00:55:34kanzure:you must be thinking about something else
01:01:35longandshort:Hey guys/gals
01:01:51longandshort:im wondering if i could get someone's expert opinion
01:02:12longandshort:with regards to chandran signatures and the stealthsend whitepaper
01:02:26longandshort:which is here https://www.dropbox.com/s/do4urdefwoungjz/Stealthsend-Whitepaper-Brief-201409.pdf?dl=0
01:03:18longandshort:im in a debate with their community over their dev's claims that they are not in fact linkable/traceable in the way that paper implies. can somebody give me their precious time and give me their opinion?
01:03:28longandshort:sorry for my terrible typing
01:05:21longandshort:currently i dont believe the dev is capable of implementing chandran sigs in the way he is implying because they are not linkable/traceable
01:32:05longandshort:anyone lol
03:26:48andytoshi:longandshort: that wp certainly doesn't inspire confidence..
03:27:20longandshort:i just want another view because i cant seem to get through to the community here
03:27:52longandshort:and its an industry wide issue because it affects the rest of the anon networks that this coin damages user confidence etc etc blabla lol
03:28:23andytoshi:this nonce thing is pretty clever
03:28:44andytoshi:though it requires something like my and gmaxwell's output value blinding to work properly with output values..
03:29:48andytoshi:calling two nonces "O(0)" space is a weird use of the number 0..
03:29:56longandshort:they are implying that cryptonote's group sig will solve the unlinkable/traceable issue
03:30:15andytoshi:is that right? i'm still perusing the nonce page..
03:30:22longandshort:my bad
03:30:34longandshort:i dont think its applicable
03:30:57andytoshi:wat "scrypt is low energy"
03:31:16longandshort:sorry im tired, that's funny
03:31:34longandshort:gday luke
03:31:40andytoshi:longandshort: appears there is no mention of linkability at all in the wp
03:32:01longandshort:btw i have mancrush on you all just gonna put that out there thankyou all for your contributions
03:32:21andytoshi::P very flattering
03:32:27longandshort:tis true
03:32:33sipa:andytoshi: O(0) implies that for some x, every input over x results in an output 0
03:33:07Luke-Jr:longandshort: btw, please don't make an altcoin for this :/
03:33:18longandshort:Luke-Jr lol
03:33:27longandshort:not a chance not even a chance mate
03:33:52andytoshi:sipa: for all ε exists L such that inputs > x are < ε no?
03:34:02longandshort:it is what im trying so hard right now to present to their toxic community: it is impossible and vaporware
03:34:07Luke-Jr:longandshort: "Therefore, stealthsend will be a proof-of-work coin,"
03:34:21longandshort:6 minute long blocktime
03:34:36andytoshi:other problems here are that they are using pairing-based crypto for signatures, it will take literally a thousand times as long to validate sigs as it does in bitcoin..
03:35:31Luke-Jr:longandshort: oh, this isn't yours?
03:36:11longandshort:Luke-Jr im after more expert opinions to back up my claims that it is not possible what they are implying
03:36:33longandshort:they didnt know how to pick the correct paper
03:36:34andytoshi:well, i suspect it's possible ... given a pairing it should be easy to devise a key image
03:36:43andytoshi:maybe not. i don't really wanna try :)
03:37:15longandshort:sub-linear traceable ring signatures could operate on the same principle as what they are implying, but chandran signatures aren't linkable / traceable
03:37:17andytoshi:but given the level of reasoning displayed in the wp, i don't think they'd be able to produce a provably-secure scheme with a key image
03:38:21andytoshi:longandshort: right. but bytecoin sigs were based on a scheme by fujisaki/suzuki that wasn't linkable in a way that was usable for a cryptocurrency...but the cn people hacked it up a bit to get one that was
03:39:05longandshort:right with their group sigs
03:39:06andytoshi:ofc, hacking an already-linkable scheme to be linkable in a slightly different way is a much easier job than introducing linkability where there was none before. in particular, CN was able to reuse the FS security proof almost verbatim
03:39:24longandshort:but comes with bloat
03:39:36andytoshi:longandshort: a "group sig" has a trusted dealer/setup, a "ring sig" does not, are you using the right terminology?
