00:04:48gmaxwell:kanzure: if we want to be all secret decoder ring about it, here is what we do.
00:05:25kanzure:i don't know which it we're talking about, but i'm listening
00:05:31zooko:me neither and me too!
00:05:32gmaxwell:the tweet.
00:05:44kanzure:oh that's way less interesting than what i was hoping we were talking about
00:05:50kanzure:i am going to proceed with my prior assumptions then
00:06:33nsh:there was a paper that suggested you can do ECC in 400 bytes of RAM but it's in Springerjail
00:06:38gmaxwell:You generate your secret and a second random value. By hand you sum your secret and the random value. Now take your secret+random and your random value to seperate computers and compute x*G for each. then do the single point addition by hand to get your pubkey. :P
00:06:58nsh:(bytes of RAM being roughly commensurate to 'moving parts' in some mechanical system)
00:07:09zooko:gmaxwell: huh!
00:07:26gmaxwell:the first addition is plain integer addition mod order, which is trivial. The point addition requires something like 8 field operations, so it's going to take you a while by hand. :P
00:07:55gmaxwell:but its completely reasonable and I assume you could do it in under an hour.
00:07:57nsh:* nsh would like to see some abacus pros doing ECC
00:08:05kanzure:nsh: you mean springerkink
00:08:43nsh:* nsh nods
00:08:59kanzure:why isn't the tor onion routing stuff a separate library? i don't see why it has to be tor-only code.
00:09:24nsh:.title http://crypto.stackexchange.com/questions/8747/how-to-build-an-electro-mechanical-public-key-cipher-machine
00:09:24yoleaux:historic - How to build an electro-mechanical public key cipher machine? - Cryptography Stack Exchange
00:09:26gmaxwell:kanzure: it's not usefully abstractable.
00:09:28kanzure:this stuff over here: https://gitweb.torproject.org/tor.git/blob_plain/HEAD:/src/or/circuitbuild.c
00:10:17sipa:8 field operations? how fast does a human do a 512-bit by 256-bit division...?
00:10:40sipa:oh; field; if it's secp256k1 there's an easier way to do a modulus
00:10:53gmaxwell:yea.
00:11:11gmaxwell:well you can use repeated subtraction to do the reduction instead of division in any case.
00:11:15nsh:" I wonder if you could implement ECC in hardware? Have a flexible line defined by the equation to serve as a cam surface, then place a straightedge at points P and Q to find the intersecting point. It could be a great illustrative tool, but I doubt it could be made accurate enough to provide the security required. – John Deters Jun 17 '13 at 16:50 "
00:11:42nsh:that's zooko-worthy crazebition :)
00:11:51zooko:Haha
00:11:57kanzure:cc kragenjaviersitaker
00:12:06gmaxwell:nsh: lol thats goofy, ECC over Fp^n is only conceptually related to ec over reals... in particular discrete log for ec on reals is not hard.
00:12:15nsh:right
00:12:47nsh:but perhaps you can shift the quantization?
00:13:09nsh:not sure that makes any sense
00:13:24sipa:nsh: http://bitcoin.stackexchange.com/questions/21907/what-does-the-curve-used-in-bitcoin-secp256k1-look-like
00:13:28gmaxwell:sipa: also you can get a pubkey in jacobian, and just have a computer reduce it to affine, as thats easy to check.
00:19:37zooko:So, FWIW, I was imagining a hash function instead of "public key". :-)
00:20:20sipa:nsh: heh, i wonder how much ram my implementation of secp256k1 uses at most (excluding the precomputed tables)
00:20:22gmaxwell:ah people have done sha256 by hand. (sha256^2 in fact)
00:20:43nsh:hmm
00:21:16nsh:is there a limit to processing/ram tradeoff particular to a given algorithm/calculation?
00:21:41nsh:ie, generally you can use less state at the expense of longer processing but only to a point
00:21:57nsh:how does that point depend on the intrinsics of the calculation?
