The paper:
https://eprint.iacr.org/2025/692.pdf
Fundamentals. @Fundamentals21m
npub12eml5kmtrjmdt0h8shgg32gye5yqsf2jha6a70jrqt82q9d960sspky99g
XMR: xmrchat.com/fundamentals
AverageGary
npub160t5zfxalddaccdc7xx30sentwa5lrr3rq4rtm38x99ynf8t0vwsvzyjc9
[00:00:02] Unknown:
Stop.
[00:00:25] Unknown:
I wanna mention real quick that I really had a good time last podcast attempting to go through that paper. And oh, I have updates. The numbers I haven't told you about. Like, I don't really file, I'm not a big guy that tracks downloads and stuff like that, but, like, the overwhelmingly two most downloaded episodes we've, like, ever done, or at least that we've done in the last 10 or that are visible, are, mhmm, Gary Gets Therapy and the DahLIAS attempt. And I think people maybe like listening to us struggle to do something that most people aren't trying to do at all, which is figure out some hardship.
Thing. Oh, that's it.
[00:01:11] Unknown:
Yeah. I just lost it. I haven't really mentioned this to you. But so there is a website called cisaresearch.org. Right? cisaresearch.org. It's made by this guy, Fabian Jahr. He's a core developer. Center for Internet Security
[00:01:31] Unknown:
Analytics. Yeah. If you Google CISA,
[00:01:33] Unknown:
that is not the one that you're gonna No. Come across. Sounds like like a government alphabet soup organization.
[00:01:40] Unknown:
Don't Google CISA is what you're saying.
[00:01:44] Unknown:
Well, CISA research. Right? Bitcoin. Okay. And then maybe you'll find the results. But just don't Google it. Just go to cisaresearch.org. K. But anyway, CISA stands for cross-input signature aggregation. Right? And there's sort of, like, two types of signature aggregation that are outlined. There's the half aggregation, which, if we recall from, like, signatures, when we were talking about signatures, you have the R and the s value. That is the signature. Right? There's actually two thirty-two-byte values in the signature. So half aggregation is a methodology of taking just one, and I can't remember if it's the R or the s. But one side of that signature, and you can aggregate all of those, but you still need the other side of the signature. Right? So you can compress, if we have 10 signatures, right, you can compress all 10 of those. You can only compress half of it. Right? So it's half aggregation, one half of the signature.
What the paper is proposing is a methodology of doing a full aggregation, meaning both the R and the s values are compressed into a single 64-byte final signature. And then you can go through and verify once you have the public key, the message. Okay. That's interesting. So there's really utility signature.
[00:02:54] Unknown:
There.
[00:02:56] Unknown:
Yeah. No. Yeah. Yeah. This is like a, and why I was excited about it is because I've previously looked into CISA. I'd considered even trying to do, like, a presentation on the topic. I just, in the past, had not enough time to, like, dive deep and, like, really grok what was going on. So I've done deeper dives into CISA itself and, like, what does it mean? The biggest problem, from, like, implementing in Bitcoin, is it would require a different, it would require a soft fork, or a fork, just a fork in general, because it's the way that signatures are being validated. Right? And you have to have nodes that understand the new way of doing the validation. Yeah. Right? So you don't just get cross-input signature aggregation. Tons of benefits. Again, cisaresearch.org is gonna, like, outline it. Fabian and a number of other people have done a fantastic job, like, categorizing and, like, documenting research and implementations and stuff. Well, anyway, so Fabian also maintains this GitHub repository called cisa-playground, c-i-s-a dash playground. So if you go to fjahr, f-j-a-h-r. Right? Great for podcasts.
But if you go there and you go to cisa-playground, his repository, mhmm, I just did a pull request because he had a Python, like, implementation of this. Right? So, like, sort of, like, not necessarily like a secure thing. Right? It uses this thing called secp256k1lab, I think. But it's like a Python library for sort of, like, doing things
[00:04:33] Unknown:
with this elliptic curve that we use in Bitcoin. Yeah. So it's a way to secp256k1. It's a way to actually look at what's happening without incurring what I incurred going directly to the secp256k1. It's actually designed so that people can actually understand
[00:04:49] Unknown:
the system. Right. Right? It's not for implementation. Tool for playing. Yeah. If you use Python, which, like, it's one of the easiest languages to get started with, you can go read this implementation
[00:05:01] Unknown:
Yeah. In the, I'd like to see, agg dot py file. Right? Because you sent me, there was a Python, basically a Python toy model of that secp, you know, of the secp256k1. Now, that, that was all I really, we wouldn't be here right now. I wouldn't have been in this rabbit hole. I would have just gone through all that. And, who knows? Right? So, like, it would have saved me two and a half years just to, I really value these Python kinda models that are available
[00:05:32] Unknown:
that actually do explain the system. I'm glad they didn't exist because you wouldn't be in HR today. That's right. If I have to suffer. I would be so ignorant,
[00:05:41] Unknown:
and I would, like, not know number theory at all or algebra. Yeah.
[00:05:46] Unknown:
So you can go play with this math if you have Python. And I created in the, yeah, pull request that I made, I created a quick little readme too for, like, what you need. Right? Because you need this Python library secp256k1lab. Yep. It's best to use, like, a virtual environment and everything like that. So you can go and install it, and then you can run this full agg dot py, which runs through this Python script that, yeah, I did a review of earlier this week and added some comments.
There was one piece that sort of deviated from the spec as far as the order of the hashing goes. Mhmm. Right? So, in the document, the paper that we reviewed last time, it showed, like, a specific order of data. Right? Because when you hash data, what you're doing is you're taking data, and you can concatenate or join. Right? So it's like taking hello and then just appending a word. Right? That's a concatenation. Which is a common thing to do in cryptography with, like... Very, very common. Or max. And it's because hash functions can be computed over an arbitrary length of data. Right? So you just need a string of data, and it doesn't matter how long. But at the end of the hash function, you have a consistent output. Hash functions are like... It was just, yeah. They're like Wooderson from Dazed and Confused.
[00:07:04] Unknown:
See, I've seen that movie, but I... Famous line. I get too young. It's a really famous line. It's about, oh, I love them high school girls. I get older, but they stay the same age. But a hash function is like, okay, yeah, the strings get longer, but my output stays the same. Exactly. Alright. Alright. Alright.
[00:07:23] Unknown:
Well, and the interesting thing about that, if you hear in cryptography, the term commitment, a lot of times that's referring to a hash of something. Right? So when you when you sign something, you you hash it usually. Right? The message that you're signing, you can sign over just arbitrary data. But generally speaking, you'll hash the data Right? And that's creating, like, a a snapshot of that data, commitment to that data, and then you sign the hash of it. Right? And so when I get the message from you, I can hash it myself and then check it against your public key in the signature Yep. To make sure that it's valid. So Good stuff. This full ag this go ahead. That just said good stuff. This is like. Right? This is Yeah. Well, I mean, like, I I had to, you know This is how Alice and Bob operate.
Exactly. Exactly. And so in this full agg Python implementation, it kinda clarified a little bit how the actual protocol is working. So you essentially have four sort of steps, and then you have verification. Right? K. And there's one person that is the coordinator amongst all the signers, and it can be any of the signers. Right? But it's just like you wanna dedicate one person, and then that person just does some extra computations during the signing. I see. Tweak. So, yeah. So it allows you to tweak keys as well with this scheme. Yeah. So tweaking is advantageous because, oh, this is gonna be a hard one to articulate.
Tweaking is like we all, if I, like, if I tweak it, it's like I add a known number to it. And now I have, like, a different key, but it's still a valid key. But if you know the number that was used to tweak, you can arrive at the same valid key that I have. And so this this signature schema or this aggregation, signature aggregation supports key tweaking, right, which is, like, another desirable property from a cryptographic standpoint. It's a great term.
[00:09:19] Unknown:
What? Tweaking? Key tweaking.
[00:09:21] Unknown:
Key tweaking. Yeah. Yeah. Don't tweak on drugs. Tweak on cryptography. But there's sort of, like, four steps in this, and you can see this outlined in the code. Right? So in the DahLIAS actual
[00:09:35] Unknown:
implementation, or there's, like, a function called dahlias. Right? And it takes in just a list of signers. Right? And the signers have this data. And then the thing that they're doing... These are very simple. By the way, this is all very simple code. I think it may even be worth going through. This code looks simple enough to check out. It may be that, yeah, seeing how it all comes together is a project, but there's nothing going on here that, like, the kind of code that intimidates me is when there's, like, a lot of recursion that's going on in a single, and, you know, you just have to understand why that recursion is amounting to the intended thing. This is more like, it's, like, doing things in pretty almost pure Python, like, very, you know, seems very simple steps. So, like, we thought reading the paper, we thought was just, well, we needed to get more up on, what was it, LFR.
