01:16:37rusty:Is there a good primer on EC math anywhere? Coursera's Crypto I didn't cover it, and parsing wikipedia leads me down many garden paths...
01:17:23zooko:I don't really understand EC math myself,
01:17:38zooko:but, there is a lecture by DJB that seems to start from first principles.
01:17:45zooko:So... I'm not really aware of a good primer. :-(
01:18:51gwillen:rusty: crypto II is supposed to cover it, if he ever does that
01:19:05rusty:gwillen: indeed, and I'm signed up if and when...
01:19:15gwillen:current alleged start date is june 1
01:19:18gwillen:but we've heard that before ;-)
01:20:03justanotheruser:rusty: I like the wiki page tbh
01:20:29zooko:Hm, and I can't find that lecture that I saw. Sorry.
01:20:43rusty:zooko: https://www.youtube.com/watch?v=l6jTFxQaUJA ?
01:21:11kanzure:how about http://antoanthongtin.vn/Portals/0/UploadImages/kiennt2/BaiBao/DuLieu/2.State%20of%20the%20art%20in%20applied%20cryptography%201997-LNCS%201528/15280131.PDF
01:21:29zooko:rusty: that looks perfect. :-)
01:21:34zooko:* zooko starts watching it
01:31:28zooko:Whoops, got to go. Just got to the part about how to get away from those tricky non-discrete trig formulas. :-
01:31:29zooko:)
01:33:23kanzure:.title https://www.youtube.com/watch?v=l6jTFxQaUJA
01:33:25yoleaux:ECCHacks - A gentle introduction to elliptic-curve cryptography [31c3] - YouTube
01:35:47brisque:I think a lot of people's introduction to bitcoin is hampered by people's poor explanations of ECDSA. you're better off knowing it's properties and otherwise black boxing it than having a half assed understanding that is ultimately meaningless.
01:37:00jcorgan:^^ knowing how it behaves and what properties you can assume lets you make better decisions; understanding why those behaviors exist and why the properties are what they are is less important.
01:46:23brisque:that goes for a lot of things in bitcoin really.
01:46:37brisque:black boxing shad256d is a nice start.
01:50:48jcorgan:and there aren't that many black boxes in bitcoin to understand
01:51:30brisque:sha256d and ecdsa are two that trip people up usually
01:53:06dgenr8:waiting for crypto II too. DJB is clearly a Knuth disciple as it relates to timelines
01:53:36jcorgan:well, pay-to-pubkey-hash seems to get universally black-boxed as "an address is an account that holds bitcoin"
01:55:07brisque:much to the damage of gmaxwell's forehead.
01:55:24jcorgan:even gribble, our saintly fount of all knowing, makes that mistake
01:56:28brisque:it's a lot due to block explorers and people's desire to try to "organise" things in particular ways, not realising accounts are a feature of the wallet and utterly unrelated to addresses.
01:59:22jcorgan:something as simple as "Redeemable Unspent Receipts" as a table header instead of "Addresses and Balances" would go a long way. But people see the latter in pretty much every wallet.
02:00:53brisque:damage is already done.
02:01:50jcorgan:and showing two UTXOs with the same pubkey hash should be highlighted in red as "ambiguous"
02:02:20justanotheruser:!balance 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
02:02:21gribble:0.51465589
02:02:34brisque:some PKH have tens or hundreds of thousands of UTXO, enough to crash any browser
02:04:58brisque:high water mark is 3 million total outputs for one address.
02:05:54jcorgan:dice?
02:06:09brisque:you know it.
