| 09:05:14 | card.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
| 09:05:14 | card.freenode.net: | Users on #bitcoin-wizards: andy-logbot cbeams hollandais Guest57566 koshii dgenr8 ryanxcharles Guest2745 coiner Dr-G3 MoALTz TheSeven devrandom wiz atgreen Cory PaulCapestany gues epscy Shiftos thrasher` HaltingState hashtag_ Guest44359 waxwing butters smk nickler c0rw1n berndj SDCDev Emcy_ Logicwax lnovy ahmed_ cluckj luny sl01_ gavinandresen SubCreative warren Krellan fenn LarsLarsen jchp nsh_ mkarrer pi07r phantomcircuit mr_burdell Graet shesek optimator morcos |
| 09:05:14 | card.freenode.net: | Users on #bitcoin-wizards: Starduster DougieBot5000 lclc_bnc isis NikolaiToryzin hashtagg [\\\] michagogo mappum Muis Baz__ BrainOverfl0w phedny Keefe helo so crescendo petertodd throughnothing Taek poggy burcin livegnik sipa harrigan sneak s1w yoleaux azariah kinlo iddo Guest38445 HM2 Fistful_of_Coins warptangent lechuga_ andytoshi pigeons gmaxwell Nightwolf eordano btcdrak comboy Meeh @ChanServ a5m0 K1773R asoltys_ JonTitor Alanius mmozeiko smooth roasbeef ryan-c |
| 09:05:14 | card.freenode.net: | Users on #bitcoin-wizards: TD-Linux catcow danneu starsoccer midnightmagic null_radix tromp EasyAt Apocalyptic DoctorBTC bbrittain go1111111 heath toddf dansmith_btc eric stonecoldpat wumpus btc__ CryptOprah samson_ gwillen digitalmagus OneFixt jbenet AdrianG hguux_ nanotube Eliel jaromil Anduck cfields BlueMatt coutts BigBitz bsm117532 coryfields nsh Guest2104 v3Rve Greed kumavis_ prodatalab grandmaster nuke1989 iambernie artifexd harrow amiller copumpkin BananaLotus |
| 09:05:14 | card.freenode.net: | Users on #bitcoin-wizards: [d__d] huseby rfreeman_w bobke tromp_ Adlai Graftec prepost Luke-Jr mortale wizkid057 tacotime tlrobinson maaku paveljanik MRL-Relay gribble kanzure fluffypony alferz espes__ Iriez jgarzik |
| 09:31:25 | Pan0ram1x: | Pan0ram1x is now known as Guest35685 |
| 09:31:25 | irc.freenode.net: | Disconnected from irc.freenode.net (ERROR :Closing Link: wpsoftware.net (Ping timeout: 244 seconds)) |
| 09:35:30 | fluffypony: | fluffypony is now known as Guest30042 |
| 09:36:44 | Guest30042: | Guest30042 is now known as fluffypony |
| 09:55:14 | omni: | omni is now known as Guest47020 |
| 11:07:03 | grandmaster: | grandmaster has left #bitcoin-wizards |
| 11:30:43 | omni: | omni is now known as Guest41892 |
| 13:29:59 | gues: | gues is now known as nullbyte_ |
| 13:30:43 | nullbyte_: | nullbyte_ is now known as Guest52567 |
| 13:33:31 | Guest52567: | Guest52567 is now known as e1782d11df4c9914 |
| 15:07:28 | Adlai: | is it OK to think of digital signatures as a trivial ZKP? I prove that I know the secret referred to by this pubkey, without revealing anything about the secret itself? |
| 15:09:30 | fluffypony: | Adlai: I think so - in the sense that you have "zero knowledge" of the private key? |
| 15:10:02 | Adlai: | the prover has knowledge, but transfers none of it to the verifier (in the case of bitcoin, anybody verifying the blockchain) |
| 15:11:40 | fluffypony: | yes makes sense, although I'm unsure if there is a formal definition of the term |
| 15:17:09 | Adlai: | ZKP is a newer concept than public key crypto, so I imagine the conventional formal definitions don't explain an older concept in terms of a newer one... this is my mental exercise to wrap my head around ZKP |
| 15:22:09 | sipa: | Adlai: i think a signature is a specific form of zkp yes |
| 15:22:19 | sipa: | a very non-general one |
| 15:22:26 | sipa: | not sure about the formal definition, though |
| 15:45:27 | hearn: | Adlai: technically i think a signature scheme can be called a non-interactive proof of knowledge |
