- 
sarang So I've been asked to participate in MCCVR ( magicalcryptoconference.com/2020-vr) 
- 
sarang One activity will be joining a panel on the effectiveness of Bitcoin privacy 
- 
sarang But I've also just been asked to give a talk for their privacy track 
- 
sarang Any suggestions on specific topics that might be of interest to such an audience? 
- 
sarang The coordinator initially had offered a suggestion (after I asked) to discuss Schnorr signatures and Taproot (as they apply to Bitcoin specifically), but I don't really think talking about Bitcoin "privacy technologies" is the best use of such a talk 
- 
sarang Especially since the panel looks to be _entirely_ focused on Bitcoin privacy 
- 
sarang I agreed to give a talk but mentioned that I'd think more about the best topic/scope to cover 
- 
kenshamir[m] Brainstorming: something which may be interesting is the dichotomy between privacy and convenience 
- 
kenshamir[m] Since it needs to be quite general and apply to bitcoin 
- 
sarang Well, I don't think the topic necessarily needs to apply directly to Bitcoin 
- 
sarang The coordinator said I could be "very creative" in what I want to present 
- 
sarang She said the other current privacy-focused events will be the Bitcoin privacy panel and a panel/talk on P2EP/PayJoin 
- 
sarang I wonder if it might be useful to discuss privacy tradeoffs using technologies _other_ than those intended specifically for Bitcoin protocol compliance/extension 
- 
sarang But I do really like the idea of focusing on tradeoffs 
- 
kenshamir[m] Personally, I’d like to hear about what you think the future will look like for privacy 
- 
kenshamir[m] In general, it’s always interesting to hear what those who work in the field think the direction the field will be 
- 
sarang I'd have to discuss it _not_ in the context of regulation 
- 
sarang since who the heck knows what that might look like 
- 
sarang But I see projects and protocols working toward establishing scaling for new nodes, differentiating based on trust requirements, and focusing a lot on high signer ambiguity and network-layer mitigations 
- 
sarang I think the trust part will be an interesting differentiator... e.g. right now if you're willing to offload soundness to a single point of failure in a setup process, you can do interesting things with general proofs 
- 
sarang If you aren't willing to do that (like in Monero), then you have to get creative and make a lot of tricky choices 
- 
sarang Although perhaps the regulatory side is of interest as it applies to protocol development... you have projects like Zcoin and Zcash working on protocols where decisions on transparency and surveillance are influencing protocol decisions 
- 
sarang and not in a good way, IMO 
- 
sarang But I don't want to try and predict what exchanges and regulators will decide they want in 5 years... 
- 
kenshamir[m] Yeah predicting what regulators will do, may not be interesting as I would expect your insight to be more related to the technology. 
- 
kenshamir[m] The trust and succinctness trade off is very interesting. I’ve also wondered whether a trusted setup may be okay in most business use cases; maybe even a necessary stepping stone when trying to get traditional businesses to be more open. 
- 
kenshamir[m] Also whether, the fact that you can update the SRS with SNARKs like PLONK, SONIC and Marlin is now sufficient enough. Maybe we could update it every year or so? 
- 
kenshamir[m] That would counter the criticism, that the people who participated in the original SRS will be unknown in the future 
- 
kenshamir[m] Would also be interesting to hear some call to actions in the talk; what can applied/theoretical cryptographers do now or in the long term to benefit the community 
- 
sarang Sure, a trusted setup in a private or limited use case where there are already established trust profiles could make a lot of sense 
- 
sarang The trouble comes from distributed cases where such trust is hard to come by, or undesirable as a design principle 
- 
sarang FWIW I don't really know if the idea of updatable SRS really fixes things 
- 
sarang If soundness is in question and leads to false proofs being of concern, does an update really solve anything? 
- 
sarang I agree that it could be helpful for the "who were the original MPC participants" mythos that will arise long in the future 
- 
sarang Do you happen to know any concrete data for SRS updates? 
- 
sarang The last time I checked, the preprints in question never mentioned anything about update efficiency, which seemed sketchy to me at the time... 
