sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
cocoBTC has quit [Quit: Leaving]
roxtrongo has joined #bitcoin-wizards
roxtrongo has quit [Ping timeout: 265 seconds]
GGuyZ has quit [Quit: GGuyZ]
GGuyZ has joined #bitcoin-wizards
davec has quit [Read error: No route to host]
DougieBot5000 has joined #bitcoin-wizards
tulip has quit []
drig0r has quit [Ping timeout: 264 seconds]
PRab has quit [Quit: ChatZilla 0.9.92 [Firefox 42.0/20151029151421]]
davec has joined #bitcoin-wizards
simba has quit [Read error: Connection reset by peer]
simba has joined #bitcoin-wizards
rusty has joined #bitcoin-wizards
tulip has joined #bitcoin-wizards
simba has quit [Remote host closed the connection]
justanotheruser has quit [Ping timeout: 252 seconds]
<bramc>
does it matter if I make my reference implementation in python2 or python3? Doing it in python2 is slightly annoying.
<kanzure>
nope, but if you find this turns out to be false, i'll volunteer to write a python2 implementation
justanotheruser has joined #bitcoin-wizards
TBI has joined #bitcoin-wizards
TBI_ has quit [Ping timeout: 240 seconds]
aburan28 has joined #bitcoin-wizards
bramc has quit [Quit: This computer has gone to sleep]
<rusty>
sipa: it's awesome work; I suspected it was possible but didn't follow though. Thanks :) Though I can't see a way around the requirement for an OP_CHECKKEYPAIRVERIFY.
zooko has quit [Ping timeout: 246 seconds]
TheSeven has quit [Ping timeout: 252 seconds]
TheSeven has joined #bitcoin-wizards
Yoghur114 has quit [Remote host closed the connection]
dEBRUYNE has quit [Ping timeout: 246 seconds]
roxtrongo has joined #bitcoin-wizards
PaulCapestany has quit [Quit: .]
Prattler has joined #bitcoin-wizards
roxtrongo has quit [Ping timeout: 240 seconds]
NewLiberty has joined #bitcoin-wizards
PaulCapestany has joined #bitcoin-wizards
blackwraith has quit [Read error: Connection reset by peer]
zooko has joined #bitcoin-wizards
Ylbam has quit [Quit: Connection closed for inactivity]
roconnor has joined #bitcoin-wizards
NewLiberty has quit [Ping timeout: 255 seconds]
snthsnth has joined #bitcoin-wizards
Burrito has quit [Quit: Leaving]
GGuyZ has joined #bitcoin-wizards
the`doctor has quit [Quit: the`doctor]
the`doctor has joined #bitcoin-wizards
the`doctor has quit [Ping timeout: 265 seconds]
belcher has quit [Quit: Leaving]
roxtrongo has joined #bitcoin-wizards
AaronvanW has quit [Ping timeout: 246 seconds]
roxtrongo has quit [Ping timeout: 265 seconds]
p15 has joined #bitcoin-wizards
adam3us has joined #bitcoin-wizards
adam3us has quit [Quit: Leaving.]
Lightsword has quit [Quit: Lightsword]
zooko has quit [Ping timeout: 246 seconds]
Emcy has quit [Read error: Connection reset by peer]
Lightsword has joined #bitcoin-wizards
roconnor has quit [Quit: Konversation terminated!]
Lightsword has quit [Ping timeout: 250 seconds]
Lightsword has joined #bitcoin-wizards
nephyrin has quit [Read error: Connection reset by peer]
<kanzure>
yeah actually the data set was public for a few years because nobody was complaining
* nsh
smiles
GGuyZ has quit [Quit: GGuyZ]
<aj>
kanzure: hmm, while you're doing other people's research for them; do you know if there's already been proposals to add generic crypto ops to bitcoin script (eg, ECC multiply, or verify a sig of a given message rather than a sig of the transaction as a whole)?
<gmaxwell>
There is also an unpublished requirements notes doc that I could share with you that I wrote after I'd stopped publishing such things for frustration that they were going straight into altcoin whitepapers without getting implemented.
<kanzure>
i don't remember any proposals about OP_ECDSA_STUFF ...
<gmaxwell>
aj: elements alpha can verify signatures on data coming in on the stack.
<aj>
gmaxwell: hmm, i skimmed through the opcodes and didn't spot that :(
<kanzure>
"We also add the ability to check signatures on data on the stack other than the transactoin data itself, and this allows you to build bonds on good behavior, so you could say here's some bitcoin on the network that you could be paid if you prove the same contract was signed twice by some party. This has been the work of Patrick Strateman."