We need to get more up on some of those cryptography concepts. But the code itself looks pretty, you know, vanilla. Right?
[00:10:43] Unknown:
Yeah. Well, and I dug into the paper some more because as I was reading through the code, there's sections in the paper that outline exactly, like, how this is supposed to work. And it uses, like, the mathematical notations and everything like that. So I scroll down to, sorta, where is it at? So this is looking like DahLIAS Part Two. This, yeah. Definitely. I was, like, pretty excited. Very jazzed.
[00:11:08] Unknown:
But it explains I like naming the episode while we're in the middle of it. I I like I like doing that. Yeah. It's hard.
[00:11:14] Unknown:
So I'm glad that we could we could have it. So the specification. Right? Yes. You go to, like, section four of the paper. It's on page 18. Yep. And it goes over parameter setup, key generation, the signing round, coordination round, signing round, and then the final coordination round. Right? And it and it has a mathematical for each one of these, and then it finally gives you a verification. Right? Because at the end, you need to be able to verify. You have this, aggregated signature. And if you take in all the pub keys and all the messages for it, right, then you can you can verify it. And, again, having studied this math stuff with you, like, this verification makes sense. Right? So you have this thing that is l, which is just all pub keys and all messages.
[00:12:01] Unknown:
This time, we have to put this in the show. We actually have to do it now. Yeah. Have to put this document in this particular, maybe a picture, like a PNG file. So wait. So you're, yeah, you're seeing a bunch of weird notation that you're no longer, you might have been intimidated by it prior to doing this podcast with me, but you are like, no, I could read this. This is a language that's successful.
[00:12:27] Unknown:
So the verification algorithm, right, is you take l, which is, like, all of this pub keys and all of the messages. Right? That's what you need. You need a pub key and a message against the signature to check it. Right? So you need all of those. And then you're doing a check to make sure that none of the pub keys are the infinity point, right, which is just one times the generator. So you're making sure there's this assert thing, which is, like, asserting Yeah. That it's the generator point or the the infinity point, one times generator, is not within the list of pub keys. Right? Because if it is, then, like, you know, don't don't do that. This is specific to ellip this is kind of, like, when we say the elliptic curve. Yeah. Right. And and then you have the signatures, which the the, the aggregated signature, which just is is defined as a capital r and an s. Right? So that's there's just two pieces of data there. There's the cap the r and the s value.
And then you're comparing, you're taking the s Yeah. And multiplying by the the g the the g point and making sure that's equal to g to the s. You're exponentiating g to the s. G g to the s. Well, it's exponentiation, but it's actually multiplication. Right? Because we're using elliptic curves, and there's that weird That's right. Nuance there. It's an operation. The operation is actually multiplication. But it's actual point multiplication.
[00:13:39] Unknown:
That's right. And that's so, like, just to go back to the group stuff we did long, long time ago now. Right? We said that when the operation was addition, you generated a group, by taking a generator and multiplying it by all the other you know? Right.
[00:13:54] Unknown:
When the operation is multiplication... Can you read the final notation there? Right? So, like, what is it being compared to? And this is one where it kinda, like, falls apart. But so g to the s is trying to generate
[00:14:04] Unknown:
the, it looks like it's trying to generate the group, the cyclic group here. Right? And then we say, well, s is part of that signature. Right? That compressed signature, or aggregated signature, not compressed. So on the left hand side, there's just g to the s, and then we say equals. And then on the right hand side, you have this, you have big R as a scalar, which is the... Big R is the half, the part of your signature. So the signature is always two pieces, big R and little s. Yep. So we're taking big R, and then we're multiplying it by the product of all of the point, essentially, all, you're taking X. What does X represent? Is that just the point on the, the X is the pub key being used. It's an x-only public key. K. So the pub key is being raised to a power
[00:14:52] Unknown:
called h. What does h represent? H is a hash function, and this is a specific, it's h sub sig, which is a specific way of hashing. And, again, these are all sort of defined in this paper. So it's a specific way of hashing the data. Got it. And then the data that you're hashing specifies four variables
[00:15:10] Unknown:
each. And and so each with a subscript of I. So what what what are these? What is what is I subscripting? What does it represent? This just one it just represents all of the possible points in the curve?
[00:15:24] Unknown:
No. I is representing all the signers. Right? So in the Oh, got it. In the example Okay. There's three signers. So in this case, it'd be zero through two. Right? Because you have three signers. Got it. And if you So then
[00:15:35] Unknown:
up. So that's what it's doing here. So what it's doing here is taking it's taking the pub key per signer raised to the hash of all of these four variables are per signer.
[00:15:48] Unknown:
So Right. Well, there's two pieces of the variables that you're hashing. The two data points that you're hashing is the l value, which is just all of the pub keys and messages together. Right? So all the pub keys and messages together. Is a concatenate this thing that you called l is just a big
[00:16:04] Unknown:
of all of of all of it.
[00:16:06] Unknown:
Of pub keys and messages. Yeah. Yes. And then r is is your piece of your big r, capital r is is your signature. So you're taking all of the pub keys and messages, concatenate them, adding or concatenating on the the r value. Right. And then for a given signer, you're concatenating again the x pub key and the message again. And that hash is what you raise the pub key to.
[00:16:30] Unknown:
Now, that's the power that you raise the pub key to. Because the... Of those four things, sorry to interrupt you real quick, but of those four things, L, R, X, and m, of those four things, R is the one that you actually do need a, you need the secret for. Is that right?
[00:16:47] Unknown:
No. R, well, that's a great question. R actually comes from the aggregated
[00:16:54] Unknown:
pub keys. So everything's public everything that we're talking about is can be generated publicly.
[00:17:01] Unknown:
Ex so the the Yeah. What do you mean? Hold on. Let let's let's back.
[00:17:10] Unknown:
What do you mean generated publicly? In other words public. Yeah. Yeah. Every in other words, any one of us could generate these can generate this data. Right? Yeah. That's the the whole point is, like, the verification process is your public for verifying. Yeah. Yes. For verifying. Yes. This is like I'm stupid. I just like, I'm just like a math idiot. I still don't really get you know, it's not native to me to be like, oh, yeah. Okay. When you sign, you need a secret. But when you verify, you want it to be totally You don't need a Totally public domain. Yeah. It's the whole point, dummy. Yep. Very good. And it's generating all these values
[00:17:46] Unknown:
from your secrets is, like, is the protocol as specified. Right? Yeah. And so we can actually look at these. So key generation, right, it's it's normal. Well, just for the listeners, what I'm what we're looking at here on this page
[00:18:00] Unknown:
is page 19 of the document. It's essentially a total code road map to how to do all of the things in the paper, with pseudocode. And, you know, Gary here is, like, confidently going through it. Like, I know what the hell all this is.
[00:18:19] Unknown:
I do now. Yeah. No. And and, like, and thanks a lot to this podcast. Right? Like, us pressing on this Yeah. Consistently is, like, I took the time. I spent a few hours one morning just grinding through the code, which again, I code a lot better than an, like, mathematical notation. Understand. But having the two side by side, side, I can go through and look at this. Right? So there's this for every signer, they do this sign process. Right? So we can go up to this sign process and look at the code, like, what's going on with the sign process.
[00:18:53] Unknown:
Yeah. And so then the the so there's this page, this one pager that has all this pseudocode and sort of the Mhmm. Mat it's like the mathematical representation of everything. And Yeah. And then we go into the GitHub, and we can see the, it's not actual implementation code, but it's actual, model it's a model for the basically, test a test environment for the act if, you know, for the actual implementation of the code.
[00:19:22] Unknown:
And it's funny that you say test because the function, when you run this full aggregation, you know, if you do python3 full agg dot py, it will run the test full aggregation scheme. And so it runs through the whole scheme. It creates public, yeah, private key pairs. It creates messages for each of the signers. Right? And then it creates this dataset called the signers, which is just public private keys. And this is the part that, you know, this is an example. Right? But in the real world, I would keep my key secret from this. But in the example, it's like all the public and private keys are all sort of, like, included in the same code. Interesting. And then you run this dataset of public private key pairs with messages through the DahLIAS protocol. Right? And at the end of it, you get a signature that is a capital R and an s value.
