TL;DR @gregoryneven et al. proved 2-round MuSig insecure; we made 2-round work with deterministic nonces + bulletproof ZKP (2-round is good for usability). as SHA256 is CPU expensive, @pwuille @n1ckler @real_or_random @yannickseurin designed Purify for low bulletproof complexity.
I thought it was a pretty neat and simple trick to disprove the impossibility by counter-example: make a bulletproof that the nonce is deterministic, which cuts off Wagner's adaptive attack as there are no free variables left. hearing "impossible" led to the "is that true, really?" question.
in fairness the impossibility proof is presumably correct, just within model assumptions that this solution side-steps. 2-round is interesting for usability because it reduces interactivity in multi-party signatures, which might involve fetching a hardware wallet from a safe 2x.
the Purify keyed PRF, optimized for bulletproofs to reduce the verification complexity, and the security proofs of it were the bulk of the work by the DN paper authors, as a bulletproof of a normal bitcoin HMAC-SHA256 deterministic nonce is a bigger proof, and maybe 45x slower to verify.
the proof is more nuanced: "we prove none of the schemes can be proved secure without radically departing from currently known techniques. We show if the one-more discrete-log problem is hard, no algebraic reduction exists that proves any of these schemes secure" @real_or_random
usually when people find impossible-to-prove results, it's a hint your direction is not securable; plus here Neven et al. also concretely broke the previous MuSig version, which says if you try to repair by adding complexity, you're unlikely to get it to work with this approach.
so bulletproof + deterministic nonce is a radically different technique and different approach, so the proof scope does not apply. plus it's pleasingly simple and has a clear intuitive security argument. the bulk of the work was the DN authors with #Purify and making it efficient.
and there, firstly, the design of the #Purify keyed PRF (aka KDF, commonly built with a MAC like HMAC), then optimization of the bulletproof circuit complexity (45x smaller vs HMAC) and security proofs of Purify's PRF security. strong work in applied crypto. MuSig2 is a whole other story, to come!
"paper bitcoin" story playing again; to avoid repetition here's a thread to debunk that theory. think about it: fundamentally there are very few people who are long-term short bitcoin, because it's volatile and tends to go up 10x in short periods, so no one wants to short it.
one data point: there are generally no call or put options longer than 12-month duration. that's because no one wants to sell the calls. lots of people would buy them. with futures (perpetuals and dated futures) they are side-contracts, so there is a short seller for every buyer.
however the vast majority of the perp & future shorts are basis trade arbitrage, so they are neutral or even positive. how it works: someone with $60k to collect interest buys 1 BTC, uses it as collateral to short 1 perpetual future contract. now they look like they're short BUT
"a security is first and foremost an ethical concept, which is why the legal concept even exists" -@allenf32
you're relying on company management or service operators who have privileged information, and management discretion affecting your investment. they de facto could rob you
Cypherpunks like Wei Dai, Tim May, myself were interested in smart contracts, anonymous or pseudonymous commerce using reputations, good behavior bonds etc without the possibility for physical enforcement and smart contracts rather than court/arbitration process. A decade of
altcoin premines, ICOs, definitely, NFT rug-pull exit scams shows empirically that was maybe optimistic. Self regulation, smart contracts, in theory preferable, in practice can it work in isolation? I think cypherpunks underestimated the casino use case with rug-pull incentive.
early this year i was curious about the claim "bitcoin 2x's per year on average". it checks: the decade jan 2013 - dec 2022 #bitcoin went up 2.036x/year (1200x in a decade). if that continues we'll cross $10mil/BTC and $200 tril market cap by end of the next 2 halvenings, about 9 years.
$200 trillion is a @halfin 2009 #bitcoin market cap prediction number. it's a LOT, displaces a significant part of the store of value premiums in bonds, real estate monetary premium, gold, 60:40 stock portfolios, etc. some think adoption will slow, derivatives reduce volatility.
i'm not sure about the adoption slowing, nor the volatility reducing; there are other factors: the new-cycle people who learn to hodl/stack, who over time make it their mission to buy and cold store as much #bitcoin as possible, even resorting to leverage (volatility creator).
what if gold miners agreed to "improve" it, selling gold-plated lead as gold, wouldn't users have to follow? obviously no. yet #bitcoin newcomers keep getting hung up on this. #bitcoin miners cannot change it, and it's more automatic: every node assays and rejects digital lead
the crux of it is buyers know what they want: pure real gold, and real bitcoin. money is a technology and #bitcoin is better gold, digital gold with a huge network effect and investor history and conviction: buyers know they want real bitcoin, and they can tell the difference.
yes it's digital and digital scarcity is a new concept, but even aside from #bitcoin embodying the digital scarcity concept, you can't rewrite #bitcoin's history, lindy effect, network effect, battle scars, distribution of ownership, fair launch and user demand for real #bitcoin.
for first-seen-safe transactions, a current topic of discussion, I had proposed in 2013 on #bitcoin-wizards IRC a different way to do it, based on an older concept called "limited show" credentials, an idea that comes from electronic cash where you want to deter double-spending in an
offline electronic cash system (where people can spend device to device without being able to reach a server or the network). i think the same idea works for bitcoin, but with some new trade-offs. the idea is simple to understand - users could double-spend, but if they do then
miners can take their money. so the double-spend attack degrades to one where you can only profitably do it in collusion with a miner, and that's not easy in the face of competing miners who you probably can't expect to collude, and just keep the double-spent funds.
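Both the MuSig-DN thread at the top of this page and the limited-show idea just above rest on one property of Schnorr-style signatures: a signer who releases two signatures under the same nonce but different challenges reveals its private key. MuSig-DN removes that risk by making every signer's nonce a deterministic function of the signer set and message and proving it in zero knowledge, so no co-signer has a free variable to vary; limited-show turns the same property into a penalty, so a double-spender hands the key to whoever sees both spends. The Python below is an added illustration written for this page, not code from the MuSig-DN paper or from the 2013 IRC proposal. It assumes a toy 2-of-2 scheme with plain key summation (no MuSig key-aggregation coefficients), uses HMAC-SHA256 as a stand-in for the Purify PRF, and omits the bulletproof entirely; `run_session`, `det_nonce`, `key_from_two_signatures` and the demo keys and messages are all constructed for the example.

```python
import hashlib
import hmac

# secp256k1 parameters (standard curve constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
SK1, SK2 = 0x1C0FFEE1234, 0x2BADC0DE5678  # constructed demo keys, not real wallet keys

def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    k %= N
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(R, X, msg):
    """Fiat-Shamir challenge c = H(R || X || m) mod n."""
    return int.from_bytes(hashlib.sha256(enc(R) + enc(X) + msg).digest(), "big") % N

def det_nonce(sk, pubkeys, msg):
    """Keyed-PRF nonce over (signer set, message). HMAC-SHA256 stands in for
    the paper's Purify PRF (assumption); the real scheme also proves in ZK
    that the nonce was derived this way, which this toy omits."""
    data = b"".join(enc(pk) for pk in pubkeys) + msg
    mac = hmac.new(sk.to_bytes(32, "big"), data, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % N

def key_from_two_signatures(s_a, c_a, s_b, c_b):
    """Given s = r + c*x and s' = r + c'*x with the same r and c != c',
    return x = (s - s') / (c - c'); None if the challenges coincide."""
    if (c_a - c_b) % N == 0:
        return None
    return (s_a - s_b) * pow((c_a - c_b) % N, -1, N) % N

def run_session(sk1, sk2, msg, r2=None):
    """Toy 2-of-2 two-round session (plain key sum, no MuSig key-aggregation
    coefficients). Signer 1 always derives its nonce deterministically;
    signer 2 does too unless r2 is supplied (a deviating co-signer)."""
    X1, X2 = ec_mul(sk1, G), ec_mul(sk2, G)
    X_agg = ec_add(X1, X2)
    r1 = det_nonce(sk1, [X1, X2], msg)
    if r2 is None:
        r2 = det_nonce(sk2, [X1, X2], msg)
    R_agg = ec_add(ec_mul(r1, G), ec_mul(r2, G))
    c = challenge(R_agg, X_agg, msg)
    s1, s2 = (r1 + c * sk1) % N, (r2 + c * sk2) % N
    s = (s1 + s2) % N
    valid = ec_mul(s, G) == ec_add(R_agg, ec_mul(c, X_agg))  # s*G == R + c*X
    return {"c": c, "s1": s1, "valid": valid}

def deterministic_sessions_match(sk1, sk2, msg):
    """Both signers deterministic: re-running a session reproduces the same
    challenge and partial signature, so repetition gives an attacker nothing."""
    a, b = run_session(sk1, sk2, msg), run_session(sk1, sk2, msg)
    return a["valid"] and a == b

def deviating_cosigner_exposes_key(sk1, sk2, msg):
    """If signer 2 picks a different nonce for the same (L, m), signer 1's fixed
    nonce meets two different challenges and its key is recoverable. This is
    why each signer must verify the others' nonce-determinism proof."""
    a = run_session(sk1, sk2, msg)
    b = run_session(sk1, sk2, msg, r2=0x1234)  # constructed deviating nonce
    return key_from_two_signatures(a["s1"], a["c"], b["s1"], b["c"]) == sk1

def double_spend_exposes_key(sk, msg1, msg2):
    """Single-signer limited-show: the coin commits to a nonce point R = r*G.
    One spend is fine; a second spend under the same committed nonce lets
    anyone holding both, e.g. a miner, recover the key and take the coin."""
    X = ec_mul(sk, G)
    r = det_nonce(sk, [X], b"coin nonce commitment")  # committed up-front
    R = ec_mul(r, G)
    c1, c2 = challenge(R, X, msg1), challenge(R, X, msg2)
    s1, s2 = (r + c1 * sk) % N, (r + c2 * sk) % N
    return key_from_two_signatures(s1, c1, s2, c2) == sk
```

`deterministic_sessions_match` shows the "no free variables" situation the thread describes: with both nonces pinned to (L, m), re-running the session changes nothing. `deviating_cosigner_exposes_key` shows why determinism on the honest side alone is not enough and the co-signer's nonce derivation has to be proven, which is the job the bulletproof does in MuSig-DN. `double_spend_exposes_key` is the limited-show version of the same arithmetic, where the committed nonce is the feature rather than the bug.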
@nic__carter @VitalikButerin It depends what purpose it works for. Don't forget the context: some PoS coin promoters spend time FUDding PoW to sell their coins, and go as far as to claim PoS is "better" than PoW, and we all know why PoW is needed. PoS fails at those reasons, and so doesn't work (for purpose)
@nic__carter @VitalikButerin Eg a central server "works" but it does not work as a basis for decentralised bearer money, without public audit, unilateral withdrawal, fraud proofs and the ability for users to fire, recover state and replace the server.
@nic__carter @VitalikButerin Further, even if PoS was magically fixable (for purpose), it is still undesirable, replicating the problems of fiat systems: the wealthy have over-sized policy influence, can and do bail out their friends, seize, freeze, those close to power gain favors etc.