- 
kenshamir[m] <sarang "If soundness is in question and "> Right, we have no way to check that soundness was not violated in the past. I think SHARKS was meant to fix it, but I have not heard about it for a year now 
- 
sarang Yeah, there was some kind of presentation on it, but not even a preprint... 
- 
sarang so it doesn't really exist :) 
- 
kenshamir[m] <sarang "The last time I checked, the pre"> I’m not sure of concrete data, but to update the SRS it would be quite expensive since we would need to restart the MPC 
- 
sarang And presumably all such data would need to be hauled around with the chain forever... 
- 
sarang The idea seemed interesting as a theoretical construction 
- 
kenshamir[m] In terms of efficiency, I think each participant takes about a day to generate the necessary data 
- 
sarang but seemed really bizarre as something to build in practice for a distributed system... 
- 
kenshamir[m] <sarang "And presumably all such data wou"> For the update I’m not sure, I think the chain would just need some sort of way to say “this is the new SRS”. If somehow the MPC could be done in a few minutes then my idea would make sense. 
- 
sarang Right, but the SRS tend to be huge 
- 
sarang and if you have a hundred updates, you need all of them 
- 
kenshamir[m] <sarang "but seemed really bizarre as som"> Yeah for SHARKS, it would involve a bunch of logistics such as when to run the trustless verifier and what to do if a previously accepted proof was malicious. Especially if you have finality 
- 
sarang Hooray for public CRS constructions :) 
- 
sarang Here's a hash function; use it; there's your CRS 
- 
sarang :D 
- 
kenshamir[m] <sarang "and if you have a hundred update"> Oh I see, yeah there is no way to compress that data 
- 
kenshamir[m] That’s a good point, I had not thought of the previous SRS for the chain. 
- 
kenshamir[m] But I guess once you update the blocks where the SRS applies, the node can throw it away. Still downloading all of those SRSs is non-trivial 
- 
sarang You can throw it away, but then you can't provide full-node capabilities to new nodes 
- 
sarang So it seems like a nightmare for scaling when new nodes join 
- 
kenshamir[m] Yeah, this is why I’m quite interested to see how HALO 2 solves their scaling problems 
- 
sarang AFAIK they haven't said if/how it can even apply to transaction verification 
- 
sarang The only demo code was for recursive PoW verification 
- 
kenshamir[m] With the linear verifier, maybe there is a way to decrease complexity if the techniques all work 
- 
sarang Well, there's the linear verifier, but also the entire concept of recursion, no? 
- 
kenshamir[m] I guess the prover time would not be a major problem? Since the individual Tx proofs will not be that heavy? 
- 
sarang No clue; AFAIK there are no benchmarks for this 
- 
sarang I'm taking a "let's wait and see the code, and not press releases" approach 
- 
sarang ECC claims they have internal work for this, but have not released it 
- 
sarang So once again, goes back to trust profiles :) 
- 
kenshamir[m] <sarang "Well, there's the linear verifie"> Yeah that too, I think there is always a delayed linear overhead with the recursion for the verifier, so it would be interesting to see how this is mitigated, as I believe it would need to be good enough to warrant replacing Groth16 
- 
sarang Well, and I haven't seen anything about how to even structure a recursive construction that works with transactions in a meaningful way 
- 
sarang So many questions 
- 
sarang I hope it works 
- 
kenshamir[m] Yeah same, I trust that there are some novel things being done, but I’m holding out until concrete numbers can be verified 
- 
sarang Yeah, I was peeved to see the idea of "this is definitely solved" come out of discussion about their press release 
- 
sarang It's definitely not publicly solved 
- 
kenshamir[m] Yeah, I personally think that “solved” should be publicly verified 
- 
sarang and the code they linked is very much WIP and, when I had checked, had no benchmarks relevant to a desired implementation 
- 
sarang Sure, and presumably it would be 
- 
sarang If they end up giving details, great 
- 
sarang If not, it's a press release 
- 
kenshamir[m] I think there is no choice but to give more details? 
- 
sarang If they want to implement it? Of course 
- 
kenshamir[m] Since claims have been made, details and numbers should presumably follow 
- 
sarang IIRC they said details sometime this year (but not sure on that) 
- 
sarang But until then, it's Schrödinger's Proving System 
- 
sarang It has no state of existence until observed =p 
- 
kenshamir[m] Even if they do not implement it, I think claims have been already made about things that are solved 
- 
kenshamir[m] What do you think the right course of action should have been? 