And so the sign piece of this is you're just creating a random scalar, and then you're creating, let's see. Yeah. Secret nonces. Right? So these are things that you're not gonna expose. So just on the signing side. Yeah. Yeah. Yep. And then you're computing public nonces, which is the capital R values. And the way you do that is you multiply the secret nonces by the generator point, much in the same way that you multiply the private key by the generator point to get to a public key. Right? So, same, very similar concept, and then you're storing this state, and then you're returning that state. Right? So one of the things about this protocol is, like, there's sort of, like, a state of signing that has, like, the different public and private nonces, the different messages and stuff. And each piece of this state is sort of going through each function. So the sign function is you create public and private nonces for everybody, and then comes in the coordination piece. And, again, any of the signers could be the coordinator, but whoever is the coordinator takes this list of public private nonces, or at least, I think you only need, yeah, you only need the public nonces.
And then you're you're doing some math with it. Right? And you're creating this thing called, like, a context. And the context is just sort of the the data, the public nonces with public keys, messages, and then the the actual, like, the output of of these, like, signers.
[00:21:55] Unknown:
Okay. So now can can we try to zoom out for a sec. Right? Sure. Yeah. Yeah. And remind us why this is relevant. Like, what is the what is, the promise, or what is the benefit here? Why why why should we even spend our time trying to challenge ourselves
[00:22:16] Unknown:
to get... Yeah. So there's a couple of things that, to my understanding, CISA, or cross-input signature aggregation, brings to Bitcoin or, like, broader, like, cryptography stuff. And it is, when you aggregate signatures, you're compressing the final signature. Or not compressing. You're reducing the size of the final signatures. So in this example where you have three signers, in normal signature land where we're just signing Bitcoin transactions or whatever, we would have three sets of R and s values. Right? Those are all the different signatures. At the end of this process, you have one R and s value. And that one R and s value, that one signature, can be used to verify
[00:23:00] Unknown:
all of the messages that were signed. So if you
[00:23:06] Unknown:
Bitcoin stance on chain, right, every transaction has a signature in it. If you can do signature aggregation, you only need one signature for multiple transactions. And they can all be verified. Right? So you're reducing the size you need for signatures. It's not like it's a huge saving. And I think CISA Research has, like, some math as far as, like, percentage saving goes. But you're saving on space. But one of the interesting things is, imagine a CoinJoin transaction. Mhmm. Right? You have tons of inputs and tons of outputs. Yeah. Well, all those inputs have to have signatures. Right?
And so you're saving CoinJoin space. And I believe this is even called out in CISA Research. We should probably go look. But you're saving space when you're able to aggregate these signatures. And so that's one thing. And then, not all, it creates sort of an economic incentive to do a CoinJoin that's not just privacy. Right? Like, privacy, right, becomes a huge benefit in CoinJoins. But if you could also save space, so it looks like on the half aggregate signature, right, it says that you can save roughly, you know, 20% in terms of bytes and 7% in terms of, like, actual weight units of the transactions. Yeah. In an ideal world where,
[00:24:30] Unknown:
you know, then we're there. We didn't have frictions. Right. We would have competing CoinJoins that would be rushing for a 20% reduction in, you know, in space and size.
[00:24:46] Unknown:
Yep. And to lower their fees. Right? Full aggregation, though. Right? So full aggregation gives you 26% savings in bytes and 9.6% in weight units. Mhmm. And that's just based on, like, average transaction stuff.
[00:25:00] Unknown:
Is any of this, like, useful or prerequisite
[00:25:04] Unknown:
for, like, the scaling things they're trying to do, like CTV and things like that? Or is it... Orthogonal. Unrelated? Yeah. Okay. Yeah. Un, this is, you know, a CTV transaction, or covenants or whatever, like this sharing. Covenant transactions are gonna have signatures on them. Right? All transactions have signatures on them. The current, like, soft fork proposals with, like, new opcodes and stuff, they don't do anything new with signatures. Right? So, like, CTV, you're just creating a hash that you're still signing as part of the transaction signature. CheckSigFromStack is just, right now, like, the check signature opcode in Bitcoin, it only works on the hash, the message that is the transaction.
Okay. Yeah. CheckSigFromStack allows you to create a Bitcoin script that you can give any message with a pub key and a signature. And if that evaluates to true, you check that signature from the stack against the message and the pub key, then it evaluates to true. Right? Which, that's ultimately what you do when you spend a Bitcoin, is you're creating a script
[00:26:13] Unknown:
that evaluates to true, and then everybody accepts it. You just need to be able to sign your own piece of it. You don't have to unlike what I'm seeing here with the aggregated unlike the aggregated signature. Right? This is almost the opposite, right, where you just hope You just need a way to sign your own piece.
[00:26:30] Unknown:
Right. And and, again, the problem becomes the interactivity. Right? So this,
[00:26:35] Unknown:
half aggregation, to my understanding... Sorry. Atomic swaps, I could see this being very useful. Right? Too? But you don't know, you either have all or nothing, and it doesn't... So atomic swaps are
[00:26:45] Unknown:
again, to my understanding, atomic swaps are one of the friction points with signature aggregation because, in atomic swaps and, again, this is my understanding. So I could be a little off on this, but, it's maybe it's not atomic swaps, but there's something called, adapter signatures, which is, like, when I create the signature, I'm revealing a secret that you need. Right? But up until that point, you don't have the secret. Right. So it's like when I create the signature to send the Bitcoin, now you have the key to sweep the other whatever cryptography thing that you need. Like, you by me providing the signature to to do the spending
[00:27:20] Unknown:
And you're truly no longer net you're yeah. You're truly no longer needed in the transaction anymore, and your privacy or whatever you were protecting is no longer needed anymore at that point. It's almost like a bee stinging somebody, and that's it. Their stinger is now in the in the ecosystem, and they're they're done. Right? But
[00:27:39] Unknown:
Yeah. Okay. I can see that analogy. Yeah. But these are at odds, though, because if you're doing signature aggregation, I believe you you you lose the, ability to do, like, adapter signatures.
[00:27:51] Unknown:
Okay. I was thinking of it in the context of this is an all or nothing, like or it enables an all or nothing type of operation.
[00:28:01] Unknown:
Yeah. So there's, and it actually talks about this with, like, TX-wide, transaction-wide full aggregation versus, like, block-wide. Right? But block-wide full aggregation, I don't think we're ever gonna get there because you need, again, with the DahLIAS thing, you're cooperating with these other signers to create an aggregated signature. So there's an interactivity that needs to happen there, which, again, for, like, CoinJoin and other, you know, collaborative transaction protocols, you're already gonna have to collaborate with the other people to create the transaction and sign the transaction, etcetera. So, you know, aggregation of signatures makes sense in that regard, but it doesn't necessarily make sense for, like, a full block-wide thing, because getting the entire, you know, every transaction in a block to, like, agree and collaborate is sort of beyond, I think, the way that we're able to coordinate. Right? Theoretically,
[00:28:54] Unknown:
we could live in a world where every company has to coin join their stack before they pay, you know, before they make payroll. Right? Like, there seems to be reasons why they would wanna do that with that. That's not, you know yeah. It just seems like they're standard. Like, that's that would be that would seem standard to me. And then so it seems these types of these things are being innovated to facilitate, you know, really important, just kind of important technology. Absolutely. Right? Because even if your average Bitcoin user may not use it, it's still important to us that it exists.
[00:29:36] Unknown:
Right? Yeah. And one of the things with DahLIAS, and there was an update recently to the CISA Research paper, or to the page. If you go to cisaresearch.org, the update was, you know, up until this DahLIAS paper came out, there was no scheme. Right? There's no cryptographic scheme for full aggregation. And so what DahLIAS, to my understanding, is proposing is a scheme that has a concrete... And one of the key things is constant size. Meaning, like, it fits in the same shape and size because it's just two scalars on the curve. Mhmm. It still fits in the same size that a normal transaction signature does.