03:39:44andytoshi:i think, "group signature" is never interesting here :)
03:40:14longandshort:sorry i am tired they keep pointing me to 4.1 of the cn paper https://cryptonote.org/whitepaper.pdf
03:41:20andytoshi:section 4.1 says what i just said :)
03:41:23longandshort:we don't think they have the right paper for what they want to achieve
03:41:44andytoshi:well, they definitely don't, as you say these sublinear-size ringsigs are not usable as is
03:41:49longandshort:almost to the "T" :)
03:42:24andytoshi:and if they care about efficiency pairings should be dismissed out of hand, nobody will be able to validate this blockchain
03:42:33longandshort:so do you guys think that wp is doable
03:42:46Luke-Jr:andytoshi: well, they already think scrypt is low energy.. :p
03:43:22longandshort:that's what im thinking, with unlinkable/traceable it's just going to be a doublespend spree
03:43:28andytoshi:longandshort: i don't think it's actually impossible, no
03:43:32longandshort:luke you love scrypt don't you
03:43:37longandshort:fess up
03:44:14Luke-Jr:longandshort: for passphrases maybe
03:44:18longandshort:andytoshi yes sorry, i actually do hate using such an absolute; almost impossible imo for them
03:45:04longandshort:their code is ported from everything else and they have an sms relay, that's it, and have put up this wp and a hard date for something they seem to be encouraging people to bet on
03:45:38longandshort:its not doable and will prolly burn in flames imo i just want other expert opinion
03:46:18andytoshi:longandshort: you are correct to be suspicious, i don't think they have or are able to do what they claim
03:46:35andytoshi:certainly the wp does not give a hint as to a mechanism for doing so, but does hint that they are confused
03:47:04longandshort:yeah, i think they have allowed themselves time to research but havent quite got there yet
03:47:17andytoshi:...but if i wanted a stupidly slow BRS-like scheme with sqrt(N)-sized sigs, i would be able to do it...
03:47:23longandshort:and have kind of chosen it out of default because there is nothing they can port
03:47:57longandshort:stupidly slow exactly, solves none but in an inefficient way
03:48:06longandshort:it wont scale either will it
03:48:35longandshort:thanks i really appreciate your time i really really do
03:49:02andytoshi::P thx for the nonce idea
03:49:13longandshort:i apologise for my typing im kind of..well im not good at it so thanks for taking me seriously i do have a genuine concern
03:49:43andytoshi:why can't you type well? non-native speaker?
03:50:55longandshort:im australian believe it or not
03:51:10longandshort:im not really sure i cant spell or type well or punctuate
03:51:16longandshort:im highly dyslexic
03:51:18kanzure:intoxicated kangaroo, i'm calling it now
03:51:28longandshort:lol thats what it looks like doesn't it
03:55:12longandshort:how can i tip you guys can i have your addresses please andytoshi , Luke-Jr sipa
03:55:33andytoshi:longandshort: for my part, don't worry about it :)
03:55:57andytoshi:btw i think these chandran sigs have a trusted setup that allows forgery by the setting up party..
03:56:18longandshort:right how so
03:56:49longandshort:sorry wrong chat
03:57:26longandshort:andytoshi thanks thats nice of you :)
03:59:52andytoshi:yeah, they do, i think these are totally unsuitable for a cryptocurrency actually
04:00:18longandshort:do you have a source for that or its your conclusion?