00:22:21sipa:oh, for verification some factors are converted to wNAF form, which takes 4*129 bytes
00:25:22gmaxwell:nsh: there really is no limit for the s*G task, though obviously you run out of fast ram at some point. For the a*G + b*P multiexp, where only G is a constant base that you use over and over again and P you only use once, there is a small optimal amount of table to use.
00:25:55nsh:hmm
00:25:57gmaxwell:(the multiexp is what signature verification is doing; P is the pubkey)
00:26:08nsh:* nsh nods
00:26:37gmaxwell:For the multiply with a generator case, it basically always gets faster with a bigger table if you're assuming memory bandwidth is infinite.
00:26:59sipa:latency you mean
00:27:12sipa:ah, for signing; never mind
00:27:42gmaxwell:on i4770r which has a 128mb L4 cache. I get the best performance for multiply with a constant point using a 70mbyte-ish table.
00:27:45nsh:if we're aiming for something like an abacus that can be used by a trained human with good manual dexterity at 'reasonable' speed
00:28:00nsh:there will be some optimum degree of mechanical/state complexity
00:28:25gmaxwell:well for e.g. generate a pubkey, if you're allowed a book you want the most precomputation possible.
00:29:02nsh:* nsh nods
00:29:15gmaxwell:e.g. a book with 65536 entries lets you do the whole multiply yourself with only 16 point additions.
00:29:23nsh:* nsh wonders about an ECC precomp slide-rule type device
00:29:42nsh:books are suboptimal for hand-based look-up, really
00:29:56gmaxwell:they can have tabs.
00:29:58fanquake:fanquake has left #bitcoin-wizards
00:30:06nsh:* nsh nods
00:35:06zooko:sorry -- I'm playing Thunderstone in real life with my brother Nathan and my 10yo son. :-)
00:40:07rusty:gmaxwell: is there a canonical writeup on UTXO commitments somewhere? I can only find scattered references...
00:59:10phantomcircuit:gmaxwell, i have done the first 3 and the last 3 stages of sha256 by hand
00:59:16phantomcircuit:0/10 would not recommend
01:00:19gmaxwell:rusty: no, sprawling discussions, maaku's work is probably the most sophicated.
01:00:34gmaxwell:I think maaku is not around today or I'd ping him for links.
02:24:47maaku:maaku is now known as Guest76468
02:37:14zooko:phantomcircuit: haha
02:42:48wallet42:wallet42 is now known as Guest67358
02:42:48wallet421:wallet421 is now known as wallet42
02:52:48amiller:rusty, i have a paper and an ocaml library that makes authenticated data structure protocols for any data structure https://amiller.github.io/lambda-auth/
02:57:58amiller:rusty, i have a forum post, https://bitcointalk.org/index.php?topic=101734.0 etotheipi has one https://bitcointalk.org/index.php?topic=88208.0 maaku has one https://bitcointalk.org/index.php?topic=204283.0 petertodd has an implementation too https://github.com/petertodd/python-merbinnertree
02:58:46amiller:i think all of those are the best references... not *too* scattered
03:23:39rusty:amiller: thanks! Reading now...