Right? And then they talk about provably secure in the random oracle model. And I think we covered that last time, and we weren't, you know, we're not mathematically savvy enough to, like, go through the proofs yet. But, you know, this paper is addressing sort of a lack, or there was no scheme before DahLIAS for full aggregation that worked with Schnorr signatures that had, like, the properties, that's sort of the same shape as, like, a MuSig Schnorr signature, with these other, you know, secure properties,
[00:30:48] Unknown:
if that makes sense. Yeah. I am now. So I mentioned, we mentioned last time this book called Cryptography.
[00:30:55] Unknown:
Yeah.
[00:30:57] Unknown:
I started, so there's a book. I needed a new book to do. It's a math book called Cryptography: Theory and Practice by Stinson and Paterson, and I started with it, I guess, right after our last episode. And I just recently went through a section called perfect secrecy. Interesting. And, you know, it uses basic prob, it's not, I guess it's not what you think. And I get caught up in the language. So when I hear perfect secrecy, I was like, oh, this is pro, I don't see how you're gonna use probability theory to get perfect. Yeah. You know, the word perfect is a very hard word to live up to. Oh, I'm sorry.
But, it so there's a there's there's a technical definition of perfect secrecy. And, basically, it's when the, conditional probability equals the the non conditional probability, meaning that condition it's like if you have probability of x conditioned on y equals the probability of x, it means that knowing what happened to y and like, it gives you no new information. That that was that's really the point of it. But I I gave it this grandiose meaning of, like, oh my god. It's perfect perfect secrecy. And this is what happens when I go through these books and I struggle and I struggle. I'm like, I'm not seeing I'm not seeing perfect secrecy. You know? But, it's you know, once again, it what it did though is it reawakened my, relationship with probability. I've been ignoring probability as a math discipline pretty much on this entire journey in the rabbit hole.
And, now that has been awakened because it's really it's pretty dang cool and pretty useful, and, it's a useful way to explain, I think a lot of the things they wanna get across. And a lot of these ideas are not in the, cryptography book I went through two and a half years ago, the one that started the rabbit hole, the by Paar and Oh, okay. Paar and Pelzl. Pelzl. Sorry. So this is more, I think, of a It's like the that course would be a course, like a one zero one. This would be either be a one zero two or, it's it doesn't occur to me like graduate level.
You know? It's all still very accessible. Mhmm. But much it fills in a lot of the blanks, and I I do get I do get stuck on I do get stuck on certain things here. But reengaging with probability, I might have to really think about how to do a basic, maybe a basic probability one zero one for, that wouldn't be a bad thing to be able to be able to present. Math.
[00:33:49] Unknown:
That yeah. If you're presenting math, you're doing it right.
[00:33:52] Unknown:
You know, it's one it's another one of those things where probability is, like, actually really easy, but people consider it hard for some reason.
[00:33:59] Unknown:
I'm one of those.
[00:34:01] Unknown:
So, like, it'd be cool to demystify it. It's
[00:34:06] Unknown:
you know Well, the probability
[00:34:08] Unknown:
interest like, probability goes into into mining. Right? Like Yeah. And it's like the one thing in the white paper where probability was brought into it. I did acquire I have the textbook. I have the probability textbook that was quoted in the white paper. I kinda want it's more of a souvenir. I've one of these days, maybe that's the there are better probability textbooks to go through, but there was a part of me that was like, you know, I wanna do what Satoshi did. I wanna learn. I wanna go through it the way he did. You know? It's like you get a it I don't know. Like, you almost feel like you're somehow
[00:34:46] Unknown:
mind melding when you go through this the book that you know that You're building the same context. Yeah. Like, we've talked about this before. It's it's context. So it's like exploring the same technical resources that somebody else used to arrive at a conclusion that we take for granted or we take as just like it works. That's the whole point of what we're doing. Right? Is we're building the mathematical context. Now in the case of the white paper, it's not as
[00:35:11] Unknown:
it it's used, but it's not some big fundamental mathematical underpinning where going through several chapters of that book would have been required. It's more like I could see Satoshi saying, I need I need something to just Mhmm. To reference this one thing. And he picked the book he saw on his bookshelf, possibly. I imagine there are many other potential It is probability it's the probability book by Fuller, f u l l e r, that that is, quoted.
[00:35:50] Unknown:
Interesting.
[00:35:51] Unknown:
Yeah. I got it mostly as a souvenir. You know?
[00:35:54] Unknown:
Yeah. We're we're humans. We like to collect weird things. You know?
[00:35:59] Unknown:
But it is my intention one day. Yeah. Feller? Is it Feller or Fuller? It's a Feller. Yeah. It's 1957. The book looks like it was made in 1957, and I can barely see the cover. So Feller, not Fuller.
[00:36:15] Unknown:
Feller. So yeah. Look. And that it's referenced in one place under, section 11 on page six of the white paper. And Yep. It's oh, it's the probability of the attacker. The probability of an attacker catching up from a given deficit is analogous to the gambler's ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven, we can calculate the probability he ever reaches breakeven or that an attacker ever catches up with the honest chain as follows. So, yeah, it's a it's a math thing. It this is a math thing. Yes. And this is more of, like,
[00:36:54] Unknown:
this, the vulnerability to, to the kind of mining attack that Satoshi certainly was envisioning that I'm guessing is not an attack. We we, you know, we have different attacks now.
[00:37:10] Unknown:
Right. Yeah. Well, because and this was the I think you shared that article where there's there's, you know, the Satoshi didn't envision, hashers and miners, Right? And the distinction between the two where the hash rate is coming from a separate entity than the person creating the blocks.
[00:37:32] Unknown:
Right. That's true. And, also probably didn't envision much beyond CPU either.
[00:37:40] Unknown:
Yeah. Yeah.
[00:37:42] Unknown:
Yep. So it just tells me Satoshi is human. Right? Like It's interesting. This is really the only math in the white paper. And Really? Yeah. For the and it's so like, even well, okay. It's not true. Go go go back. No. Yeah. You're this is this is the same idea with the probability. Yeah. It's probability. It talks about So before this section this is the last section called calculations. Right? Yep. Yeah. Yep. So if you go oh, I I I'd say that to say, like, even, like, something like the Byzantine generals problem. It's not a math problem. Right? It's more it was a it was a computer science problem. People talk about it. It was a math problem.
[00:38:27] Unknown:
Yeah. I mean, there's some math in here with, you know, the size of
[00:38:32] Unknown:
block headers, but that's not right. Yeah. It's not using mathematical latex. The you mean but math meaning answering to answer the question, why is this gonna work? Right. You see what I mean? And that's which is, I think, how most people talk about math with regard to Bitcoin. Mhmm. You know? I I the most ridiculous thing I saw this weekend, and I didn't see any presentations. I was in Vegas. I didn't go to any presentations, but I did watch, because I I don't know why I have such a perverse love for, Peter Schiff. I he's such a good he's just so good at, like, angering people.
And so I watched I watched, the panel with him and Trace Mayer that Natalie Brunell. And, you know, she was just like, god, like, insufferable. Like, I wish she'd like, they'd muted her on this because Peter Schiff, man, was you say what you want about the guy. Right? He's a smart guy. And you know what? It's like, I want him I want people to hear him talk. I people should consider the things he's saying. He's basically saying Bitcoin is harmful, and I want him to call attention to it. Why don't you just let why just let him do that. Right? But the okay. There's a reason I'm bringing this up, the math podcast. Important reason. Because he was saying something about Bitcoin, and Natalie Brunel said something that trigger it's once again, these are the things that trigger me about, like, the influencers.
They'll say, wait. Do you not believe in math? He said something like how she said? Yeah. He said something like how Bitcoin has no intrinsic value or something like that. And her, like, knee jerk response was, I'm sorry. Do you not believe in math? You know? And it's just like like, they were this reminds me so much of the COVID arguments and the trust of science and these peep like Yeah. The you know, it it really is. And I remembered at the time you know, look. Prior to COVID, I spent ten years studying biology, neuro and, you know, neuroscience, and I was basically in this Jack Kruse rabbit hole trying to figure out why he says the shit he says. And so I basically, I was like, dude, there's gonna be a real penalty to be paid for people who think they know science and don't walk around telling people to trust it. There's gonna be a massive massive price to be paid there.
