00:03:20gmaxwell:Yes, you were.
00:03:48gmaxwell:(you might also not be aware but all the ed25519 signature verification code also verifies that the pubkey is on the curve; https://github.com/floodyberry/ed25519-donna/blob/master/ed25519.c#L100 e.g.)
00:05:10gmaxwell:DJB is great, but he's somewhat sloppy in his descriptions for lay-people-- esp on the curve25519 tare, where he's really promoting it over the kinda-awful brainpool curves-- in ways that may not be all that helpful.
00:07:10gmaxwell:Presumably he was talking about the montgomery ladder trick for avoiding to have to check if a point is on the curve for twist secure curves. It's only applicable to ECDH. For signature verification you're doing a multi-exp, and you also don't care about constant timeness. The non-montgomery version is enormously faster.
00:09:17gmaxwell:(also, incidentally, the montgomery-ladder trick works for any curve, given a bit of algebra to work out the equaltions for the known difference updates... though it's only reasonable to use for twist-secure curves, but many curves are twist secure including secp256k1 and NIST P256)
00:09:25gmaxwell:equations*
00:16:10adlai:is 'why secp256k1?' a welcome question here?
00:16:28hearn:adlai: nobody knows
00:16:36hearn:adlai: it was, however, a lucky choice.
00:17:24adlai:ok, what about 'how does the switch happen', when railroading time ends?
00:17:41gmaxwell:adlai: huh?
00:18:22adlai:isn't it reasonable to expect that this curve will eventually be broken, especially with more attention on it due to its role in bitcoin?
00:18:26hearn:railway time was one of the victorian era's great inventions
00:18:38hearn:it led directly to the modern notion of timezones
00:18:51hearn:adlai: fortunately for the world, cryptography does not work quite like that.
00:19:30hearn:adlai: if we wanted to switch to another curve, it'd be the same as any other forking change. everyone upgrades their software. anyway, this isn't really a #wizards level discussion, i'm afraid.
00:20:03gmaxwell:adlai: Not unless there is some fundamental mathematical breakthrough, which would likely render all (or at least a significant fraction of all) curves of similar sizes insecure.
00:20:11adlai:'railroading time' is a heinlein reference, http://www.hjkeen.net/halqn/dor2sumr.htm#rrd
00:20:31brisque:hearn: wouldn't it be a soft fork?
00:20:55gmaxwell:adlai: Bitcoin script is forward compatible and new features can be introduced fairly easily (even without upgrading all users); e.g. p2sh added effectively a whole new scripting system (which happened to be the same as the old one, just nested inside a hash)
00:21:05brisque:(assuming "weakened", not "8 bits of security")
00:22:00gmaxwell:if there were some great need to, an opt in new cryptosystem could probably be deployed in a few weeks time.
00:22:13adlai:the event would reveal which utxos are cared about by their owners
00:22:44gmaxwell:you can care without paying attention or without having a clue. :)
00:23:47gmaxwell:(else you might say all these people who've reused revealed pubkeys care less; in that they're much more exposed to fanciful EC attacks; but I don't think that it's true that they care less)
00:23:57hearn:for some very low value of "care". when we had to do a crash key rotation due to the android SecureRandom bugs, the wallets were auto updated and automatically respent the users funds back to themselves.
00:24:12hearn:not all users were even aware it was happening until after the fact.
00:24:52adlai:aha, that's the kind of process i was curious about... this is indeed more of a #bitcoin question.
00:28:44bramc:It used to be that people talked about cryptosystems expiring due to their key lengths being taken over by moore's law. Current key lengths should be enough to last forever though.
00:29:10brisque:or until the US starts restricting them again.
00:29:23gmaxwell:bramc: yes, they won't expire due to moore's law.
00:29:41gmaxwell:they'll quite possibly expire due to other things.
00:30:09bramc:Well, presumably they'll expire due to better systems being built which people switch to.
00:30:18bramc:At least, hope they do. Otherwise you have DNS.
00:30:30gmaxwell:Sadly, an asymmetric cryptosystem which can provably expire no faster than computer speed increases is sufficient to prove P != NP, so I don't think we'll be seeing one of those anytime soon. :)
00:34:18bramc:We can't prove much of anything about our symmetric ciphers either
00:35:29gmaxwell:Well some symmetric ciphers you can prove things about.