09:05:18asimov.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
09:05:18asimov.freenode.net:Users on #bitcoin-wizards: andy-logbot cbeams Guyver2 nuke1989 webdeli waxwing berndj-blackout grandmaster2 Baz____ coiner aburan28 bitbumper TheSeven c0rw|sle_ FBI-AGENT maaku__ op_null rusty epscy dgenr8 zibbo rfreeman_w hashtag_ tromp Emcy koshii mkarrer_ Luke-Jr null_radix Aquent spinza jaekwon_ go1111111 Graftec fenn Starduster Nightwolf postpre ryanxcharles iddo Hunger- HaltingState d4de luny nubbins` SDCDev Pan0ram1x adlai arowser jaekwon samson_ lclc_bnc K1773R
09:05:18asimov.freenode.net:Users on #bitcoin-wizards: s1w Eliel_ kanzure bobke LaptopZZ warptangent Shiftos isis btcdrak iambernie sneak harrigan michagogo hguux_ gavinandresen SubCreative JonTitor devrandom ebfull phantomcircuit sl01 Cory Grishnakh sipa mortale DoctorBTC Flyer33 Alanius jbenet HM dansmith_btc artifexd btc__ kumavis mappum Muis azariah4 nanotube orw MRL-Relay fluffypony jgarzik PaulCapestany BlueMatt a5m0 kgk LarsLarsen gazab AdrianG yoleaux gwillen livegnik BananaLotus Myagui
09:05:18asimov.freenode.net:Users on #bitcoin-wizards: @ChanServ burcin coutts wizkid057 Dyaheon bbrittain NikolaiToryzin forrestv nickler mr_burdell Logicwax Meeh tromp_ Krellan poggy pi07r_ comboy mmozeiko lnovy Taek optimator_ [\\\] Apocalyptic throughnothing petertodd crescendo CryptOprah cfields-away Fistful_of_Coins gmaxwell kinlo ahmed_ so Anduck [d__d] espes BigBitz otoburb wumpus EasyAt starsoccer hollandais jaromil helo Keefe Iriez huseby phedny midnightmagic nsh coryfields andytoshi
09:05:18asimov.freenode.net:Users on #bitcoin-wizards: BrainOverfl0w warren asoltys gribble Graet smooth amiller danneu catcow TD-Linux [Tristan] ryan-c roasbeef harrow lechuga_ pigeons
09:33:53c0rw|sle_:c0rw|sle_ is now known as c0rw|away
10:03:24berndj-blackout:berndj-blackout is now known as berndj
14:49:31adam3us:so petertodd gengix and gwern discussed and then petertodd implemented a scheme for time-lock encryption https://github.com/petertodd/timelock and peter mentions gengix and links to gwern. http://www.gwern.net/Self-decrypting%20files
14:51:18adam3us:and if i am understanding it correctly, the idea is to farm out a say 1000 1hr hashchains to 1000 nodes starting from 1000 independent IVs, then encrypt the second IV with the k1=H^k(iv1) so you have E_k1( iv2 ) and so on.
14:51:37adam3us:the idea being setup is parallel but decrypt is serial
14:52:15adam3us:now this has a problem firstly it takes as much aggregate work to setup as decrypt. secondly the nodes you farm the setup to could remember the solutions and collude to decrypt with no additional work.
14:52:15kanzure:sounds right
14:52:44kanzure:oh, which nodes are you expecting to farm out to?
14:53:25adam3us:it doesnt say.. i was guessing other people? as they were talking long time-frames for decryption and presuming the person doesnt have a personal supercomputer.
14:53:39adam3us:(eg like month per parallel thread so it could take years to decrypt)
14:56:07adam3us:anyway i think its missing several solutions which are more efficient and private/secure against collusion. if you choose random key k encrypt m the message with it c=E_k(m) and and then publish c, and truncate k to delete 64-bits you get instant no work setup of a 2^64 decryption challenge. tune as you wish to get more or less work.
14:58:32adam3us:now that is random and the searcher could get lucky, but you can apply it multiple times to reduce the variance to negligible. eg iv1000=E_k1000(m), iv999=E_k999(iv1000) … iv1=E_k1(iv2) and omit the desired number of bits eg 56 bits missing from each of 1024 challenges gives the 64-bit work factor low variance, no trust, negligible cost during setup
14:58:34op_null:kanzure: the point is that you can parallelize generation. on a GPU you can do lots of concurrent threads, if you're limited to just one there's not much you can do but get an intel CPU and overclock the shit out of it.
14:59:08kanzure:my question was actually about the upfront setup collusion actually
14:59:22kanzure:but anyway, key truncation.. hm.