| 15:45:30 | hearn: | http://en.wikipedia.org/wiki/Proof_of_knowledge |
| 16:02:16 | Adlai: | * Adlai adds this to the ever-growing reading list |
| 16:17:20 | wallet421: | wallet421 is now known as wallet42 |
| 16:42:34 | andytoshi: | Adlai: yes, a public key digital signature is a form of a nizk (noninteractive proof of knowledge) |
| 16:42:46 | andytoshi: | Adlai: a term used to emphasize this is "signature of knowledge" |
| 16:50:46 | andytoshi: | actually i don't think it's true in general that an existentially unforgeable sig is a nizk. but this is true that schnorr signatures are nizk (and possibly ecdsa too) |
| 17:00:07 | sipa: | andytoshi: is it still a nizk if it has a requirement such as 'never use related nonces for the same message/key' ? |
| 17:01:28 | MRL-Relay: | [surae] sipa probably not.. ZK protocols are built to avoid edge cases like using related nonces |
| 17:03:23 | MRL-Relay: | [surae] in principle, a NIZK proof should be a general algorithm that proves knowledge without revealing any secret information, regardless of choices of input to the message like nonces... whereas previously agreed-upon parameters (like the elliptic curve choice in ecdsa) could possibly ruin an NIZK scheme. but andytoshi will almost certainly correct me on this |
| 17:07:29 | andytoshi: | surae: the security property of nizk is roughly (a) soundness, ie it is "hard" to make a proof without a witness, (b) zero-knowledge, ie there exists a simulator which can produce a proof of any statement in the language which is statistically indistinguishable from an honest proof |
| 17:07:56 | andytoshi: | here "simulator" is a term of art meaning an entity that can control the CRS, control the random oracle, in an interactive protocol can go back in time, etc |
| 17:08:41 | andytoshi: | sipa: yeah, the trick is that against an adversary who controls the RO you -can't- have such a requirement, because you have to commit to the nonce before you know the hash challenge |
| 17:08:58 | sipa: | the RO? |
| 17:09:11 | andytoshi: | random oracle |
| 17:09:13 | sipa: | ah random oracle |
| 17:09:39 | andytoshi: | there are unique signature schemes which have this "no nonce reuse" condition baked into them, i expect there aren't any such schemes that are also nizks |
| 17:12:25 | andytoshi: | ah, this is deterministic but uses a RO ... and it is zero knowledge https://en.wikipedia.org/wiki/Boneh-Lynn-Shacham |
| 17:13:43 | andytoshi: | (because you can set H(m) = g^y for uniformly random y, then H(m)^x is easy to compute as (g^x)^y, but H(m) will still appear to be uniformly random) |
| 17:16:38 | andytoshi: | here is one that is non-deterministic, but has no RO, so a simulator has no extra powers. so not a nizk: https://crypto.stanford.edu/~dabo/pubs/papers/bbsigs.pdf (page 8 is the actual scheme) |
| 18:17:46 | wallet42: | wallet42 is now known as Guest84483 |
| 18:17:46 | wallet421: | wallet421 is now known as wallet42 |
| 18:26:10 | kumavis_: | kumavis_ is now known as kumavis |
| 19:12:49 | Aquent: | Aquent is now known as Santa |
| 19:13:19 | Santa: | Santa is now known as Guest44981 |
| 19:13:34 | Guest44981: | Guest44981 is now known as Santaa |
| 19:38:09 | belcher_: | belcher_ is now known as belcher |
| 20:23:54 | omni: | omni is now known as Guest20795 |
| 20:24:53 | NewLiberty: | NewLiberty is now known as NewLiberty-afk |
| 20:41:10 | NewLiberty-afk: | NewLiberty-afk is now known as NewLiberty |
| 21:11:58 | omni: | omni is now known as Guest98788 |
| 22:29:07 | rrrrandom: | rrrrandom is now known as belcher |
| 23:05:04 | tlrobinson_: | tlrobinson_ is now known as tlrobinson |
| 23:29:58 | tlrobinson_: | tlrobinson_ is now known as tlrobinson |