| 09:05:18 | hobana.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
| 09:05:18 | hobana.freenode.net: | Users on #bitcoin-wizards: andy-logbot Guyver2 Dr-G3 moa weex_ hktud0 CodeShark SDCDev prodatalab grandmaster justanotheruser RoboTedd_ jaekwon_ HaltingState TheSeven Emcy_ epscy damethos nanotube d1ggy_ dgenr8 gavinandresen dc17523be3 koeppelmann cryptowest rusty melvster hashtag DougieBot5000 fanquake p15_ tromp zooko cluckj Starduster bramc go1111111 flower_ shesek binaryatrocity waxwing spinza MoALTz andytoshi hashtag_ antgreen bliljerk101 pukie amincd luktgf |
| 09:05:18 | hobana.freenode.net: | Users on #bitcoin-wizards: embicoin GAit luny tromp__ wizkid057 starsoccer xabbix comboy nsh Taek PRab arubi adlai iddo EasyAt maaku LarsLarsen Logicwax Quanttek Pan0ram1x c0rw1n helo null_radix bosma PaulCapestany sipa btcdrak NikolaiToryzin huseby s1w bepo nuke1989 Visheate crescendo livegnik asoltys_ optimator gribble fluffypony Meeh cursive yoleaux dansmith_btc ebfull [d__d] berndj Luke-Jr morcos nickler jgarzik Fistful_of_Coins dardasaba sl01 isis gwillen |
| 09:05:19 | hobana.freenode.net: | Users on #bitcoin-wizards: stonecoldpat BlueMatt face airbreather delll_ dasource espes__ GreenIsMyPepper bedeho smooth phantomcircuit ajweiss sdaftuar coryfields Xzibit17 yrashk artifexd Zouppen kumavis mariorz catcow Krellan michagogo forrestv Muis cfields platinuum sneak Oizopower BananaLotus Keefe catlasshrugged JonTitor petertodd kanzure eric mappum jbenet wiz grubles midnightmagic heath gnusha warren gmaxwell Adrian_G Iriez lechuga_ dignork kinlo jessepollak ahmed_ |
| 09:05:19 | hobana.freenode.net: | Users on #bitcoin-wizards: Graet ryan-c Eliel veox amiller warptangent indolering K1773R TD-Linux leakypat CryptOprah Apocalyptic guruvan Anduck paperbot fenn harrow a5m0 SubCreative d9b4bef9 DoctorBTC mr_burdell NeatBasis Hunger- davout Alanius brand0 @ChanServ throughnothing btc___ HM2 azariah MRL-Relay otoburb hguux__ so phedny roasbeef BrainOverfl0w wumpus jcorgan jaromil bbrittain |
| 13:15:40 | jdvs: | it's difficult for me to determine if omnicoin is based on the bitcoin blockchain or another blockchain, does anyone know the answer to this? |
| 13:17:12 | fluffypony: | jdvs: it's forked from Bitcoin, so undoubtedly yes |
| 13:21:12 | fluffypony: | forked from an old version of Bitcoin too, like 0.8-ish |
| 14:55:56 | LTD_: | LTD_ has left #bitcoin-wizards |
| 16:57:34 | prodatalab_: | prodatalab_ is now known as prodatalab |
| 17:57:01 | maaku: | GreenIsMyPepper: where does SIGHASH_NORMALIZED get the normalized transaction IDs from? |
| 18:06:41 | bramc: | A question I keep meaning to ask: If there are a bunch of utxos all of which can be unlocked with the same key, can they all be accumulated together with a single transaction which has a single signature? |
| 18:08:29 | zooko`: | zooko` is now known as zooko |
| 18:08:58 | sipa: | no, you need a signature per input |
| 18:09:14 | sipa: | in theory it would be possible to allow them to be combined |
| 18:09:22 | sipa: | but it would require a more complex design |
| 18:09:28 | sipa: | and it would encourage key reuse |
| 18:13:45 | Eliel: | yep, not going to happen because of that last part. |
| 18:18:29 | nsh: | sipa, can you sketch the more complex design? |
| 18:23:50 | maaku: | nsh: i'm not sure sipa was referencing an actual design so much as commenting that bitcoin transaction format is not expressive enough to represent 'one signature covering multiple inputs' |
| 18:23:59 | nsh: | right |
| 18:24:20 | nsh: | but you might have a sidechain that is, conceivably? |
| 18:27:34 | maaku: | sure, maybe, but why would you want to? |
| 18:29:57 | nsh: | maaku, good question |
| 18:30:22 | nsh: | i don't presume to be able to guess bramc's thinking |
| 18:30:44 | nsh: | some kind of consolidation / defragmentation maybe |
| 18:32:29 | bramc: | nsh, It's useful for reducing transaction fees by making transactions smaller (at least in the future, when such things are correlated) and yes I'm thinking of it for cleaning up dust, or at least change-making |
| 18:32:58 | nsh: | right |