- 
kenshamir[m] Wait until they had a paper and implementation? 
- 
kenshamir[m] Updated paper* 
- 
sarang Perhaps having technical discussions publicly? 
- 
sarang There was also a modified license with restrictions, so I don't know if the nature of its license affected their decision to develop only internally 
- 
sarang ECC seemed to be very concerned about other projects "scooping" this stuff 
- 
sarang But I _definitely_ don't want to speak for them or try to figure out how they run their business... 
- 
sarang that's certainly off topic for this channel 
- 
sarang But perhaps it speaks to the usefulness of doing technical development openly 
- 
sarang The downside is people misunderstanding the nature of works-in-progress, I suppose 
- 
sarang But the upside is transparency and verifiability and having more eyes on tough problems 
- 
kenshamir[m] <sarang "Perhaps having technical discuss"> Yeah very fair 
- 
sarang To be fair, I've found that Zcash technical discussion historically _is_ done openly, usually on GitHub 
- 
sarang and that's great for ease of access 
- 
sarang This stuff with Halo 2 seemed bizarrely different in its approach 
- 
kenshamir[m] Yeah I think the outrage was mainly due to expectation 
- 
kenshamir[m] Not outrage... questions 
- 
sarang My utterly wild speculation is that it's to avoid other projects using the technology to gain some kind of advantage over the Zcash project, but this could be entirely not the case 
- 
sarang Trying to figure out why private businesses make decisions seems a losing effort most of the time... 
- 
kenshamir[m] This sounds like the rational conclusion. Another idea is that they were trying to usher in a way for open source projects to have an advantage over closed source projects 
- 
sarang I think it'd be wild to see a full Bulletproofs-based implementation of something like the Sapling or Heartwood protocols 
- 
kenshamir[m] I’m not proficient in licenses, so I couldn’t make heads or tails of it though 
- 
sarang Yeah, me neither 
- 
sarang There was some back-of-the-envelope stuff for Bulletproofs a while back, but I don't think anyone was crazy enough to actually build it =p 
- 
kenshamir[m] I’m actually not 100% sure what the license would cover because Halo is not well defined in my head 
- 
sarang Well, the code for sure... but you can't license math 
- 
sarang at least, you're supposed to not be able to do that... 
- 
sarang *coughRSAcough* 
- 
sarang *coughSchnorrSignaturescough* 
- 
kenshamir[m] So if I code up my own halo implementation, I can put it as MIT? 
- 
kenshamir[m] Haha, I’m glad it’s frowned upon now 
- 
sarang I am not a lawyer, but I'd think so 
- 
sarang I mean, Halo is a technique for proof recursion 
- 
sarang they didn't invent the underlying proving systems 
- 
sarang nor could they license the math behind those 
- 
kenshamir[m] I’ve also seen phrases such as “halo the commitment scheme” 
- 
sarang Of course, by the time you get it coded, the restrictive license period would be over 
- 
sarang Halo The Coloring Book! 
- 
sarang Halo The Breakfast Cereal! 
- 
sarang (Spaceballs reference...) 
- 
sarang Merchandising: Where The Real Money From The Movie Is Made (tm) 
- 
sarang "God willing, we'll all meet again in Halo 2: The Search For More Money" 
- 
sarang Was there a new approach to commitment schemes in the original construction? I don't recall 
- 
kenshamir[m] True, I guess it’s fine if that license does not affect MIT/Apache licenses 
- 
sarang No idea :/ 
- 
sarang Hopefully some license experts can provide better analysis on the consequences of restrictive licenses 
- 
kenshamir[m] I don’t recall either, but I might have missed something 
- 
sarang I'm not a fan of technical topics being mixed with press and marketing messaging 
- 
sarang it just makes everything muddled and confusing :( 
- 
sarang Hopefully this project continues to improve on external messaging 
- 
sarang this project == monero 
- 
sarang kenshamir[m]: do you also follow Lelantus development at all? 
- 
kenshamir[m] <sarang "kenshamir: do you also follow Le"> Not recently, I heard there was a bug found, or do I have the wrong protocol? 
