difficult to forge old release announcement even if the keys are stolen.
14:14:05stonecoldpat:Eliel: of course, that's why I said it depends on the incentive for people to do that - but you have the ultimate public bulletin board available with a pow that you wouldnt be able to match, i imagine you could have an spv client that follows a bitcoin address (software owner) - and this way you only receive transactions from that bitcoin address - which would make it very lightweight.
14:14:05stonecoldpat:(i'm just throwing out an idea, not that its the best, its probably not)
15:01:04Eliel:stonecoldpat: well, transactions do form a chain of hashes too.
17:30:55sipa:gmaxwell: schnorr verification in libsecp256k1 is 2-5% faster than ecdsa...
17:31:04sipa:i was hoping for more
17:31:29sipa:this is with GMP, which has very fast scalar operations (which is the largest difference between schnorr and ecdsa)
18:21:41Dizzle__:Dizzle__ is now known as Dizzle
20:00:55andytoshi:it may interest the crypto nerds here that "strong signature" is the standard term for what we have been calling "non-malleable", i.e. a sig for which an adversary cannot forge even for a message he has already seen a valid sig for
20:01:32andytoshi:so if you were trying to create a provably nonmalleable script-based signature scheme, you'd require any signature-of-knowledge opcodes to be strong signatures
20:02:03Eliel:finally looked up and read about schnorr signatures. It reminds me of the ring signature algorithm in cryptonote.
20:03:15phantomcircuit:andytoshi, malleable of course covers the entire tx
20:03:16phantomcircuit:but yes
20:04:55andytoshi:phantomcircuit: yeah, but we had been abusing terminology to refer to ecdsa itself as "malleable" which is not correct
20:05:10andytoshi:a literally malleable signature would let you modify the message out from under the sig
20:05:34andytoshi:Eliel: yes, a schnorr sig is the standard way to prove knowledge of a discrete logarithm
20:07:43andytoshi:it is a testament to how quickly crypto moves that that was patent-eligible at one point...today you could not get your name on such a simple idea
20:08:53Eliel:yes, it's a delightfully simple algo :)
20:11:04justanotheruser:Are sidechains redemptions probably going to require a bond that can be redeemed with someone who has created a fraud proof?
20:11:29justanotheruser:or is there going to be any method of directly incentivizing fraud proofs?
20:11:50andytoshi:well, fraud proofs are already incentivized by "if you don't make one your currency will be inflated by a thief"
20:12:11andytoshi:but there may need to be some sort of bond to deal with network fees
20:12:24justanotheruser:yeah
20:12:31justanotheruser:fraud proofs will not be free
20:12:53andytoshi:well, the proofs themselves could be free
20:13:06justanotheruser:there is a fee
20:13:09andytoshi:the problem is, if i post a sidechain transfer, pay a bunch of fees, then you prove it was fraudulent, how do you get the miner fees that i (the fraudster) have paid?
20:13:19andytoshi:justanotheruser: what fee?
20:13:30justanotheruser:andytoshi: transaction fee?
20:13:37justanotheruser:Or am I mistaking how a fraud proof would work
20:13:40andytoshi:the miners don't want inflation either
20:13:45andytoshi:they would let fraud proofs be posted for free
20:13:53justanotheruser:so they are paying the fee
20:14:28andytoshi:sure, if space is so limited that they are losing fees by including the reorg proof, they are eating that
20:21:51Eliel:of course, you could have a separate limit for valid fraud proofs
20:22:07justanotheruser:a separate limit?
20:22:48justanotheruser:also, there will need to be a decision to be made between blockchain bloat and utxo bloat, right? You can either keep the SPV proof information in the UTXO so it can be extended or you can do a new UTXO proof each time
20:23:08justanotheruser:s/UTXO proof/SPV proof
20:23:17fluffypony:we face that challenge with Monero - lots of conflation of "utxo bloat" with "blockchain bloat"
20:23:22fluffypony:when the two are no the same
20:23:35andytoshi:i think "new proof every time" is by far the simpler thing..
20:24:05Eliel:fluffypony: I thought utxo is a mostly useless concept with monero.
20:24:20fluffypony:Eliel: on the contrary, it's critical to the protoocl
20:24:22fluffypony:*protocol
20:24:24andytoshi:plus you generally favour blockchain bloat over utxo block whenever there is an option, the blockchain is stored by archival nodes while the utxo set must be stored by all full nodes
20:24:48Eliel:fluffypony: oh right, the key images?
20:24:51fluffypony:if you mix you do so with utxo's, and unless a utxo is spent at mixin 0 it remains a utxo forever
20:25:10justanotheruser:* justanotheruser wonders what the conversion rate is between utxo bloat and blockchain bloat
20:25:11fluffypony:no, key images are different, they're there to prevent obvious double-spends
20:26:39fluffypony:Eliel: in our 2.4gb-ish blockchain (physically, on disk) m_outputs (utxoset) is ~465mb, and m_spent_keys (key images) is ~266mb
20:26:43Eliel:fluffypony: ah right, you don't have an utxo set, you have a potential utxo set.
20:27:28fluffypony:Eliel: yes - well, or maybe more correctly "assumed-still-utxo set" ;)
21:55:27Eliel:is it safe to use the same k variable in multiple different signatures with schnorr signature?
21:55:49gmaxwell:no.
22:18:13ahmed_uni:ahmed_uni is now known as ahmed_
23:11:02andytoshi:Eliel: in both cases you are creating a line determined by your nonce and secret key (roughly, one is slope, the other y-intercept) as well as a point on this line determined by the message. because the map x -> xG is homomorphic from modular addition to group addition, by providing xG and kG you can allow others to verify the point is on this line, but the hardness of discrete log means they cannot
23:11:04andytoshi:determine the line itself
23:11:15andytoshi:but if you publish two points, that determines the line, and all your secrecy is in vain
23:32:01x48_:x48_ is now known as x48