And it's like the people in Bitcoin, at least, like, in the influencer class or connected to it are doing the same thing with the do the math, trust the math. It's just math. And then you have you, you know, you have this idea that you are comfortable with the math, but the question is, can you open this paper? Right? Can you open, whether it's the white paper and not be totally full of shit about going to understanding what what he's doing in that back section? Or can you open that DahLIAS paper, go to the pseudocode, and actually makes you know, believe you can make sense of what's going on? Or do you you're just like, you know what? I trust math. I believe in math. Bitcoin is math, you know, and fuck you, Peter Schiff.
Right?
[00:41:38] Unknown:
Yeah. It's It's easy to do that. It's easy to condense that to that just that thought process. Right? And and and arguably, I think most people in the Bitcoins like, like, you're gonna there's gonna there's tons of people Bitcoiners out there that that just do that. Like, then and and luckily, Bitcoin works
[00:42:01] Unknown:
Yeah. So that they don't have to if they Totally, dude. It's like, you know what? You know what the good news is? Yeah. The good news is Yeah. You don't really have to know math or care. Right. It helps. I mean, if you wanna hold on to your stack, it probably helps to learn these things. Right. Right? If you want to survive all of the social attacks that are gonna make you know, that wanna FUD your life savings, it's probably a good idea to have some conviction that's really based on what's going on in between your ears, not what goes on. Maybe Natalie Brunell knows the math, and she's fine with it. But, you you know, you need to make sure that you understand it. I Right. And not just be not just feel good about it because some people you trust are okay with it.
[00:42:47] Unknown:
Yeah. Totally. Absolutely. That's why we do this. You have to live comfortably with knowing. Right? And and I think, you could just understand and know that you're outsourcing brain juice to other people on the math part by just asserting that, well, hey. You know, you don't trust the math or you don't believe in math or whatever. It's like, yeah. You know, you can you can live your life that way, the same way. Like, I don't I don't know. I I don't understand the the math behind gravity. So but I understand that it works, right, because I live it. But as soon as some, like, anti gravitational gravitate manipulation thing comes out, like, I'm not I'm not ready to to understand that or
[00:43:34] Unknown:
know if it's bullshit or not. Yeah. I was just thinking, okay. It's just really the inverse square law, I think, with gravity. But
[00:43:41] Unknown:
Well, what I don't know what that mean. What do you mean?
[00:43:45] Unknown:
This. So the two masses are naturally attract gravity to each other, and it's seems like it. I think it's m one times m two divided by distance squared. Maybe we're baiting somebody to boost us to correct us that's dying to correct us. Could be. Could be. But, you know, so, like, again, the the stronger the the closer you are, the closer the the closer the two masses are to each other, the stronger the gravitational force between them.
[00:44:13] Unknown:
Right.
[00:44:14] Unknown:
And Okay. The further away they are, the weaker, and it's by and it's squared. You know? So and it's one way it's like a way of if you, like, are worried about exposure to electromagnetic fields, for example, and you there's a cell tower in your town, and, you know, you can buy a house that's another a mile further away, you're gonna benefit, in a, you know, squared fashion by distancing yourself that much further from it. Interesting. Yeah. Closer you Because the
[00:44:48] Unknown:
the distance relative
[00:44:50] Unknown:
between the two things affects the energy between it. Yeah. In Bitcoin parlance, the closer you are to something, you parabolically increase your exposure to it. Everybody understands pair parabola. So inverse Parabola. Parabola is just square. At y equals x squared is a parabola. So parabolic describes the notion of essentially quadratic or squared, you know, motion. Right. The thing that our monkey brains don't understand. Yes. Now it happens to be that parabolic is kind of lame. Like, exponential really is where where it's at. Parabolic is kinda gay.
That's gonna be the title of the episode. Well, because parabolic just assumes that you're squaring it. Right? So that exponential value is constant in in a parabolic function. Yeah. And programmers know this. It's like squared's not like especially, like, if o if I'm I have my big O. Right? Big O squares are nothing. You know? I don't know that.
[00:45:50] Unknown:
Well The big O thing.
[00:45:52] Unknown:
And I know it's a weakness of mine as well that I hope to strengthen, but you can't so this is literally this was, like, the page of the Koblitz book. Like, you can't really know how much it costs to run compute without really understanding the big O notation. In In other words, without understanding whether or not your compute is a function of something linear, quadratic, exponential?
[00:46:17] Unknown:
Well, for me, it was always it it, the big O conversation is always a conversation of trade offs between, like, time and space. Because you can do, you can spend a lot of time on the computation, or you can use a lot of space in your computation.
[00:46:35] Unknown:
But it sets the barriers for whether or not your Yeah. Crypto system can be attacked by the prevailing resources on the planet.
[00:46:44] Unknown:
Boom. Wow. Yeah. That's, yeah, that's a beautiful way to put that. Yeah. Because if you have the computational resources to iterate over all pub all private keys in the secp curve, like, that's the that's the risk of the attack. Yes. But if you can reduce
[00:47:09] Unknown:
you if you'd let's say, you say, you know what? I don't wanna get every access to every I don't wanna run every every private key. Yep. All I need to do is take, whatever the big O of the elliptic curve is. Right? Or I can you know, basically, I take the space. It's like the calculation space of what I'm solving for. If I can somehow reduce that, right, I can cut it in half
[00:47:33] Unknown:
Right.
[00:47:34] Unknown:
Or square root it or something. You know? Like, that's the other that, you know, that's the other way to do it. I either invent the, I either invent the capacity to run to brute force it. Right? Yep. Or I can, like, you know, like, if somebody reuses an address, then now I have now I can overcome I can overcome that, computational, barrier. Right?
[00:48:01] Unknown:
They've made they've reduced the problem. Just exposes the public key with a different signature twice.
[00:48:09] Unknown:
Understand. I mean, if they yeah. Yeah. They they It's really They leak somebody leaks their key if somebody leaks their key, then they reduce the computation space greatly to below Right. The earth's capacity. That's my most humble and my point. So there are two ways to do it.
[00:48:25] Unknown:
This makes me think back to, like, Fermat's theorem and stuff where it's, like, you're taking this computation and you're deriving a shortcut computationally to arrive at the same conclusion or the same answer.
[00:48:39] Unknown:
Yeah. Yeah. Imagine if you can just use Fermat's to get somebody's, you know,
[00:48:46] Unknown:
to get somebody's private. Right. Well, that's You don't want that. The risk. That's right. Right? That's the risk is some big brain mathematician in the future figures out some way to computationally reduce, discrete logarithm. Right? Like, that's the Yeah. That's the risk to all modern cryptography is, like, this this discrete logarithm assumption.
[00:49:05] Unknown:
There's a good chance that it's just gradually and suddenly, sometime in the year 3240 or whatever, somebody's gonna do so somebody will figure it out. Like, you know, we we went thousands of years, and then Euler and Gauss came in, like, just in Vermont. Right? And did so much. Right? And maybe we'll go another maybe we'll go another couple hundred years. But maybe, honestly, it's maybe one of the byproducts of Bitcoin is that and maybe one of the byproducts of what we're doing is we're gonna create the person that figures this attack out. And maybe we need to We're gonna break Bitcoin. Maybe we need to break Bitcoin.
[00:49:47] Unknown:
Yeah.
[00:50:06] Unknown:
Dahlia and I were taking a bath, and Dahlia was smoking a cigar. And she said to me, I bet you've never taken a bath with a girl who smoked King of Sigbar before. And she told me all about
[00:50:33] Unknown:
her car accident. She was overdosed on Valley Arm, and she made an attempt to cry.
[00:51:22] Unknown:
Draw an old camel t shirt with some magic of its own. And we listen to the stones, soaking cherry dog blow pops. Sucking cherry charms blow pops.
[00:17:46] Unknown:
from your secrets is, like, is the protocol as specified. Right? Yeah. And so we can actually look at these. So key generation, right, it's it's normal. Well, just for the listeners, what I'm what we're looking at here on this page
[00:18:00] Unknown:
is Page 19 of the document. It's essentially an it's a total code road map to how to do all of the things in the paper with pseudo code with pseudo code. And, you know, and Gary here can is, like, confidently going through it. Like, I know what the hell all this is.
[00:18:19] Unknown:
I do now. Yeah. No. And and, like, and thanks a lot to this podcast. Right? Like, us pressing on this Yeah. Consistently is, like, I took the time. I spent a few hours one morning just grinding through the code, which again, I code a lot better than an, like, mathematical notation. Understand. But having the two side by side, side, I can go through and look at this. Right? So there's this for every signer, they do this sign process. Right? So we can go up to this sign process and look at the code, like, what's going on with the sign process.