04:00:26andytoshi:because even if you introduce linkability somehow, this CRS thing still lets the system setup forge signatures
04:00:50andytoshi:longandshort: well, in the chandran et al paper they say that forgery is possible by a maliciously generated reference string
04:01:05andytoshi:but say "no big deal, the CRS generator is just always implicitly in every ring"
04:02:01longandshort:yeah no biggie right :P
04:02:21andytoshi:yeah :P but even ignoring the fact that this is a big deal actually, if you want any sort of linkable scheme this will be a serious problem because the forged sigs won't be exculpable
04:02:34andytoshi:meaning, the malicious CRS generator could use other people's key images undetectably
04:03:49andytoshi:oh, ignore "exculpable", that is related but irrelevant ... "trusted party can use two different key images" means the scheme is not linkable
04:04:00andytoshi:end of story
04:05:01andytoshi:(ofc, i am just speculating on what a "linkable" modification of this chandranian signature scheme would look like, i don't have one to point at)
04:06:09andytoshi:but if you could make a linkable scheme which didn't suffer this flaw, then you could easily tweak it to remove the CRS dependence from the old one, i.e. produce a sublinear size non-CRS ringsig, which i think has never been done..
04:06:13longandshort:sure i get that, its interesting, and no there doesn't seem to be one, thats what im concerned about. i don't think they have the ability/skillset to do so, certainly don't have the history to prove they can
04:08:27longandshort:but its doable in a fashion, but it doesn't seem like something you just cook up in a month!
04:08:51longandshort:nor does it seem like a viable option to begin with, certainly not if you are creating a completely new chain
04:09:08andytoshi:maybe it's doable. i didn't realize earlier that there was a CRS assumption that would have to be removed
04:09:15andytoshi:so now i'm unsure.
04:14:29longandshort:so your overall opinion in a nutshell master andytoshi?
04:15:53longandshort:because i appreciate the opinion and rate it highly. im extremely concerned here tbh but am willing to give benefit of a doubt if there really is much
04:16:17andytoshi:longandshort: i like the nonce trick :) as for this wp corresponding to something, at best it is just hot air
04:16:18longandshort:personally i can't see them pulling it off, nor do i think its a viable option to be proposing
04:16:40andytoshi:if they say "they are starting research" then they will realize quickly it is doomed and stop it
04:17:03andytoshi:or they might try the peercoin thing where they have a point of trust and just sweep it under the rug in all PR..
04:17:08longandshort:sure thats what i figure, i dont think they are really set to start until next week
04:17:36longandshort:right yes the point of trust...
04:19:06longandshort:thanks for your time i really appreciate your expert opinions, enjoy the nonce trick :)
04:25:56TrollsRoyce:nice discussion here. it reminds me of a scene from Aliens: http://www.youtube.com/watch?v=dsx2vdn7gpY
04:26:08TrollsRoyce:“Game Over Man, GAME OVER!“
05:33:49gmaxwell:well if there is a CRS assumption then there are lots of plain accumulator options.
05:34:21longandshort:can you elaborate gmaxwell
05:35:23gmaxwell:CRS (usually) means there is a trusted setup. Generally in this space we consider trusted setup to be a serious killer. If you're willing to tolerate a trusted setup there are many possibilities.
05:35:30gmaxwell:(not just this approach)
05:36:03longandshort:sure that's kinda what the anon crowd are trying to move away from right, trust
05:36:28longandshort:but sure its an option great
05:38:16gmaxwell:it's usually hard / impossible to just remove a CRS assumption from a scheme. If it weren't integral to the scheme the authors wouldn't have included it.
05:38:31fanquake:fanquake has left #bitcoin-wizards
05:40:09sipa:andytoshi: g(x) = O(f(x)) means that for some M and n, every x > n will have g(x) < M*f(x); so with f(x) = 0 that simplifies to for some n, for every x > n g(x) == 0
05:51:21Viper1:Hiya. So is the Chandran sig discussion "finished"?
05:51:55gmaxwell:the person who asked seems to have just left.