02:21:53Apocalyptic_:Apocalyptic_ is now known as Apocalyptic
02:22:21guruvan-:guruvan- is now known as guruvan
02:26:21kyletorpey:kyletorpey has left #bitcoin-wizards
02:27:43justanot1eruser:justanot1eruser is now known as justanotheruser
03:38:44rusty:rusty has left #bitcoin-wizards
03:58:32instagibbs:brisque: for the longest time I only knew the high-level black box. Crypto 1 was my first attempt at digging deeper. Little peeved there was no signature/ECC stuff :)
04:24:46kanzure:what we really need is smart matter that cannot rise above a certain temperature so that nobody will be foolish enough to implement a hot wallet with said matter
04:36:14PaulCape_:PaulCape_ is now known as PaulCapestany
04:57:16kanzure:just-vaguely-discernably-warm-wallet
04:58:42kanzure:(signing should raise the temperature)
05:19:53PaulCapestany:PaulCapestany is now known as PaulCape_
05:45:39PaulCape_:PaulCape_ is now known as PaulCapestany
06:58:34luny``:luny`` is now known as luny
09:05:17hitchcock.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
09:05:17hitchcock.freenode.net:Users on #bitcoin-wizards: andy-logbot Quanttek d1ggy Guyver2 Dr-G2 cbeams arubi_ rusty damethos hktud0 koshii moa luny grassass p15 face PRab BananaLotus Apocalyptic guruvan justanotheruser PaulCapestany ryan-c dc17523be3 MoALTz lnovy DoctorBTC melvster adlai paveljanik waxwing sipa harrow hashtagg grandmaster prodatalab flower bsm117532 alferz Luke-Jr gribble fanquake delll_ OneFixt amiller go1111111 jgarzik ebfull espes__ cluckj shesek cryptowest c0rw1n brisque
09:05:17hitchcock.freenode.net:Users on #bitcoin-wizards: cfields sdaftuar mkarrer Starduster Logicwax veorq coryfields dgenr8 devrandom Pan0ram1x helo bosma Hunger- xabbix burcin runeks null_radix bedeho copumpkin Cory gmaxwell Emcy huseby jaekwon_ GreenIsMyPepper sneak SwedFTP bepo LarsLarsen epscy nanotube tromp binaryatrocity spinza andytoshi bliljerk101 tromp__ wizkid057 starsoccer comboy nsh Taek iddo EasyAt maaku btcdrak NikolaiToryzin s1w Visheate crescendo livegnik optimator fluffypony
09:05:17hitchcock.freenode.net:Users on #bitcoin-wizards: Meeh cursive yoleaux dansmith_btc [d__d] berndj morcos Fistful_of_Coins dardasaba isis gwillen BlueMatt airbreather dasource smooth phantomcircuit ajweiss Xzibit17 yrashk artifexd Zouppen kumavis mariorz catcow Krellan michagogo forrestv Muis platinuum Oizopower Keefe catlasshrugged JonTitor petertodd kanzure eric mappum jbenet wiz midnightmagic heath gnusha warren Adrian_G Iriez lechuga_ dignork kinlo jessepollak ahmed_ Graet Eliel veox
09:05:17hitchcock.freenode.net:Users on #bitcoin-wizards: warptangent indolering K1773R TD-Linux leakypat CryptOprah Anduck bbrittain jaromil jcorgan wumpus BrainOverfl0w roasbeef phedny so hguux__ otoburb MRL-Relay azariah HM2 btc___ throughnothing @ChanServ brand0 Alanius davout NeatBasis mr_burdell d9b4bef9 a5m0 fenn
09:38:58nickler:rusty: I really like http://jeremykun.com/2014/02/08/introducing-elliptic-curves/
09:39:52rusty:nickler: oh, that looks nice!
11:59:44PaulCapestany:PaulCapestany is now known as PaulCape_
12:00:06PaulCape_:PaulCape_ is now known as PaulCapestany
12:51:04Guyver2:Guyver2 has left #bitcoin-wizards
13:42:02PaulCapestany:PaulCapestany is now known as PaulCape_
15:03:12PaulCape_:PaulCape_ is now known as PaulCapestany
15:08:15PaulCapestany:PaulCapestany is now known as PaulCape_
15:14:44waxwing__:waxwing__ is now known as waxwing
17:49:13arubi_:arubi_ is now known as arubi
18:05:36waxwing__:waxwing__ is now known as waxwing
18:46:59Guyver2:Guyver2 has left #bitcoin-wizards
19:47:14catlasshrugged:has anyone come up with a reasonble approximation of calculating the cost of a double spend vs. # of confirmations for a given tx?