| 18:33:03 | bramc: | There's no real anonymity lost by sending a bunch of outputs to the same key if they're all going to be consolidated together anyway. |
| 18:33:21 | nsh: | i mooted at some point a kind of sweeper service that's funded from mining subsidies somehow |
| 18:33:26 | nsh: | but it was very woolly thinking |
| 18:34:17 | bramc: | There isn't a very good change-making service out there right now. Cryptoshuffle might be one but I haven't read that paper yet. |
| 18:35:55 | bramc: | I mean, cryptoshuffle might be a proposal for one, I don't believe anyone claims to be running such a service. |
| 18:36:21 | nsh: | * nsh nods |
| 18:37:29 | bramc: | It would be nice if there was a bitcoin wallet which had a 'make change' button which cleaned up the dust and unlinked all the utxos through a centralized service which specialized in that |
| 18:37:46 | bramc: | It's unclear how much demand there might be for such a beast though. |
| 18:40:17 | bramc: | But working on the design of that centralized service would be fun |
| 18:40:53 | nsh: | what would the trust implications be? |
| 18:41:22 | nsh: | (better than using bc.i obviously, but non-zero presumably) |
| 18:42:19 | bramc: | nsh, Not all that much if you use simultaneous transfer properly, a little bit of threat that the centralized service could re-link your unlinked transactions, or if they screw it up could reveal information about your business with them and hence who you are |
| 18:43:22 | bramc: | At one point in this channel we had a discussion about the algorithms for picking which utxos to combine/split when making a payment from a wallet. The upshot was basically 'we do this, but have no coherent intellectual basis for arguing that other algorithms are better or worse' |
| 18:43:40 | nsh: | right |
| 18:45:10 | bramc: | After thinking about it a bunch, my conclusion is that what you really should do is make payments by taking the smallest coin you have bigger than the target and splitting it in two, and move the extra into your dust pile, along with all received transactions, and when the amount of dust gets too much go use the change-making service |
| 18:45:34 | bramc: | There's a potential natural monopoly with the change-making service, because the bigger the pool the better the unlinking |
| 18:47:09 | nsh: | to greater the extent to which the input-choice algorithm is deterministic, the greater the ability to link transactions |
| 18:47:51 | nsh: | if you coupled with lossy mechanisms like coin-join that could be mitigated |
| 18:48:07 | bramc: | Sort of, randomization can open you up to attacks as well, where lots of small transactions are more likely to give away your identity |
| 18:48:14 | nsh: | right, yup |
| 18:48:18 | nsh: | randomness can be just as pernicious |
| 18:48:40 | nsh: | just less intuitively :/ |
| 18:48:42 | bramc: | The unlinking service I'm talking about would basically be a massive better version of coin-join |
| 18:49:00 | nsh: | ah right. that's favorable imho |
| 18:49:27 | nsh: | but as i understand it, the complexity of coin-join grows as you scale it up to more users |
| 18:49:34 | bramc: | It seems like a potentially good business, and fun to work on, but I'm busy working on other stuff |
| 18:49:37 | nsh: | * nsh nods |
| 18:51:09 | bramc: | It gets a lot easier if you have a centralized service and trust the centralized service to throw out their data eventually. The idea is that you do a coinswap with the service for all of your utxos, where they give you back somewhat better formed change by consolidating some of the dust they got from other people |
| 18:52:10 | nsh: | right. you can certainly increase the transparency and auditability to some 'trustworthy' threshold (again, certainly compared to e.g. bc.i) |
| 18:52:16 | nsh: | but proving the destruction of information is basically impossible |
| 18:52:31 | nsh: | that's the problem with trusted set-up (common reference string) schemes too |
| 18:52:33 | bramc: | The service needs a certain amount of working capital, and some algorithms for deciding which utxos to consolidate together when. That's the fun part. |