- 
sarang What bug? 
- 
sarang I know they recently overhauled their security model to follow that of Zcash a bit closer 
- 
sarang but I don't know if they ever really fixed some of the one-time addressing woes that we originally found 
- 
sarang and I haven't been following their audit/deployment at all 
- 
kenshamir[m] Oh wrong protocol, I think 
- 
kenshamir[m] <sarang "I know they recently overhauled "> Was there a rationale for this? 
- 
sarang I'm not sure 
- 
sarang Perhaps to more broadly capture the entire nature of a transaction, and not just proof security 
- 
sarang Since security of the proving system doesn't imply security of the overlying tx protocol? 
- 
kenshamir[m] <sarang "Since security of the proving sy"> Yeah that makes sense 
- 
sarang I'm really curious about what their batch processing times end up looking like 
- 
kenshamir[m] I guess unless the statement being proven encapsulates the notion of a “Tx being spent” ? 
- 
sarang The values in the preprint seem crazy good 
- 
kenshamir[m] <kenshamir[m] "I guess unless the statement bei"> Actually I’m not sure 
- 
sarang kenshamir[m]: their proof does capture that, but stuff like balance checking is outside the simple sigma protocol security definitions 
- 
kenshamir[m] <sarang "The values in the preprint seem "> Did they have code? 
- 
sarang Not at the time, but they recently released FOSS code 
- 
sarang I don't think it had full benchmarks for batching, but I'm really curious 
- 
sarang esp. since their anon sets are really large and you'd need to handle spending old funds too 
- 
sarang I had a lot of questions on how all that would work 
- 
sarang I think they were targeting something like 65K sets 
- 
sarang Reminder that our weekly research meeting starts at 17:00 UTC 
- 
sarang .time 
- 
monerobux 2020-09-16 - 16:05:07 
- 
sarang good bot 
- 
kenshamir[m] I’ll need to check out those numbers, didn’t really think that there were more improvements to be made 
- 
sarang Might have to do with library choice? 
- 
sarang And it's not clear how they compared for things like range proofs, point decodings, balance, etc. 
- 
sarang but I'm really curious how Lelantus works out in practice at the scale they were targeting 
- 
kenshamir[m] I have not been up to date with your work recently, were their numbers comparable? 
- 
sarang In theory they should be 
- 
kenshamir[m] For something like a conventional Tryptich proof <- sorry can’t spell 
- 
sarang The verification structure of Triptych is _extremely_ similar to that of Lelantus 
- 
sarang They're based on the same proving system 
- 
sarang and both require range proofs 
- 
sarang I think their bulletproofs will be a bit slower, but not by much (they use a variant of Pedersen commitments) 
- 
sarang Hmm actually they might have the advantage by avoiding separate commitment points... 
- 
sarang I need to check the verification routines 
- 
kenshamir[m] Do they compare Triptych in their updated paper? 
- 
kenshamir[m] @sarang btw were you able to draw any conclusions from your recent on these groth based proofs? Such as using one of them instead of MLSAG/CLSAG or is it still early days? 
- 
sarang Looks like they did not compare to Triptych or Arcturus, but yeah, they _would_ still have an advantage by avoiding using separate amount commitments 
- 
sarang However, they had to sacrifice one-time addressing security 
- 
sarang that was a kicker 
- 
sarang I think Groth/Kohlweiss-based protocols show a ton of promise 
- 
sarang Big downside is multisig complexity due to the change in linking tag format 
- 
sarang The only way I know to do it safely is using Paillier encryption, which requires arbitrary RSA groups 
- 
sarang I do have proof-of-concept code in Python and in C++ for both Triptych and Arcturus for non-batch timing purposes 
- 
kenshamir[m] <sarang "I do have proof-of-concept code "> Link? 
- 
kenshamir[m] <sarang "The only way I know to do it saf"> Is this a show stopper? 