14:59:35adam3us:op_null: yeah but my point is you can generate KDFs with arbitrary iterations/work and your choice variance with negligible work
15:00:38adam3us:this could be done with PBKDF2 or such things. eg you could setup a high work KDF from a cell phone processor in a fraction of a second that'd take as long as you want on a desktop.
15:01:09op_null:right, I was just talking about "now this has a problem firstly it takes as much aggregate work to setup as decrypt." in particular. I don't think it's a real problem that the amount of work is the same, really.
15:02:31op_null:I'm attracted to the idea just because there's not all that many problems you have to solve by using liquid nitrogen CPU cooling.
15:02:53adam3us:op_null: well it is because work has cost, and also you cant securely outsource this work. say you need to at short notice send a very secure/time-locked message from a cell phone using a panic button. now-what. and you dont trust the network at large not to cache the parallel setup parts.
15:03:24adam3us:(they could be sold when the actual decryptors come back and pay people to decrypt things at a profit because the worker gets paid twice for the same work)
15:03:52op_null:oh yeah, of course then you're toast. alternatives are great.
15:06:07adam3us:there is work you can securely outsource.. i made an intentionally parallelizable KDF that is blind and so securely outsourceable … not time-lock but work-locked. you can get it solved in a fraction of a second using litecoin miners (people who want to sell gpu-work at litecoin $/CPU KHrates) securely from a smart-phone
15:06:39adam3us:there is a non-parallelizable version of that (had to do extra things to make it parallelizable)
15:07:26adam3us:https://bitcointalk.org/index.php?topic=311000.0
15:08:02adam3us:(thats a different use-case really. cost-locked vs time-locked)
15:08:47adam3us:if it costs $5 per password guess that is protecting $100,000 even a weakish password will be net loss to attack (using a KDF with those properties)
15:12:32adam3us:an outsourceable non-parallel KDF could be useful also if the encrypted message is public, and the person paying for the work doesnt trust them to not decrypt the document he paid to decrypt.
15:19:23mkarrer_:mkarrer_ is now known as mkarrer
16:24:43antanst:antanst has left #bitcoin-wizards
16:58:27lclc_bnc:lclc_bnc is now known as lclc
17:25:21lclc:lclc is now known as lclc_bnc
18:51:02lclc_bnc:lclc_bnc is now known as lclc
19:02:29lclc:lclc is now known as lclc_bnc
19:08:48kanzure:http://underhandedcrypto.com/rules/ "The Underhanded Crypto contest was inspired by the famous Underhanded C Contest, which is a contest for producing C programs that look correct, yet are flawed in some subtle way that makes them behave inappropriately. This is a great model for demonstrating how hard code review is, and how easy it is to slip in a backdoor even when smart people are paying attention. We’d like to do the same for ...
19:08:54kanzure:... cryptography. We want to see if you can design a cryptosystem that looks secure to experts, yet is backdoored or vulnerable in a subtle barely-noticable way. Can you design an encrypted chat protocol that looks secure to everyone who reviews it, but in reality lets anyone who knows some fixed key decrypt the messages? We’re also interested in clever ways to weaken existing crypto programs. Can you make a change to the OpenSSL ...
19:09:00kanzure:... library that looks like you’re improving the random number generator, but actually breaks it and makes it produce predictable output?"
19:28:50gwillen:kanzure: I propose taking the current openssl source and submitting it, alleging that you have made it subtly vulnerable
19:28:53gwillen:and see what they find
19:29:14nsh:hah
19:29:38kanzure:they accept existing code only if you have modified it
19:29:56kanzure:which is pretty easy to check (diffs)
19:30:16kanzure:and i think they have you submit and make your changes obvious
19:30:40gwillen:heh, darn
20:09:58FBI-AGENT:FBI-AGENT is now known as Dr-G
20:31:44adam3us:submit ekr's patches? ;) ooh politically insensitive
20:32:57c0rw|away:c0rw|away is now known as c0rw1n
20:33:02adam3us:eg the one that broadcasts extra randomness to amplify the ec drbg breakage
20:33:06adam3us:adam3us has left #bitcoin-wizards
20:36:10sipa:?
