sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
nuke_ has quit [Quit: Leaving]
nets1n has quit []
Ylbam has quit [Quit: Connection closed for inactivity]
belcher has quit [Quit: Leaving]
mkarrer has quit [Read error: Connection reset by peer]
dEBRUYNE has quit [Quit: Leaving]
mkarrer has joined #bitcoin-wizards
marcinja has joined #bitcoin-wizards
marcinja has quit [Remote host closed the connection]
pro has quit [Quit: Leaving]
holmes has quit [Ping timeout: 250 seconds]
domwoe has quit [Remote host closed the connection]
domwoe has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
dEBRUYNE has joined #bitcoin-wizards
domwoe has quit [Ping timeout: 244 seconds]
dEBRUYNE has quit [Quit: Leaving]
domwoe has joined #bitcoin-wizards
CrazyTruthYakDDS has joined #bitcoin-wizards
Noldorin has quit [Quit: My MacBook Pro has gone to sleep. ZZZzzz…]
marcinja has joined #bitcoin-wizards
marcinja has quit [Client Quit]
renlord has quit [Ping timeout: 260 seconds]
FNinTak has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
domwoe has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
domwoe has quit [Ping timeout: 252 seconds]
domwoe has joined #bitcoin-wizards
FNinTak has quit [Ping timeout: 244 seconds]
mdavid613 has quit [Read error: Connection reset by peer]
mdavid613 has joined #bitcoin-wizards
FNinTak has joined #bitcoin-wizards
AusteritySucks has quit [Ping timeout: 250 seconds]
mdavid613 has quit [Quit: Leaving.]
JackH has quit [Ping timeout: 260 seconds]
AusteritySucks has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
ThomasV has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit []
tromp has joined #bitcoin-wizards
tromp has quit [Remote host closed the connection]
Emcy has quit [Ping timeout: 240 seconds]
domwoe has quit [Remote host closed the connection]
domwoe has joined #bitcoin-wizards
domwoe has quit [Ping timeout: 252 seconds]
Alopex has quit [Remote host closed the connection]
Alopex has joined #bitcoin-wizards
CrazyTruthYakDDS has quit [Quit: Connection closed for inactivity]
Alopex has quit [Remote host closed the connection]
FNinTak has quit [Quit: Leaving]
Alopex has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
tromp has quit [Ping timeout: 276 seconds]
Sleepnbum has quit [Ping timeout: 265 seconds]
arowser has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 265 seconds]
AusteritySucks has quit [Ping timeout: 250 seconds]
arowser has quit [Quit: No Ping reply in 180 seconds.]
<Taek>
[18:05:48] <kanzure> summaries would probably be more helpful than periodic discussion, although i'm not eager to sit around producing large writeups
<Taek>
[18:07:29] <qpm> tx:<Jeremy_Rand> kanzure: agree that summaries are more useful in theory, but I think the interactive nature of discussions makes it a bit easier to understand thought processes. Perhaps a "FAQ"-style summary would be the best of both.
<Taek>
Spacemint has a few issues with it still, such as relying on randomness beacons, and there's still a computation memory-time tradeoff (iirc) that could be exploited if someone draws up a fast enough ASIC
<Taek>
but the core problem still goes back to what gmaxwell said earlier: with storage-based schemes, you move the problem from operating costs to hardware costs
<Taek>
I didn't see an explanation for why this cost is undesirable, so I'll go ahead and expand
<Taek>
If the majority of the lifetime-cost of a Proof-of-Burn scheme (this is what Hashcash and Spacemint are - they prove you dedicated resources to a task) is most heavily focused on the one-time-purchase of the hardware, you're much more vulnerable to unexpected events
<Taek>
for example, if the price cuts in half
<Taek>
If the cost of mining was 100% operational, there's a very safe response to a price drop: just turn your machines off.