- 
kenshamir[m] I’m guessing you don’t want to introduce the additional complexity 
- 
sarang It's not a show-stopper, but needs to be carefully considered 
- 
sarang esp. if it's intended for hardware devices to implement with low computational complexity 
- 
sarang and there are some annoying proofs you need to do for optimal security with the Paillier-based schemes 
- 
sarang 
- 
sarang 
- 
sarang 
- 
sarang 
- 
sarang Usual disclaimer that these were not written with production security in mind, and should not be deployed as is 
- 
sarang The Python code does support batching, but isn't useful for timing purposes 
- 
sarang Arcturus soundness also requires a non-standard hardness assumption 
- 
kenshamir[m] Thanks for the link! 
- 
kenshamir[m] <sarang "Arcturus soundness also requires"> Which one? 
- 
sarang a new one 
- 
kenshamir[m] Checking paper * 
- 
sarang I haven't been able to reduce it to a standard assumption yet :( 
- 
sarang Page 4, Definition 1 
- 
sarang 
- 
sarang A reviewer claimed to have broken it, but their example didn't work (I don't think they read the definition carefully) 
- 
sarang kenshamir[m]: if you're able to break the assumption, or reduce it to a known assumption, I would be unbelievably happy 
- 
sarang Right now it's just this weird thing 
- 
sarang I think it's a reasonable assumption, but it's totally untested 
- 
sarang OK, we'll start our meeting momentarily 
- 
sarang 
- 
sarang Let's get started! 
- 
sarang First, greetings 
- 
sarang hello 
- 
hyc hey 
- 
h4sh3d[m] Hello 
- 
Isthmus Holla 
- 
sarang On to the roundtable, where anyone is welcome to share research of interest 
- 
sarang Who wishes to begin? 
- 
UkoeHB_ hi 
- 
UkoeHB_ not research, but it seems the hardfork protocol changes have been finalized 
- 
sarang Indeed! 
- 
sarang Binaries are set to be released, and the protocol upgrade will happen around October 17 
- 
UkoeHB_ CLSAG, fixed block rewards, and chain-data-based UTC timestamp timelocks 
- 
sarang This gives users and other ecosystem participants a month to update 
- 
UkoeHB_ are the changes I know about 
- 
hyc on that note, I've been running the new stuff on testnet for about 2 weeks 
- 
sarang Anything of note hyc? 
- 
hyc nope, decidedly boring 
- 
sarang Excellent 
- 
sarang Ledger and Trezor teams are ready as well 
- 
sarang So users of those devices should see a seamless transition, provided they keep their devices updated 
- 
sarang Thanks to everyone who participated in the upgrade process 
- 
sarang CLSAG was a particularly long road to walk... 
- 
h4sh3d[m] What's the best resource to see what changed in the transaction serialization, regarding the hardfork (directly the code I imagine)? 
- 
h4sh3d[m] So I can update the Rust library and include the new format 
- 
Isthmus Ooh I didn't know that we had a Rustnero. Where does that repo live? 
- 
sarang Good question h4sh3d[m]... I'm not sure there's something easier than examining the code, or perhaps something like the onion explorer source 
- 
h4sh3d[m] 
- 
Isthmus Sweet, ty 
- 
h4sh3d[m] sarang: ok, I'll check the code anyway then 
- 
sarang Might also be worth pinging moneromooo as well 
- 
sarang (ping) 
- 
sarang I can get you the serialization for CLSAG signatures specifically, if that's useful 
- 
h4sh3d[m] Yes, it is useful 
- 
sarang 
- 
h4sh3d[m] Thanks 
- 
moneromooo Oh hi 
- 
» moneromooo reads back 
- 
sarang Er, that's my branch, so it's probably not fully up to date with the project master branch 
- 
sarang whoops 
- 
moneromooo Data format changes ? I can look that up, gimme a few minutes. 
- 
h4sh3d[m] At least I have the right file with this 
- 
sarang :D 
- 
sarang Was there anything else that should be discussed related to the upgrade, now that it's been brought up? 
- 
moneromooo Oh right, what sarang pointed to actually :) 
- 
sarang :D 
- 
sarang 
- 
sarang not my clone of it, which is probably a bit old 
- 
moneromooo and the rct type is 5 for those. 4 for MLSAG. 
- 
sarang Does anyone else wish to share research topics of interest? 
- 
Isthmus 
- 
sarang Great! 
- 
sarang Anything of note to which we should pay particular attention? 