20:36:19sipa:ah
22:35:15tacotime:someone wrote a paper about using a paillier cryptosystem to enhance blockchain privacy in conjunction with utxo-bearing spvs
22:35:21tacotime:https://drive.google.com/file/d/0B21vncLoIlIyaVpGVFN5c1VFdmM/view
22:41:35kanzure:wasn't there something recent about xss vulnerabilities in google drive.. hrm.
22:42:40tacotime:kanzure: if you are afraid i will dl the pdf and email it to you
22:42:46tacotime:not that pdfs are much safer
22:47:59kanzure:i feel like my options are one terrible javascript execution environment for another terrible javascript execution environment
22:48:08tacotime:and good discussion from gmaxwell/adam3us here: https://bitcointalk.org/index.php?topic=872377.0
22:48:11adam3us:see https://bitcointalk.org/index.php?topic=872377.msg9647318#msg9647318 they seem to be confused about the need for
22:49:51adam3us:tacotime: ah yes. that :) the need for paillier at all. its avoids introducing another crypto-assumption, is more compact to use EC DLOG than paillier (256-bit ciphertext vs 6kbit) plus they did not seem to realise that you need to prevent wrapping mod n. or misread the paper they got one of the parts from to assume it implied wrapping prevention, which afaik it does not.
22:51:54tacotime:yeah i was reading about paillier and saw it was using RSA keys and became afraid. i will read over your homomorphic value scheme, must have missed it before. :)
22:52:42adam3us:the homomorphic value is not doing anything exciting.. all standard zkp & EC dlog. 1kbit for encrypted value vs 64-bit for unencrypted.
22:57:21gmaxwell:oh I was just typing what adam3us already typed.
22:57:52adam3us:uh 1kbyte not 1kbit. i think the effect is quite exciting though :) hide the values while still validating that they add up. (though you can still tell that the person who sent it to you had at least that value). i talked about it a bit some video and slides https://bitcointalk.org/index.php?topic=509674.0
22:58:00gmaxwell:It needs proofs to prevent the wrap and I don't know how to construct those compactly (while staying with just boring cryptographic assumptions)
22:59:34adam3us:skip to 49m on the video for the encrypted value part https://www.youtube.com/watch?v=3dAdI3Gzodo&feature=youtu.be
22:59:56tacotime:cool, ty.
23:02:24adam3us:i wonder.. you could probably improve the hiding of where the money came from by proving that the sum of the inputs is the value, without revealing to the recipient the allocation of value across those inputs. didnt think of that before.
23:03:45nsh:gmaxwell, what's the security effect of wrapping around n?
23:03:57nsh:or cryptopathogenesis
23:05:43gmaxwell:nsh: it's a total break. It only shows your outputs are congruent to your inputs mod n.
23:06:12nsh:hmm
23:06:18kanzure:andy-logbot: what about non-interactive proofs where the proof isn't about some specific data, but rather just something like "the value is greater than or equal to n" or "the value is less than n"? does this exist
23:06:18kanzure:I'm logging. I don't understand 'what about non-interactive proofs where the proof isn't about some specific data, but rather just something like "the value is greater than or equal to n" or "the value is less than n"? does this exist', kanzure. Try /msg andy-logbot help
23:06:18gmaxwell:so e.g. you can create enormous value outputs when you only have a few coins.
23:06:22kanzure:oops
23:06:28kanzure:andytoshi: what about non-interactive proofs where the proof isn't about some specific data, but rather just something like "the value is greater than or equal to n" or "the value is less than n"? does this exist
23:06:51gmaxwell:kanzure: there are proofs for this, seem adam3us' writeup, but they are not tiny.