<Taek>
There's very little opportunity cost associated with that. But if you had spent 99% of your budget on the up-front hardware, you're now facing greater risks over the long-term uncertainty of whatever you are mining
<Taek>
But there's also a factor involving incumbents
<Taek>
someone who has hardware which will reasonably last 4 years (a reasonable hard drive lifetime) and is 2 years into the process has already survived most of the risk associated with owning the drives
<Taek>
If the hardware can be made to last forever, then they have a permanent advantage on any newcomers
<Taek>
(the newcomers can utilize the hardware for t years only, but the incumbent will have utilized it for t+X years)
thesnark has quit [Quit: Leaving]
FNinTak has joined #bitcoin-wizards
<FNinTak>
Hmm, didn't think through the response to market events
<FNinTak>
I was thinking that the lack of dependence on operating costs means that the incentive to create an ASIC is now higher than just the expected returns, which is a function of marketcap
<FNinTak>
i.e. it means one-time expenditures like design costs can reasonably be much higher
BashCo has quit [Remote host closed the connection]
arowser has quit [Quit: No Ping reply in 180 seconds.]
arowser has joined #bitcoin-wizards
pro has joined #bitcoin-wizards
TheSeven has quit [Ping timeout: 258 seconds]
TheSeven has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 276 seconds]
Giszmo has joined #bitcoin-wizards
Guyver2 has quit [Quit: :)]
jonasschnelli has quit [Excess Flood]
jonasschnelli has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
dnaleor has joined #bitcoin-wizards
jtimon has joined #bitcoin-wizards
toktok has joined #bitcoin-wizards
Jaamg has quit [Remote host closed the connection]
renlord has joined #bitcoin-wizards
renlord has quit [Ping timeout: 250 seconds]
aalex has quit [Ping timeout: 244 seconds]
aalex has joined #bitcoin-wizards
edvorg has joined #bitcoin-wizards
<Taek>
One-time costs can sort of be reasoned about as the ultimate extension of the hardware vs operation cost structure
<Taek>
Quantum hashing for example poses a risk, because if one company puts down (in stealth mode) hundreds of millions in R&D over the course of like 5 years, and then they release an ASIC, they've got a full monopoly on hashing until some other group can slug through the same up-front cost
<Taek>
and the first-to-market will have that X years of dominant income that nobody else will ever have, their amortization will perpetually be ahead
toktok has quit [Quit: leaving]
<Taek>
granted, I think it's pretty safe to say that if someone like BitFury were to announce a monopoly-grade ASIC, Bitcoin would threaten with a hardfork, and follow through if the tech was not made accessible to everyone
rubensayshi has joined #bitcoin-wizards
dEBRUYNE has joined #bitcoin-wizards
thesnark has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 264 seconds]
renlord has quit [Ping timeout: 240 seconds]
domwoe has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
chjj has quit [Ping timeout: 244 seconds]
jtimon has quit [Ping timeout: 276 seconds]
stonecoldpat has quit [Read error: Connection reset by peer]
chjj has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
<waxwing>
trying to grok MW, seems like sender will have to send blinding factors and amount, and then receiver can construct and attach kG signature, so it's kind of very weakly interactive? there aren't really round trips are there?
<waxwing>
0.5 RT?
domwoe has joined #bitcoin-wizards
<Taek>
That's also what I understood. Perhaps not technically interactive, but the receiver does need to be performing some action
<Taek>
receiver could theoretically be offline though: email
<Taek>
I guess there's a kind of bonus. The sender can redact the send if the receiver never collects
<waxwing>
right, it's certainly not nothing, if that's a correct characterisation.
<Taek>
so, you'd never send money to a mis-typed address, because the receiver would never collect
dEBRUYNE_ has joined #bitcoin-wizards
dEBRUYNE has quit [Ping timeout: 250 seconds]
malte has quit [Max SendQ exceeded]
malte has joined #bitcoin-wizards
edvorg has quit [Remote host closed the connection]
edvorg has joined #bitcoin-wizards
jtimon has joined #bitcoin-wizards
ThomasV has quit [Ping timeout: 276 seconds]
domwoe has quit [Remote host closed the connection]
byteflame has joined #bitcoin-wizards
domwoe has joined #bitcoin-wizards
domwoe has quit [Ping timeout: 244 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
renlord has quit [Ping timeout: 276 seconds]
laurentmt has quit [Ping timeout: 240 seconds]
domwoe has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 276 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
dEBRUYNE_ is now known as dEBRUYNE
laurentmt has joined #bitcoin-wizards
instagibbs has joined #bitcoin-wizards
Guyver2 has joined #bitcoin-wizards
AusteritySucks has quit [Ping timeout: 250 seconds]
Tiraspoll is now known as Tiraspollll
stonecoldpat has joined #bitcoin-wizards
MoALTz has joined #bitcoin-wizards
Emcy has joined #bitcoin-wizards
ThomasV has joined #bitcoin-wizards
AusteritySucks has joined #bitcoin-wizards
domwoe has quit [Remote host closed the connection]
<kanzure>
why is this claiming that you can't do OP_RETURN taint analysis?
