10:42:47 petertodd: "Can you prove to a third party that a given transaction does *not* contain a stego-encoded data packet? With SCIP it's easy to see how that could be possible in principle, but I dunno if it can be made efficient enough to be practical." <-- other than the assertion that stego wins
10:47:13 petertodd: maybe subliminal channel free signatures would be a starting point
12:12:31 petertodd: "can you prove the execution of a timelock crypto sequence, which is something as simple as 10,000 SHA256 invocations, such that you can prove the end result cheaply to a third party that can evaluate that proof cheaply" <-- well just Hellman's idea to delete 16 key bits with symmetric crypto is efficiently provable after someone has found the key. or do you mean prove it is decryptable before it has been decrypted?
12:27:59 adam3us: I mean to prove that some random junk *doesn't* contain data using the appropriate timelock-iterations algorithm
12:29:37 adam3us: remember that the timelock algorithm in this case is just a fixed number of H() invocations or similar - the question is can you prove the end-result of that algorithm to someone else cheaply?
12:29:56 adam3us: hellman's idea doesn't work in this case - proves the wrong thing
12:31:09 petertodd: well hellman's thing shows after you know the key, it's certainly easy/cheap for anyone else to verify it's the right key, and decrypt it and see what the plaintext was
12:31:24 adam3us: but that's the thing, there may be no key
12:31:49 petertodd: ok so you want to prove that it's not a DoS msg, ie the person who encrypted actually knew the plaintext
12:32:16 petertodd: and have that be verifiable before the brute-force decryption happens
12:32:17 adam3us: no, I have random data, I want to prove that after you apply the timelock stego algorithm, you still have random data
12:32:48 adam3us: proving that there is a hidden message is the easy part
12:33:42 petertodd: ok so maybe like if you could prevent proof of publication, eg by proving with SCIP that the contents are the hash of an undisclosed value then you restrict the stego-encoding rate to ground bits of the hash
12:34:09 petertodd: kind of analogous to the p2sh^2 argument frustrating data publication
12:34:32 adam3us: that still doesn't work
12:35:08 adam3us: I was referring to using SCIP to prove that you *did* the 10,000 iterations of H() honestly, and thus the result is the honest candidate decryption key, so if that key doesn't work, you know there isn't hidden data
12:35:11 petertodd: or if there is a static public key, the private key of which is used as the seed of a rng, you could prove that this hidden/encrypted value is with the next rng output, without revealing what the rng output is
12:35:56 adam3us: remember this is about my timelock crypto for embedded consensus systems thing - you don't get any control over the data other users add to the blockchain
12:36:35 petertodd: i suppose you don't want to connect the msgs to the same author or they could be blockable
12:36:47 petertodd: (provable rng seed)
12:37:48 adam3us: that's irrelevant, it's timelocked so the fact that you can decrypt the stego message in 1 hour frustrates the miner who only wants to spend a few seconds at most figuring out if they can put the transaction in their block
12:37:49 petertodd: btw why scip prove you did the work, you can just reveal the key, if the msg is garbage, people can see that for themselves
12:38:43 petertodd: yes time-lock works for analogous reasons to committed-tx, there is some similarity in forcing miners to make decisions on encrypted data
12:39:12 adam3us: it's impossible to prove you revealed the *correct* key if decrypting the candidate stego data with that key results in random junk
12:39:23 adam3us: you can only use a key to prove data was hidden, not the other way around
12:40:04 petertodd: oh wait you want to efficiently prove this is the ground key, without attaching it to the useful decryption
12:40:14 adam3us: remember that there's far more candidate data without stego data in it, so you save resources if everyone can work together in a trust-free way to decrypt it all
12:40:27 petertodd: because the decryption may be garbage, and so have no inherent verifiability
12:40:37 yes
12:43:04 petertodd: i was thinking about like rivest's rsa-timelock might be tweaked to be efficiently verifiable maybe, (i managed to find a blindable version of it so you could securely offload KDF calculation to untrusted nodes) but maybe more simply if you make the key to grind have structure (an indirection)
12:44:33 adam3us: yeah, something with just hashes is probably best - easier to be sure you have an efficient implementation
12:44:49 petertodd: so c = E_k( msg ), e = E_b( k ), publish c, e, bits b[32-255] and bits b[192-255]=0
12:45:25 petertodd: now you have to brute force decrypt e to find k by finding the missing 32 bits of b, when you find it it's obvious it's the right key
12:45:51 because it's much harder to find a collision in the 64 bits of b set to 0 (adjust to 80 or 128 even)
12:46:19 adam3us: yeah, but starting from random data I still can't prove I did that procedure honestly and came up with nothing
12:46:20 and so that allows fast verification, and then people can decrypt c and see what the msg looks like, even if it's garbage they're pretty sure it's the right key and proves work
12:47:03 oh I see, you're saying that there's only going to be one solution in the space... bit risky there
12:47:26 you don't want it to be possible at all for people to create false proofs or consensus will break down
12:47:52 petertodd: well it would be almost impossible to find b!=b' such that D_b(c)=mod 2^192==0 and D_b'(c) mod 2^192==0
12:48:42 petertodd: if its bits 128-255=0 there is no way they're going to be able to collide that.