| 18:52:44 | nsh: | * nsh nods |
| 18:52:54 | bramc: | Dumb question: what are you referencing by bc.i? |
| 18:53:11 | nsh: | because lots of people just trust these guys with their wallet keys, as i understand it |
| 18:53:18 | nsh: | and that is really not too warranted from experience |
| 18:53:33 | nsh: | i'm just picking on them because i'm too lazy to think of other examples though |
| 18:53:37 | nsh: | oh, blockchain.info |
| 18:53:38 | nsh: | sorry |
| 18:54:03 | bramc: | Yeah trusting with wallet keys is totally cringeworthy. It calls into question whether you can get customers by doing things like change-making securely |
| 18:54:17 | nsh: | * nsh nods |
| 18:54:38 | bramc: | It could be that any such change-making service would wind up mostly servicing the relatively small number of vendors who are mostly receiving payments rather than sending them |
| 18:54:39 | nsh: | cultivating the right degree and the right kind of paranoia in the general public is a hard problem |
| 18:54:47 | nsh: | * nsh nods |
| 18:55:24 | bramc: | Although that would of course still be a very real business |
| 18:57:01 | nsh: | aye |
| 19:03:12 | bramc: | Making it truly decentralized is an interesting academic challenge but probably vastly less secure than using a centralized service |
| 19:03:33 | nsh: | i'm not sure i follow |
| 19:04:13 | nsh: | centralization generally concentrates the negative consequences of insecurity |
| 19:04:28 | nsh: | in exchange for lower complexity or better synchronicity |
| 19:06:07 | bramc: | If you try to make a truly decentralized change-making service, there are a lot more potential attacks where the participants mess with whoever they happen to be interacting with |
| 19:09:23 | nsh: | ah, i see |
| 19:09:58 | nsh: | yeah i guess you have more leeway to leverage human psychology/error in a decentralized solution that involves cluefulness |
| 19:11:26 | bramc: | It isn't just psychology. There are potential connection flooding attacks and selective leaving and tagging when you're participating in a decentralized system |
| 19:15:58 | nsh: | that too, aye |
| 19:16:34 | nsh: | you have to be very careful delegating security properties to unexamined assumptions about network connectivity |
| 19:16:44 | nsh: | this is a common way to screw up |
| 19:18:16 | nsh: | s/delegating...to/making contingent...on/ |
| 19:22:59 | bramc: | Given what a huge improvement the centralized system would be over what exists today, it's more compelling to make that. There's also less of a business in making the decentralized thing. But if anybody comes up with interesting designs on the decentralized thing I'd love to see them. |
| 19:23:06 | sipa: | bramc: i think it's a pretty bad idea to have a design that makes loss of privacy cheaper; if you don't reuse keus (which you should for privacy reasons), this optimization does not gain you anything anyway |
| 19:27:31 | bramc: | sipa, fair enough |
| 19:43:49 | adam3us: | anyone interested in cryptonote / ring sig crypto? i think you can ~halve the signature size by using section 5.1 from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.363.3431&rep=rep1&type=pdf |
| 19:45:43 | nsh: | neat |
| 19:51:16 | andytoshi: | adam3us: cool, this is actually quite different from the van saberhagen scheme |
| 19:51:37 | andytoshi: | so i can't just copy the key image over. but probably i can come up with something analogous |
| 19:53:33 | andytoshi: | hopefully i'll have time for brainteasers later this weekend to do it, if you haven't. (anyone else who wants to give it a shot is welcome to PM me for advice -- i'm 75% sure it's just "straightforward algebra" and does not require math/crypto experience) |
| 19:54:30 | adam3us: | andytoshi: i think its close enough. if you look at the g^s*y^c that is basically L |
| 19:54:43 | adam3us: | so compute R also and put that also into each hash |
| 19:55:27 | bramc: | There tends to be a fairly firm separation between crypto primitive work and using the primitives to make protocols. The former is mostly math, the latter is mostly 'crypto' |