dEBRUYNE has quit [Ping timeout: 265 seconds]
domwoe has joined #bitcoin-wizards
domwoe has quit [Client Quit]
dEBRUYNE_ is now known as dEBRUYNE
Greybits has quit [Ping timeout: 244 seconds]
jaekwon has joined #bitcoin-wizards
N0S4A2 has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
renlord has quit [Ping timeout: 265 seconds]
<andytoshi>
waxwing: yes, 0.5 RT between sender and receiver
Chris_Stewart_5 has joined #bitcoin-wizards
edvorg has quit [Ping timeout: 244 seconds]
<waxwing>
andytoshi: so your (k+k') trick, i have trouble understanding, is the idea that k' is publicly known?
<waxwing>
oh i think i get it from reading the copied chat log
<andytoshi>
waxwing: the idea is that after merging, only (k + k') is publicly known
<andytoshi>
but i'm thinking now that maybe both k and k' should be kept around while the transactions are in transit, so that when people try to merge overlapping transactions they're able to cancel out the intersection
pro has quit [Ping timeout: 264 seconds]
<andytoshi>
this exposes the original transactions to monitors
pro has joined #bitcoin-wizards
<andytoshi>
to avoid this, you'd have to send your tx to at most one aggregation service (hopefully there'd be several) .. and this service could even interact with you to merge the kG values as well
<waxwing>
i'm lost at why (k+k') is public; i thought the idea was to publish kG and k' ?
<waxwing>
then the network can sum the k'Gs and add it in
<andytoshi>
waxwing: lemme restart from your first question :)
<andytoshi>
yes. k' is publicly known
<andytoshi>
then if you have a second transaction with k2G and k2'
<andytoshi>
you can combine the transaction and you have kG, k2G, (k' + k2')
<waxwing>
right
<andytoshi>
and the latter -sum- is the only thing that's publicly known, and given only this, you can't know k' or k2', and you therefore can't discern the original transaction boundaries
<waxwing>
i see, like hiding in the addition, so that's why you're talking about "aggregation service"
<andytoshi>
yeah
Ylbam has quit [Quit: Connection closed for inactivity]
<andytoshi>
so the problem (and also a problem with OWAS like what the first anonymous guy did) is if i have transactions A, B, C and you have transactions A, B, D and we both give these to a miner
<andytoshi>
the miner is sorta screwed, he can't combine these, he has to pick one
<andytoshi>
but if everyone avoided doing the summing (and privacy conscious people -only- used a service that privately did the summing before broadcasting anything at all), you could avoid this
<andytoshi>
at the cost of privacy, ofc
<waxwing>
i guess there's no way to throw other NUMS basepoints at this since the whole point is that all the k-s are supposed to be in the same summation set.
<waxwing>
proslogion was just reminding me about proof of discrete log equivalence, hmm
jannes has quit [Quit: Leaving]
<andytoshi>
i've thought about this a bit but i haven't come up with anything
<gmaxwell>
maaku: these schemes for incremental hashing do not support efficient membership proofs, right?
jaekwon has quit [Remote host closed the connection]
tromp has joined #bitcoin-wizards
<bsm117532>
I'm not aware of one that does, I've also looked into this. I'd also like to find one that was constant size.