19:47:42kanzure:you mean the cost of mining a reorg?
19:48:21catlasshrugged:If I understand you correctly, yes
19:49:41kanzure:catlasshrugged: page 11 https://bitcoin.org/bitcoin.pdf
19:50:01kanzure:catlasshrugged: and https://people.xiph.org/~greg/attack_success.html
19:56:29catlasshrugged:kanzure: thanks, those are helpful
19:56:44sipa:#bitcoin please
20:08:14catlasshrugged:sorry
21:17:21bramc:tromp, I didn't remember the bit about three in the holy hand grenade sketch
21:18:20tromp:oh, it's a classic: http://en.wikipedia.org/wiki/Rabbit_of_Caerbannog#Holy_Hand_Grenade_of_Antioch
21:19:25bramc:I looked it up after you mentioned it
21:19:53tromp:then you see how your remark reminded me of it:)
21:20:03bramc:Yes. Something about how important three is.
21:20:41tromp:you also said something like 4 is out of the question
21:20:56bramc:Oh funny
21:21:01tromp:where they have " Five is right out. "
21:22:42bramc:There's a bunch of tradeoffs, I'm basically looking for a value which causes pooling rewards for not crazy pool sizes to be nearly nonexistent, and doesn't fall prey to a superfast spow server being overly advantaged.
21:23:16bramc:There's also a large blowup in the number of messages with the current way of doing things I'm working on
21:25:31tromp:you should prepare a blog entry with an outline of your scheme, and get a ton of hopefully useful feedback
21:25:53tromp:also saves you from explaining it here repeatedly:)
21:26:26gmaxwell:bramc: did I hear that you're up to three SPOWs now?
21:26:46tromp:no; he has 3 proofs of storage for each spow
21:27:08bramc:gmaxwell, No it's three pos, followed by a spow whose challenge difficulty is the sum of the quality of the three previous spows
21:27:20bramc:or maybe their geometric mean, or geometric mean squared, or something like that.
21:27:26gmaxwell:ah, okay, that isn't as rubgoldbergy as I feared.
21:28:34bramc:It's less rube goldbergy than what I was working on before, although there's annoying stuff where it needs to be done collaboratively so people send around not just the best first pos but a list of the top few, and the the top few for the first and second based on their quality
21:29:01gmaxwell:oh that sounds like it has even more progress.
21:29:31bramc:Because an attacking pool will do that on their own, so you need to do the collaborative thing for the general pool to outdo them
21:30:26bramc:Not sure what you mean by 'more progress'. Doing things in this way is necessitated because withholding attacks if the pos all used the same challenge are very effective.
21:31:45bramc:This one has all kind of funny stuff happen where a member of a pool which is trying to withholding attacks defects because they got a winner for pos #3 so they serruptitiously introduce it into the general pool without permission
21:34:18bramc:Using three pos makes it so that a pool which has a small fraction if everything has only a tiny chance of getting lucky and catching up, to the point where pooling bonus is essentially gone
21:34:18zooko:Anyone going to the MIT Bitcoin Expo? I am! ☺
21:35:36kanzure:if someone could be kind enough to link me to a livestream when it is happening, i can do transcripts and live peanut gallery
21:35:45gmaxwell:zooko: BlueMatt is I believe.
21:39:46bramc:It looks like the idea behind op_checktimelockverify is to make it so that funds don't have to keep getting re-deposited as timeouts get hit
21:39:52bramc:from the lightning paper
21:40:04zooko:gmaxwell: Sweet. ☺
21:40:36bramc:gmaxwell, Going through this exercise has given me a new appreciation for how critical having winner take all is no mining
21:40:43bramc:on mining
21:42:23bramc:I think I'll need to sit down with Joe Poon in person and discuss, the paper is fairly opaque.