<aj>
gmaxwell: blind. OP_CHECKSIGFROMSTACK, neat
Monthrect is now known as Piper-Off
gmaxwell has quit [Ping timeout: 240 seconds]
gmaxwell has joined #bitcoin-wizards
gmaxwell is now known as Guest61914
Guest61914 has quit [Changing host]
Guest61914 has joined #bitcoin-wizards
<matsjj>
I would love some OP_code for verifying a priv/pub key pair - currently there are only proposals for verifying signatures
<matsjj>
I guess there are ways using multiplying and op_mod(disabled) to achieve the same
<matsjj>
oh op_mul is disabled as well - nvm
<sipa>
matsjj: that would be insanely inefficient
<matsjj>
yea
<sipa>
even if they were available
Guest61914 is now known as gmaxwell
<aj>
sipa: (as opposed to implementing libsecp256k1 in moxie? :)
<aj>
implementing in, compiling to...
<sipa>
aj: that too would be inefficient; you really need cryptographic primitives in your script language
atgreen has quit [Quit: Leaving]
<matsjj>
sipa, there are not really any downsides to all of these crypto op's, are there? is it just the lack of possible applications / lack of people implementing these?
kang_ has joined #bitcoin-wizards
<gmaxwell>
there are potential downsides, performance, verification costs (and dos attack vulnerabilties), forking from implementation disagreements, lost optimization possibilities, increased difficulty in running verification in a succinct ZKP, increased difficulty running script verification in embedded device (e.g. smart property).
<gmaxwell>
But they can have benefits too.
<nsh>
(parser differentials ain't nothin' to fork with)
<nsh>
(complexity requires assurances and justification just by default, especially so with consensus)
ThomasV has quit [Ping timeout: 260 seconds]
<gmaxwell>
matsjj: by insanely inefficient, that would be... minutes. scale.
<matsjj>
gmaxwell: I know, I was just playing around ;)
<gmaxwell>
oh good. whew.
<matsjj>
yea I guess there are lots of new attack vectors that are even difficult to think about when allowing generic crypto operations
<gmaxwell>
FWIW, with the earlier mentioned list; I'd just go ahead and publish it here now, -- the wave of altcoins hype promoting in that manner is gone, and I'm too busy now to care if they do -- but it's dated at this point and there are something in it that I'd rather not promote (now knowing much more powerful replacements :) )
tulip has quit []
eudoxia has joined #bitcoin-wizards
GAit has joined #bitcoin-wizards
simba has quit [Remote host closed the connection]
ThomasV has joined #bitcoin-wizards
Quanttek has joined #bitcoin-wizards
rustyn has quit [Read error: Connection reset by peer]
rustyn has joined #bitcoin-wizards
Argus has joined #bitcoin-wizards
adam3us has joined #bitcoin-wizards
Piper-Off is now known as Monthrect
adam3us has quit [Quit: Leaving.]
zooko has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 252 seconds]
Argus has quit [Quit: Leaving]
vdo has joined #bitcoin-wizards
liteIRC_ has joined #bitcoin-wizards
adam3us has joined #bitcoin-wizards
simba has joined #bitcoin-wizards
DougieBot5000 has joined #bitcoin-wizards
liteIRC__ has joined #bitcoin-wizards
matsjj has quit [Remote host closed the connection]
liteIRC___ has joined #bitcoin-wizards
liteIRC__ has quit [Read error: Connection reset by peer]
liteIRC_ has quit [Ping timeout: 246 seconds]
liteIRC__ has joined #bitcoin-wizards
zooko is now known as zookolaptop
liteIRC__ is now known as zooko
simba has quit [Ping timeout: 250 seconds]
liteIRC___ has quit [Read error: Connection reset by peer]
GAit has quit [Quit: Leaving.]
liteIRC_ has joined #bitcoin-wizards
GGuyZ has joined #bitcoin-wizards
GAit has joined #bitcoin-wizards
zooko has quit [Ping timeout: 246 seconds]
liteIRC_ is now known as zooko
liteIRC_ has joined #bitcoin-wizards
zooko has quit [Read error: Connection reset by peer]
liteIRC_ is now known as zooko
GGuyZ_ has joined #bitcoin-wizards
liteIRC_ has joined #bitcoin-wizards
zooko has quit [Read error: Connection reset by peer]
liteIRC_ is now known as zooko
GGuyZ has quit [Ping timeout: 272 seconds]
GGuyZ_ is now known as GGuyZ
liteIRC_ has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
GGuyZ_ has joined #bitcoin-wizards
Lightsword has quit [Quit: Lightsword]
nanasho has joined #bitcoin-wizards
nanasho has left #bitcoin-wizards [#bitcoin-wizards]
zooko has quit [Ping timeout: 276 seconds]
liteIRC_ is now known as zooko
GGuyZ has quit [Ping timeout: 240 seconds]
GGuyZ_ is now known as GGuyZ
adam3us has quit [Quit: Leaving.]
