The paper:
https://eprint.iacr.org/2025/692.pdf
Fundamentals. @Fundamentals21m
npub12eml5kmtrjmdt0h8shgg32gye5yqsf2jha6a70jrqt82q9d960sspky99g
XMR: xmrchat.com/fundamentals
AverageGary
npub160t5zfxalddaccdc7xx30sentwa5lrr3rq4rtm38x99ynf8t0vwsvzyjc9
In this episode, we dive into the intricacies of Bitcoin, cryptography, and the fascinating world of aggregate signatures. We discuss the upcoming Shenandoah Bitcoin Club meeting, which will feature a Spanish-speaking sidebar, highlighting the growing need for multilingual resources in the Bitcoin community. The conversation shifts to the exciting events surrounding Baseload's birthday bash, featuring live music performances and the potential for future shows in the Shenandoah Valley. We explore the connection between music and math, and the importance of not being overly impressed by perceived intelligence, especially in fields like mathematics and cryptography.
We also delve into a recent paper on DahLIAS, an aggregate signature scheme that offers constant size signatures, which could have implications for Bitcoin's future. The discussion covers the technical aspects of the paper, including the local forking lemma and the challenges of understanding complex cryptographic proofs. We reflect on the importance of continuous learning in the Bitcoin space, especially in cryptography, and the value of tools like Sparrow Wallet in navigating the complexities of Bitcoin transactions. The episode wraps up with a reflection on the journey of understanding and the motivation to delve deeper into cryptographic studies.
Stop. Now the next Shenandoah Bitcoin Club, June twenty first, ten AM, Water Street Kitchen, downtown Winchester, will have a Spanish speaking sidebar, because I had this gentleman, from a from a country that largely speaks Spanish. He had a translator with him,
[00:00:42] Unknown:
show up at my office to, like, learn about Bitcoin. Like and not like trading. Like, he's kinda This is a need, right, I guess. Spanish translation's a big need. I'm thinking, like, finally, like, this is something my children can add value. They're fluent Spanish speakers. Wow. Yeah. You know? Well, they're not ignorant of Bitcoin. They're not Yeah. Yeah. You know what I mean? They're not sociopaths yet, unfortunately. We're working on it. We're you know, my older daughter has fucking dreams and nightmares about matrices and math all the time. That's like she she's consumed with. But, she speaks fluent Spanish too. So maybe that's, like, when we think about, the June 21, bring them down. Great price. First? The Shenandoah Valley. So So June 12 is that's an inversion of June 12, which is, Baseload's birthday bash at Pub Key, which is gonna be fucking incredible.
June 12. Yeah. I can't go to Pub Key. I can't go that far. City. So any of you Yep. Any anybody of who likes having their math motivated by us, I don't know if that sounded sounded bad, but, it's gonna be fucking awesome. Baseload's debt and I'm not to get too into this plug, but Baseload's dad's a professional musician. He's coming to join him, and my daughter will be playing piano, and we got a great drummer. My Man, that sounds cool. Jason, my podcast partner for Back on the Chain, the Fish podcast. He's sick. Sick on the drums.
I'll probably sit in on guitar for a song or two, but, like, I'm probably gonna not I'm not gonna be really featured in this one. It's gonna be mostly those those guys. It's gonna be fun as hell, though.
[00:02:21] Unknown:
Yeah. Yeah. That's a Thursday night. Interesting. I will not be there, unfortunately.
[00:02:27] Unknown:
I understand. It's a long trip for you, man. What? We will figure out a way to do this, though. We will we will figure out I mean, there will be more shows. That's the thing about when you can play music, like,
[00:02:41] Unknown:
I don't know. There are live venues around here. Like, live buffet. Baller venues. So I think I I think I think there's something. I wanna cook something up with some live music in the valley.
[00:02:54] Unknown:
And there's a music math connection that I would also like to build out as well. You know? I mean, everybody knows that their connection exists. Somehow, Base, as great of a musician as he is, has never locked into this math thing.
[00:03:11] Unknown:
But, like We're gonna motivate him. Dude,
[00:03:14] Unknown:
dude, just, like, you know, send it would be so cool if everybody just sent some dust boost just to just to, you know, tell us that you would love to see Baseload, like, in some way, push himself in whatever whatever mathematical level he's at. Just Yeah. Yeah. It's hard, though, when you're doing forty hours of Bitcoin podcast a week. It's hard. Fit in the When I met him, I was, we we took the train in New York together, and I had this book, this math book, and he was way too impressed with what I was doing. And, like, that's and it's the kind of thing that, like, I know p he's like, there are people that are really intelligent, but they get way too impressed by people's math ability when it's not that impressive.
And that it's, like, the reason I do this podcast. It's like so that all of you stop being so impressed by dipshits Yeah. Who walk around with a fucking math book thinking that there's some that that they have some secret forbidden knowledge. Right? And they kinda do, though, to a degree. Right? Because if you don't understand how something works, it's magic. The problem is what you're not impressed by the knowledge they have. You're impressed by the knowledge you assume they have or the abilities you assume they have. Right. That's, yeah, that's fair. You know? And I like the like, the seriously, like, the number one priority of this podcast is to get people to stop being so impressed by or, you know, like, in poker, there used to be this term called, MUBS, m u b s, stands for monsters under the bed syndrome. That's like when you're playing poker and you're always just assuming that your opponent Like, you could be sitting there with full house, and you just know the other guy. You just feel like he has four of a kind. You you just feel like he has you beat.
Like, you know, and if you I used to be on poker forums and all this stuff, and it always just be monsters under the bed syndrome. And it's a kiss of death for anybody playing, like, in a game of intelligence. We are Bitcoin's a game of intelligence. Right? We have to outwit the, we have to outwit people trying to scam us and trying to, beat us down and trying to defeat us. We have to outwit those people. Yeah. And we can't assume they have some kind of special abilities they don't have.