05:52:36sipa:andytoshi: or more commonly: O(0) just implies your function is always strictly 0
05:52:54sipa:with at most a finite number of exceptions
05:56:11Viper1:Ah. So I don't really know much about all this stuff. But I found a paper entitled "Sub-linear size traceable ring signatures without random oracles" by Fujisaki which, as far as I can tell, would make it possible to have things linkable/traceable in the coin that shall remain nameless.
05:56:20Viper1:I also found a reference to it for CN coins that implied it was the "inspiration" for whatever they did to have traceable and linkable ring signatures.
05:56:20gmaxwell:the context was some sketchy altcoin 'whitepaper' that doesn't seem to be written by someone who knows what they're talking about.
05:56:27longandshort-:longandshort- is now known as longandshort
05:57:35longandshort:gmaxwell hey im here
05:58:08lechuga_:cool logo
05:58:25Viper1:Yeah, that whitepaper was "thin" at best and certainly written as more of a selling point as opposed to any in depth explanation about things.
05:58:35gmaxwell:Viper1: the scheme they're mentioning is very slow to verify, requires trusted setup, introduces much less trusted cryptographic assumptions, and doesn't appear to have a traceability scheme (at all, much less one with a security proof) and by the figures in the paper hardly reduces the size of the signatures at all. Most of the size reduction comes from the input group selection.
05:58:49gmaxwell:and not from the cryptosystem.
05:59:49gmaxwell:And I echo andytoshi's comment that the author doesn't seem to be able to make a convincing imitation of someone who knows what they're talking about... nice colored sheets of paper though.
06:00:03gmaxwell:My thought on O(0)? 0_o
06:03:46lechuga_:it's the time complexity of an algorithm u dont bother 2 write
06:04:07Viper1:lol. Yeah, my impression is that it's mostly copy and paste and that it would actually be CN but using chandran sigs instead. Now, I had asked smooth about Chandran sigs as well at some point and he said they were looking at them for Monero. So does that coin suffer from the issues you've outlined?
06:05:19phantomcircuit:is there a way to minimize the privacy leak when using an n/m signer to enforce business logic?
06:06:11Viper1:I should clarify about the Monero thing. He said they were looking at them to maybe be used in conjunction with the current ring signatures to gain some block size reduction for high mix transactions.
06:14:45longandshort-:longandshort- is now known as longandshort
06:23:07gmaxwell:phantomcircuit: yes. use a threshold scheme where 1 of 1 and n of m are indistinguishable... :) ... not possible for ECDSA.
06:28:55phantomcircuit:gmaxwell, bitgo appears to have implemented a sane multisig business logic engine
06:29:06phantomcircuit:i dont trust their wallet code at all though
06:29:53phantomcircuit:and i dont see why they need to know what you're doing
06:32:21phantomcircuit:gmaxwell, the rules are really as simple as
06:32:30phantomcircuit:transfer limits and things
06:33:07gmaxwell:phantomcircuit: looked at what greenaddress is doing in that space?
06:38:36phantomcircuit:gmaxwell, yup
06:38:47Viper1:So. At the end of the day, if you take out that whitepaper etc, my basic question is whether or not Chandran sigs can be used. Based on what smooth had told me and that whitepaper I found, it would appear so (with some issues though), but is there something that would make it not feasible?
06:41:26gmaxwell:Viper1: I'm not sure what part of what I wrote above you're decoding as anything other than "seems to be completely uninteresting"
06:41:57phantomcircuit:gmaxwell, basically their entire business comes down to a set of simple rules
06:42:01gmaxwell:It's not clearly feasible. It doesn't seem like it's even worth trying. The barriers are equal to inventing (/finding) another unrelated cryptosystem.