23:07:11nsh:oh god, the logbots are starting giving academic interjections now. skynet dawns
23:07:17kanzure:hmm okay then
23:07:22nsh:*have started
23:09:10gmaxwell:really, the problem is that expanding values to a kilo-bit for encryption would be bad enough that it would be hard to tolerate. ... having to go to several times that for all the proofs is ... considerable overhead.
23:09:20adam3us:kanzure: yes its a research area for "zk range proofs" the one i focussed on optimizing is one by berry schoenmakers which is simple & convenient for EC dlog. this kind of proof is useful in many protocols because most zkps are all modulo n so you either need to prove n is >> the values so it couldnt wrap, or that it doesnt wrap
23:15:43nsh:still hard to intuit why proving nonwrap would require extra stronger assumptions
23:17:48nsh:* nsh reads more
23:18:38nsh:(or is that just within efficiency tolerances)
23:21:24adam3us:gmaxwell: yes i am disappointed about the size. annoying range proofs.
23:22:42adam3us:gmaxwell: about the only thing you could say in defence is that without hiding the value, if you actually cared about privacy to that degree you'd be sending multiple standard-sized values or something. ie these hidden value spends would be providing more privacy per transaction.
23:28:16petertodd:adam3us: you're misunderstanding the design space of timelock in a whole variety of ways - anything other than highly optimized algorithms with existing excellent scalar implementations is a bad idea.
23:28:31petertodd:adam3us: (I'll probably switch it to AES when I get around to it)
23:29:04andytoshi:off channel i mentioned to kanzure that i believe you cannot form a NIZK without either CRS and RO (and that i would not trust an RO SNARK, or any "cryptography of programs" that assumed that a big chunk of its own code was ethereal and could not be fed into itself)
23:29:05petertodd:adam3us: secondly the "farm it out" part of the problem is pretty trivial - think of how little parallelism you need to make it practical
23:29:18andytoshi:kanzure: the proofs that adam3us is talking about are in the RO model
23:29:45adam3us:petertodd: yeah but then you need to trust the people you farmed it out to to forget
23:29:58petertodd:adam3us: e.g "I want to lock for 5 years, and I want to setup the proof in a month" -> 60 cores, not a big deal at all to just go out and buy, or if someone writes me a GPU implementation
23:30:25adam3us:petertodd: i do agree that its preferable to use sym key, thats why i rejected pubkey variants, for hashcash
23:31:28adam3us:petertodd: anyway my symkey argument stands: you can do that without oursourcing. just delete keybits.
23:32:45nsh:andytoshi, "ethereal.. fed into itself"?
23:33:31nsh:are there any actually analytically-enlightening papers on how systems break down under various departures from random oracle?
23:34:10adam3us:petertodd: but also the even optimized things get toasted if someone makes an asic for it. probably your best bet would be to use sha256 and find a way to construct it out of repurposing bitcoin miners.
23:34:51rusty2:petertodd: my problem with all timelock schemes is more meta: someone has to care about your specific time-lock. AFAICT that introduces the most variance, as valuable timelocks get attacked first. If someone produces timelocks which can be solved via merge-mining, *that* would open far more uses.
23:35:22petertodd:rusty2: my timelock scheme incentivises everyone to crack it because cracking it gets you bitcoins
23:35:28gmaxwell:andytoshi: I am moving my eyebrows at your dismissal of RO assumptions.
23:35:32rusty2:rusty2 is now known as rusty
23:35:42nsh:(constraining algorithms and protocols in the interests of maintaining the utility of legacy hardware is definitely not something that's going to cause later regret)
23:35:53nsh:(not this time!)
23:35:53petertodd:rusty2: solves that problem, *and* gives solid proof of what's the fastest scalar implementation out there (by people willing to use it publicly)
23:36:09andytoshi:gmaxwell: specifically for SNARKs, things like KDM-secure encryption, obfuscation
23:36:23andytoshi:gmaxwell: anything that treats code as executable code (as opposed to blindly treating its input as data)
23:36:32petertodd:rusty: tech is such that that scalar implementation is very likely close to the best possible (<10x)
23:37:04andytoshi:nsh: one sec, i have an example of a broken RO-secure system for KDM-secure encryption..