00:36:20gmaxwell:For example, anything that is a complete permutation and used in a mode where the key is the same size as the data, can have information theoretic security.
00:37:18bramc:Information theory, yes. You can also prove reductions.
00:39:11gmaxwell:and even for conventional usage you don't get a tidy reduction to P!=NP.. e.g. even if you could prove your block cipher had the property that given two plaintext, ciphertext pairs one could not efficiently recover a key the size of the block... that doesn't prove that P!=NP, because it just may mean that the inputs don't form a basis that lets you recover the key. most asymmetric crypto though,
00:39:17gmaxwell:if you can prove the key can't be recovered efficiently you _directly_ have a proof that P!=NP.
00:41:02adlai:oh, here's another off-topic question: should i study math or computer science, if i want to be less useless in such discussions?
00:41:16adlai:* adlai would be glad to take this elsewhere / pm, shuts up now
00:42:19gmaxwell:Both? Really depends on where you're talking about. Some CS programs are very mathy and others are very 'java webtoys lol'.
00:45:33adlai:probably germany, frei wenn sie sprechen es
00:52:45rusty:gmaxwell: I gather you're discouraging open discussion of your half puzzles, in the short term?
00:53:34gwillen:rusty: there are people discussing them, but those of us who haven't had a chance to work on them yet would probably encourage avoiding spoilers :-)
00:54:52rusty:gwillen: fair enough. I'm hoping to find some spare cycles to tinker on the weekend. Not that I'll make progress, but at least I'll learn something :)
00:55:23gwillen:* gwillen nodnod
00:59:01maaku:adlai: at my university computer science was part of the math department
00:59:16maaku:really, study both. it's two sides of the same coin
00:59:43maaku:if you're asking what major you should have, then that depends on your career goals and is OT
01:02:24ajweiss:there are also different types of math taught out of different departments
01:03:24ajweiss:statistics vs. pure math vs. linear systems (applied math) vs. ...
01:07:26adlai:relevance towards 'crypto' https://botbot.me/freenode/bitcoin-wizards/2015-02-28/?msg=33061842&page=3
01:08:15andytoshi:adlai: if you are looking for academic/educational advice you can pm me
01:26:25bramc:I think with my new idea withholding attacks aren't stable because members of the coalition doing the withholding are incented to cheat
01:30:16gmaxwell:rusty: I updated the page to include a note that the signatures are valid. Seems many people thought they needed to find some bitflips to make them valid.
01:30:44bramc:Coinshuffle seems like a neat thing but it doesn't solve the hard problem, which is forming the groups in the first place
01:31:35gmaxwell:s/forming the groups in the first place/writing usable applications to make use of these techniques/ :)
01:31:52bramc:gmaxwell, Yes exactly
01:31:56rusty:gmaxwell: Oh, I was just hacking together some utils, decided to check that you weren't pulling a meta-joke. Result was a wild goose chase, but I got to learn something.
01:32:31belcher_:if you're interested in coinjoin, check out joinmarket which im working on right now, it forms those groups by paying people
01:33:23gmaxwell:rusty: bitcoin.ninja has a sage notebook for secp256k1 ecdsa signatures. I'm fond of sage for random number theory noodling.
01:34:49gmaxwell:(sage's EC is super slow, but it's a decent pocket calculator for this stuff; and since it's python there is very little learning curve)
01:38:19rusty:gmaxwell: great, now I have *10* tabs open awaiting reading!
01:40:39hearn:is there a written description of satoshi's knapsack coin selection algorithm anywhere?
01:43:08hearn:specifically, why it attempts to optimise for what it does
01:44:57rrrrandom:rrrrandom is now known as belcher
01:46:54bramc:Huh this is weird, the Mixcoin paper doesn't seem to use simultaneous transfer
01:47:06bramc:https://eprint.iacr.org/2014/077.pdf
01:48:00gmaxwell:bramc: the mixcoin stuff is 'accountable' instead of secure.
01:48:11bramc:gmaxwell, I get that, but why not be secure?