ThomasV has quit [Ping timeout: 260 seconds]
maaku has left #bitcoin-wizards ["http://quassel-irc.org - Chat comfortably. Anywhere."]
tromp has quit [Ping timeout: 250 seconds]
dEBRUYNE has quit [Ping timeout: 265 seconds]
<bsm117532>
I've been wondering if there's an information-theoretic argument that an incremental hash function must be log(n) in terms of the number of stored elements, as this seems to be the case in the paper maaku linked.
dEBRUYNE has joined #bitcoin-wizards
mn3monic_ has joined #bitcoin-wizards
o3u has joined #bitcoin-wizards
so_ has joined #bitcoin-wizards
livegnik_ has joined #bitcoin-wizards
Guyver2 has quit [*.net *.split]
luke-jr has quit [*.net *.split]
Fistful_of_Coins has quit [*.net *.split]
mn3monic has quit [*.net *.split]
so has quit [*.net *.split]
BonyM has quit [*.net *.split]
RedEmerald has quit [*.net *.split]
livegnik has quit [*.net *.split]
mr_burdell has quit [*.net *.split]
mr_burdell has joined #bitcoin-wizards
RedEmerald has joined #bitcoin-wizards
luke-jr has joined #bitcoin-wizards
BonyM1 has joined #bitcoin-wizards
qpm has quit [Ping timeout: 240 seconds]
Guyver2 has joined #bitcoin-wizards
qpm has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
proslogion has quit [Ping timeout: 240 seconds]
renlord has quit [Ping timeout: 250 seconds]
bildramer has joined #bitcoin-wizards
bildramer has quit [Read error: Connection reset by peer]
bildramer has joined #bitcoin-wizards
<Taek>
I've thought some about the monitor issue with regards to OWAS/JoinMarket/MW/etc, and perhaps you could do some peer assignment
<Taek>
meaning, you have some method for selecting peers each block that are in charge of merging everything
<Taek>
you let those peers access (as little as possible) the de-anonymizing data, and then rely on them to merge everything into one giant transaction without sharing the data
<Taek>
maybe you also slip them a little something in transaction fees
<Taek>
sometimes monitors/enemies *will* end up as the selected peer / one of the selected peers
<Taek>
but this is still better than situations where the monitor gets to view most everything all of the time
<Taek>
and, a lot of forensics really relies on being able to see multiple steps
<Taek>
if a monitor is only able to view the transaction history every other block, it's more likely that they will have critical gaps which prevent them from doing full de-anonymization
<Taek>
The method for selecting peers would need some Sybil resistance, and given the miner centralization I would not use PoW to determine who to choose as the de-anonymizer
<Taek>
plus you'd have to accept a DoS vulnerability, as occasionally peers may refuse to participate without you realizing that you should move on to the next peer
<Taek>
Maybe you could employ some sort of WoT technique. You ~approx trust the 8 peers you are connected to, so you sign off on their uptime/reliability. Every node does this, so you can form an approximate graph of the network based on peer uptime
<Taek>
you can ignore any weightings over N hops, perhaps 2.
<Taek>
This gives you *some* resistance to Sybil attacks. Then you have some technique for using the peer id (either a pubkey or an ip address) and the hash of the most recent block for determining which has the highest score
<Taek>
If your pool is 8^3 large, and most of those nodes have high uptime, there's a good chance that a large number of other nodes are sending the winner transactions as well
<Taek>
(*handwave*)
<Taek>
Then you still need the winning nodes to have a way to talk to each other and combine transactions, but at that point the anonymity set is greatly improved
<instagibbs>
Trusted mixers will most likely work fine, imo.
<waxwing>
like Bitcoin VPNs? :)
<instagibbs>
Guard Nodes, but for aggregating transactions
<instagibbs>
Run them over Tor, on a hardened HSM
* instagibbs
handwaves
<instagibbs>
Any wallets with co-signing services already get a bunch of protection, and why wouldn't each service gossip to each other first before releasing batches, etc.
ThomasV has joined #bitcoin-wizards
MoALTz has quit [Quit: Leaving]
<Taek>
Would be interesting to have something like guard node HSMs that get distributed by a company like Blockstream, where the HSM public key is signed by multiple members of the ecosystem
<Taek>
then all transactions get encrypted such that only the HSM can decrypt them
<kanzure>
you mean PKI things?