[00:05:31] Unknown:
Well, we're all human at the end of the day. That's like, one of the things Except for the lizards. One of the like, in the in the navy, when I would go to brief and everybody's like, oh, like, you have to brief some, like, high level general or admiral or something. And I'm like, yeah. Like, the guy sits down and takes shit just like me. So, I don't even want right. He shits standing up.
[00:05:57] Unknown:
Yes. And That's the that is the way he thinks. Inside himself, not outside. But
[00:06:03] Unknown:
Okay. Alright. Let's, math, anyway. Let's talk about that instead.
[00:06:09] Unknown:
It's true, though. Like, it's you know? Well, we can we we can talk about motivating the math. And here's another thing. You know, we're in this weird spot in the podcast, right, where we're starting to get some traction. We've taught some math. It was painful. We talk about things adjacent to math, and that is much more accessible and probably more helpful to people. And I feel like we do what we have to do. If we have to fucking talk math, we do it. We and then we just sit there and complain the whole way through, like, this is terrible that we have to do this. Well, we definitely had to at first. We definitely did have to at first, and maybe we will again. But I think right now, we're sort of in this swing of we just have kind of stuff now that makes sense to talk about given the foundation we've laid.
And, so I feel like the last two weeks have been good in that way.
[00:07:00] Unknown:
Yeah.
[00:07:02] Unknown:
But see, you know, I did you you know, and for whatever it's worth, dude, you look better. Thank you. Instead, I seem to be commenting on this every week now. Like, you actually look at it. For the audience. Gary looks pretty good. Thank you. Yep.
[00:07:16] Unknown:
I I have, yeah, I've come out of whatever funk that I was in. It was just you know? And and it still is. I feel like I'm sprinting without any pause, in a number of ways. But I I feel like I found a good rhythm, good pacing,
[00:07:34] Unknown:
and, I do have math to talk about today. You're just I'm ready. Go back to So you just shared your screen, and there's this paper written by Nick
[00:07:41] Unknown:
Jonas. Tim Ruffing and Yannick Seurin.
[00:07:44] Unknown:
This is like one of the Jonas brothers? Nick Jonas?
[00:07:48] Unknown:
I think that's a musical tie in there. It might be some distant relation even though the first name is Jonas and not the last name. That music. Yeah. So But, yeah, it's a it's a new paper that came out. A new paper, Jonas Nick, Tim Ruffing,
[00:08:05] Unknown:
Yannick Seurin. So they call it the Nick Ruffing Seurin or NRS. This they're gonna refer to this. This is gonna be one of these seminal papers that changes the course of I I think they're calling it DahLIAS. DahLIAS. Oh my god. Alright. Discrete logarithm based interactive aggregate signatures.
[00:08:25] Unknown:
And I just I wanna go over this paper today. That's, like, my goal because there's math stuff in here. This,
[00:08:31] Unknown:
some psych. I love this, dude. We're gonna go through a paper. I've never seen it. It's got a word in it that definitely rings relevant, discrete logarithm. It's got about it. Based. Discrete logarithm based. And then we have something called interactive aggregate signatures.
[00:08:51] Unknown:
Well, interactive is a keyword here. Right? Yeah. There are, like, two sort of, like when you're in the the the realm of cryptographic protocols, there's, like, kinda two high level forks in in how you could go. One is a noninteractive protocol. Meaning, like, if we follow the steps of the protocol, it works. And it we and and and we as parties in this protocol don't necessarily have to interact with each other. I can't think of an example off the top of my head. But this interactive one mean just means that the people participating,
[00:09:25] Unknown:
there's there's someone's level of interaction. Like, Signet be an example of noninteractive or something like that? No. Signet. No. You can just what I'm saying, well, you can just literally simulate the world by yourself. You could. Yes. Yeah. Yeah. So it's okay. Let me clarify what a Signet. I need a hundred confirmations where I can spend this. So let me just code a hundred confirmations so now so I can just spend this.
[00:09:47] Unknown:
Hold on. Let me that that might be more appropriate in regtest. That's what I meant. Regtest. Sorry. We're gonna do a brief, Bitcoin network 101. There is mainnet Bitcoin. That's, like, for real for real for keeps, pink slips, whatever. Like, you fuck that up and Well, everyone's gone. Become testing and prod. Right? Well, no. Don't do that. That's what people mainnet is where everyone you know? There's testnets. Mainnet is Bitcoin. That will everyone will call it. Yes. Mainnet is but when you're speaking in, like, a technical developer sense, mainnet is, like, the main chain, like, this is for real for real. Right. There there is testnet, and there's four versions of testnet that have like, they're as close as you could get to mainnet as possible with some small tweaks to make it easier to test with. And testnet,
[00:10:34] Unknown:
just since we're motivating the math here and, like, the way, like, an analytical process we should be probably using when we do our own business is, like, if you if you use Sparrow Wallet, you have the option to you have the option now to go into have your whole environment in testnet, and you can test things. And then you can just without consequences, but you just need some testnet coins. Right? And you can create feed them. Yep. Same here. You can create your own kind of protocols. Maybe you wanna make multisig at home.
You can test it out before you screw it up in real time.
[00:11:17] Unknown:
Exactly. Right. Yeah. So that's, like, that's a broader testnet. Right? There's also this concept of regtest, which is, like, me, I control the blockchain, everything. And there's literally a command you say, like, mine like, generate blocks.
[00:11:30] Unknown:
Generate a hundred blocks so that now I can spend this token. Yeah.