01:49:06bramc:Also I'm not so sure that maxing explicit mixes is such a hot idea. If you've got a slightly trusted mix they can do a better job of keeping info off the block chain by maintaining some amount of working capital
01:49:22gmaxwell:I believe the work started prior to people being aware of coinjoin/coinswap; and potentially you could get better or at least different forms of privacy without that constraint.
01:49:37bramc:So they can do things like hand over a coin they got from somebody else without splitting or joining it as part of the change-making process
01:50:06bramc:I don't think coinswap hurts anything if you're doing it with a mixing third party
01:50:45brisque:bramc: put some more thought into it.
01:51:14gmaxwell:(I generally don't think the accountable but not secure approach is likely to be practically useful; because the reputation required for it to work makes it especially vulnerable to being backdoored and also suggests a fee structure that discourages use except by criminals, and criminal use increases backdooring risk, yadda yadda)
01:51:17bramc:brisque, You'll have to say more than that to have any hope of convincing me
01:51:54gmaxwell:Indeed, I don't think coinswap implies any particular constraints that are annoying.
01:52:02gmaxwell:But its even less well known than coinjoin.
01:54:11bramc:Yeah, the things which are and aren't well known are a bit strange
01:54:23bramc:starting with how few journalists know that mining burns resources :-P
01:55:36gmaxwell:most people don't think of computers consuming energy at all.. considering that a single desktop is pretty modest to most home appliances that you think of as consuming energy. :)
02:03:15moa:resource allocation, substitution, pricing, usage is a substantial but underdeveloped area of economics with simplistic quantification ... e.g. find a rigorous definition of what a "resource" is?
09:05:17cameron.freenode.net:topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
15:11:54kanzure:someone's attempt at mining analysis http://wan.poly.edu/pam2015/papers/23.pdf
15:12:33kanzure:"Obviously, a miner prefers places with low electricity price η(t), and will shut down her hardware whenever the profit rate becomes negative."
15:12:36kanzure:uh...
15:15:15kanzure:"Such a race will automatically end when the profit margin hits zero."
15:15:28kanzure:except this is ignoring the other motivations for mining?
15:19:55brisque:that they don't make note of the fact that the timestamp on a block isn't reliable makes me question the validity of the rest of it.
15:22:29brisque:if you're interested in more insanity like that, the neighbourhood pool watch site regularly goes absolutely nuts with the graphs. http://organofcorti.blogspot.nl/
16:22:01instagibbs:"obviously" and "clearly" are only used to power through arguments you can't prove
16:23:44fluffypony:instagibbs: obviously that's clear
16:24:35sipa:ha
16:24:56instagibbs:that said, some people were discussing death spirals of mining during price crashes. Might make sense to increase coinbase maturity time to further incentivize long-term thinking. (still not clear at all it's a problem)
16:25:53brisque:if I want to sell my immature coinbase output nothing is stopping me really
16:26:27instagibbs:hmm probably, and now that I think, it may not make any sense anyways.
16:27:39instagibbs:The idea would be that at least someone would want to make sure mining happens, immature coinbase buyer or otherwise. But the additional incentive to continue mining still may not exist.
16:28:12instagibbs:aside from what's holding it all together now
16:28:26brisque:keep in mind that the maturity time is just to provide reorg stability, not enforce some sort of continuation of mining
16:29:01instagibbs:off label uses, baby
16:29:03instagibbs:like viagra
16:29:56instagibbs:I'll think about it some more
16:42:52instagibbs:Yeah I seriously doubt that "fix" does anything. Myopic greedy miners will still do exactly what they'd do before, afaict
16:43:23brisque:we want miners to be greedy.
16:43:59instagibbs:That's fine. I'm just saying my idea was useless, from what I can tell. I was trying to fix a tragedy of commons issue.
16:44:18instagibbs:Doesn't resolve it, therefore dumb.
16:48:51instagibbs:The real q is if users sending txns will jack up fees to encourage inclusion in next block if blocks would be spaced out, encouraging miners to get back into mining again. And if miners expect this, then maybe this is moot.
16:50:40brisque:at least nobody can claim to be surprised