[00:18:53] Unknown:
Yeah. And so then the the so there's this page, this one pager that has all this pseudocode and sort of the Mhmm. Mat it's like the mathematical representation of everything. And Yeah. And then we go into the GitHub, and we can see the, it's not actual implementation code, but it's actual, model it's a model for the basically, test a test environment for the act if, you know, for the actual implementation of the code.
[00:19:22] Unknown:
And that and it's it's funny that you say test because the function when you run this full aggregation you know, if you do Python three full ag dot py, it will run the test full aggregation scheme. And so it runs through the old schema. It it creates public Yeah. Private key pairs. It creates messages for each of the signers. Right? And then it it creates this dataset called the signers, which is just, public private keys. And and this is the part that, you know, this is an example. Right? But in a real world, I would keep my key secret from this. But in the example, it's like all the public and private keys are all sort of, like, included in the same code. Interesting. And then and then you run this dataset of public private key pairs with messages through the DahLIAS protocol. Right? And you get at the end of it, you get a signature that is in capital r and an s value.
And so the the sign piece of this is you're just creating a random scalar, and then you're creating, let's see. Yeah. Secret nonces. Right? So these are things that you're not gonna expose. So just On the signing side. Yeah. Yeah. Yep. And then you're computing public nonces which is the capital r values. And the way you do that is you multiply the secret nonces by the generator point much in the same way that you multiply, private key by the generator point to get to a public key. Right? So so same same very similar concept, and then you're storing this state, and then you're returning that state. Right? So one of the things about this protocol is, like, there's sort of, like, a state of signing that has, like, the different, public and private nonces, the different messages and stuff. And each pieces of this state are sort of going through each function. So the sign function is you create public and private nonces for everybody and then comes in the the coordination piece. And, again, any of the signers could be the coordinators, but whoever is the coordinator takes this list of public private, nonces or at least I think you only need, yeah, you only need the the public nonces.
And then you're you're doing some math with it. Right? And you're creating this thing called, like, a context. And the context is just sort of the the data, the public nonces with public keys, messages, and then the the actual, like, the output of of these, like, signers.
[00:21:55] Unknown:
Okay. So now can can we try to zoom out for a sec. Right? Sure. Yeah. Yeah. And remind us why this is relevant. Like, what is the what is, the promise, or what is the benefit here? Why why why should we even spend our time trying to challenge ourselves
[00:22:16] Unknown:
to to get Yeah. So there's a couple of things that, to my understanding that CISA or cross input signature aggregation brings to, Bitcoin or or, like, broader, like, cryptography stuff. And it is, when you aggregate signatures, you're compressing the final signature. Or not compressing. You're you're reducing the size of the final signatures. So in this example where you have three signers, in normal signature land where we're just signing Bitcoin transactions or whatever, we would have three sets of r and s values. Right? Those are those are all the different signatures. At the end of this process, you have one one r and s value. And that one r and s value, that one signature can be used to verify
[00:23:00] Unknown:
all of the messages that were signed. So if you
[00:23:06] Unknown:
Bitcoin stance on chain, right, every transaction has a signature in it. If you can do signature aggregation, you only need one signature for multiple transactions. And they can all be verified. Right? So you're reducing the size you need for for signatures. It's not like it's not a huge saving. And I think CISA research has, like, some math as far as, like, percentage saving goes. But you're saving on space. But one of the interesting things is imagine a CoinJoin transaction. Mhmm. Right? You have tons of inputs and tons of outputs. Yeah. Well, all those inputs have to have signatures. Right?
And so you're you're saving CoinJoin space. And I believe this is even called out in CISA Research. We we should probably go look. But you're saving space when you're able to aggregate these signatures. And so that's one thing. And then not all it it creates sort of an economic incentive to do a CoinJoin that's not just, privacy. Right? Like, privacy Right. Becomes a a huge benefit in CoinJoins. But if you could also save space so it looks like on the half aggregate signature. Right? It says that you can save roughly, you know, 20% in terms of bytes and 7% in in terms of, like, actual weight units of the transactions. Yeah. In an ideal world where,
[00:24:30] Unknown:
you know, then we're there. We didn't have frictions. Right. We would have competing CoinJoins that would be rushing for a 20% reduction in, you know, in space and size.
[00:24:46] Unknown:
Yep. And to lower to lower their fees. Right? Full aggregation, though. Right? So full aggregation gives you 26 savings in bytes and 9.6% in weight units. Mhmm. And that's just based on, like, average transaction stuff.
[00:25:00] Unknown:
Is any of this, like, useful or prerequisite
[00:25:04] Unknown:
for, like, the scaling things they're trying to do, like CTV and things like that? Or is it Orthogonal. Unrelated? Yeah. Okay. Yeah. Un this is, you know, a CTV transaction Or covenants or whatever like this sharing. Covenant transactions are gonna have signatures on it. Right? All transactions have signatures on it. The the the the current, like, software proposals with, like, new op codes and stuff, they don't do anything, new with signatures. Right? So, like, CTV, you're just creating a hash that you're still signing as part of the transaction signature. Check sig from stack is just, right now, like, the check signature opcode in Bitcoin, it only works on the on the hash, the message that is the transaction.
Okay. Yeah. Check sig from stack allows you to create a Bitcoin script that you can give any message with a pub key and a signature. And if that evaluates to true, you check that signature from the stack against the the message in the pub key, then it it evaluates to true. Right? Which that's ultimately what you do when you spend a Bitcoin is you're creating a a script
[00:26:13] Unknown:
that evaluates to true, and then everybody accepts it. You just need to be able to sign your own piece of it. You don't have to unlike what I'm seeing here with the aggregated unlike the aggregated signature. Right? This is almost the opposite, right, where you just hope You just need a way to sign your own piece.
[00:26:30] Unknown:
Right. And and, again, the problem becomes the interactivity. Right? So this,
[00:26:35] Unknown:
half aggregation to my understanding Sorry. Atomic swaps, I could see this being very useful. Right? Too? But you don't know you either have all or nothing, and it doesn't So atomic swaps are
[00:26:45] Unknown:
again, to my understanding, atomic swaps are one of the friction points with signature aggregation because, in atomic swaps and, again, this is my understanding. So I could be a little off on this, but, it's maybe it's not atomic swaps, but there's something called, adapter signatures, which is, like, when I create the signature, I'm revealing a secret that you need. Right? But up until that point, you don't have the secret. Right. So it's like when I create the signature to send the Bitcoin, now you have the key to sweep the other whatever cryptography thing that you need. Like, you by me providing the signature to to do the spending
[00:27:20] Unknown:
And you're truly no longer net you're yeah. You're truly no longer needed in the transaction anymore, and your privacy or whatever you were protecting is no longer needed anymore at that point. It's almost like a bee stinging somebody, and that's it. Their stinger is now in the in the ecosystem, and they're they're done. Right? But
[00:27:39] Unknown:
Yeah. Okay. I can see that analogy. Yeah. But these are at odds, though, because if you're doing signature aggregation, I believe you you you lose the, ability to do, like, adapter signatures.
[00:27:51] Unknown:
Okay. I was thinking of it in the context of this is an all or nothing, like or it enables an all or nothing type of operation.
[00:28:01] Unknown:
Yeah. So there's and it actually talks about this with, like, TX wide, transaction wide full aggregation versus, like, block wide. Right? But block wide full aggregation, I I don't think we're ever gonna get there because you need again, with the DahLIAS thing, you're cooperating with these other signers to create an aggregated signature. So there's an interactivity that it needs to happen there, which again for, like, CoinJoin and other, you know, collaborative transaction protocols, you're already gonna have to collaborate with the other people to create the transaction and sign the transaction, etcetera. So, you know, aggregation of signatures makes sense in that regard, but it doesn't necessarily make sense for, like, a full block wide thing because getting the entire you know, every transaction in a block to, like, agree and collaborate, is is sort of beyond, I think, the the way that we're able to to to coordinate. Right? Theoretically,
[00:28:54] Unknown:
we could live in a world where every company has to CoinJoin their stack before they pay, you know, before they make payroll. Right? Like, there seems to be reasons why they would wanna do that with that. That's not, you know yeah. It just seems like they're standard. Like, that's that would be that would seem standard to me. And then so it seems these types of these things are being innovated to facilitate, you know, really important, just kind of important technology. Absolutely. Right? Because even if your average Bitcoin user may not use it, it's still important to us that it exists.