06:42:17phantomcircuit:it's different from what greenaddress.it does in that it works well with a normal corporate structure
06:42:41phantomcircuit:i dont see any reason that policy rules couldn't be implemented by ga.it rapidly
06:47:29smooth:Viper1: "Based on what smooth had told me" <= what i said was we are looking at it, not we have determined that anything at all is feasible or useful
06:52:49trollsroyce_:evening all
06:52:59fluffypony:Viper1, the only vague conclusion we had on that paper at all was that there is no saving for small groups (low mixins)
06:53:35fluffypony:but the MRL guys will undoubtedly have a more formal analysis at some point in the future
06:55:47Viper1:fluffypony, Yeah, that was my understanding from what smooth had said. He had mentioned doing a writeup at some point.
06:56:02fluffypony:it's pretty low priority, tbh
06:57:05fluffypony:there are so many other things that need appropriate research first before looking at something like that purely to reduce an imaginary problem (omg, blockchain bloat, omgomg)
06:58:04Viper1:lol. smooth had shown me some pretty small transactions but I guess in the absence of people actually looking into things, they'll buy into any story they're fed.
06:59:29gmaxwell:gmaxwell has kicked trollsroyce_ from #bitcoin-wizards
07:23:56justanotheruser:justanotheruser is now known as sama
07:24:24sama:sama is now known as justanotheruser
07:25:28justanotheruser:justanotheruser is now known as day
07:25:46day:day is now known as justanotheruser
07:43:19bjjb:Well, howdy do
07:43:43bjjb:You know this is the first time i've logged into irc. ever.
07:44:11bjjb:And i'll be honest. I'm here because of some good questions asked by complete assholes. So, I brought popcorn. Where's the fire
07:45:23gmaxwell:That is an ...odd... introduction. I am unsure what you're going on about.
07:46:35kiely:kiely has left #bitcoin-wizards
07:46:42bjjb:gmaxwell, there's been some talk of chandran signatures in here tonight. Now, I'm not going to pretend I know what this technobabble is about. But, there's a duo in here posting screenshots of this chat and insulting a huge community of people with your name attached to it
07:47:05fluffypony:bjjb: link?
07:47:36bjjb:https://bitcointalk.org/index.php?topic=681725.9380 look up the replies by this pookie person and longandshort
07:48:13longandshort:don't talk garbage
07:48:44bjjb:hi longandshort. you dont know me, but you've been a real pain and i cant believe you've been up for 3 days fudding stealthcoin non-stop
07:48:54bjjb:you are a ravenous, tireless cave troll
07:48:59fluffypony:* fluffypony shrugs
07:49:00longandshort:ive presented facts to a community clearly in denial and been abused non stop trying to get at least some sense out of someone there. im extremely concerned about the project and have stated it many times
07:49:08longandshort:dont bring that nonsense in here
07:49:11Luke-Jr:bjjb: take it somewhere else
07:49:14fluffypony:this isn't the place for that, bjjb
07:49:52bjjb:Fair enough. I just want to see the conversation taking place instead of living it vicariously through him
07:50:11gmaxwell:then read the logs, see the topic.
07:50:20bjjb:How do you read logs
07:50:54fluffypony:bjjb: the conversation's over, there's not really much more to say
07:51:02fluffypony:this isn't #research-every-altcoins-whitepaper-for-free
07:51:26longandshort:btw can i have some of your addresses id like to tip for your time
07:52:23longandshort:which i do really appreciate, i know andytoshi is happy they scored their "nonce trick" :P
07:52:29gmaxwell:Thanks but thats okay.
07:52:51longandshort:i really do appreciate the time you took to read it
08:05:15sinisalo.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
08:09:23bjjb:Cool. I actually found that conversation very informative and am happy to have a discerning skeptical take on the chandran implementation. Kudos
08:10:21justanotheruser:justanotheruser is now known as animerakiza
08:10:31animerakiza:animerakiza is now known as justanotheruser
08:11:24fluffypony:yeah, bjjb - I think some altcoin "developers" are taking it as "omg technologiez for anonymuss cryptocurrency!", when the research paper isn't about that at all, it's about group signatures in a more generalised sense
08:14:02qualiabyte_:qualiabyte_ is now known as qualiabyte
08:17:42bjjb:I lack the technical background to make a compelling argument for or against their use. It would be much more productive if Hondo would come here for discussion himself, I think.