<kanzure>
er, CA things
<Taek>
similar, except that the CA in this case is authenticating an HSM instead of a tls key
<andytoshi>
neat, so the idea is that encrypted transactions go out, the HSMs are the only ones that can decode these, and they only output merged transactions
<Taek>
yeah. With the idea being that an adversary with an HSM is not going to be able to use it to figure out what the decrypted inputs are
<Taek>
I'm not sure how hard it is to pull the key out of an HSM
<andytoshi>
for a proper HSM you need an electron microscope and you need to know how to disassemble it without it triggering key erasure
<andytoshi>
you could also do this in a way that you can detect if an HSM has not included your transaction (and won't), then you can encrypt to another HSM without worrying about causing conflicts
<kanzure>
i wonder if you could make it so that for transaction merging you could split it among multiple machines without any machine seeing the pre-merged transaction itself
<kanzure>
er, see the entire pre-merged transactions
<Taek>
oh hmm. So you give an output to 1 machine, another output to another, input to another, etc, and then when they all combine they get the right answer?
<Taek>
seems easy to DoS though, just make a transaction that's missing an output
<kanzure>
like all denial-of-service problems this one can be solved by requiring a fee
marcinja has joined #bitcoin-wizards
<nickler>
There's probably no need to trust the HSM. There are lots of protocols that prevent revealing input/output relationships to the centralized mixer like coinshuffle++ or tumblebit. With mimblewimble they can probably be simplified.
<waxwing>
good point, but coinshuffle++ has a fair amount of interactivity right (dc-net)
zooko has joined #bitcoin-wizards
<instagibbs>
reintroducing interactivity makes baby Voldemort cry
<waxwing>
just thinking, why not have a ring signature over multiple kG values?
<kanzure>
instagibbs: some forms of interactivity are tolerable, like in p2p transactions before broadcast, might not be end of world
zooko` has joined #bitcoin-wizards
dnaleor has quit [Quit: Leaving]
zooko has quit [Ping timeout: 265 seconds]
dnaleor has joined #bitcoin-wizards
<nsh>
andytoshi, would it be possible to create a MW-merged transaction of [some subset of] existing alpha-CT blockchain retrospectively?
dgenr8 has quit [Ping timeout: 240 seconds]
contrapumpkin is now known as copumpkin
<andytoshi>
nsh: nope, unfortunately, because the existing alpha-CT chain uses scriptsigs for authentication
* nsh
nods
LeMiner2 has quit [Read error: Connection reset by peer]
LeMiner2 has joined #bitcoin-wizards
jtimon has joined #bitcoin-wizards
dgenr8 has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
Chris_Stewart_5 has quit [Ping timeout: 258 seconds]
renlord has quit [Ping timeout: 276 seconds]
Chris_Stewart_5 has joined #bitcoin-wizards
renlord has joined #bitcoin-wizards
byteflame has quit [Ping timeout: 260 seconds]
renlord has quit [Ping timeout: 244 seconds]
bildramer has quit [Ping timeout: 276 seconds]
marcinja has quit [Remote host closed the connection]
bildramer has joined #bitcoin-wizards
<nsh>
as a node syncing with MW, i construct eventually from honest nodes a chain that has all explicit inputs, a current UTXOset in the form of Pedersen commitments, with merkle proofs that each commitment reallocated r-values representing spending authority in such a way that ownership of spendable r-values derive ultimately from explicit inputs through a series of steps [of indeterminate number] keeping total value invariant?
<nsh>
and i settle upon this chain because it has the longest PoW still?
<nsh>
the k-values i get with the latest block allow me to prove that the commitments sum to zero and there is a non-inflationary history from genesis
<nsh>
but i am agnostic of the possible histories in terms of ownership [re]allocation and output age
<nsh>
however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output
<nsh>
is that roughly accurate, andytoshi?
<nsh>
as far as i'm concerned the genesis could have been followed by a single block that merged all the transactions, but i know the extent of history still from block height [assuming things about block discovery time distribution] and i know something about the complexity of the transaction graph from the merkle proofs and cumulative k-values?
<nsh>
[as far as i'm concerned regarding non-inflation and non-theft]
proslogion has joined #bitcoin-wizards
<proslogion>
it's perhaps trivial, that if everyone using mimblewimble signs with the same nonce, then all k_n*G signatures can be aggregated into one
<proslogion>
which of course has serious problems
<cjd>
oh cool mw conversation :D
<bsm117532>
How do forks work with MW? Does one choose to keep a (sub)set of past blocks, and then discard them when you're reasonably sure that a reorg can't happen? Is there a danger that history is lost and a reorg can't be performed?