[00:11:34] Unknown:
Coinbase specifically is the thing that you need That's a hundred blocks to spend. To block yeah. For block one. Right? So you can spend out of coinbase. Mhmm. And then, Signet, what you refer to, is like a testnet, except there are people that are allowed to sign to sort of, like, mine the blocks. So you could spin up your own custom Signet. Like, an example, there's, like, Bitcoin Inquisition, I believe, is one. I think
[00:11:59] Unknown:
I think there's just, like, one Signet. That's all I need to know. That's all I need to know about Signet. All I need to know. I wanna use it. But you could, there's another
[00:12:07] Unknown:
Signet, I believe. I think it's called mutant it's MutinyNet, I believe, is also a Signet. And that that has, like, thirty second block times or something like that. But it's all these different, like, tweaking some of the parameters of how the chain works, to make it easier to test certain aspects of Bitcoin.
[00:12:26] Unknown:
Yeah. So, like, if you're worried about, like Yeah. If your job like, imagine having a job where you had to, you you had to code, like, block headers or something like that, and you literally had to wait. Let's say you imagine having to wait, like, an hour for every this is partly why all these these kinda all these forks came from coding losers who had couldn't care less about money. They just cared that their jobs suck because they had to wait ten, twenty minutes before they can run another test on their Yep. On their code. Right? Yeah.
Let's fork everybody's money let's fork everybody's money so that we can have an easier easier job.
[00:13:04] Unknown:
One regtest you see a lot in software test suites where it will be an automated test of the thing, the application in doing the thing, because you have just absolute all the knobs that you can turn for the entire chain on how things work. Love knobs. So I see that a lot. You love knobs?
[00:13:23] Unknown:
I'm a guitar player, man. I love my I love there's a whole guitar players is a whole thing around knobs. Like, if you are obsessed with pedals, you know, the world of pedals is all knobs.
[00:13:34] Unknown:
Pedals and knobs. Yes.
[00:13:37] Unknown:
I know. And what about I know you're looking for a sexual reference there, but you know? No. No. I I'm talking That is not where my mind went at all. You. Talking to the audience.
[00:13:46] Unknown:
Ah, yeah. Stop it, Dan. Okay.
[00:13:50] Unknown:
Aggregate signatures. These two guys I'm just looking sorry. I'm looking at the, just real quick before we dive into this thing. I'm seeing they are, two of these authors are from Blockstream and the other is from Ledger? Correct. And which are the probably the two biggest companies that
[00:14:09] Unknown:
do research in this space? Yeah. So yeah. Yeah. That I would say that's accurate.
[00:14:14] Unknown:
I mean, I don't I don't wanna I don't wanna hold a ledger, but I certainly wanna read their research because I know they're I mean, you know, they're they're pushing, you know, they're pushing it in a way that others aren't. So so that that's a, like, a ledger apologist for the sake of education. Right? And Blockstream too. Right? This is the thing this is probably the thing they do well is what we're like like, write papers like this, and that's why it's worth our time.
[00:14:42] Unknown:
Yeah. Alright. This paper specifically goes over this aggregate signature scheme, a new a new one that works with the curve, secp256k1, that Bitcoin uses. Caveat, the the use of this, though, would require a consensus change. There's no like, this is not like, it doesn't work on mainnet Bitcoin
[00:15:05] Unknown:
because of that fact. And so maybe go into a maybe you're not ready to do this, but, like, when you say it needs a consensus change, it's because we don't have the opcodes. We don't have what is it that might mainnet doesn't have? Because, like, for instance, I was just listening to Rob Hamilton talk about how Mhmm. Miniscript didn't require a consensus change. It was already it was it was snuck in before he started working on it. Right? Yep.
[00:15:33] Unknown:
So So The consensus change here is it just it's about how signatures are. Because on Bitcoin, generally speaking, unless you have, like, a multisig. Right? Mhmm. You you have one signature for your Bitcoin transaction. And since since the Taproot upgrade, since we got Schnorr, there are ways of doing, like, multiparty signatures where it's just one signature. So, like, FROST and MuSig are the the two most well known ones. This is compared to those as like, hey. You know, this works on the same curve, but it requires a consensus change. And my understanding is the consensus change would be about the way signatures are verified because this allows you to essentially and and it's kinda called out here, where you can have an aggregate signature over, you know, m one through m n, m being the signatures. Right? So multiple messages signed by multiple pub keys, so pub key one through n.
You can take that entire list of pub keys and messages as a pair. Like, that's what you need to with a signature. Right? But you can you can combine all this into one aggregate signature. And so the way Bitcoin like, the Bitcoin is, is not designed to do this aggregate signature verification.
[00:16:56] Unknown:
Right? Yes. So that would be the change. Because these aren't because it's not a group. Because it's what? It's not a group. And if the because if it's not so you don't have you don't have what's called an isomorphism, and you don't have so you you don't have, a mapping. So that's why you need to patch it into the existing you know, you you have to patch the capability to view, data this way, right, into the existing code because it's never considered it just never considered doing it. Like, you know, you know what I mean? Never considered this functionality.
[00:17:34] Unknown:
Yeah. But, like, everything they've done
[00:17:36] Unknown:
everything they've done that doesn't require a fork is done so because they've been able to exploit the same mapping.
[00:17:45] Unknown:
Right. This would require because right now, every message every every transaction, every message, because you're signing transactions, like, those are separate signatures. In this aggregate signature, you would have multiple transactions and multiple pub keys that are it just has one signature that that one signature can validate Yeah. All of them. Interesting. And so that's, like, the the key difference here, and that's the idea of aggregate signature. You you might have heard people may have heard, CISA or cross input signature aggregation. Yeah. And there was sort of a a limitation way of doing full aggregation versus half aggregation, which is just if we remember our signature math, there's two values. There's the r and the s that are that are the signature.