22:36:44bramc:The monero project web page isn't praticularly helpful or confidence inspiring. Is there a web page which has a straightforward writeup on how it uses ring signatures?
22:42:20bramc:The cryptonote white paper sort of talks about it, it seems like the sum total of the whole thing is to make a bunch of counterparties agree on a ring signature and then all send equal sized payments to that ring signature and spend them at their leisure later
22:43:36bramc:Which honestly seems like an anonymity loss, since utxo signature are one time anyway all that did was link those all together. Maybe it's a bit more convenient than making transactions for unlinking.
22:45:03gmaxwell:there is no agreements.
22:46:01bramc:gmaxwell, Thanks, that makes sense. A fun crypto gizmo though.
22:46:10gmaxwell:there is a UTXO set. You can gather N UTXO of the same value and sign so that your signature shows you're signing on behalf of one of the N. A side effect of the signature is a serial number which is unique per utxo that you're actually spending, that only the signer can compute but which everyone can verify.
22:46:54gmaxwell:So your input has an anonymity set the size of the ring*, and the signature size is linear in the size of the ring. (*) there are varrious factors that can reduce the anonymity set further.
22:47:27bramc:What's to stop someone from double spending the utxo?
22:47:50bramc:Shouldn't it have to go through an intermediary step, where I transfer the utxo to a ring-signature-unlocked utxo?
22:49:29Eliel:bramc: cryptonote method does not require any cooperation between individual users. The whole idea of the ring signature it's based on is that you can prove that you're one member of a group but not specify which member.
22:50:01gmaxwell:bramc: that unique serial number.
22:50:30gmaxwell:bramc: the serial number gets stored and the system prevents any duplicate serial numbers, so no double spend is possible.
22:50:33bramc:But you still have an input utxo, and input utxos need to be mixed to prevent double spends
22:50:54Eliel:bramc: umm no, the group is formed from different input utxos.
22:51:08Eliel:and the signature proves that you know the private key to one of them
22:51:09bramc:gmaxwell, oh, so spending the original utxo would require the same serial number?
22:51:21gmaxwell:yep!
22:51:28bramc:Aaah, that makes it a lot more useful
22:51:59gmaxwell:You've got it. Yea, I'd tried prior to cryptonote stuff to use ringsigs for privacy and failed due to that issue... the that linkability is the extra part that makes it all work.
22:52:55Eliel:as long as your private key doesn't leak, your privacy can't be broken.
22:54:29Eliel:it took me a while to understand how the crypto works but it was worth the time :)
22:55:21bramc:It does make it a bit more difficult to have a list of unspent utxos :-P
22:55:39Eliel:was kind of amusing to see that cryptonote signatures consist of mostly random numbers :)
22:55:56Eliel:bramc: yep, instead you need to keep a list of spent utxo serials.
22:56:22bramc:Eliel, and a list of all utxos which have existed ever
22:57:14Eliel:yep, gmaxwell and andytoshi had a solution for that IIRC but I can't recall the details right now
22:59:10bramc:So then you can use snarks to show that a particular serial came out of the list of all utxos of a particular value which have ever existed?
22:59:53bramc:Is that what zerocoin does?
23:01:28gmaxwell:yes, thats what zero_cash_ does. There is a TXO tree H(serial||nonce) and you prove the TXO tree contains the serial you're claiming to spend.
23:01:32brisque:cnutgktcrblthhktvcvihhfncvncvrvg
23:01:39brisque:._.
23:01:42brisque:sorry.
23:02:02Eliel:brisque needs a new password :)
23:04:15bramc:Of course, if you're going that way you can dispense with the ring signature completely and make the 'signature' be a hash preimage reveal
23:04:31MRL-Relay:[othe] bramc, did u check MRL-0003 ? it explains that stuff u are asking about https://lab.getmonero.org/pubs/MRL-0003.pdf, theres also a python ringsignature port on github
23:05:09bramc:What is this mrl relay thing?