GGuyZ_ has joined #bitcoin-wizards
GGuyZ has quit [Read error: Connection reset by peer]
GGuyZ_ is now known as GGuyZ
GGuyZ_ has joined #bitcoin-wizards
GGuyZ has quit [Read error: Connection reset by peer]
GGuyZ_ is now known as GGuyZ
GGuyZ has quit [Client Quit]
damethos has quit [Quit: Bye]
Starduster has quit [Read error: Connection reset by peer]
simba has quit [Remote host closed the connection]
bramc has quit [Quit: This computer has gone to sleep]
snthsnth has joined #bitcoin-wizards
orik has joined #bitcoin-wizards
<bsm1175321>
Does anyone know a zero knowledge algorithm for proving PoW? i.e. a ZKP that I know x satisfying hash(x) < t, without revealing x or hash(x)?
<zookolaptop>
zk-SNARKs!
<zookolaptop>
That's my answer to everything.
* nsh
smiles
<bsm1175321>
which comes down to proving an inequality.
<zookolaptop>
That, and keto diet, and listening to econtalk.
snthsnth has quit [Ping timeout: 276 seconds]
<nsh>
so i think you can prove that now with snarkfront, bsm1175321
<bsm1175321>
Interesting. Now can I prove that I know many n x_i satisfying the PoW compactly? ;-)
<zookolaptop>
You can do *anything* with zk-SNARKs.
<zookolaptop>
(for sufficiently small definitions of anything.)
* bsm1175321
now wonders what zooko is an acronym for.
<bsm1175321>
I hope we get a talk about zk-snarks at scaling bitcoin...
<jcorgan>
Zero Observed Orthogonal Knowledge Output? :-)
<jcorgan>
sorry, i'll go back to lurking
<zookolaptop>
bsm117532: yes! There is one talk about zk-SNARKs lined up for Scaling Bitcoin, from Madars Virza of the Zcash team.
<zookolaptop>
And, Madars and I were brainstorming about what aspects of zk-SNARKs would be
<zookolaptop>
most interesting to the audience.
<zookolaptop>
So if and only if you are going to be in the audience at Scaling Bitcoin, Hong Kong, please
<zookolaptop>
speak up about what zk-SNARKy topic would keep you most interested.
<bsm1175321>
Right now I'm trying to figure out how to "aggregate" a set of blocks from miners. I want to prove that I know the PoW's, but also somehow prove that I haven't omitted their payout addresses. And I want the proof to not scale with the number of miners...
<bsm1175321>
Looking forward to Madars' talk. ;-)
<bsm1175321>
Frankly ZKP's and zk-Snarks are on my reading list and I've done some reading about Yao's garbled circuits, but I've got a long way to go. Moon math wizardry, it is.
<instagibbs>
Frankly I might want to hear interesting things that snarks *can't* do. It might help build conceptual boundaries on this witchraft
<bsm1175321>
+1 instagibbs
<alan_>
... encryption ...
<instagibbs>
but ofc Zooko said only audience members...
<bsm1175321>
If anyone in NYC wants to lead a discussion on the topic, we'll host it an provide pizza & beer.
* instagibbs
sulking bc can't go
mrkent has joined #bitcoin-wizards
<zookolaptop>
Actually, I definitely want to hear the opinions of non-HK-audience members,
<zookolaptop>
but if you *are* an HK-audience-member could you tag your opinion as such?
frankenmint has quit [Remote host closed the connection]
frankenmint has joined #bitcoin-wizards
<jcorgan>
"what can you do with zk-SNARKS that would be impossible (not just slower/harder) without them?"
roxtrongo has joined #bitcoin-wizards
<jcorgan>
that would help justify the use cases that are worth the extra complexity they bring
frankenmint has quit [Read error: No route to host]
<kanzure>
zookolaptop: i don't think that's a fair restriction (audience) (some people are online)
<bsm1175321>
It will be streamed too
frankenmint has joined #bitcoin-wizards
roxtrong_ has joined #bitcoin-wizards
<zookolaptop>
Yeah, I'm sorry I phrased it as a restriction.
<zookolaptop>
I'm just *especially* interested in what audience members would find most compelling.
<kanzure>
zookolaptop: libsnark implementation details would be a good thing to talk about
<kanzure>
trustless setup without mpc would be nice, but i know you're not santa (yet)
frankenmint has quit [Remote host closed the connection]
<bsm1175321>
In the back of my mind I've got a ton of questions about how to use that stuff for identity.