Half aggregation is just compressing one half of that. I think it's just the s part of it where you you still have to keep track of all the r's. Full aggregation is you compress all of that into a single 64 byte, because each piece, each r and s is a 32 byte piece of that signature. The compression for half is just the the s side. The full compression or or aggregate. Compression is the wrong term. Aggregation. Let's let's make sure we keep using these right terms. So aggregation, full aggregation means you're compressing both sides of that signature, the r and the s together into a single r s that can be used to validate all of the messages for all the pub keys.
So it it's like a it is a Okay. Data compression of sort. Why do we wanna do this? I don't know if we wanna Why do we wanna put ourselves through all this? Yeah. Yeah. So so it's not necessarily that we want to do this. It is just proving, and let me see here. In the paper, there was a they prove DahLIAS secure in the concurrent setting with key tweaking
[00:19:43] Unknown:
under the one-more discrete logarithm assumption in the random oracle model. I like the word at something. You you left the word at. What's that? Boundary algebraic in parentheses. I'm trying to think about what they mean by that. Algebraic, which usually means that there's a solution to algebraic means there's a there's a, like, a solution in, like, a rational or real there's a solution inside the field. And this signature has a shape. As opposed to a transcendental number, which is the the
[00:20:14] Unknown:
What does that mean?
[00:20:16] Unknown:
So here's the math here's the math lesson and the piece of this. So there's, like, two one of the ways you can classify numbers is algebraic numbers or transcendental numbers. Okay. An algebraic number would be that there's that there's a solution to so let's say you have x squared minus two equals zero. You wanna solve that. Now if all you have are if all you have are rational numbers to do so, then there is no solution. But if you want to extend the rationals you wanna extend to the reals, you have the square root of two solves this x squared minus two equals zero. And so the square root of two would be a, algebraic number inside of that field, right, if it's extended to include it.
So the there's the then there algebraic numbers are numbers that basically satisfy an equation that like that that say there is a solution, whereas transcendental numbers are then numbers like pi. They'll they never they never satisfy they never they never solve these types of problems.
[00:21:25] Unknown:
Well, that's why the the group stuff is important. Right? Because, like, the that mean you're you're you're staying within this bounding box.
[00:21:32] Unknown:
Is that Especially groups in finite dimensional space. God, I I hate that I hate that I'm now, like three months ago or whenever we started this podcast, I would not have even used uttered that phrase, finite dimensional space. Mhmm. But, like, it's that's really is now why a group with a group inside of finite dimensional space now has algebraic numbers.
[00:21:56] Unknown:
Now what is this, like, this this part that I highlighted here? I'll I'll just I'll read it for the the audio listener. It goes it says this in this paper, we proposed DahLIAS, the first aggregate signature scheme with constant size, meaning it's the same shape as a standard signature, meaning the final size is an R and S, 64 bytes. Yes. That's the size of a Schnorr signature,
[00:22:17] Unknown:
but in the same shape. But it says it's directly based nice because every like, you because it's standardized to what the the hash output, I guess. Right?
[00:22:27] Unknown:
I don't think that has anything necessarily to do with hash output. Standard size. I think it just fits, like because one of the things with, other signature types so, like, if you looked at any of the quantum signature types, those signatures are bigger. That's a different shape. Right? The final result of a signature and some of these other
[00:22:48] Unknown:
Maybe you can hide in plain sight more if you're hiding among hashes.
[00:22:53] Unknown:
Well, block space is a scarce resource. Right? And so, like, having something that's the same size of existing signatures is a desirable trait Yeah. If you wanna adopt this signature schema, this aggregation signature.
[00:23:06] Unknown:
You have to redo the Merkle structure and all all you have to redo all that.
[00:23:12] Unknown:
I don't think it has anything to do with the Merkle structure. It's just the amount of data that you have to put into the chain to have a a valid signature. Right? So, like, the signature is the same like, you're not taking up any more size. Right? We already like, this is one of the one of the, you know, I would say trade offs in Bitcoin is you only have so much size to work with within a block. Right? And so if you have bigger signatures that take up more block space, then you're you're you're taking up more resources. So the fact that this is just the same shape and size as a standard signature means it would not take up. And and in fact, because you're able to, aggregate, right, the As a Schnorr signature.
As a Schnorr signature, yes. Yeah. It's the same size as a Schnorr signature. Which is the reduced
[00:23:57] Unknown:
form of that we still haven't really evolved to yet, but that's, like, that's good. What do you mean the reduced form we haven't evolved to yet? So we're not using Schnorr signatures for the most part. We still like, we still see we still see a lot of multisig. Like, if I go if I open the last block that just got published while we're talking.
[00:24:15] Unknown:
Yeah.
[00:24:17] Unknown:
No. We, It's you you would Capital uses Schnorr. I understand. But no Yeah. It's not that it's not being used in practice still yet very widely. People are creating multisigs using, you know, P2SH or, you know, showing the three signatures. They're, you know, not not using, you know, not using the Schnorr signature.
[00:24:42] Unknown:
I don't know. I mean, any anybody who's using Taproot is using Schnorr signatures. And if you turn on mempool goggles for, let's just look at the last block, 897854.
[00:24:52] Unknown:
How far do you have to go before you find before you find a old school
[00:24:57] Unknown:
multisig? Not prime. I would guess not far. Oh, we could find it. Like, a bare multisig? There's a few in the last block. Yeah. We're a p
[00:25:06] Unknown:
pay to witness. Sorry. Pay to witness,
[00:25:10] Unknown:
Pave.
[00:25:11] Unknown:
Yeah. We're pay to witness. Most of them are. That's and that's Yeah. Segue. That's that's all I'm saying.
[00:25:17] Unknown:
Yeah.
[00:25:19] Unknown:
Yeah. We're a ways away from Schnorr being, like, this standard way people make multisigs.
[00:25:27] Unknown:
Yes. Yeah. Yeah. Yeah.