[00:29:36] Unknown:
Right? Yeah. And one of the things with with DahLIAS, and there was an update recently to the CISA research paper or to the to the page. If you go to cisaresearch.org, the update was, you know, up until this DahLIAS paper came out, there was no scheme. Right? There's no cryptographic scheme for full aggregation. And so what DahLIAS, to my understanding, is proposing is a scheme that has a concrete. And one of the key things is constant size. Meaning, like, it fits in the same shape and size because it's just it's two scalars on the curve. Mhmm. It still fits in the same size that a normal transaction signature does.
Right? And then they they talk about provably secure and the random oracle model. And and I think we covered that last time, and we weren't you know, we're not mathematically savvy enough to, like, go through the proofs yet. But, you know, it this is this paper is addressing sort of a lack, or or it was there was there was no scheme before DahLIAS for full aggregation that worked with Schnorr signatures that had, like, the properties that's sort of the same shape as, like, a MuSig Schnorr signature, with these other, you know, secure properties,
[00:30:48] Unknown:
if that makes sense. Yeah. I'm I am now. So I met we mentioned last time this book called cryptography.
[00:30:55] Unknown:
Yeah.
[00:30:57] Unknown:
I started so there's a book. I I needed a new book to do. It's a math book called cryptography theory and practice by Stinson and Patterson, and I started I started with it last, I guess, right after our last episode. And I just recently went through a section called perfect secrecy. Interesting. And, you know, it uses basic prob it's not I guess it's not what you think. And I get caught up I I I get caught up in the language. So when I hear perfect secrecy, I was like, oh, this is pro I don't see how you're gonna use probability theory to get perfect. Yeah. You know, the word perfect is a very hard word to live up to. Oh, I'm sorry.
But, it so there's a there's there's a technical definition of perfect secrecy. And, basically, it's when the, conditional probability equals the the non conditional probability, meaning that condition it's like if you have probability of x conditioned on y equals the probability of x, it means that knowing what happened to y and like, it gives you no new information. That that was that's really the point of it. But I I gave it this grandiose meaning of, like, oh my god. It's perfect perfect secrecy. And this is what happens when I go through these books and I struggle and I struggle. I'm like, I'm not seeing I'm not seeing perfect secrecy. You know? But, it's you know, once again, it what it did though is it reawakened my, relationship with probability. I've been ignoring probability as a math discipline pretty much on this entire journey in the rabbit hole.
And, now that has been awakened because it's really it's pretty dang cool and pretty useful, and, it's a useful way to explain, I think a lot of the things they wanna get across. And a lot of these ideas are not in the, cryptography book I went through two and a half years ago, the one that started the rabbit hole, the by Paar. Oh, okay. Paar, Pelzl. Pelzl. Sorry. So this is more, I think, of a It's like the that course would be a course, like a one zero one. This would be either be a one zero two or, it's it doesn't occur to me like graduate level.
You know? It's all still very accessible. Mhmm. But much it fills in a lot of the blanks, and I I do get I do get stuck on I do get stuck on certain things here. But reengaging with probability, I might have to really think about how to do a basic, maybe a basic probability one zero one for, that wouldn't be a bad thing to be able to be able to present. Math.
[00:33:49] Unknown:
That yeah. If you're presenting math, you're doing it right.
[00:33:52] Unknown:
You know, it's one it's another one of those things where probability is, like, actually really easy, but people consider it hard for some reason.
[00:33:59] Unknown:
I'm one of those.
[00:34:01] Unknown:
So, like, it'd be cool to demystify it. It's
[00:34:06] Unknown:
you know Well, the probability
[00:34:08] Unknown:
interest like, probability goes into into mining. Right? Like Yeah. And it's like the one thing in the white paper where probability was brought into it. I did acquire I have the textbook. I have the probability textbook that was quoted in the white paper. I kinda want it's more of a souvenir. I've one of these days, maybe that's the there are better probability textbooks to go through, but there was a part of me that was like, you know, I wanna do what Satoshi did. I wanna learn. I wanna go through it the way he did. You know? It's like you get a it I don't know. Like, you almost feel like you're somehow
[00:34:46] Unknown:
mind melding when you go through this the book that you know that You're building the same context. Yeah. Like, we've talked about this before. It's it's context. So it's like exploring the same technical resources that somebody else used to arrive at a conclusion that we take for granted or we take as just like it works. That's the whole point of what we're doing. Right? Is we're building the mathematical context. Now in the case of the white paper, it's not as
[00:35:11] Unknown:
it it's used, but it's not some big fundamental mathematical underpinning where going through several chapters of that book would have been required. It's more like I could see Satoshi saying, I need I need something to just Mhmm. To reference this one thing. And he picked the book he saw on his bookshelf, possibly. I imagine there are many other potential It is probability it's the probability book by Fuller, f u l l e r, that that is, quoted.
[00:35:50] Unknown:
Interesting.
[00:35:51] Unknown:
Yeah. I got it mostly as a souvenir. You know?
[00:35:54] Unknown:
Yeah. We're we're humans. We like to collect weird things. You know?
[00:35:59] Unknown:
But it is my intention one day. Yeah. Feller? Is it Feller or Fuller? It's a Feller. Yeah. It's 1957. The book looks like it was made in 1957, and I can barely see the cover. So Feller, not Fuller.
[00:36:15] Unknown:
Feller. So yeah. Look. And that it's referenced in one place under, section 11 on page six of the white paper. And Yep. It's oh, it's the probability of the attacker. The probability of an attacker catching up to a given deficit is analogous to the gambler's ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to break reach breakeven, we can calculate the probability he ever reaches breakeven or that an attacker ever catches up with the honest chain as follows. So, yeah, it's a it's a math thing. It this is a math thing. Yes. And this is more of, like,
[00:36:54] Unknown:
this, the vulnerability to, to the kind of mining attack that Satoshi certainly was envisioning that I'm guessing is not an attack. We we, you know, we have different attacks now.
[00:37:10] Unknown:
Right. Yeah. Well, because and this was the I think you shared that article where there's there's, you know, the Satoshi didn't envision, hashers and miners, Right? And the distinction between the two where the hash rate is coming from a separate entity than the person creating the blocks.
[00:37:32] Unknown:
Right. That's true. And, also probably didn't envision much beyond CPU either.
[00:37:40] Unknown:
Yeah. Yeah.
[00:37:42] Unknown:
Yep. So it just tells me Satoshi is human. Right? Like It's interesting. This is really the only math in the white paper. And Really? Yeah. For the and it's so like, even well, okay. It's not true. Go go go back. No. Yeah. You're this is this is the same idea with the probability. Yeah. It's probability. It talks about So before this section this is the last section called calculations. Right? Yep. Yeah. Yep. So if you go oh, I I I'd say that to say, like, even, like, something like the Byzantine generals problem. It's not a math problem. Right? It's more it was a it was a computer science problem. People talk about it. It was a math problem.
[00:38:27] Unknown:
Yeah. I mean, there's some math in here with, you know, the size of
[00:38:32] Unknown:
block headers, but that's not right. Yeah. It's not using mathematical LaTeX. The you mean but math meaning answering to answer the question, why is this gonna work? Right. You see what I mean? And that's which is, I think, how most people talk about math with regard to Bitcoin. Mhmm. You know? I I the most ridiculous thing I saw this weekend, and I didn't see any presentations. I was in Vegas. I didn't go to any presentations, but I did watch, because I I don't know why I have such a perverse love for, Peter Schiff. I he's such a good he's just so good at, like, angering people.
And so I watched I watched, the panel with him and Trace Mayer that Natalie Brunell. And, you know, she was just like, god, like, insufferable. Like, I wish she'd like, they'd muted her on this because Peter Schiff, man, was you say what you want about the guy. Right? He's a smart guy. And you know what? It's like, I want him I want people to hear him talk. I people should consider the things he's saying. He's basically saying Bitcoin is harmful, and I want him to call attention to it. Why don't you just let why just let him do that. Right? But the okay. There's a reason I'm bringing this up, the math podcast. Important reason. Because he was saying something about Bitcoin, and Natalie Brunel said something that trigger it's once again, these are the things that trigger me about, like, the influencers.