08:21:44longandshort:its not really their problem, i mean they looked at the paper, they gave an opinion and they are already not thinking about it. to sum it up its just not really something that is viable, but it is doable but comes with conditions..loads of them. its better to go back to the drawing board and start again, they are looking at the wrong paper, end of story
08:24:03gmaxwell:it's not clear to me that its 'doable', there may be related schemes in that family which are applicable (I haven't researched further), but the particular paper cited is of a technique which is not usable as is. And looks like it would not be advantageous if it were possible to modify it to make it usable.
08:30:22bjjb:I feel like a brief discourse could answer a lot of questions. Truly, I can't defend his work and there are likely many nuances I'm absolutely overlooking
08:30:29gmaxwell:surprised to hear that the thing whitepapered before is somehow being traded already; I should really someday stop being surprised by these things.
08:31:13bjjb:The market is saturated by non-technical people, right?
08:32:55bjjb:The same thing happens in science. You come up with a great revelation, awesome data, but presentation wins the race.
08:33:17fluffypony:gmaxwell: it's the normal course of things in the altcoin world - you first launch so that you can mine a bucketload at low diff, then you make vague hand-wavey promises, then you sell a bit on the back of the claims, wait for it to tank, buy back in, push out a whitepaper with little technical merit, and offload
08:34:15longandshort:sad but true very true
08:37:08bjjb:At the same time I would argue that Hondo has demonstrated good work ethic and some integrity. I do not think that he is the type of person to profit like that. It seems very counter to my experiences with him.
08:38:05bjjb:If this is truly a work of his passion, maybe he will find a way to make it work. I do appreciate the skeptic professional opinions tonight - they are rare in the trade scene.
08:40:32gmaxwell:You can't really honest effort yourself through something that is just not applicable, and probably not through not knowing what you're doing. ... and you speak of integrity, but launching some speculative asset when you've not done the work? I don't think that is something that speaks of integrity.
08:45:13bjjb:He never promised to already have the Chandran implementation done at any time beforehand. He did deliver on previous promises to the community, and insofar there are still 2 months before his target date for Chandran implementation. While I do not have the technical background to know the nuances of just how far-fetched it may seem, he reminds me of people I worked with in my lab. And if they figure out it doesn't work, trul
08:46:53bjjb:For what it's worth, he is transparent with what he knows as far as I can tell. And that's why I mentioned it would be productive to have a discourse with him and other professionals -- for him to be grilled. I do want to know if he knows or not.
08:46:58bjjb:I just can't test it myself.
08:48:36longandshort:its a whitepaper and its on the roadmap, are you kidding me, that's a straight up vaporware pitch to sell off, c'mon, calling it anything but with a dev of that caliber is ridiculous and insulting you
08:48:41fluffypony:bjjb: why? this is a place to discuss Bitcoin-related research, not to provide free assistance to altcoin developers
08:48:47longandshort:sound like you are trying to convince yourself
08:49:02longandshort:bloody setup i saw that a mile off
08:49:05gmaxwell:please take the altcoin fighting elsewhere.
08:49:12longandshort:coming here pretending to ask questions
08:49:19bjjb:Stop it, long.
08:49:50longandshort:stop what this is not the place for any of that crap
08:50:01gmaxwell:gmaxwell has kicked longandshort from #bitcoin-wizards
08:50:05gmaxwell:gmaxwell has kicked bjjb from #bitcoin-wizards
09:29:25Emcy:"trollsroyce" is pretty clever lol
10:22:07wallet421:wallet421 is now known as wallet42
12:06:36Guyver2:Guyver2 has left #bitcoin-wizards
12:19:10cbeams_:cbeams_ is now known as cbeams
12:46:20luke-jr_:luke-jr_ is now known as Luke-Jr
12:49:32andytoshi:(Viper1, for mischaracterizing my -wizards comments on bct)
12:50:28andytoshi:andytoshi has kicked smooth from #bitcoin-wizards
13:55:47[nsh]:in the RFC entitled: "More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)" why are the primes given high bits determined by pi? / " The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }" / because it's a nothing-up-my-sleeves number?