[00:25:29] Unknown:
Right. I would almost guess every lightning channel is still using the two of two. Like Yeah. Yeah. That's probably the same stuff. My only point is it but this is not this is, like, already to the Schnorr is the best standard. Like, you know, presumably, it would be great if we could snap our fingers and accept with the one exception being maybe, like, a company like Anchor Watch who likes having all that detail on chain. You know? Like, there are people that like that detail or there are reasons to want that detail on chain.
But for the most part, it for people who want to obscure the fact that they're in a multisig, which would be probably most users, it would be nice if we were it'd be nice to snap our fingers and have us everyone on the channel. Yeah. And that though like, if you're one of those parties,
[00:26:14] Unknown:
that's where you would use MuSig2, which I think was just merged into some so Rust Bitcoin, which is, one of the libraries, like, underpinning a lot of these Rust projects such as Sure. BDK, Bitcoin development kit, and everything else just merged in MuSig2 recently. That would be multisig that looks like a single sig. That is a, you know, you don't know the number of parties. And there's some trade offs there because
[00:26:42] Unknown:
Right. But I feel like that's huge. Like, I I you know? Oh, yeah. That's huge. We've talked about it before here, but, like, that I feel like that's huge, and I my only point here was to say that this is this paper already assumes that everyone's kinda already on that standard who wants to be. And now Absolutely. Yeah.
[00:27:01] Unknown:
Yeah. Well and this also one of the reasons why this highlighted me is previously when I looked into, like, cross input signature aggregation and learning sort of, like, the the hurdles to overcome that for, like, full aggregation. Full aggregation was impractical, because of the interactivity required between everybody. Like, if we if we wanted to do full aggregation, like, everybody would have everybody doing a transaction in a block would have to, like, collaborate. Mhmm. But my understanding of this, this DahLIAS, is this allows for a two round interaction, which is this the same sort of, rounds in MuSig, to accomplish a similar goal. Yeah. Two rounds. The signing protocol of DahLIAS consists of two rounds, the first of which can be preprocessed without the message.
So, like, that's that's pretty cool. And I don't I don't know what that preprocessing is. That's what this paper would highlight. And then the second round is verification. So for a signature created by n signers is dominated by one multi exponentiation of size n plus one, which is asymptotically twice as fast as batch verification of n individual Schnorr signatures. That's a lot to unpack there, but I think Yeah. This is a loaded abstract. My god. Well, the batch verification of n individual signatures, that's, from my understanding, what full aggregation does without this was, like, you would have to do a batch verification of of Schnorr signatures. I might be off on that, actually. Yeah. I mean, I think we'd probably What does asymptotically mean?
[00:28:41] Unknown:
Asymptotically would be, it approaches a number but never reaches it. So think of, think of a a graph of, like, y equals one over x.
[00:28:53] Unknown:
So this is not exactly twice as fast. This
[00:28:56] Unknown:
is as close as you get to twice as fast. An asymptote would be like a dotted line that your line will approach but never reach. So, like, one over x Right. Your when your x goes to zero, one over x goes to infinity, but it never it never crosses the zero line. You you you can't be you because you can't reach zero.
[00:29:17] Unknown:
Okay. So this is just saying that it is it is not ever going to be twice as fast, but it is asymptotically twice as fast, meaning it's it gets close to twice as fast. Purposes,
[00:29:28] Unknown:
it's as close to twice as fast as as you can possibly imagine without it ever reaching.
[00:29:37] Unknown:
What about multi exponentiation of a given size of size n plus one? So in this case, if we're doing a signer, we're doing five signers in this. So verifying a signature created by five signers would be dominated by one multi exponentiation
[00:29:56] Unknown:
of size n plus one, in this case, size six. Yeah. Well well, I mean, we know what exponentiation is. I don't know what it is in this context, but exponentiation is taking something to a power and what. So in my mind, I'm thinking, okay. In this context, maybe it's the the the discrete logarithm around, like, Diffie Hellman, if you imagine, you know, you have something raised to the power of your, you know, little composite number. Mhmm. So composite number is so, two primes multiplied together gives you a composite number. So your n would equal a b, and then your multi explanation multi exponentiation would be the a and the b. Raise you're raising to you're raising to both powers.
Oh, okay. Maybe yeah. That is not what it is, but that's to me, I don't know. I mean, my my sort of autistic line into Yeah. Literally what it means. But this is why I need to beef up my cryptography context. Right? And you need to go from math, and we're gonna continue to come together so that one day, dude, we're gonna just pull papers up like this and just we're gonna just freaking nail it the whole way through.
[00:31:12] Unknown:
It also mentions that it offers key tweaking. So, like, that's, like, basically, well, it it's just another way of, adding in a value. And then if you do that and it it it to quote the paper, it says, besides the aforementioned benefits of space saving and verification speed ups, DahLIAS offers key tweaking, a technique commonly used in Bitcoin to derive keys in hierarchical deterministic wallets. It's funny because I was just going over BIP 32 with somebody recently because they're like, oh, no. I imported my seed phrase, and I lost all my money. And it's just because they used a different derivation path than the original wallet that they were using.
And the derivation path when you're looking at, HD wallets or hierarchical deterministic wallets, like, just taking those two words together. So, like, hierarchical means, like, you start from the top, and then there's, like, a structure going down, like, the structure from top to bottom. And then deterministic means, like, you know how to get from top to bottom. Right? And there's a clear
[00:32:19] Unknown:
path.
[00:32:20] Unknown:
Right. And so what what you do like, when you go into when you pop open Sparrow, right, and and you have all these addresses, all those addresses are actually hierarchically deterministically arrived at using this HD wallet BIP, which is BIP 32. So and and that's why if you're in Sparrow, if you're over if you hover over an address, you'll see this little pop up that says, you know, /0/0 for the very first address. Yep. And if you go down to, like, the change address and you hover over the first one, you get /1/0. And and then furthermore, the derivation path, the higher level derivation path based on the the like, what script you're using.