23:37:13gmaxwell:andytoshi: the only RO assunption _required_ for a SNARK is a fiat shamir transform to make the protocol non-interactive.
23:37:34adam3us:petertodd: dont forget people may have an interest to crack lots of time-lock in parallel if they got used much at vastly lower J/crack
23:37:38andytoshi:gmaxwell: oh, FS i think is ok
23:37:55andytoshi:but i don't really trust that feeling because i can't tell why exactly i'm ok with fs
23:38:08nsh:+1 economy of scale cracking
23:38:24rusty:petertodd: If I understand correctly, you don't scale. How do I make my timelocked will-and-testament, for example? Do I hook onto your current puzzles somehow?
23:38:55andytoshi:nsh: bottom of page 19 https://eprint.iacr.org/2007/315.pdf
23:39:14nsh:ty
23:39:20andytoshi:oh, i'm OK with FS because it treats its input as raw data
23:39:42andytoshi:to contrast, the example i just gave to nsh (which is pretty jargonny, sorry) is using the RO in a pretty integral way
23:40:51nsh:i still suspect there might be something interest, analogous to andytoshi's impossibility conjecture, if the self-referential part were clearer
23:40:55andytoshi:KDM security is where the attacker can request encryptions of arbitrary functions of the secret key material ... and the "security proof" of one such system assumes that RO output is uniformly random and in particular totally independent of these ciphertexts
23:41:05petertodd:rusty: you spend 1core * T computer power and make it yourself; scales linearly
23:41:28andytoshi:and obviously, in a real system this assumption is false because your RO is instantiated with an actual function you can give to the ciphertext oracle
23:41:41petertodd:rusty: it's meant to actually work, right now, because I had a client who actually needed it...
23:41:55nsh:but really it's would be nice to quantify the weakness in terms of the dependency in terms of some notion of algorithmic-information-theoretical proximity of inputs and outputs
23:42:01nsh:*unmangle()
23:42:13andytoshi:nsh: welll, the way "zero knowledge" is defined in cryptography is in terms of a simulator, so you need an oracle ... this means a CRS ("trusted setup oracle"), an RO, or interaction
23:42:30andytoshi:nsh: but maybe there is a better definition of ZK that'd give us what we want without such a requirement
23:42:44petertodd:adam3us: what's the relevance of what "people might have an interest in cracking in parallel" - I just want a solution that works and is maximally predictable - anything parallel isn't
23:42:47rusty:petertodd: and what would motivate someone to solve it? The cost of that setup seems to be the ~ cost to solve it, since I have to offer a reward. But that seems redundant: is there a system where unrelated parties can share a timelock?
23:43:15nsh:i think we're grasping at a informational theoretical conservation law but it's a bit beyond my conceptual horizons at least
23:43:20petertodd:rusty: the motiviation is there exist Bitcoins on the bitcoin blockchain that by cracking the timelock you get to take the bitcoins...
23:43:24andytoshi:nsh: i hope not :)
23:43:28andytoshi:but maybe, i get that feeling too
23:43:46petertodd:rusty: no such "ulrelated parties" systems exist without adding huge amounts of complexity and/or handwaving
23:43:54nsh:just doesn't sit so well, aesthetically, that the assumptions can't be made less discrete/binary
23:44:50rusty:petertodd: Thanks, I thought that might be the case :( Unfortunately that constrains usage significantly, since the locker has to pay the solving cost.
23:45:06petertodd:adam3us: so, AFAICT your symkey arrangement basically makes it a semi-parallelizable problem?
