sipa changed the topic of #bitcoin-wizards to: This channel is for discussing theoretical ideas with regard to cryptocurrencies, not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja
<maaku> observation: as currently implemented a signature in a MAST input is not tied to the policy script used
<maaku> this might have some surprising implications, where a user gives up a signature for one policy (because it has a lock-time condition on it or something), and that signature can be reused on some other branch of the MAST tree the user has signing authority over
<maaku> this could be systematically fixed by making the signature directly cover the script currently being executed, but that breaks signature aggregation and re-introduces quadratic hashing problems
<maaku> alternative (and probably the best that can be done), user software should not reuse keys, even along exclusive alternate paths of the Merkle tree.
<sipa> i don't see how that reintroduces quadratic hashing
<sipa> it's at worst a factor over the amount of data hashed otherwise
<maaku> well there are certainly ways to implement it that don't reintroduce quadratic hashing
<maaku> although I don't see how to do so without also mucking up signature aggregation
<sipa> i don't understand that part either :)
<sipa> and even the most naive implementation of hashing the script being executed would not add quadratic hashing
<maaku> oh wait, I was assuming the messages being signed had to be the same, but B-N doesn't require that
<maaku> ok awesome :)
<sipa> BN itself does require identical messages - but in a signature aggregation setting you just compute the (joint) message as H(m1 || m2 || m3 || ...)
<sipa> anyway, i do think you should commit to the actual choice of program
<sipa> it's similar to how the sighash type is explicitly included in the sighash
<maaku> what about the validator? it won't know the joint message until it has seen all pubkeys, right? so there's not a constant space batch-as-you-go verification algorithm?
<sipa> right
<sipa> it needs linear memory
<sipa> but who cares - the transaction already needs linear memory anyway with a much larger constant factor
<maaku> true
<cluelessperson> I have a question about bitcoin fees.
<cluelessperson> Aren't high bitcoin fees basically forced by low bitcoin resolution?
<cluelessperson> If you have to pay fees as 0.00000001 being the lowest unit of resolution, then 246*0.00000001 => Bitcoin Transaction Fee
<cluelessperson> Versus, 0.0000000000000001 * 246 => Bitcoin Fee
<aj> cluelessperson: per-byte fees being 1s or more is a wallet implementation detail; the only requirement is total fee is an integer number of satoshis. bitcoin core calculates satoshis per 1000 bytes, so gives you finer resolution. but market rates are higher than 1s/byte anyway
<cluelessperson> aj: I feel what has set the market initially is that some popular wallets set a 1sat/B bottom limit, I suppose
<cluelessperson> although maybe the market would raise to what people are willing to pay.
<cluelessperson> hm
<aj> cluelessperson: there are still plenty of wallets with a higher minimum than 1s/B. it wasn't long ago that the minimum fee was 10k satoshi per tx
<eck> to aj's point, if you look at the fees people are paying, there are huge vertical steps at different even-valued satoshi/byte fee values
<eck> indicating a fairly large number of users who have legacy wallets that don't do real fee estimation
<eck> if the market was perfectly efficient you would expect some gaussian (or poisson? i'm not a professional mathematician) distribution of fees measured in satoshis/byte
<eck> there are enough outliers in the histogram bucket that i think it's safe to say that it's more important to get more clients on more accurate fee models than it is to optimize what existing clients have available to them
<maaku> so with some added features you can do support of explicit denominations confidential assets, to safely circumvent the 2^64 limit, or to allow smaller base ranges (e.g. 32-bit)
<maaku> you do this by defining the next higher denomination to be the generator created from the hash of the smaller denomination, or something like that
<sipa> maaku: you don't need separate generators for more denominations
<maaku> and in the transaction you involve explicit conversions between the two
<maaku> sipa: you do if you want to allow up to 2^256 asset value, because otherwise you invalidate the rangeproof protection
<sipa> oh, i see
<maaku> not every application needs that, but e.g. a constant inflation rate asset will run into that
<maaku> a gold depository could handle their management fee by issuing 1% per year to themselves, for example
<maaku> so it works to have an explicit conversion, e.g. append "32 units of the 2^32 denomination are being converted into the 2^0 denomination"
<maaku> but it would be nice if it could be made confidential as well. this would require a scheme for proving that a blinded generator is derived, using some scheme, from another blinded generator (or vice versa)
<maaku> I think this precludes derivations involving hashing unblinded data
<maaku> does anyone know any EC-math-only schemes for deriving a new generator where the DL isn't known to anyone?
<sipa> you mean hashing onto the curve?
<nsh> without hashing?
<maaku> nsh: without traditional hash functions
<maaku> if it's some sort of EC-hash to start with, I might be able to re-introduce blinding while not invalidating the proof
* nsh nods
<maaku> the hope is being able to provide a blinded generator, another blinded generator, and for someone knowing both blinding factors to generate a proof that the base/unblinded generator for the second was derived from the first via the hash-onto-the-curve scheme
<maaku> but I'm pretty sure the standard way of doing this, e.g. just hash the point with SHA256, isn't verifiable while blinded
<nsh> --
<nsh> As I discovered after releasing this, DJB and others did a similar exercise in the context of manipulated elliptic curves in their "BADA55 curves" paper (http://safecurves.cr.yp.to/bada55.html), though I don't think they released their code. Anyway, they make the same point: "The BADA55-VPR curves illustrate the fact that 'verifiably pseudorandom' curves with 'systematic' seeds generated from 'nothing-up-my-sleeve numbers' also do not stop the attacker
<nsh> from generating a curve with a one-in-a-million weakness." The two works obviously overlap, but we use slightly different tricks.
<nsh> not promising
<sipa> nothing can protect against a 1-in-a-million weakness
<sipa> but NUMS does protect against 1-in-a-trillion
<nsh> 'The generator points on all six curves are selected as the points of order rb and rd, respectively, with the smallest value for x(P) when represented as a positive integer.' - https://tools.ietf.org/id/draft-black-numscurves-00.html#rfc.appendix.B
<nsh> maaku, surely as long as the derivation tree is constrained above at some point by at least one [specified] hashed generator then trapdoorness can't be introduced without knowing a nontrivial DL relation?
<maaku> i think that system-wide trapdoor concern is orthogonal? i'm not concerned about that
<nsh> i mean as long as you have at least G and H where the DL of H wrt G isn't known, then you should be able to derive further generators in zk with some Pedersen linear algebra
<sipa> nsh: really?
<nsh> hmm, maybe i'm being silly. will think about it
<sipa> if you're talking about linear algebra, all the group elements you can construct from G and H are of the form a*G + b*H
<sipa> which are never linearly independent from G and H
<nsh> yeah you'd have to do some MPC to instantiate and that would require to assume at least not total collusion between the parties calculating the generator
<nsh> but it's a one-off problem
<nsh> but you can bootstrap the computation using a circuit translated into a distributed bulletproofs argument
<nsh> scheme for LWE challenge generation here: https://eprint.iacr.org/2017/606.pdf