They'll say, wait. Do you not believe in math? He said something like how she said? Yeah. He said something like how Bitcoin has no intrinsic value or something like that. And her, like, knee jerk response was, I'm sorry. Do you not believe in math? You know? And it's just like like, they were this reminds me so much of the COVID arguments and the trust of science and these peep like Yeah. The you know, it it really is. And I remembered at the time you know, look. Prior to COVID, I spent ten years studying biology, neuro and, you know, neuroscience, and I was basically in this Jack Kruse rabbit hole trying to figure out why he says the shit he says. And so I basically, I was like, dude, there's gonna be a real penalty to be paid for people who think they know science and don't walk around telling people to trust it. There's gonna be a massive massive price to be paid there.
And it's like the people in Bitcoin, at least, like, in the influencer class or connected to it are doing the same thing with the do the math, trust the math. It's just math. And then you have you, you know, you have this idea that you are comfortable with the math, but the question is, can you open this paper? Right? Can you open, whether it's the white paper and not be totally full of shit about going to understanding what what he's doing in that back section? Or can you open that DahLIAS paper, go to the pseudo code, and actually makes you know, believe you can make sense of what's going on? Or do you you're just like, you know what? I trust math. I believe in math. Bitcoin is math, you know, and fuck you, Peter Schiff.
Right?
[00:41:38] Unknown:
Yeah. It's It's easy to do that. It's easy to condense that to that just that thought process. Right? And and and arguably, I think most people in the Bitcoins like, like, you're gonna there's gonna there's tons of people Bitcoiners out there that that just do that. Like, then and and luckily, Bitcoin works
[00:42:01] Unknown:
Yeah. So that they don't have to if they Totally, dude. It's like, you know what? You know what the good news is? Yeah. The good news is Yeah. You don't really have to know math or care. Right. It helps. I mean, if you wanna hold on to your stack, it probably helps to learn these things. Right. Right? If you want to survive all of the social attacks that are gonna make you know, that wanna FUD your life savings, it's probably a good idea to have some conviction that's really based on what's going on in between your ears, not what goes on. Maybe Natalie Brunell knows the math, and she's fine with it. But, you you know, you need to make sure that you understand it. I Right. And not just be not just feel good about it because some people you trust are okay with it.
[00:42:47] Unknown:
Yeah. Totally. Absolutely. That's why we do this. You have to live comfortably with knowing. Right? And and I think, you could just understand and know that you're outsourcing brain juice to other people on the math part by just asserting that, well, hey. You know, you don't trust the math or you don't believe in math or whatever. It's like, yeah. You know, you can you can live your life that way, the same way. Like, I don't I don't know. I I don't understand the the math behind gravity. So but I understand that it works, right, because I live it. But as soon as some, like, anti gravitational gravitate manipulation thing comes out, like, I'm not I'm not ready to to understand that or
[00:43:34] Unknown:
know if it's bullshit or not. Yeah. I was just thinking, okay. It's just really the inverse square law, I think, with gravity. But
[00:43:41] Unknown:
Well, what I don't know what that mean. What do you mean?
[00:43:45] Unknown:
This. So the two masses are naturally attract gravity to each other, and it's seems like it. I think it's m one times m two divided by distance squared. Maybe we're baiting somebody to boost us to correct us that's dying to correct us. Could be. Could be. But, you know, so, like, again, the the stronger the the closer you are, the closer the the closer the two masses are to each other, the stronger the gravitational force between them.
[00:44:13] Unknown:
Right.
[00:44:14] Unknown:
And Okay. The further away they are, the weaker, and it's by and it's squared. You know? So and it's one way it's like a way of if you, like, are worried about exposure to electromagnetic fields, for example, and you there's a cell tower in your town, and, you know, you can buy a house that's another a mile further away, you're gonna benefit, in a, you know, squared fashion by distancing yourself that much further from it. Interesting. Yeah. Closer you Because the
[00:44:48] Unknown:
the distance relative
[00:44:50] Unknown:
between the two things affects the energy between it. Yeah. In Bitcoin parlance, the closer you are to something, you parabolically increase your exposure to it. Everybody understands pair parabola. So inverse Parabola. Parabola is just square. At y equals x squared is a parabola. So parabolic describes the notion of essentially quadratic or squared, you know, motion. Right. The thing that our monkey brains don't understand. Yes. Now it happens to be that parabolic is kind of lame. Like, exponential really is where where it's at. Parabolic is kinda gay.
That's gonna be the title of the episode. Well, because parabolic just assumes that you're squaring it. Right? So that exponential value is constant in in a parabolic function. Yeah. And programmers know this. It's like squared's not like especially, like, if o if I'm I have my big o. Right? Big o squares are nothing. You know? I don't know that.
[00:45:50] Unknown:
Well The big o thing.
[00:45:52] Unknown:
And I know it's a weakness of mine as well that I hope to strengthen, but you can't so this is literally this was, like, the page of the Koblitz book. Like, you can't really know how much it costs to run compute without really understanding the big o notation. In In other words, without understanding whether or not your compute is a function of something linear, quadratic, exponential?
[00:46:17] Unknown:
Well, for me, it was always it it, the big o conversation is always a conversation of trade offs between, like, time and space. Because you can do, you can spend a lot of time on the computation, or you can use a lot of space in your computation.
[00:46:35] Unknown:
But it sets the barriers for whether or not your Yeah. Crypto system can be attacked by the prevailing resources on the planet.
[00:46:44] Unknown:
Boom. Wow. Yeah. That's, yeah, that's a beautiful way to put that. Yeah. Because if you have the computational resources to iterate over all pub all private keys in the secp curve, like, that's the that's the risk of the attack. Yes. But if you can reduce
[00:47:09] Unknown:
you if you'd let's say, you say, you know what? I don't wanna get every access to every I don't wanna run every every private key. Yep. All I need to do is take, whatever the big o of the elliptic curve is. Right? Or I can you know, basically, I take the space. It's like the calculation space of what I'm solving for. If I can somehow reduce that, right, I can cut it in half
[00:47:33] Unknown:
Right.
[00:47:34] Unknown:
Or square root it or something. You know? Like, that's the other that, you know, that's the other way to do it. I either invent the, I either invent the capacity to run to brute force it. Right? Yep. Or I can, like, you know, like, if somebody reuses an address, then now I have now I can overcome I can overcome that, computational, barrier. Right?
[00:48:01] Unknown:
They've made they've reduced the problem. Just exposes the public key with a different signature twice.
[00:48:09] Unknown:
Understand. I mean, if they yeah. Yeah. They they It's really They leak somebody leaks their key if somebody leaks their key, then they reduce the computation space greatly to below Right. The earth's capacity. That's my most humble and my point. So there are two ways to do it.
[00:48:25] Unknown:
This makes me think back to, like, Fermat's theorem and stuff where it's, like, you're taking this computation and you're deriving a shortcut computationally to arrive at the same conclusion or the same answer.
[00:48:39] Unknown:
Yeah. Yeah. Imagine if you can just use Fermat's to get somebody's, you know,
[00:48:46] Unknown:
to get somebody's private. Right. Well, that's You don't want that. The risk. That's right. Right? That's the risk is some big brain mathematician in the future figures out some way to computationally reduce, discrete logarithm. Right? Like, that's the Yeah. That's the risk to all modern cryptography is, like, this this discrete logarithm assumption.
[00:49:05] Unknown:
There's a good chance that it's just gradually and suddenly, sometime in the year 3240 or whatever, somebody's gonna do so somebody will figure it out. Like, you know, we we went thousands of years, and then Euler and Gauss came in, like, just in Vermont. Right? And did so much. Right? And maybe we'll go another maybe we'll go another couple hundred years. But maybe, honestly, it's maybe one of the byproducts of Bitcoin is that and maybe one of the byproducts of what we're doing is we're gonna create the person that figures this attack out. And maybe we need to We're gonna break Bitcoin. Maybe we need to break Bitcoin.
[00:49:47] Unknown:
Yeah.
[00:50:06] Unknown:
Dahlia and I were taking a bath, and Dahlia was smoking a cigar. And she said to me, I bet you've never taken a bath with a girl who smoked King of Sigbar before. And she told me all about
[00:50:33] Unknown:
her car accident. She was overdosed on Valley Arm, and she made an attempt to cry.
[00:51:22] Unknown:
Draw an old camel t shirt with some magic of its own. And we listen to the stones, soaking cherry dog blow pops. Sucking cherry charms blow pops.