So in native segwit, it's the derivation path is m/84, And then there's a way of doing hardened derivation paths, which, like, I can't intelligently comment on what that means right now, so I'm not gonna try. But but I I understand this little, this little, what is it called? The apostrophe. Yeah. So it's 84'/1'/0'. Right? And that's, like, the high level derivation for this for Yeah. Native Segwit.
[00:33:40] Unknown:
Dude, how lucky are we to have how lucky are we to have Sparrow? Dude, Like, it's really That crazy man. Dude doesn't get due. Yeah. Holy like, it's like a different world. Like, I almost thought about like, I wanted it I actually wanted to say something in my book about how, like, there are two worlds of Bitcoin. One where Sparrow exists and one where it doesn't. And it's like, you know, I would not be I would not be as bullish if we didn't have Sparrow. It's the honest But it's dangerous if you don't know what you're doing. Right? Back to the point It's not that hard to learn what you're doing, but there's you so, like, the fact that there's a book. Right? Like, there's a book called Mastering Bitcoin.
Yes. And if you you basically combine that book, spend three months reading that book, and you and then Sparrow, which is essentially, like, the code base already for that book, it'll, like, teach you exactly how all of that works. Yeah. You can look at all the different And it's just bubbles. You can do. You can do Yeah. And it's just like that. There aren't many things in life where you take the kind of risk we're taking, where you have these things in public that are publicly available. They're free. Well, I mean, the book is book can be gotten for free. You know, we're very lucky to have this. And I was just gonna say people should open Sparrow up and go to an address, hover over it so you can see what Gary's talking.
Absolutely. And then go to listening to this everybody listening to this should have Sparrow.
[00:35:08] Unknown:
Right? And along the left side, when you open your wallet in Sparrow, there's this little settings, and that's where you can look at the high level derivation. You'll see a couple things. You'll see, like, a label, the type under key stores specifically. You'll see a master fingerprint, which is just like a byte representation taken from the master pub key. So that's how you know you're using, like, the same seed phrase. But then that derivation piece right below that tells you like, if you were to change from native SegWit to a nested SegWit, it's a it's a different derivation. And so you get different addresses because it's a it's a different path, right, in this hierarchical deterministic tree.
It's a a way of arriving at addresses a different way, and that's that is what in that key tweaking is part of that because you are you're tweaking the keys in this tree structure. So if I know that I'm at derivation, you know, zero So there are no drugs involved with key tweaking? Drugs. Not that I'm aware of. That's good. Drugs. Nootropics might help. Nicotine, caffeine, psilocybin might be their thing. Key tweaking. There are drugs involved with key twerking, but that's a Vegas thing, and I'm not going there. So alright. In the final line of this abstract for this this signature scheme, they say we prove, which from our math studies, we know that there's there's gotta be some there's some math in here. Bold statement. There's a proof in here. We prove DahLIAS secure in the concurrent setting with key tweaking under the algebraic, parentheses,
Yeah. one-more discrete logarithm assumption in the random oracle model. So, like, that's a lot to unpack in that. Last
[00:36:57] Unknown:
sentence. The the job of the reader is to validate the fact that they prove this. Anyone can say they prove it, and they may think they prove it. And that's, again, why we motivate the math. So because so that so that there's enough people that can read a paper like this and be like, oh, well, you know what? We'll just see who proves what here. Right?
[00:37:17] Unknown:
Yeah. I think we should see. Like, we you and I. You wanna try it? Do you wanna, like, just jump to the proofs?
[00:37:23] Unknown:
Let's see what they let's see what they got. It's hard Yeah. Yeah. Fully knowing what this thing means that they said they proved. You know, look. Maybe when we see maybe maybe the answer isn't the proof. You know, sometimes I'm going through a textbook, and I I see a theorem, And I don't understand it, but then I go through the proof, and I'm like, oh, that makes it actually finally makes sense.
[00:37:44] Unknown:
Section five, security proof.
[00:37:46] Unknown:
Oh, the local forking lemma. Damn. These guys really know how to turn a mathematical phrase. What is that? The LFL. Does that mean does that mean anything to you, this the local forking lemma? It just looks like it's a it's a something that's going to be it's like a subproof that's gonna be needed for the main proof. I've never heard of I've never heard those words strung together, local forking lemma. Yeah. So, I'm seeing the local forking lemma is a and it's referred to something called BDL19, is a variant of the generalized forking lemma. Wow. Okay. Which makes sense. If there's a local forking lemma, then there's a generalized forking lemma.
The GFL, generalized forking lemma, considers an adversary A having access to a random oracle H, which is run twice on different but related instances of H. So I guess this there's a there's an there's some educational corpus that takes this as public knowledge. We should make a note and look into that. I don't recall ever seeing this in, like, any of the cryptography things I've read, but I've only done a very entry level stuff here and more math focused. Yeah. So there's the general generalized forking lemma sounds like something to make a mental note of.
[00:39:09] Unknown:
To go dig into.
[00:39:11] Unknown:
And so there's there, an adversary is running is has access to a random oracle H, which is run twice on different but related instances. In the first execution, all random oracle answers are sampled normally. Okay. I know what that means.
[00:39:31] Unknown:
In the second execution mean?
[00:39:35] Unknown:
They're sampled probabilistically using the normal distribution. No. The standard normal the standard normal distribution, meaning that there's so, I mean, we can we can do an episode on what is a standard normal random variable, but it's the it's, like, the most typical random number, that you'll see. Okay. So it makes sense. That's probably a baseline. And then in the second execution, the answers are identical to those provided in the first up to some specific query called the forking point, after which all random oracle answers are refreshed, i.e., resampled using fresh randomness.
