02:23:26 can the atomic swap stuff being proposed be hacked to make payment channels / lightning network on monero?
11:31:51 gingeropolous, not in a reasonable way, swaps wouldn't be extensible to form payment channels natively. The current swap proposal works because it uses refund transactions in bitcoin. However, it should be possible to swap on-chain monero for lightning-bitcoin. From what I know, a way to enable native payment channels is DLSAG, https://eprint.iacr.org/2019/595, written by prolific contributors of this community
12:35:19 Monero uses a zero-knowledge range proving system (Bulletproofs) to avoid commitment "overflow"
12:35:43 Its transaction protocol uses a witness-indistinguishable signature construction
12:36:06 And yes, I get very annoyed when people conflate "zero-knowledge proving system" with "privacy-preserving transaction protocol" automatically...
12:36:09 Also, hello
12:36:16 heya
12:36:38 FWIW "zero-knowledge proving system" has a precise technical meaning
12:37:13 The balance part of the transaction protocol relies on the Pedersen binding property
12:37:38 Which in turn relies on the discrete-log independence of our Pedersen generators
12:38:56 This describes the situation nicely: https://raw.githubusercontent.com/SarangNoether/talks/wcc-2019/wcc-2019/puzzle.jpeg
12:40:38 If the project were to move to something like Triptych or Arcturus or Lelantus or RingCT 3.0 or Omniring, then the transaction protocol would use a zero-knowledge proving system for transaction authorization as well... but the zero-knowledge property has _nothing_ to do with the ability to use a larger anonymity set
12:41:42 What it does is make it easy to mathematically argue about _protocol_ properties (signer ambiguity, balance, etc.)
12:42:06 These can be trickier to argue if you only have witness indistinguishability
12:42:22 But I'd say that in practice, the difference doesn't really matter
12:42:25 the end
12:47:25 How's the channel doing?
12:48:40 TLDR: Zero-knowledge is like Mjölnir, but not every problem is a nail :)
12:48:51 Heh
12:49:03 It's unfortunately been used as a "marketing term" in a way that I think hasn't been helpful
12:49:37 It's a really handy tool that can help build nice protocols
12:49:54 But having a hammer doesn't mean you automatically have a finished shed
12:50:35 A: "We have this business use-case, which seems impossible"
12:52:40 A: "Can't seem to find my tooth-brush"
12:52:40 B: "You tried applying a zero knowledge protocol to figure out its rough whereabouts, then use bulletproofs to trustlessly verify the GPS co-ordinates in linear time?"
12:52:43 Ok, I'm done :)
12:53:27 I always liked the Where's Waldo analogy (or whatever he's called... apparently it's different outside the U.S.)
12:54:12 Over here, I think we use a "cave" analogy, but I can't remember
12:54:46 Also like the Card analogy that Groth mentioned a few years ago
12:54:58 Suppose I have a Waldo picture and want to prove to you that I know where Waldo is, but don't want to show where
12:55:08 I cut a Waldo-sized hole in a big piece of cardboard
12:55:24 You turn around, and I place the picture behind the cardboard so the hole lines up with Waldo
12:55:41 You turn back around, and see that I found Waldo, but you don't gain any information about where in the picture he is
12:56:15 And further, once I take away the cardboard, you can't use my "proof" to claim to someone else that you know where he is
12:56:28 Ahh right, I guess the cardboard has to be at least double the size of the picture
12:56:35 Indeed!
12:56:48 Card one: If I want to convince you that the card I have is red, without telling you the exact card. I show you the deck, then give you the 26 black cards
12:57:21 Oh nice
12:57:40 You can deduce the card I have is indeed red, but you do not know which card.
Saw Groth mention it in a video a couple years ago
12:57:54 So what we've demonstrated here is that all you need to build privacy-preserving transaction protocols is a deck of cards and a Waldo book
12:58:17 Should we start a new blockchain?
12:58:26 Waldochain
12:58:34 wen ico
12:58:49 If you find Waldo, you can take all the money from the chain
12:59:08 In zero knowledge <- very important
15:47:23 and the color of the cards is the only identifying feature?
15:50:38 Hmm good question.
15:51:19 The colour case above is special because as soon as you prove your card does not have feature X, it implies that it has feature Y
16:27:47 Waldo wins!
18:01:59 I like the sudoku example: https://blog.goodaudience.com/understanding-zero-knowledge-proofs-through-simple-examples-df673f796d99