14:07:51andytoshi:idk, doesn't seem very nothing-up-my-sleeve, i suspect there is some cool reason to do with the prime searching algorithm
14:38:00andytoshi:jgarzik: you mean, LOCKTIMEVERIFY being able to take a "N blocks from this one" rather than "N blocks from genesis"?
14:38:46andytoshi:s/this one/the block that the output was created in/
14:41:09jgarzik:Transaction 0x1234 is mined in block 300000. An output inside 0x1234 sets nLockTimeOut to 321000. Protocol and miners would reject spends of that output prior to block 321000.
14:41:24jgarzik:So yes, relative to the block in which the TX is mined.
14:41:33jgarzik:Which can obviously change with reorg.
14:45:24[nsh]:so the actual earliest spendable time is variable by hashrate variance?
14:46:15andytoshi:[nsh]: yes, this is always true when you use blockheights to measure time. but i think the q here is "is it safe to use differences from the current blockheight vs only using absolute blockheight"
14:46:35[nsh]:i think you could renormalize to nLockTimeOut * 10m (modulo nearest block) in principle
14:46:55andytoshi:where "safe" means "there is no way to somehow get the current blockheight onto the stack and use it to create unspendable-after-block-X outputs"
14:47:25andytoshi:and (i think) the answer is yes, this is fine, and tbh i would prefer these semantics for LOCKTIMEVERIFY
14:47:47jgarzik:I suppose in practice absolute is what most will choose/need
14:47:58jgarzik:easier to reason about
14:49:20andytoshi:yeah, i guess so, i'm thinking of cases where you want to setup some protocol that involves locking, then sometime indeterminately far in the future actually execute
15:20:27dgenr8:for relative, you need to reference the height of the input. that seems safe if there were a limit to how small the difference could be.
15:25:57andytoshi:dgenr8: the height of the input is implicit
15:26:09andytoshi:the input is necessarily in the blockchain somewhere when you create a tx that spends it
15:29:25dgenr8:i mean the script would need to reference the numeric value of the input height, to validate a relative CHECKLOCKTIMEVERIFY
15:29:42dgenr8:script engine rather
15:32:53andytoshi:the engine, yes, but the only thing it would do with this is fail the script immediately, and the failure condition changes fail->nofail but never in the opposite direction
15:33:15andytoshi:you couldn't get any information about the height onto the stack
15:56:41dgenr8:agreed. i see, you are considering an even more advanced scenario than just a relative locktime check.
16:24:47CoinMuncher:Core devs are discussing right now about another feature CHECKLOCKTIMEVERIFY. Both hard or softforks are being discussed. https://www.mail-archive.com/bitcoin-development@lists.sourceforge.net/msg06296.html
16:24:56CoinMuncher:Quote from Gavin: > I don't have any opinion on the hard- versus soft- fork debate. I think either can work.
16:25:06CoinMuncher:oops sorry, wrong channel.
16:32:00tjopper:tjopper has left #bitcoin-wizards
17:44:10gmaxwell:jgarzik: some folks around this channel have wanted relative locks too, but they're moderately more complex and risky and it seems the cases where they would help are fairly narrow.
18:28:10Aquent:Aquent is now known as bullwhale
18:45:41bullwhale:bullwhale is now known as Aquent
18:47:46Quanttek_:Quanttek_ is now known as Quanttek
20:21:53Aquent:Aquent is now known as yoloscum
20:23:37yoloscum:yoloscum is now known as Aquent