- 
sarang That link isn't for viewing 
- 
sarang You'll need to access the read link from the share menu 
- 
sarang It's different from the project URL 
- 
Isthmus 
- 
sarang success 
- 
sarang Any big recent changes of note? 
- 
sarang <3 line numbers 
- 
h4sh3d[m] I like 766 :D 
- 
Isthmus Added the sections about pq-crypto and mitigations 
- 
sarang No Oxford comma on L766? 
- 
sarang tsk tsk 
- 
sarang I had pointed out some issues to suraeNoether a while back, but they appear to have been addressed at first glance 
- 
sarang Namely about having access to multiple outputs, which included some incorrect math 
- 
sarang Isthmus: is there anything you'd like from this channel related to this new draft? 
- 
sarang Particular review, etc.? 
- 
zkao hello guys 
- 
sarang Hi zkao 
- 
sarang OK, well I suppose we can move on! 
- 
zkao since we're on research paper review topic, we'd like to get the atomic swap paper more widely scrutinized, vtnerd did a good job so far, so it would be great if more eyes look into it carefully and drop questions, could some people in here give more feedback? 
- 
sarang Can you summarize the comments from vtnerd? 
- 
zkao 
- 
h4sh3d[m] 
- 
zkao he picked up on all the differences between traditional atomic swaps and h4sh3d's asymmetrical one 
- 
sarang Ah, there's more discussion there since I checked last; excellent 
- 
sarang Thanks for linking this 
- 
zkao his process of reading it and analysing it, made me feel like almost nobody tried to understand it yet 
- 
zkao because other people should have spelled some of that stuff before 
- 
kenshamir[m] <sarang "kenshamir: if you're able to bre"> Battery died on phone, I did think of something where we can use it to solve the DL of G with respect to H. But I think I might just have misunderstood the assumption, or my maths is off. Ahh meeting in progress, can wait for it to end. 
- 
zkao except a few experts 
- 
sarang zkao: has the latest version of the preprint been posted to the IACR archive? 
- 
h4sh3d[m] Yes 
- 
sarang great 
- 
h4sh3d[m] it's submitted, not yet published 
- 
h4sh3d[m] I'll paste a link as soon as it gets on the preprint server 
- 
sarang When was it submitted? 
- 
sarang They're usually pretty quick 
- 
h4sh3d[m] today :D 
- 
sarang Ah ok! 
- 
h4sh3d[m] pretty quick < some days/weeks? 
- 
sarang kenshamir[m]: I definitely want to know about this after the meeting :) 
- 
sarang h4sh3d[m]: yeah, maybe delayed a few days, but generally not too bad 
- 
sarang They're not as on top of things as arXiv for daily postings, it seems 
- 
zkao i guess you should drop it in bitcoin-wizards after it's in the preprint server 
- 
h4sh3d[m] seems good yes 
- 
sarang Are you not in that channel? 
- 
sarang I can certainly link it there if you wish 
- 
h4sh3d[m] I am in the channel, yes please! :D 
- 
sarang OK :) 
- 
sarang You can of course feel free to post it there if you prefer! 
- 
sarang I don't have any particular sway in that channel 
- 
sarang I have a few things to share 
- 
sarang I did some review with suraeNoether on the post-quantum security draft 
- 
sarang Worked on the Arcturus security model to make it more clear after its last review 
- 
sarang Produced BP+ and BP Python updates to demonstrate additional hidden data embedding 
- 
Isthmus Sorry, lost internet a few. Yea, Sarang had a lot of very helpful comments 
- 
sarang Gave a presentation to a Chicago bitcoin group 
- 
sarang And am participating in this week's ongoing ESORICS conference 
- 
sarang Additionally, I've been asked to give an MCC talk soon relating to privacy 
- 
sarang I think they presumed bitcoin-related privacy, but I think that's not useful 
- 
sarang I welcome suggestions on particular topics you think might be of most use to that audience 
- 
sarang Anyway, did anyone else wish to share research topics? 