Okay. This I'm I'm something's coming together.
[00:40:17] Unknown:
At some point in the query, we we've it's the forking point in the query. Everything following that are new sets of randomness.
[00:40:28] Unknown:
I think one, the first the normal what we said sample normally is supposed to suggest what it looks like when things are truly random. Mhmm. And then in the second one, they're basically, I think they're looking for something that doesn't. They're looking for it to reach a point where it doesn't look random anymore. That's normally when an attacker right? It's like once your, once your your world doesn't look random, it actually then it looks deterministic, and then it looks like something somebody then it, you know, somebody can start guessing, you know, or seeing actual information.
Right? Mhmm. And then they so that seems to be generally what this process is, which is interesting. You know, one thing I have ignored in my rabbit hole is probability, and that's probably because I spent my whole career with it, and I just don't you know, I haven't spent time with it in a Bitcoin context. But all of these, papers seem to really use probability a lot. So may I might start bringing that in to, I have to think about integrating some some basic probability education, like, maybe enough to get to the question of what is a standard normal random variable. You know? So maybe just make an another mental note there.
As a result, the two executions, including the behavior of A, are identical up to the forking point, meaning they're all they they look random and noisy, but then start to diverge with A receiving the random oracle answer at the forking point. So, I mean, I don't know if we should continue to read the rest of this, but the so they're describing a process here. And this is just a this looks like a long like, this looks like it's gonna take some reps to be able to explain and figure out. This is just one this is just a local forking lemma. Piece of this. This is the GFL. This is the generalized forking lemma because it goes on Right. That's before they haven't even talked about what the local forking lemma is yet. This is Right. They had to establish the GFL to get to the LFL, then they state the LFL. There's a bunch of math there. I see Yeah. Excuse me. I see a bunch of math, and then I see a bunch of interesting. Then I see, like, an algorithm, essentially, being shown here and then a proof sketch. So I would say, as we sit here at this point, I don't think we're in a position to validate or even No. Even understand what's being done.
But, this is gonna take some reps and some time, and it may just expose parts of the parts of our skill set that we're still lacking. I think that's exactly what it's doing. And it brings up for me. It's just like it it it to me, it just, exacerbates the crisis of god. Who's gonna like, these peep like, who's gonna validate these things, and who's gonna believe them? And, like, it you know, if we're this far away and I don't know how far I mean, I I rec I I, you know, it's I see this the math here isn't as foreign to me as it would have been, like, five years ago if I looked at this page. That's good. Yeah. You know? It's more of, like, it's it's it would be it's a lot of time. It's a kind of thing that if this was in if this was my job, I would spend time with a group of people with with it and hit it regularly.
Yeah. If the For context, the detailed security proof is seven pages. Starts on page 25, goes to page 32. It's a long, long proof. So, I mean, at least in my mind, I'm like, I know if I spent the time on this, I could probably get to the point where at least I could ask these guys questions. But the question then is are we gonna spend that kind of time on this? And that's a that's the I I don't I don't I don't think that's true. Until it's
[00:44:29] Unknown:
it's until it is proposed as some soft fork
[00:44:36] Unknown:
or for or inclusion into Bitcoin, it's like, I don't know. Is it is it worth spending time on it? Right? Like, that's a It might be worth the time. Yeah. It might be worth it. It maybe it's worth it to know what the generalized forking lemma is. Maybe, like, some of these things are stand are, like, inherent enough to this type of cryptography that it's worth building, you know, that it's worth building your knowledge set on. I don't think that these guys are writing a big long paper just to confuse people. I don't think that. But I do think some people I think I think the time will come where we we're not gonna know the difference between a paper, let's say, like this and a paper that is just designed to confuse people.
[00:45:17] Unknown:
That's an inch yeah. That's interesting. So the it looks like the general forking lemma was a 2006 publication. Multi-signatures
[00:45:31] Unknown:
in the plain public-key model. Predate Bitcoin. I love when I see things in in cryptography that are not, you know, like, they're not altered or influenced at all by by what happened with Bitcoin, by the value of Bitcoin. You know? That's why I love that.
[00:45:47] Unknown:
The local forking lemma, 2019. Mihir Bellare, Wei Dai, that's a name that Bitcoiners should probably would recognize,
[00:45:57] Unknown:
and Lucy Li. Interesting. That is interesting. And it's published in a Springer it's a math. It's published by Springer. What does that mean? That's a math publication. That's all. Interesting. So we're I mean, like You know, we're running into some interesting things here. Like, we would all, Gary, you and I. Right? We'd like to understand what's going on in this paper and probably worth maybe us spending a little bit of time, on maybe picking out the things I think that are kinda really worth hitting. Because this thing is big. This is a monster. This is big. Yeah.
Yeah. I don't know how long they spent writing it, but, you know
[00:46:41] Unknown:
Who knows? It was published in April 2020. The the the the paper is dated 04/16/2025. So it's relatively recently. And maybe perhaps going back to the the Musig and the Frost papers might do us, which I don't I don't know how much there's overlap here, though, is sort of the the thing here.
[00:47:04] Unknown:
It might be it might be worth spending time for me on frost. This is, like, back to the this is goes back to the minute I met you, like, a year ago. Yeah. I feel like you sent me something on Frost. And I was like, oh, man. I just lost my job. I should spend some time on this. It sounds cool, but I never really did. I never did. Maybe it is worthwhile.