23:05:31MRL-Relay:[othe] just a relay bot from monero irc to freenode
23:06:21bramc:Thanks othe
23:08:02justanotheruser:gmaxwell: what curve is the blockstream challenge using? Or should that not matter?
23:08:36brisque:I would be shocked if it wasn't secp256k
23:09:24gmaxwell:it's secp256k1.. the signatures are just old style armory signatures.
23:09:35justanotheruser:ok thanks
23:09:45gmaxwell:I need to put a sage script up that verifies them, seems a lot of people expect them to be invalid.
23:10:21bramc:gmaxwell, what did you mean about there being progress?
23:11:32justanotheruser:If they were invalid then that would be a dumb puzzle
23:11:52gmaxwell:justanotheruser: yea, thats my thinking too!
23:12:28justanotheruser:though it would be a great troll
23:12:38gmaxwell:bramc: that larger participants gain more advantage. But I see that you're expecting participants to share their progress. I understand now that you're basically instutionalizing some of the strategic mining we'd talked about before.
23:13:39bramc:gmaxwell, Yeah it's institutionalizing it but capping it at a small fixed number of generations in
23:14:08bramc:And yeah, the idea is to make the cooperation squeeze out anyone who tries to form their own separate pool
23:20:15bramc:Funny thing, zerocash has some clear benefits in terms of having a relatively small block chain
23:20:32bramc:Because all the public keys are just secure hashes
23:22:24brisque:aren't their proofs absolutely massive?
23:22:32tromp:288 bytes
23:23:37bramc:I guess it's like using p2sh and overall winds up being a little bit bigger
23:24:51gmaxwell:it's completely unprunable though.
23:25:00bramc:unprunable?
23:25:24gmaxwell:right now you only need <1GB stroage to run a bitcoin full node, because there is no need to retain the past history.
23:25:27bramc:Oh, you mean zerocash. Yes, it has similar problems to cryptonote but worse
23:25:59bramc:That appears to be inherent in the design goals.
23:26:26gmaxwell:Well the cryptonote stuff is unprunable and the signatures are pretty big (well, only a bit bigger than zerocash proofs, I guess).
23:26:51bramc:The signatures are arbitrarily large, aren't they?
23:27:01bramc:Because you can throw in any number of other things into your set
23:27:10gmaxwell:At least in the ZC paper though they require multiple proofs per transaction if you have more than 2 inputs 2 outputs, so 288 is kind of a lower bound (though with more circuits more cases could be covered with a single proof)
23:27:31gmaxwell:bramc: yes, the signatures are linear in the ring size.
23:34:14justanotheruser:oh now I feel dumb, I just realized the signature blocks had addresses in them
23:35:27Luke-Jr:justanotheruser: ?
23:37:47justanotheruser:Luke-Jr: I asked the curve type for the blockstream challenge, but the fact that it records addresses makes it quite obvious that it's secp256k1
23:54:40adlai:[compressed] addresses don't reveal which curve is being used?
23:55:00adlai:especially not after ripemd160...
23:55:17adlai:* adlai has encountered a patent violation: https://github.com/krkhan/cl-ecc/blob/master/ecdsa.lisp#L29
23:57:29gmaxwell:adlai: uh. I'm not sure why you're saying that; (there is a lot of misinformation about whats actually patented; most patents are _far_ narrower than the general public thinks they are)
23:58:07gmaxwell:adlai: the point about the addresses is that it would be really screwy to have a bitcoin address on something that wasn't actually a bitcoin address, not that its impossible but it would certantly be messed up to do otherwise.
23:58:29adlai:* adlai might be taking djb's joke (from https://www.youtube.com/watch?v=l6jTFxQaUJA ) too literally