| 19:55:33 | andytoshi: | oh, yeah, i see...but if R is in there you lose the space savings right? |
| 19:55:50 | adam3us: | and i think you're done (add I to the signature, add R=H(y)^s*I^c to the verification step) |
| 19:55:58 | adam3us: | (and convert to EC basis) |
| 19:56:42 | adam3us: | andytoshi: no because R is computed |
| 19:57:22 | adam3us: | andytoshi: the sig includes I now, and you can compute the rest…. H(y)^s*I^c |
| 19:58:29 | andytoshi: | ok, that seems correct, i'm not confident of security because the van saberhagen scheme has a second set of challenges and i worry they are necessary (and will imply that you need bigger sigs) |
| 19:58:33 | bramc: | This all sounds like fun. I'm stuck in monte carlo land. |
| 19:58:43 | andytoshi: | but i just need to write it out |
| 20:00:05 | adam3us: | andytoshi: i have the cryptonote paper here. it includes c_i and q_i which are analogous c_i and s_i here. |
| 20:01:01 | adam3us: | andytoshi: i was trying to figure out how to do this trick (towards my hobby of trying to find a fixed size ring sig for all of utxo ha ha) and found this paper with the magic formula- they did what i was trying to do. |
| 20:01:44 | adam3us: | andytoshi: so that takes it form O(2n+c) to O(n+c) only the pesky O(n) to get rid of :) |
| 20:05:07 | andytoshi: | adam3us: "analogous" is a stretch, they require sum{c_i} = H(...) so they can program all but one of the c_i's, whereas in this paper the c_i's are all hashes and all-but-one are programmed by chaining into each other, which is enough difference to confuse my intuition |
| 20:05:17 | andytoshi: | but i see what you're saying now, i think that you're right |
| 20:10:18 | andytoshi: | it's surprising to me that s doesn't even need to change, it's as though c_i = d_i in the van saberhagen scheme |
| 20:12:41 | andytoshi: | oh never mind, there is no d_i in the saberhagen scheme, i am looking at my own notes which do something else (combining signatures iirc) |
| 20:12:45 | adam3us: | andytoshi: i think the actual challenge requirement is that they depend on the commitments (g^s*y^c) such that you can forge at most n-1 of them and need one private key. the c values are arbitrary and could come from a CPRNG |
| 20:14:40 | andytoshi: | adam3us: right ... doing it by sum is the "obvious" way, this chaining thing is entirely new to me ... does the space savings come from this change somehow? |
| 20:16:30 | andytoshi: | ah, i think so, doing it by sum requires that you have a new equation for each new thing you wanna prove the DL of (in this case, the key image I = H(y)^x as well as y = g^x), else you have fewer equations than unknown and are not forced |
| 20:16:46 | andytoshi: | whereas you can put as many things as you want into a single hash challenge and it'll force them all at once |
| 20:16:52 | andytoshi: | very slick |
| 20:17:13 | adam3us: | andytoshi: yes you only need to send c1, the rest is computed by recurrence. so then the sig becomes c1,s1,…,sn instead of c1,…,cn,s1,…,sn |
| 20:22:47 | andytoshi: | ok, i understand. the space savings is simply because the recurrence avoids the need to send every c_i. (what i was saying explained how we avoid having both L_i's and R_i's, which are not sent but computed in verification; the paper you posted has only e_i's, so there's also a 50% speedup) |
| 20:31:02 | andytoshi: | this is really cool, this "ring of hash commitments" is totally out of left field to me |
| 20:39:31 | andytoshi: | for constant-size sigs, i wonder if you can do something like: replace the s_i's with a single sum of c_i^i*x_i, then [magic magic] this reduces to "given g^x, g^(x^2), ..., g^(x^q) determine g^(x^{q+1})" which is a standard and imo safe assumption (called q-diffie-hellman iirc) |
| 21:03:02 | adam3us: | andytoshi: i know scribbles on paper here in similar directions. the hard part is to correct it so you dont disclose which signature was the one with known private key. if it can be made to work its practically useful for bitcoin. |
| 21:04:49 | adam3us: | andytoshi: the issue is one of the s_i values is computed as \alpha-c_i*x_i (where x_i is the private key from y_i = g^x_i) |