12:50:03 adam3us: but that's not very adjustable re: difficulty - I either make it basically impossible to ever find that distinguished key in the space, or I make it possible to find one such key, and therefore possible to find a second
12:51:17 petertodd: well the bruteforce space is from the deleted bits 0-31 so that can be tuned
12:52:11 petertodd: and the strength of the assurance that they didn't cheat and make two solutions is separately tunable as the trailing 0 bits (80 or 128 of those)
12:52:27 petertodd: so you can choose those strengths independently
12:53:45 adam3us: ok, but this is the issue: from random data you won't be able to find a distinguished solution at all, therefore have no way of proving you did the work
12:54:35 petertodd: well it is true that it's a known solution proof of work... the person who did the encryption knows the solution so has a work advantage
12:55:13 petertodd: if someone sends random junk there is very likely no solution yes.
12:55:15 adam3us: but that's not the point! the point is to prove the case where no-one did any encryption and no solution exists
12:55:31 adam3us: what you're doing has a zillion easy ways to do it - it's not the hard part
12:55:32 petertodd: got it you want to prove this actually is random junk
12:55:37 adam3us: yes!
12:55:54 adam3us: I need to honestly prove that, so other people don't have to re-do that work!
12:56:20 petertodd: yeah i was never able to find a symmetric encryption PoW with no trapdoor that was efficiently verifiable... i tried back in 1997
12:57:17 ight, I'm assuming this needs moon-math
12:57:20 petertodd: and symmetric encryption search space was interesting because it has a maximum work.. ie we know it takes no more than 2^n work so you can not get more unlucky than that
12:57:57 well it's not about luck in this case: the work required is well-defined
12:58:10 petertodd: i left it as an open problem for research in the conclusion section in the amortizable hashcash paper
12:58:27 petertodd: different use case. but if we had that building block i think it could've been a solution
12:59:19 anyway bbl
13:01:48 petertodd: maybe u can get closer to it by defining a verifiable problem instance defined by the ciphertext. so like coelho merkle hash using the ciphertext as a deterministic seed. then the fiat shamir gives you possibility to only spot check the work. still fairly expensive though
13:08:49 petertodd: you can probably do it reasonably efficiently with the asymmetric PoWs like dwork & naor's eg use the ciphertext as a seed to define a big num, compute the square root of it mod p a large fixed prime. now people can verify the root PoW by squaring, and then try to say hash the number and use it as a sym key to decrypt. there is only one solution. it's reasonably efficiently verifiable. p has to be quite big to create much work they
13:11:09 petertodd: the down side of their approach is the asymmetry of work to verification is less extreme than with hashcash. bigger work tends to require somewhat bigger verification cost. you are basically using a signature algorithm with weak parameters and breaking them in their other scheme so that maybe is a bit faster verification for reasonable work than square root
13:14:00 petertodd: unfortunately their non square root scheme has a setup time trapdoor like zerocoin (n=pq with p&q must be deleted and forgotten). its the fiat shamir signature scheme (that introduced the fiat-shamir transform.)
16:01:37 i was pretty interested to see this RSA UFO paper mentioned in zerocoin http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.4015&rep=rep1&type=pdf
16:01:42 you get a sort-of RSA without any setup trapdoor
16:02:16 would be really thrilling to get this for snarks somehow...
17:23:38 1A9Px42draCmgcYLC3xcsVZVmQV8YuGxuD
17:23:43 sorry wrong channel
18:09:19 amiller: yeah but it's huge eh 40kbit key or something? i was thinking you may be able to shave some bits on it with a big online factorizing effort to see if you can find any feasible ones like any < 512-bit factors with some effort. it's a composite n=p1*..*pk for variable sized and unknown p, with a statistical argument that at least two of them should be > 512-bit (or whatever the security margin is)
21:21:09 sigh, I'm going to miss playing the exciting game "Is that dewer full of liquid helium, or liquid oxygen?"
21:21:47 maybe I can convince mastercoin to fund some QC miner research?
21:22:04 I technically it'd be ASIC hard...
21:22:09 *I guess
21:24:17 petertodd: Do you mean Dewar?
21:24:56 michagogo|cloud: lol, yeah
21:25:09 to dewar, that means to make peace?
21:25:26 sipa: I think you should stick to your day job... :p
21:25:59 * maaku groans
21:26:25 Trying to wrap things up at work... First time I've had to do that with non-trivial projects, and it's not proving to be very easy.
21:30:21 sipa: ...
21:31:19 I'm assuming that was a joke, but if not, http://en.wikipedia.org/wiki/Cryogenic_storage_dewar
21:32:49 yeah, it was a joke :)
21:33:08 For the peanut gallery full of investors, the dewar I'm talking about is related to the quantum stuff I do for the mining company I was working at.
21:33:13 I suggest you sell all your Bitcoins right now.
21:54:22 petertodd, why?
21:55:09 just have to mine the transactions spending my pubkeyhash bitcoins to my lamport sig bitcoins
21:57:32 phantomcircuit: well actually in theory a QC computer can do a sqrt(bits) (or was it bits/2?) speedup compared to a conventional computer for even hash functions
21:58:09 phantomcircuit: though I suspect QC computers will never be developed - they're basically infinite precision analog computers and that doesn't sound very physical to me
22:07:25 petertodd, at least one quantum computer exists.
22:07:31 (unfortunately we're inside it)
22:08:44 heh
22:10:13 QC works just fine for God, I don't see why you've got a problem with it :P
22:10:14 i was happy to read about the revelation that our brains/consciousness relies on quantum tricks
22:10:35 helo: very off topic, but I wouldn't put much credence in that
22:10:48 yeah :/
22:11:23 helo: mysterious answer for a mysterious question
22:21:03 petertodd: not sure where i read this quote, but it says that QC is essentially trading NP-hard runtime for NP-hard engineering
22:22:09 heh nice
22:23:28 sipa: that's an excellent description - my coworkers echo that sentiment