[00:47:26] Unknown:
Maybe that's I think it is because FROST is being used at like, there are I guess okay. Alright. To go back to our previous point of, like, is it worth the time to spend on this? It's like, I don't know because it's not usable on Bitcoin currently. But the things mentioned in here and and I think they're only mentioned in as, like, a comparison for, like, things. They mentioned MuSig and FROST only in the context of aggregate signatures have received much less attention than other members of the multiparty signature family. So this is a multiparty signature or falls into this family of signatures, meaning there's multiple people coming together to do a signature together. Right? Yeah. MuSig is that where you have if there's two of us, it's it's n of n. Meaning, if there's two of us, it's two two signatures, two parties. FROST being that threshold version of that where it's, t of n where it's some threshold within n
[00:48:25] Unknown:
to arrive at a valid signature. It does feel like the key here is that it's a constant size signature.
[00:48:32] Unknown:
Well, I think they highlight that just to show that it fits in the size of Schnorr already. Right? Like, the the constant size piece is a desirable trait for signatures because it's not going to at least from my perspective, it won't lead to more block space use. Okay. When comparing to, like, the the quant the post quantum signature proposals and stuff, like, those are bigger signatures. So you're consuming more block space in that instance. So But having a constant size
[00:49:03] Unknown:
Yeah. I guess what I would say at what we're discovering going through this paper is there's a lot more going on than just discrete log than what was in the title that attracted us in here to begin with. There's a lot more going on. It's probably like, for me personally, I'm gonna I'm gonna look through this paper just to see where they you know, just so I can, in my mind's eye, paint the picture of the gap between where I am and where this paper is. Right? It's not a big Yeah. Yeah. That that that's that's very worthwhile for me. Right? It's like, oh, I'm getting almost a map of, like, what the rabbit hole could look like because I could see the difference. So I can see that. Aside from that, what I think what I'm motivated to do is to continue to, like, I have to actually choose a new textbook for the next indefinite period of time for my value use. And I think it's going to be back to a deep dive with crypto. And right. And so and I have a good I have, you know, I still have like, I wanna revisit the Understanding Cryptography textbook because it's been two and a half years in a rabbit hole. I wanna go back to and so I think I'm gonna maybe do the exercises, the mathematical exercises in this book, but I have a book, a more, it's probably it's, like, I said, in the more advanced version of this book that I've been with. It's called it's called cryptography.
[00:50:26] Unknown:
Should've brought it down here. But, oh Is it the Koblitz one or no? No. No. No. No. No. The Koblitz is the elliptic curve one.
[00:50:33] Unknown:
Koblitz was called A Course in Number Theory and Cryptography.
[00:50:36] Unknown:
Okay.
[00:50:38] Unknown:
Which was a graduate level textbook, and terrific. But it's heavy it's much heavier on the math, the number theory than on the cryptography. So and I feel like in these papers like this, things like key tweaking is the kind of thing you would see more in a cryptography. Yeah. But key tweaking more is just an addition to my understanding. Right. Because it I I know. Like but, like, if you don't it's like in my world where I've came from in finance, most of the stuff most of the math is trivial, but but you have to know what people are doing. But I think it's still, I I see you googling it.
I would know it if I saw it. And it it there's no subtitle?
[00:51:20] Unknown:
No. You just know the
[00:51:22] Unknown:
We'll link in the show notes. I know the author. If you told me the author, I'd I'd, oh, go back. Go back. I I think I saw it. It's I think I saw it, Chapman. It's it's it might be the Chapman, publishing. Well, let's look at this. Introduction to Modern Cryptography. That's not it. Anyway and anywho. That's gonna be, like so, like, I'm I'm this experience of looking at this paper is motivating me much more and making it much more clear that the direction I'm going in the rabbit hole is more cryptography as opposed to, like, as opposed to, like, another type of excursion, Boolean coding theory. Oh, I see it right there. This one? Yeah.
[00:52:07] Unknown:
Cryptography: Theory and Practice.
[00:52:09] Unknown:
Yeah. Chapman and Hall. The authors are, Stinson and Paterson. So what what I'm saying is as as opposed to another excursion like, coding theory or even going back to real analysis, which I was tempted to do.
[00:52:27] Unknown:
What do you mean real analysis? Is the is cryptography
[00:52:30] Unknown:
is what I need to now, you you know, take another hard a hard another hard shot at another hard rep, which means for the people listening, I'm gonna probably have more, probably better examples, you know, especially as I go through the old book. You know? I might do a series where I just do, you know, do these problems. Mhmm.
[00:52:56] Unknown:
But the Are these gonna be a video series? What's that? You mean a video series?
[00:53:01] Unknown:
Yeah. Or maybe a live maybe, like, a live problem solving type of thing, something like that too. But, like, I feel like that this is the direction to get me closer to even reading an abstract of this and having, like, a decent idea of, like, whether or not it's I'm even capable of going through this thing. Mhmm. Because it's just there's too many foreign words that are in the cryptography realm to me. Yeah. It's interesting though, because I think we've touched on some of the fundamentals, though. Right? Like, just understanding discrete logarithm
[00:53:33] Unknown:
and the groups and the finite stuff. I say stuff because, clearly, my mastery is also lacking. But, yeah, I saw this. Somebody shared this today, and it it got me, excited. It motivated me on the math front because I was like, oh, a paper to look at with math. Yeah.
[00:53:51] Unknown:
And then getting through the abstract was fun. Yeah. I mean, usually, I I can tell you. Like, the story of my life is looking at papers like this and being like, what the I can, like, not even even deciphering a character. Whereas at least I looked through that, and I was like, you know, if I that's it's tackleable. Yeah. A lot of that's tackleable.
[00:54:10] Unknown:
You know, like, in the abstract, though, like, one of the the first sentence sort of, like, has some mathematical notation, and I did understand a lot more of that. Right? Because it talks about,
[00:54:23] Unknown:
to join the try it. You're like, oh, let me actually use my brain. I can Yes. Might I actually can do it. Yeah. Yep. Yeah. Cool.
[00:54:30] Unknown:
Happy pizza day. Where is my mind? Where is my mind? Where is my mind? Where is my mind?