<kanzure>
zookolaptop: generally, avoid introductory stuff that has been mentioned in prior presentations
c-cex-yuriy has quit [Quit: Connection closed for inactivity]
c-cex-finch has quit [Quit: Connection closed for inactivity]
psztorc has joined #bitcoin-wizards
frankenmint has quit [Remote host closed the connection]
psztorc_ has quit [Ping timeout: 240 seconds]
Guyver2 has quit [Quit: :)]
rustyn has quit [Read error: Connection reset by peer]
rustyn has joined #bitcoin-wizards
damethos has joined #bitcoin-wizards
eudoxia has quit [Quit: Leaving]
davec has quit [Read error: Connection reset by peer]
JackH has joined #bitcoin-wizards
davec has joined #bitcoin-wizards
Lightsword has quit [Quit: Lightsword]
Mat555 has joined #bitcoin-wizards
Lightsword has joined #bitcoin-wizards
roxtrong_ has quit []
PaulCape_ has quit [Quit: .]
wilbns has quit [Ping timeout: 255 seconds]
ibrightly has quit [Ping timeout: 250 seconds]
PaulCapestany has joined #bitcoin-wizards
zmanian_ has quit [Ping timeout: 250 seconds]
alexkuck has quit [Ping timeout: 264 seconds]
bitkarma has quit [Ping timeout: 250 seconds]
btcdrak has quit [Ping timeout: 272 seconds]
psztorc has quit [Ping timeout: 255 seconds]
bramc has joined #bitcoin-wizards
adam3us has joined #bitcoin-wizards
snthsnth has quit [Ping timeout: 276 seconds]
justanotheruser has quit [Ping timeout: 276 seconds]
justanotheruser has joined #bitcoin-wizards
Dizzle has quit [Quit: Leaving...]
adam3us has quit [Ping timeout: 272 seconds]
Newyorkadam has quit [Quit: Newyorkadam]
wilbns has joined #bitcoin-wizards
damethos has quit [Quit: Bye]
adam3us has joined #bitcoin-wizards
ibrightly has joined #bitcoin-wizards
zmanian_ has joined #bitcoin-wizards
damethos has joined #bitcoin-wizards
damethos has quit [Client Quit]
DougieBot5000 has quit [Quit: Leaving]
btcdrak has joined #bitcoin-wizards
alexkuck has joined #bitcoin-wizards
JackH has quit [Ping timeout: 240 seconds]
<bramc>
Dumb question: Couldn't you do proofs of time using snarks? I mean, couldn't you generate a proof that you'd added 1 to X Y times?
<tromp__>
seems to me that snarks apply to any circuit, even one that does a trivial computation in a grossly ineffiecient way
<kanzure>
time seems like one of those things that would be difficult to make proofs about?
<gmaxwell>
bramc: I would be really careful with that. A snark shows (under certian assumptions) that the statement is true, not that you did the work. For certian kinds of of very regular circuits, I wouldn't be shocked if there turned out to be shortcuts.
<kanzure>
as far as i know, time itself is external to a circuit's definition
<gmaxwell>
he doesn't really mean time, he means sequential computation, and he's making assumption that we can't make sequential computation faster than some threshold.
<bramc>
gmaxwell, Could be, but the best proofs of time I know of are workable but truly awful: repeated hashing with checkpoints along the way. All they to is make it possible to parallelize checking
<bramc>
Yeah I say 'time' because 'proof of sequential computation' is a real mouthful
<sipa>
posc?
<kanzure>
no more acronyms
<kanzure>
all of them are taken
<sipa>
NMA
<tromp__>
the question is whether snark proof construction is necessarily sequential in the circuit depth
<gmaxwell>
most of the work in the proof construction itself is embarassingly parallel.
<kanzure>
*current snark prover performance
<bramc>
Also whether its output is truly canonical. I think it is but don't know the underyling machinery well enough to know.
<kanzure>
*somewhat recent..
<gmaxwell>
bramc: the ggpr12 like snarks are inherently perfectly malleable; in general malleability is often a consequence of zero knoweldge.
<bramc>
kanzure, Talking about 'performance' here is a little weird. I don't care about whether performance is good, bad, or whatever, I just care that it's known and has to be sequential.
<bramc>
gmaxwell, Argh well that kills in right there
<bramc>
Unrelatedly, I realized the other day that I've done more thinking about what bitcoin's peer protocol than I realized, because I've spent some time thinking about the much harder problem of a peer protocol for a blockchain which peers spot check and can invalidate.
<bramc>
Now I just need to read up on how Bitcoin's peer protocol actually works and then I can compare.
<kanzure>
invalidate with fraud proofs?
<bramc>
kanzure, Invalidate in an embarrassingly trivial way: Time proof X is invalid at position Y