- 
sarang We're approaching the end of our scheduled hour 
- 
sarang I do wish to note that I will not be requesting community funding after the end of this month 
- 
sarang So any research meetings will need to be coordinated by someone else, if it's desired that they continue 
- 
zkao the transaction graph of bitcoin is in the clear, even if scripts get hidden with taproot, so you could push the agenda that it is not good enough, on that conference 
- 
UkoeHB_ what will you be up to next month, if I may ask? 
- 
sarang I have yet to finalize anything specific 
- 
sarang OK, well, I suppose we can adjourn then 
- 
sarang Thanks to everyone for joining today 
- 
hyc thanks for running the meeting 
- 
sarang kenshamir[m]: would be very interested in the details around that hardness assumption 
- 
zkao thank you for hosting 
- 
h4sh3d[m] Thanks everyone 
- 
TheCharlatan applause to sarang 
- 
kenshamir[m] <sarang "kenshamir: would be very interes"> Just looked over it again, and I'm quite excited to be proven wrong, since it will be an opportunity to learn 
- 
sarang If it's possible to reduce the assumption to knowledge of the DL of G w.r.t H then that's great 
- 
kenshamir[m] I have two ideas, will say the first one 
- 
sarang Since those are assumed to have no known DL relation 
- 
» sarang fetches a pad and pen 
- 
kenshamir[m] Is this correct so far? 
- 
- 
sarang n=1 looks fine, with appropriate variable renaming 
- 
kenshamir[m] I then say that we can use this A to solve the DL of H w.r.t. G. If we set R to H or Q to be G. 
- 
kenshamir[m] Can you spot an error? 
- 
sarang incorrect in that last paste 
- 
sarang The second condition is `y*(H-x*G) == 0` 
- 
sarang The last condition should be `x*Q != H` 
- 
sarang The point is that the way the indexing appears in the first two bulleted sums of the definition are "reversed" in a sense 
- 
kenshamir[m] Ahh right 
- 
kenshamir[m] updating * 
- 
kenshamir[m] sarang: What about the "I then say that we can use this A to solve the DL of H w.r.t. G. If we set R to H or Q to be G." part? 
- 
sarang Can you write that out as a wrapped security game? 
- 
sarang just for clarity 
- 
sarang i.e. the DL player receives `G` and `H` and needs to return the DL 
- 
sarang and passes things into the dual-target player 
- 
kenshamir[m] Ahh right, yep 
- 
sarang I think it's also important to identify the nature of the set parameter `n` 
- 
sarang Being able to pass in zero values, e.g., may suffice for arbitrary `n` 
- 
kenshamir[m] <sarang "I think it's also important to i"> Good point, I think the second idea deals with n=2 which may generalise to arbitrary n. Will need to check it again though 
- 
sarang Yeah, hopefully this approach is more straightforward than I've been making it 
- 
kenshamir[m] I think I might have something mistaken, but not sure what 
- 
kenshamir[m] The Dual Target game is modified slightly, so that instead of the Challenger choosing a random G, H. It is now the G, H from the DL game 
- 
sarang Sure, the DL player takes on the role of the dual-target challenger in a wrapped game 
- 
sarang So it provides the dual-target player's input and receives its output, and can do what it wishes with them 
- 
kenshamir[m] If the adversary sets H_k == xG. Then x will need to be the DL of H w.r.t. G 
- 
kenshamir[m] sarang: does that work? 
- 
kenshamir[m] My second idea was to show that if the adversary tries to cancel out each term, then he will need to know the DL of multiple pairs of random group elements which I think would be harder than the DL. 
- 
kenshamir[m] I used the fact that no matter what group element the adversary chooses, as long as it is not the identity. When we multiply by the challenger's random _mu_ value, or _y_ in the case above, the element can be seen as random too. 
- 
kenshamir[m] Assuming a group of prime order 
- 
kenshamir[m] This is assuming the first part works 
- 
kenshamir[m] Have to head off now, let me know if you find any errors in the logic 
- 
sarang kenshamir[m]: sorry, have been watching a livestreamed privacy talk 
- 
sarang kenshamir[m]: if I'm reading it right, I don't think that approach works 
- 
sarang The DL player can manipulate the inputs it sends to the dual-target player, but it can't change how that player operates internally 
- 
sarang It can only receive its outputs, and use the fact that the dual-target player can win with some advantage