| 21:10:24 | andytoshi: | the other s_i's are random, i wonder if we can deterministically generate them from each other (with an arbitrary one being programmable) with something like an "invertible permutation hash" |
| 21:11:21 | andytoshi: | lol, is there anything wrong with just doing s_i = s_0 + i actually? |
| 21:21:11 | andytoshi: | or what if all the s_i's are the same? |
| 21:24:31 | adam3us: | andytoshi: i did try s_{k+1} = E( s_k ) which implies s_{k-1} = D( s_k ) etc however you still arrive back at the problem that either you make the one you can fix coincide with the c_k you are calculating and divulge which is the real private key) |
| 21:27:37 | andytoshi: | i don't see why, the one you fix is blinded by α which is not revealed |
| 21:32:52 | andytoshi: | oh derp i see, you cannot actually have all the s_i's constant because you need to know c_k (which depends on s_{k-1}) before you compute s_k |
| 22:30:13 | Eliel: | if you wanted to help people learn bitcoin better, you'd first need to create a compact but easily understandable materials and then persuade the most popular wallets to include or at least link to it. |
| 22:34:50 | nsh: | you mean documentation? |
| 22:36:19 | nsh: | it's useful to appreciate how the curve might look when you graph the amount of information required to understand something well enough to do it right against the distribution of people who would benefit by using it |
| 22:36:34 | nsh: | i suspect the decay is quite sharp |
| 22:37:09 | nsh: | you can only package things and make them accessible to a certain degree, after that it's just a case of how much a given person is willing to eat the morsels |
| 22:37:31 | nsh: | if you want a wide franchise, you can't expect there to be a large meal of lore to swallow |
| 22:37:43 | nsh: | even if you make it into a yummy fruit smoothie |
| 22:37:43 | bramc: | Given that journalists sometimes write laudatory 'bitcoin is the future' articles while clearly not even understanding what it does and how, I don't think lack of documentation is the problem. |
| 22:37:55 | nsh: | journalism is the problem :) |
| 22:38:01 | nsh: | no, that's glib :) |
| 22:38:38 | bliljerk101: | what's the bitcoin-wizards channel for? |
| 22:39:31 | bramc: | bliljerk101, For discussing advanced topics and potential new development outside of the day to day of bitcoin development |
| 22:39:54 | nsh: | discussion of the theory and future developments of the technology of the blockchain and its associated/peripheral things |
| 22:40:20 | nsh: | and sometimes, within reason, other topics that might be of interest to the demographic that would usually discuss such thing |
| 22:43:17 | bliljerk101: | i see. i wasn't sure since i don't see much useful discussion going on in here |
| 22:43:45 | bramc: | bliljerk101, You can see past discussion in the archives on bitcoin.ninja |
| 22:44:01 | nsh: | thank goodness you intervened, bliljerk101 :) |
| 22:44:12 | bramc: | It frequently gets deep into arcane and technical discussions |
| 22:48:50 | prodatalab_: | prodatalab_ is now known as prodatalab |
| 22:56:31 | bliljerk101: | bramc thanks. nsh thanks for adding merit to my previous statement |
| 22:56:46 | nsh: | * nsh nods |
| 23:54:39 | zooko: | phantomcircuit, maaku: Ah! Psychology! Now that is an argument I can admit might be true, although I have a hard time judging if it is true. |
| 23:55:34 | phantomcircuit: | zooko, it's pretty obvious that it's different |
| 23:56:05 | phantomcircuit: | there's a reason the irs collects taxes through withholding and tax collectors |
| 23:56:28 | maaku: | zooko: the psychological argument is real |
| 23:56:39 | maaku: | the other argument is from sticky prices |
| 23:57:21 | maaku: | inflation allows those closest to the source of money to unevenly profit from the inflation |
| 23:57:25 | zooko: | To me sticky prices are another expression of psychology. |
| 23:57:37 | zooko: | Or of inaccurate or limited mental models of the players. |
| 23:57:41 | maaku: | well, in the sense that economics is really a social science |
| 23:58:07 | zooko: | bbiab |