<cjd>
bsm117532: AFAICT you can basically just scrap everything and revalidate from zero if there is a reorg
<cjd>
22:40 < nsh> and i settle upon this chain because it has the longest PoW still? <-- yes
<cjd>
22:43 < nsh> however, transactors can prove a transaction occurred at what chain height and can give a minimum age to an implicit output <-- no because the transaction outputs are unglued from the inputs and unglued from the block, all you know is that they're valid
Emcy_ has joined #bitcoin-wizards
Emcy_ has quit [Changing host]
Emcy_ has joined #bitcoin-wizards
<cjd>
I am speaking from what I understand, I might also be very wrong
<sipa>
cjd: if you have 'merged' multiple blocks together, you don't have the ability to only validate part of it
<sipa>
you could download it again from the network of course, assuming someone kept the non-merged blocks
<cjd>
You have only outputs in memory and you just reorg the header chain then add everything up, no?
<sipa>
but you don't know the outputs that were spent by the blocks that are reorged
Ylbam has joined #bitcoin-wizards
<nsh>
i think if you store your receipt rangeproof and blinding value, then you can prove afterwards that you participated in a transaction by signing the blinding value and showing that it rewinds the proof
Emcy has quit [Ping timeout: 265 seconds]
<cjd>
ahh indeed so when you reorg you both add and remove utxos
<nsh>
but this still depends on some nodes storing more than is required for consensus
<nsh>
i think
<sipa>
i expect that every node will just not merge the blocks at the tip
<sipa>
everyone will keep some range of blocks unmerged, to deal with reorgs
<gmaxwell>
Assuming you only care about MW-security you can just sync the new header chain and then do set reconciliation to change to the new utxo set.
<cjd>
^^this
<gmaxwell>
Then you don't even need to deal with reorgs.
<sipa>
what is MW security?
<gmaxwell>
(By MW security I mean the anti-inflation and anti-theft properties of MW, rather than, say, script validation)
<cjd>
So I also have a concern with the proposal, can't Eve just create a spend transaction for money that's not hers but then add an output for which she does not know the key and plow a little bit of money into the ground ? It seems to me that outputs must sign themselves...
<gmaxwell>
I'm pretty disenchanted by iblt. The constant factors kill its performance. But whatever, there are other approaches to set reconciliation.
<gmaxwell>
cjd: eve cannot produce a rangeproof for a junk output.
<cjd>
you don't know r so you make up a number to balance the budget...
<nsh>
oh right, you can use another knapsack
<nsh>
that's fine then
<nsh>
gmaxwell, cool, ty
<cjd>
hmm it seems that somehow you need to prove knowledge of v *and* r in order to not be making up magical numbers to balance the sum
<proslogion>
that's what k*G is for
ThomasV has quit [Ping timeout: 240 seconds]
<cjd>
maybe I'm being silly here but this is my attack: I make a transaction which pays out a zillion coins to myself and I tag on a little signature
<cjd>
I add up the outputs and subtract the inputs and the signature, ok problem it's not zero
<cjd>
now I add a new output which pays 0.00001 and it pays it to a key which I don't have the private key but the public key is the sum of all the above plus the new output value (times H) which I just added
<cjd>
presto valid transaction
<cjd>
or not ?
<nsh>
you don't pay to keys in CT
<cjd>
CT ?
<nsh>
confidential transactions
<cjd>
ok what do you call them? They're things which you point-multiply
<nsh>
so inputs and outputs are points, you interactive create a commitment that proves the sum to zero
<nsh>
*interactively
<nsh>
*they
<cjd>
right, and I can make it zero by adding an arbitrary output which I cannot spend...
<nsh>
so the recipient chooses their outputs
<nsh>
after the sender has committed
<nsh>
or pre-half-committed, i don't know
<cjd>
If you don't make me prove knowledge of the private key somehow, I will always be able to balance anything to zero
<cjd>
by private key I mean "the value of r", in practice it is effectively a private key
<nsh>
sure
<nsh>
you prove knowledge of the private keys for unspent outputs by committing to a blinding multiple of the H-generator that cancels out the amount multiple of the G generator
<nsh>
(you inherit this ability to match G and H multiples from when you were paid those outputs)
<cjd>
ok you lost me, what exactly is it that the sender and recipient broadcast to the rest of the world ? [ inputID, r*G, v*H, proof_v_is_in_range ] ?