23:45:08andytoshi:nsh: one thing my team at UT is working on is "universal parameters" which means a single CRS which can then generate other CRS's without additional trust http://eprint.iacr.org/2014/507
23:45:27nsh:very theological :)
23:45:32andytoshi::P
23:45:47petertodd:rusty: meh, solve problems that actually exist first - like I said, I had a client who actually needed a working timelock crypto application! (and hell, I found another person who needed one after)
23:46:02andytoshi:nsh: using obfuscation they have a selectively secure candidate ... one discouraging theoretical result they have is that adaptive security is impossible even in the RO model
23:46:26andytoshi:which is much stronger than my impossibility result...plus they actually finished it instead of handwaving the way i did :P
23:46:29nsh:((iacr.org should apply some sort of latex.js for abstracts))
23:47:02nsh:hmm
23:47:14andytoshi:so an open problem is, well, maybe there is a security definition between selectively secure and fully adaptively secure which evades the impossibility result ... how strong a claim do we need to make before it becomes impossible?
23:47:34andytoshi:i dunno, i will spend some time thinking about it over the next months
23:47:44nsh:petertodd, you should be able to solve 5 impossible things for pre-delivery client invoicing before breakfast
23:47:56nsh:you're not thinking MBA-dimensionally, Marty!
23:48:21nsh:andytoshi, a fine question to ponder
23:48:56rusty:petertodd: It's nice work, for sure.
23:48:58andytoshi:nsh: right, right. I have a real problem with that.
23:49:10andytoshi:(re "not thinking MBA-dimensionally")
23:49:18petertodd:rusty: thanks!
23:49:21andytoshi:i had to look up marty's response :P
23:49:24nsh:well, a lot of people have the opposite problem
23:49:25kanzure:consequences of that could be disastrous and destroy the entire universe
23:50:28nsh:i don't mind disaster OR eschaton. it's both at once that really messes up your weekend
23:50:40kanzure:(context: ) (not worth your time)
23:51:44petertodd:adam3us: so the interesting thing re adding a bit of varience back, is it may make cracking timelocks more interesting to the casual observer, becaues even though the guy with a fancy liquid nitrogen cooled rig still has a big edge, it's not a 100% guaranteed edge - helps ensure there's diversity in the community of timelock crackers
23:52:13kanzure:andytoshi: what was the problem again you had with the random oracle model for zero knowledge proofs of knowledge? something about forged or faulty transcripts?
23:52:35kanzure:or, in particular, the forged or faulty transcripts are the thing i'm trying to place
23:53:48andytoshi:kanzure: in the CRS model, the party generating the common reference string has access to secret data which allows them to create "proofs" of false statements
23:54:09nsh:petertodd, can you synopsize what adding variance means? you can make it so the expected time to crack timelock has a higher variance through parameter adjustment?
23:54:15andytoshi:kanzure: in the RO model, my problem was that certain ways of using ROs block attacks by sleight-of-hand assuming they cannot happen
23:54:30andytoshi:kanzure: but if the RO is only used in a fiat-shamir transform, this is not the case (as gmaxwell observers)
23:54:39nsh:(i don't know to what extent you can reliably project statistical distributions onto human cracking motivation)
23:55:47petertodd:nsh: so, if I understand adam's proposal, by dropping bits only some fraction of attempts to crack a given key will actually succeed, e.g. drop 1 bit, half succeed
23:55:57nsh:hm
23:56:37petertodd:nsh: though, actually, thinking about it more, that's probably not going to give us what we want, because the guy who can afford 1024 dewars full of boiling LN still wins...
23:57:08kanzure:jokes on you i'm holding out until the LN market falls through
23:57:12petertodd:nsh: (or in adam's example, 2^56 dewars)
23:57:43nsh:just think of the scrap metal value of those cannisters though; practically pays for itself
23:58:08andytoshi:metallurgy to #bitcoin-alchemists pls
23:58:09petertodd:nsh: which is bad, because we *want* people to invent in small scale but utterly pushing the limits exotic tech to crack this stuff, as that gets you as close as possible to physical limits, and in turn that gives everyone predictability
23:58:30nsh:* nsh smiles, nods