<cjd>
that and a signature across emptystring to prove knowledge of the difference ?
<cjd>
If that's all you're sending then you're not proving knowledge of r and if I can put multiple outputs in a transaction then your protocol is going to be funny
<nsh>
well, in alpha's CT txs are broadcast more like bitcoin. in MW you'd broadcast the Pedersen commitment, the excess blinding value and the empty string signed with its discrete logarithm
<cjd>
I don't know CT at all, I only read MW
<cjd>
oh in lieu of the range proof, you could make v be a 256 bit number where the lower 64 bits are the value and then sign v*H using v
<cjd>
that's a proof of knowledge
<cjd>
and if r*G is signed with r then I can no longer add silly crap to balance the sum
Guyver2 has quit [Quit: :)]
dnaleor has quit [Quit: Leaving]
<nsh>
letting any of the v be chosen by either participant breaks the security model. v must be dictated by the prior inputs, the sender's precommitment and recipient's blinding factor choices for their outputs
Giszmo has quit [Quit: Leaving.]
<cjd>
yeah I guess you're right
<cjd>
it sounded nice
mdavid6131 has quit [Quit: Leaving.]
renlord has joined #bitcoin-wizards
Emcy_ has quit [Ping timeout: 252 seconds]
Emcy has joined #bitcoin-wizards
mdavid613 has joined #bitcoin-wizards
zooko` has quit [Ping timeout: 276 seconds]
proslogion has quit [Ping timeout: 258 seconds]
renlord has quit [Ping timeout: 244 seconds]
renlord has joined #bitcoin-wizards
proslogion has joined #bitcoin-wizards
tromp has joined #bitcoin-wizards
<andytoshi>
nsh: you can fix the age thing by means of having each block commit to the utxoset. but yep, that sounds right
<andytoshi>
lol proslogion, if i know your nonce then i know your secret key
<andytoshi>
cjd: the CT rangeproof forces you to know r
<cjd>
ok thanks, I guessed that it must be such after thinking more, certainly such an elementary error would not go overlooked
<andytoshi>
yep. and you definitely can't sign the excess values with the r value from an output, that links all the outputs :)
<cjd>
So my understanding is that MW requires these signatures of emptystring to persist forever, is this correct ?
<andytoshi>
cjd: but even without that, observe that if every output has a rangeproof of being in [0, 2^64], you can't make outputs with negative values anyway
<andytoshi>
cjd: correct
<cjd>
Ahh no, I meant to sign the output itself using the output's r which would not link it to stuff but might reveal things
<andytoshi>
unless they can be aggregated somehow (if it used a pairing based curve this could be done)
<cjd>
Ok I believe I have a solution
<andytoshi>
cjd: ah, yeah, understood. that is not necessary, the rangeproof itself is effectively a signature with r
<cjd>
perfect
<cjd>
Suppose I make a payment to you and so I pass you the sum of inputs and outputs for you to add in your output, then you and I both bcast the transaction incomplete with the sum of all of our input and output private values and the remaining value (fee)
<cjd>
the miner is a participant in the transaction, he adds another output to take the fee and thus he is the one who makes the signature on emptystring
<cjd>
but then he can produce only one per block
<cjd>
am I talking shit?
<andytoshi>
cjd: he can put as many outputs as he likes. he's gotta add another k*G value to be sure that nobody else can know this output's key
<andytoshi>
and he can do a single output for every transaction that he's received
<cjd>
right
<cjd>
and if I am not mistaken, he needs only one signature to balance the entire block
<andytoshi>
yep
JackH has quit [Ping timeout: 252 seconds]
<proslogion>
andytoshi: sorry, only meant the pubkey of the nonce
<andytoshi>
proslogion: ah, yes, though this requires interaction
<proslogion>
true
<cjd>
furthermore, we can, as a matter of protocol, require that he rebalances out that signature in order to spend the fee money
rhett has joined #bitcoin-wizards
<cjd>
but if we are paying 64 bytes per block, we have already made a breakthrough